Disable log_passwords by default in sudoers and sudo_logsrvd.conf.

Found by the ZeroPath AI Security Engineer <https://zeropath.com>

Author: millert

docs/sudo_logsrvd.conf.man.in

@@ -629,7 +629,7 @@ when the
 option is set), only the
 first character of the password will be replaced in the I/O log.
 The default value is
-\fItrue\fR.
+\fIfalse\fR.
 .TP 6n
 maxseq = number
 The maximum sequence number that will be substituted for the
@@ -1049,9 +1049,10 @@ Sudo log server configuration file
 # specified by iolog_mode.
 #iolog_mode = 0600
 
-# If disabled, sudo_logsrvd will attempt to avoid logging plaintext
+# By default, sudo_logsrvd will attempt to avoid logging plaintext
 # password in the terminal input using passprompt_regex.
-#log_passwords = true
+# If log_passwords is enabled, these checks are not performed.
+#log_passwords = false
 
 # The maximum sequence number that will be substituted for the "%{seq}"
 # escape in the I/O log file.  While the value substituted for "%{seq}"

docs/sudo_logsrvd.conf.mdoc.in

@@ -561,7 +561,7 @@ when the
 option is set), only the
 first character of the password will be replaced in the I/O log.
 The default value is
-.Em true .
+.Em false .
 .It maxseq = number
 The maximum sequence number that will be substituted for the
 .Dq %{seq}
@@ -968,9 +968,10 @@ Sudo log server configuration file
 # specified by iolog_mode.
 #iolog_mode = 0600
 
-# If disabled, sudo_logsrvd will attempt to avoid logging plaintext
+# By default, sudo_logsrvd will attempt to avoid logging plaintext
 # password in the terminal input using passprompt_regex.
-#log_passwords = true
+# If log_passwords is enabled, these checks are not performed.
+#log_passwords = false
 
 # The maximum sequence number that will be substituted for the "%{seq}"
 # escape in the I/O log file.  While the value substituted for "%{seq}"

docs/sudo_logsrvd.man.in

@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "SUDO_LOGSRVD" "@mansectsu@" "October 17, 2025" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.TH "SUDO_LOGSRVD" "@mansectsu@" "October 25, 2025" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"

docs/sudo_logsrvd.mdoc.in

@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd October 17, 2025
+.Dd October 25, 2025
 .Dt SUDO_LOGSRVD @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME

docs/sudoers.man.in

@@ -26,7 +26,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.TH "SUDOERS" "@mansectform@" "September 26, 2025" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "@mansectform@" "October 25, 2025" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -3025,7 +3025,7 @@ or
 \fIlog_ttyin\fR
 are also set.
 This flag is
-\fIon\fR
+\fIoff\fR
 by default.
 .sp
 This setting is only supported by version 1.9.10 or higher.
@@ -6865,9 +6865,11 @@ In most cases, logging the command output via
 or
 \fRLOG_OUTPUT\fR
 is all that is required.
-When logging input, consider disabling the
+When logging input, avoid enabling the
 \fIlog_passwords\fR
-flag.
+flag unless absolutely necessary and extend the
+\fIpassprompt_regex\fR
+setting with additional password prompt patterns used on your system.
 .PP
 Since each session's I/O logs are stored in a separate directory,
 traditional log rotation utilities cannot be used to limit the

docs/sudoers.mdoc.in

@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.Dd September 26, 2025
+.Dd October 25, 2025
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -2860,7 +2860,7 @@ or
 .Em log_ttyin
 are also set.
 This flag is
-.Em on
+.Em off
 by default.
 .Pp
 This setting is only supported by version 1.9.10 or higher.
@@ -6369,9 +6369,11 @@ In most cases, logging the command output via
 or
 .Dv LOG_OUTPUT
 is all that is required.
-When logging input, consider disabling the
+When logging input, avoid enabling the
 .Em log_passwords
-flag.
+flag unless absolutely necessary and extend the
+.Em passprompt_regex
+setting with additional password prompt patterns used on your system.
 .Pp
 Since each session's I/O logs are stored in a separate directory,
 traditional log rotation utilities cannot be used to limit the

examples/sudo_logsrvd.conf.in

@@ -177,9 +177,10 @@
 # specified by iolog_mode.
 #iolog_mode = 0600
 
-# If disabled, sudo_logsrvd will attempt to avoid logging plaintext
+# By default, sudo_logsrvd will attempt to avoid logging plaintext
 # password in the terminal input using passprompt_regex.
-#log_passwords = true
+# If log_passwords is enabled, these checks are not performed.
+#log_passwords = false
 
 # The maximum sequence number that will be substituted for the "%{seq}"
 # escape in the I/O log file.  While the value substituted for "%{seq}"

logsrvd/logsrvd_conf.c

@@ -1686,7 +1686,7 @@ logsrvd_conf_alloc(void)
     config->iolog.uid = ROOT_UID;
     config->iolog.gid = ROOT_GID;
     config->iolog.gid_set = false;
-    config->iolog.log_passwords = true;
+    config->iolog.log_passwords = false;
 
     /* Event log defaults */
     config->eventlog.log_type = EVLOG_SYSLOG;

plugins/sudoers/defaults.c

@@ -609,7 +609,7 @@ init_defaults(void)
     def_ignore_audit_errors = true;
     def_ignore_iolog_errors = false;
     def_ignore_logfile_errors = true;
-    def_log_passwords = true;
+    def_log_passwords = false;
 #ifdef SUDOERS_LOG_CLIENT
     def_log_server_timeout = 30;
     def_log_server_verify = true;

plugins/sudoers/iolog.c

@@ -64,7 +64,7 @@ static struct sudoers_io_operations {
 
 static struct log_details iolog_details;
 static bool warned = false;
-static bool log_passwords = true;
+static bool log_passwords = false;
 static int iolog_dir_fd = -1;
 static struct timespec last_time;
 static void *passprompt_regex_handle;