Passwords in journalctl


merzly...@gmail.com

Mar 17, 2025, 11:58:15 AM
to Event-Driven Servers

Hi Marc,

I was surprised today. Two years after the software started being used, I discovered something today.

When looking through the logs with the command

journalctl -u tac_plus-ng

I found that passwords are published in plain text there.

Is there any way to prevent this? Our security team is quite upset about it.

Marc Huber

Mar 17, 2025, 1:10:09 PM
to event-driv...@googlegroups.com

Hi,

I don't see how this could happen. Please show sample logs. Passwords won't even show up in the debug log unless the DEBUG_USERINPUT_FLAG debug level is explicitly set.

Cheers,

Marc


merzly...@gmail.com

Mar 18, 2025, 12:40:05 AM
to Event-Driven Servers
Marc, thank you very much for reminding me.
I previously enabled DEBUG and completely forgot about it.
Section 7.2 mentions this.
USERINPUT Show user input (this may include passwords)

On Monday, March 17, 2025 at 22:10:09 UTC+5, Marc Huber wrote: