From e3d0fa5ac4397263a039f85cb39c3b72715ba798 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Mon, 23 Jun 2025 14:40:25 +0200
Subject: [PATCH] userdb: when loading a user record from JSON, mark 'secret' section in JSON variant as sensitive as side effect

When we load a user record we retain a reference to the original JSON. Thus the loaded objects might live at least as long as our user record object, hence we better make sure we set the 'sensitive' flag for the 'secret' section if it's not marked like that yet. This is paranoia only: we already should be setting this flag properly earlier, when acquiring the json variant in the first place. But it's better to be safe than sorry.
---
 src/shared/user-record.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/shared/user-record.c b/src/shared/user-record.c
index 20f5d922464..09e96f0c9a5 100644
--- a/src/shared/user-record.c
+++ b/src/shared/user-record.c
@@ -1531,6 +1531,11 @@ int user_group_record_mangle(
 if (USER_RECORD_STRIP_MASK(load_flags) == _USER_RECORD_MASK_MAX) /* strip everything? */
 return json_log(v, json_flags, SYNTHETIC_ERRNO(EINVAL), "Stripping everything from record, refusing.");
 
+ /* Extra safety: mark the "secret" part (that contains literal passwords and such) as sensitive, so
+ * that it is not included in debug output and erased from memory when we are done. We do this for
+ * any record that passes through here. */
+ sd_json_variant_sensitive(sd_json_variant_by_key(v, "secret"));
+
 /* Check if we have the special sections and if they match our flags set */
 FOREACH_ELEMENT(i, mask_field) {
 sd_json_variant *e, *k;
-- 
2.47.3
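Review bot: The new `sd_json_variant_sensitive()` call sits after the `"Stripping everything from record, refusing."` early return, so a record rejected there (or by any earlier check in `user_group_record_mangle()`, whose body starts above this hunk) leaves without its "secret" section marked, although the comment says the marking applies to "any record that passes through here". The caller still holds that JSON on the error path, so literal passwords in it would presumably not get the erase-on-free treatment the comment promises. Consider moving `sd_json_variant_sensitive(sd_json_variant_by_key(v, "secret"));` ahead of the first validation return, or narrowing the comment to `We do this for any record that gets past the flag checks above.` The call also appears to rely on both helpers tolerating a record with no "secret" key (a NULL lookup result), which is not visible from this hunk; a few words in the comment saying so would help the next reader.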