Add a new sudoers settings log_passwords and passprompt_regex.

When logging terminal input, if log_passwords is disabled and any of the regular expressions in the passprompt_regex list are found in the terminal output, terminal input will be replaced with '*' characters until a newline or carriage return is found in the input or an output character is received.
2025-08-31 22:35:10 +00:00 · 2022-01-28 08:52:41 -07:00
parent 946404434e
commit 0efe280037
11 changed files with 255 additions and 16 deletions
--- a/plugins/sudoers/def_data.c
+++ b/plugins/sudoers/def_data.c
@@ -645,6 +645,14 @@ struct sudo_defs_types sudo_defs_table[] = {
 	"rlimit_stack", T_RLIMIT|T_BOOL,
 	N_("The maximum size to which the process's stack may grow (in bytes): %s"),
 	NULL,
+    }, {
+	"log_passwords", T_FLAG,
+	N_("Store plaintext passwords in I/O log input"),
+	NULL,
+    }, {
+	"passprompt_regex", T_LIST|T_BOOL,
+	N_("List of regular expressions to use when matching a password prompt"),
+	NULL,
    }, {
 	NULL, 0, NULL
    }