From: Dylan M. Taylor Date: Fri, 6 Mar 2026 15:05:32 +0000 (-0500) Subject: userdb: mark PII fields as sensitive in user records X-Git-Tag: v260-rc3~23 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=c72860d5f6b2c1a1f0c718d1fbb09247a7cfa41f;p=thirdparty%2Fsystemd.git userdb: mark PII fields as sensitive in user records Mark realName, emailAddress, and location as sensitive in JSON user records so that they are excluded from debug log output. These fields contain personally identifiable information that should not be leaked in logs, which are generally more accessible than the user database itself. --- diff --git a/src/shared/user-record.c b/src/shared/user-record.c index d5e572dc094..c65bab4ff46 100644 --- a/src/shared/user-record.c +++ b/src/shared/user-record.c @@ -1491,10 +1491,17 @@ int user_group_record_mangle( if (USER_RECORD_STRIP_MASK(load_flags) == _USER_RECORD_MASK_MAX) /* strip everything? */ return json_log(v, json_flags, SYNTHETIC_ERRNO(EINVAL), "Stripping everything from record, refusing."); - /* Extra safety: mark the "secret" part (that contains literal passwords and such) as sensitive, so - * that it is not included in debug output and erased from memory when we are done. We do this for - * any record that passes through here. */ - sd_json_variant_sensitive(sd_json_variant_by_key(v, "secret")); + /* Extra safety: mark sensitive parts of the JSON as such, so that they are not included in debug + * output and erased from memory when we are done. We do this for any record that passes through here. */ + FOREACH_STRING(key, + /* This section contains literal passwords and such in plain text */ + "secret", + + /* Personally Identifiable Information (PII) — avoid leaking in logs */ + "realName", + "location", + "emailAddress") + sd_json_variant_sensitive(sd_json_variant_by_key(v, key)); /* Check if we have the special sections and if they match our flags set */ FOREACH_ELEMENT(i, mask_field) {
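Review bot: The new FOREACH_STRING loop looks the keys up with sd_json_variant_by_key(v, key), so only top-level "realName", "location" and "emailAddress" fields of the record are marked sensitive. If any of these fields can also appear inside the special sections that the mask_field loop checks right after, those copies would still reach debug output. Either mark them there as well or state in the comment that only the top level is covered. Two smaller points. This is user_group_record_mangle(), so these keys will be absent for some records that pass through. The loop then depends on sd_json_variant_sensitive() tolerating a missing key, as the old single "secret" call already did, and a word in the comment would make that explicit. The commit message mentions only exclusion from debug logs, while the updated comment also promises erasure from memory, so the message should say that the PII fields now get the same erase-on-free treatment as "secret".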