userdb: mark PII fields as sensitive in user records

Mark realName, emailAddress, and location as sensitive in JSON user
records so that they are excluded from debug log output. These fields
contain personally identifiable information that should not be leaked
in logs, which are generally more accessible than the user database
itself.

diff --git a/src/shared/user-record.c b/src/shared/user-record.c
index d5e572dc094db415a26d652a17844ec6f4ac9c1f..c65bab4ff4684d46455cce45087ec77a1a7a7b09 100644 (file)
--- a/src/shared/user-record.c
+++ b/src/shared/user-record.c
@@ -1491,10 +1491,17 @@ int user_group_record_mangle(
         if (USER_RECORD_STRIP_MASK(load_flags) == _USER_RECORD_MASK_MAX) /* strip everything? */
                 return json_log(v, json_flags, SYNTHETIC_ERRNO(EINVAL), "Stripping everything from record, refusing.");
 
-        /* Extra safety: mark the "secret" part (that contains literal passwords and such) as sensitive, so
-         * that it is not included in debug output and erased from memory when we are done. We do this for
-         * any record that passes through here. */
-        sd_json_variant_sensitive(sd_json_variant_by_key(v, "secret"));
+        /* Extra safety: mark sensitive parts of the JSON as such, so that they are not included in debug
+         * output and erased from memory when we are done. We do this for any record that passes through here. */
+        FOREACH_STRING(key,
+                       /* This section contains literal passwords and such in plain text */
+                       "secret",
+
+                       /* Personally Identifiable Information (PII) — avoid leaking in logs */
+                       "realName",
+                       "location",
+                       "emailAddress")
+                sd_json_variant_sensitive(sd_json_variant_by_key(v, key));
 
         /* Check if we have the special sections and if they match our flags set */
         FOREACH_ELEMENT(i, mask_field) {