Do not log LDAP bindpw or tls_keypw to debug log.

millert · millert · commit d83714aac082 · 2025-11-09T09:24:23.000-07:00
Found by the ZeroPath AI Security Engineer <https://zeropath.com>
diff --git a/plugins/sudoers/ldap_conf.c b/plugins/sudoers/ldap_conf.c
@@ -338,7 +338,7 @@ sudo_ldap_decode_secret(const char *secret)
 	    }
 	}
     }
-    debug_return_str((char *)result);
+    debug_return_str_masked((char *)result);
 }
 
 static void
@@ -637,7 +637,7 @@ sudo_ldap_read_config(const struct sudoers_context *ctx)
     DPRINTF1("binddn           %s",
 	ldap_conf.binddn ? ldap_conf.binddn : "(anonymous)");
     DPRINTF1("bindpw           %s",
-	ldap_conf.bindpw ? ldap_conf.bindpw : "(anonymous)");
+	ldap_conf.bindpw ? "********" : "(anonymous)");
     if (ldap_conf.bind_timelimit > 0) {
 	DPRINTF1("bind_timelimit   %d", ldap_conf.bind_timelimit);
     }

Original file line number	Diff line number	Diff line change
`@@ -338,7 +338,7 @@ sudo_ldap_decode_secret(const char *secret)`
`338`	`338`	`}`
`339`	`339`	`}`
`340`	`340`	`}`
`341`		`- debug_return_str((char *)result);`
	`341`	`+ debug_return_str_masked((char *)result);`
`342`	`342`	`}`
`343`	`343`
`344`	`344`	`static void`
`@@ -637,7 +637,7 @@ sudo_ldap_read_config(const struct sudoers_context *ctx)`
`637`	`637`	`DPRINTF1("binddn %s",`
`638`	`638`	`ldap_conf.binddn ? ldap_conf.binddn : "(anonymous)");`
`639`	`639`	`DPRINTF1("bindpw %s",`
`640`		`- ldap_conf.bindpw ? ldap_conf.bindpw : "(anonymous)");`
	`640`	`+ ldap_conf.bindpw ? "********" : "(anonymous)");`
`641`	`641`	`if (ldap_conf.bind_timelimit > 0) {`
`642`	`642`	`DPRINTF1("bind_timelimit %d", ldap_conf.bind_timelimit);`
`643`	`643`	`}`