From: Gerd von Egidy Date: Mon, 25 May 2015 17:40:55 +0000 (+0200) Subject: don't log passwords by default, but make password logging optional X-Git-Tag: v1.1~1 X-Git-Url: http://developer.intra2net.com/git/?p=bpdyndnsd;a=commitdiff_plain;h=04d261b9378388afd4ecfd57aa92a9f8b38a2ffb don't log passwords by default, but make password logging optional --- diff --git a/src/config.cpp b/src/config.cpp index 863a978..b326a11 100644 --- a/src/config.cpp +++ b/src/config.cpp @@ -47,6 +47,7 @@ Config::Config() , DaemonMode(false) , Syslog(false) , EnableIPv6(false) + , LogPasswords(false) , Loglevel(0) , ConfigPath("/etc/bpdyndnsd") , WebcheckInterval(0) @@ -74,6 +75,7 @@ Config::Config(Logger::Ptr _log, Serviceholder::Ptr _serviceholder) , DaemonMode(false) , Syslog(false) , EnableIPv6(false) + , LogPasswords(false) , Loglevel(0) , ConfigPath("/etc/bpdyndnsd") , WebcheckInterval(0) @@ -132,6 +134,7 @@ void Config::define_config_options() ("daemon_mode",po::value()->default_value(false),"Run as system daemon.") ("loglevel",po::value()->default_value(0),"Loglevel.") ("syslog",po::value()->default_value(false),"Use syslog facility.") + ("log_passwords",po::value()->default_value(false),"Log passwords in cleartext.") ("enable_ipv6",po::value()->default_value(false),"Try to use IPv6.") ("webcheck_enabled",po::value()->default_value(false),"Use webcheck url to determine actual IP address.") ("webcheck_url",po::value()->default_value(""),"Use this URL to determine IP.") @@ -259,6 +262,9 @@ int Config::parse_cmd_line(int argc, char *argv[]) if ( VariablesMap.count("syslog") ) Syslog = VariablesMap["syslog"].as(); + if ( VariablesMap.count("log_passwords") ) + LogPasswords = VariablesMap["log_passwords"].as(); + if ( VariablesMap.count("enable_ipv6") ) EnableIPv6 = VariablesMap["enable_ipv6"].as(); 
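Review bot: The help text added for `log_passwords` in `Config::define_config_options()` says only "Log passwords in cleartext." and gives the operator no hint of where the credentials end up. The neighbouring `syslog` option shows that messages can be sent to the system log, which is typically retained, rotated and sometimes forwarded to other hosts. I would make the description say so, for example `"Log passwords in cleartext (debugging only; they are written to the configured log targets)."`. The same switch is also read in `Config::parse_cmd_line()`, so the wording matters for the command-line help as well. Both function bodies continue outside their hunks.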
@@ -547,6 +553,9 @@ int Config::load_main_config_file(const string& full_filename) if ( VariablesMap.count("syslog") ) Syslog = VariablesMap["syslog"].as(); + if ( VariablesMap.count("log_passwords") ) + LogPasswords = VariablesMap["log_passwords"].as(); + if ( VariablesMap.count("enable_ipv6") ) EnableIPv6 = VariablesMap["enable_ipv6"].as(); @@ -738,6 +747,16 @@ bool Config::get_syslog() const /** + * Getter for member LogPasswords. + * @return True if we want to log passwords in cleartext. + */ +bool Config::get_log_passwords() const +{ + return LogPasswords; +} + + +/** * Getter for member EnableIPv6 * @return Wether IPv6 should be used or not. */ diff --git a/src/config.hpp b/src/config.hpp index b93c5dc..4f908e5 100644 --- a/src/config.hpp +++ b/src/config.hpp @@ -37,6 +37,7 @@ private: bool DaemonMode; bool Syslog; bool EnableIPv6; + bool LogPasswords; int Loglevel; std::string ConfigPath; std::string WebcheckIpUrl; @@ -85,6 +86,8 @@ public: bool get_syslog() const; + bool get_log_passwords() const; + bool get_enable_ipv6() const; std::string get_proxy() const; diff --git a/src/logger.cpp b/src/logger.cpp index 7e3beb8..4775f98 100644 --- a/src/logger.cpp +++ b/src/logger.cpp @@ -31,6 +31,7 @@ Logger::Logger() , Syslog(false) , ExternalWarningLevel(0) , ExternalLogOnlyOnce(false) + , LogPasswords(false) { set_log_facility(Loglevel,Syslog,ExternalWarningLog,ExternalWarningLevel,ExternalLogOnlyOnce); } @@ -44,6 +45,8 @@ Logger::~Logger() } + + /** * Decides if a external log message can be send. * @param msg The message to log. @@ -155,6 +158,16 @@ void Logger::set_external_log_only_once( const bool _external_log_only_once ) /** + * Setter for member LogPasswords. + * @param _log_passwords If we want to log passwords or not. + */ +void Logger::set_log_passwords( const bool _log_passwords ) +{ + LogPasswords = _log_passwords; +} + + +/** * Setter for member Loglevel. * @param _loglevel Value to set Loglevel to. */ 
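Review bot: In src/logger.cpp only the default constructor `Logger::Logger()` is shown gaining `, LogPasswords(false)`, whereas in src/config.cpp both `Config` constructors were updated. If `Logger` has any other constructor outside this hunk, `LogPasswords` would be left uninitialised there and the checks in `print_service_object()` and `print_service_not_authorized()` would read an indeterminate value, so the masking could silently be off. Please confirm every `Logger` constructor initialises the member to `false`. A short comment on the member in logger.hpp, such as `// false = passwords are masked in log output`, would also record the intended safe default.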
@@ -827,7 +840,12 @@ void Logger::print_service_object(const string& message, const string& protocol, msg << "\t" << "Protocol: " << protocol << endl; msg << "\t" << "Hostname: " << hostname << endl; msg << "\t" << "Login: " << login << endl; - msg << "\t" << "Password: " << password << endl; + + if (LogPasswords) + msg << "\t" << "Password: " << password << endl; + else + msg << "\t" << "Password: (*hidden*)" << endl; + msg << "\t" << "Update Interval: " << update_interval << endl; msg << "\t" << "Max Updates: " << max_updates_within_interval << endl; msg << "\t" << "Max equal Updates:" << max_equal_updates_in_succession << endl; @@ -1440,7 +1458,13 @@ void Logger::print_service_not_authorized(const string& service, const string& u if ( level <= Loglevel ) { ostringstream msg; - msg << "Not authorized to perform update operation on service: " << service << " Please check username and password: " << username << ":" << password << endl; + msg << "Not authorized to perform update operation on service: " << service << " Please check username and password: " << username << ":"; + + if (LogPasswords) + msg << password << endl; + else + msg << "(*hidden*)" << endl; + log_notice(msg.str()); } } diff --git a/src/logger.hpp b/src/logger.hpp index cc3c1f0..18be8f3 100644 --- a/src/logger.hpp +++ b/src/logger.hpp @@ -29,6 +29,7 @@ private: int ExternalWarningLevel; std::set ExternalSendMessages; bool ExternalLogOnlyOnce; + bool LogPasswords; public: @@ -40,6 +41,8 @@ public: void set_external_log_only_once( const bool _external_log_only_once ); + void set_log_passwords( const bool _log_passwords ); + void clear_external_send_messages(); std::string escape_shellarg(const std::string &input); diff --git a/src/updater.cpp b/src/updater.cpp index 28a58fe..7c3b021 100644 --- a/src/updater.cpp +++ b/src/updater.cpp 
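Review bot: The masking in `Logger::print_service_object()` and `Logger::print_service_not_authorized()` is written out twice, each with its own `if (LogPasswords)` and its own `"(*hidden*)"` literal, so the next log function that takes a password has to remember to repeat the pattern. A small private helper would keep the decision in one place, for example `string Logger::shown_password(const string& password) const { return LogPasswords ? password : string("(*hidden*)"); }`, with both sites reduced to `msg << shown_password(password) << endl;`. Only these two functions are visible here, so it is worth checking the rest of logger.cpp for other messages that print a password or a full update URL containing credentials, since they would still log them regardless of the new flag. Both function bodies start and end outside their hunks.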
@@ -215,6 +215,8 @@ void Updater::init_log_facility() const { Log->set_log_facility(Conf->get_loglevel(),Conf->get_syslog(),Conf->get_external_warning_log(),Conf->get_external_warning_level(),Conf->get_external_log_only_once()); Log->print_init_log_facility(); + + Log->set_log_passwords(Conf->get_log_passwords()); }
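Review bot: In `Updater::init_log_facility()` the flag is applied with `Log->set_log_passwords(...)` only after `Log->print_init_log_facility()` has run, so the start-up log line presumably cannot report that cleartext password logging is switched on. Since enabling it puts credentials into the logs, I would set the flag before the print call and emit one notice when it is true, so that the state is visible to anyone auditing the log. Messages written before this function runs use the constructor default of `false`, which is the safe direction and worth stating in a comment such as `// passwords stay masked until the config explicitly enables logging them`.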