Add new log_passwords and passprompt_regex settings.

When logging terminal input, if log_passwords is false and any
of the regular expressions in the passprompt_regex list are found
in the terminal output, terminal input will be replaced with '*'
characters until a newline or carriage return is found in the input
or an output character is received.

3 files changed, 93 insertions, 17 deletions

diff --git a/logsrvd/logsrvd.h b/logsrvd/logsrvd.h
index ef8191b65..2565e999a 100644
--- a/logsrvd/logsrvd.h
+++ b/logsrvd/logsrvd.h
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -208,6 +208,8 @@ struct connection_closure *connection_closure_alloc(int fd, bool tls, bool relay
 bool logsrvd_conf_read(const char *path);
 const char *logsrvd_conf_iolog_dir(void);
 const char *logsrvd_conf_iolog_file(void);
+bool logsrvd_conf_iolog_log_passwords(void);
+void *logsrvd_conf_iolog_passprompt_regex(void);
 struct server_address_list *logsrvd_conf_server_listen_address(void);
 struct server_address_list *logsrvd_conf_relay_address(void);
 const char *logsrvd_conf_relay_dir(void);
diff --git a/logsrvd/logsrvd_conf.c b/logsrvd/logsrvd_conf.c
index 836f1a7d8..993c4b4f6 100644
--- a/logsrvd/logsrvd_conf.c
+++ b/logsrvd/logsrvd_conf.c
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -148,12 +148,14 @@ static struct logsrvd_config {
 	bool compress;
 	bool flush;
 	bool gid_set;
+	bool log_passwords;
 	uid_t uid;
 	gid_t gid;
 	mode_t mode;
 	unsigned int maxseq;
 	char *iolog_dir;
 	char *iolog_file;
+	void *passprompt_regex;
     } iolog;
     struct logsrvd_config_eventlog {
 	int log_type;
@@ -215,6 +217,18 @@ logsrvd_conf_iolog_file(void)
     return logsrvd_config->iolog.iolog_file;
 }
 
+bool
+logsrvd_conf_iolog_log_passwords(void)
+{
+    return logsrvd_config->iolog.log_passwords;
+}
+
+void *
+logsrvd_conf_iolog_passprompt_regex(void)
+{
+    return logsrvd_config->iolog.passprompt_regex;
+}
+
 /* server getters */
 struct server_address_list *
 logsrvd_conf_server_listen_address(void)
@@ -368,6 +382,19 @@ cb_iolog_compress(struct logsrvd_config *config, const char *str, size_t offset)
 }
 
 static bool
+cb_iolog_log_passwords(struct logsrvd_config *config, const char *str, size_t offset)
+{
+    int val;
+    debug_decl(cb_iolog_log_passwords, SUDO_DEBUG_UTIL);
+
+    if ((val = sudo_strtobool(str)) == -1)
+	debug_return_bool(false);
+
+    config->iolog.log_passwords = val;
+    debug_return_bool(true);
+}
+
+static bool
 cb_iolog_flush(struct logsrvd_config *config, const char *str, size_t offset)
 {
     int val;
@@ -449,6 +476,20 @@ cb_iolog_maxseq(struct logsrvd_config *config, const char *str, size_t offset)
     debug_return_bool(true);
 }
 
+static bool
+cb_iolog_passprompt_regex(struct logsrvd_config *config, const char *str, size_t offset)
+{
+    debug_decl(cb_iolog_passprompt_regex, SUDO_DEBUG_UTIL);
+
+    if (config->iolog.passprompt_regex == NULL) {
+	/* Lazy alloc of the passprompt regex handle. */
+	config->iolog.passprompt_regex = iolog_pwfilt_alloc();
+	if (config->iolog.passprompt_regex == NULL)
+	    debug_return_bool(false);
+    }
+    debug_return_bool(iolog_pwfilt_add(config->iolog.passprompt_regex, str));
+}
+
 /* Server callbacks */
 static bool
 append_address(struct server_address_list *addresses, const char *str,
@@ -1069,7 +1110,9 @@ static struct logsrvd_config_entry iolog_conf_entries[] = {
     { "iolog_user", cb_iolog_user },
     { "iolog_group", cb_iolog_group },
     { "iolog_mode", cb_iolog_mode },
+    { "log_passwords", cb_iolog_log_passwords },
     { "maxseq", cb_iolog_maxseq },
+    { "passprompt_regex", cb_iolog_passprompt_regex },
     { NULL }
 };
 
@@ -1242,7 +1285,7 @@ logsrvd_stub_close_log(int type, FILE *fp)
     return;
 }
 
-/* Set eventlog configuration settings from on logsrvd config. */
+/* Set eventlog configuration settings from logsrvd config. */
 static void
 logsrvd_conf_eventlog_setconf(struct logsrvd_config *config)
 {
@@ -1262,6 +1305,22 @@ logsrvd_conf_eventlog_setconf(struct logsrvd_config *config)
     debug_return;
 }
 
+/* Set I/O log configuration settings from logsrvd config. */
+static void
+logsrvd_conf_iolog_setconf(struct logsrvd_config *config)
+{
+    debug_decl(logsrvd_conf_iolog_setconf, SUDO_DEBUG_UTIL);
+
+    iolog_set_defaults();
+    iolog_set_compress(config->iolog.compress);
+    iolog_set_flush(config->iolog.flush);
+    iolog_set_owner(config->iolog.uid, config->iolog.gid);
+    iolog_set_mode(config->iolog.mode);
+    iolog_set_maxseq(config->iolog.maxseq);
+
+    debug_return;
+}
+
 /*
  * Conversation function for use by sudo_warn/sudo_fatal.
  * Logs to stdout/stderr.
@@ -1483,6 +1542,7 @@ logsrvd_conf_free(struct logsrvd_config *config)
     /* struct logsrvd_config_iolog */
     free(config->iolog.iolog_dir);
     free(config->iolog.iolog_file);
+    iolog_pwfilt_free(config->iolog.passprompt_regex);
 
     /* struct logsrvd_config_logfile */
     free(config->logfile.path);
@@ -1573,6 +1633,7 @@ logsrvd_conf_alloc(void)
     config->iolog.uid = ROOT_UID;
     config->iolog.gid = ROOT_GID;
     config->iolog.gid_set = false;
+    config->iolog.log_passwords = true;
 
     /* Event log defaults */
     config->eventlog.log_type = EVLOG_SYSLOG;
@@ -1619,6 +1680,12 @@ logsrvd_conf_apply(struct logsrvd_config *config)
 #endif
     debug_decl(logsrvd_conf_apply, SUDO_DEBUG_UTIL);
 
+    /* There can be multiple passprompt regular expressions. */
+    if (config->iolog.passprompt_regex == NULL) {
+	if (!cb_iolog_passprompt_regex(config, PASSPROMPT_REGEX, 0))
+	    debug_return_bool(false);
+    }
+
     /* There can be multiple addresses so we can't set a default earlier. */
     if (TAILQ_EMPTY(&config->server.addresses.addrs)) {
 	/* Enable plaintext listender. */
@@ -1738,15 +1805,12 @@ logsrvd_conf_apply(struct logsrvd_config *config)
 	break;
     }
 
-    /* Set I/O log library settings */
-    iolog_set_defaults();
-    iolog_set_compress(config->iolog.compress);
-    iolog_set_flush(config->iolog.flush);
-    iolog_set_owner(config->iolog.uid, config->iolog.gid);
-    iolog_set_mode(config->iolog.mode);
-    iolog_set_maxseq(config->iolog.maxseq);
-
-    /* Set event log config */
+    /*
+     * Update event and I/O log library config and install the new
+     * logsrvd config.  We must not fail past this point or the event
+     * and I/O log config will be inconsistent with the logsrvd config.
+     */
+    logsrvd_conf_iolog_setconf(config);
     logsrvd_conf_eventlog_setconf(config);
 
     logsrvd_conf_free(logsrvd_config);
diff --git a/logsrvd/logsrvd_local.c b/logsrvd/logsrvd_local.c
index 819c60bb2..a4cbb9fdb 100644
--- a/logsrvd/logsrvd_local.c
+++ b/logsrvd/logsrvd_local.c
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -523,8 +523,9 @@ store_iobuf_local(int iofd, IoBuffer *iobuf, uint8_t *buf, size_t buflen,
     struct connection_closure *closure)
 {
     const struct eventlog *evlog = closure->evlog;
+    struct ProtobufCBinaryData data = iobuf->data;
+    char tbuf[1024], *newbuf = NULL;
     const char *errstr;
-    char tbuf[1024];
     int len;
     debug_decl(store_iobuf_local, SUDO_DEBUG_UTIL);
 
@@ -538,19 +539,27 @@ store_iobuf_local(int iofd, IoBuffer *iobuf, uint8_t *buf, size_t buflen,
     /* FIXME - assumes IOFD_* matches IO_EVENT_* */
     len = snprintf(tbuf, sizeof(tbuf), "%d %lld.%09d %zu\n",
 	iofd, (long long)iobuf->delay->tv_sec, (int)iobuf->delay->tv_nsec,
-	iobuf->data.len);
+	data.len);
     if (len < 0 || len >= ssizeof(tbuf)) {
 	sudo_warnx(U_("unable to format timing buffer, length %d"), len);
 	goto bad;
     }
 
+    if (!logsrvd_conf_iolog_log_passwords()) {
+	if (!iolog_pwfilt_run(logsrvd_conf_iolog_passprompt_regex(), iofd,
+		(char *)data.data, data.len, &newbuf))
+	    goto bad;
+	if (newbuf != NULL)
+	    data.data = (uint8_t *)newbuf;
+    }
+
     /* Write to specified I/O log file. */
-    if (!iolog_write(&closure->iolog_files[iofd], iobuf->data.data,
-	    iobuf->data.len, &errstr)) {
+    if (!iolog_write(&closure->iolog_files[iofd], data.data, data.len, &errstr)) {
 	sudo_warnx(U_("%s/%s: %s"), evlog->iolog_path, iolog_fd_to_name(iofd),
 	    errstr);
 	goto bad;
     }
+    free(newbuf);
 
     /* Write timing data. */
     if (!iolog_write(&closure->iolog_files[IOFD_TIMING], tbuf,
@@ -574,6 +583,7 @@ store_iobuf_local(int iofd, IoBuffer *iobuf, uint8_t *buf, size_t buflen,
 
     debug_return_bool(true);
 bad:
+    free(newbuf);
     if (closure->errstr == NULL)
 	closure->errstr = _("error writing IoBuffer");
     debug_return_bool(false);