Fix #5584 - raise awareness of safer logging - warn about potentially unsafe config options

changes/bug5584

@@ -0,0 +1,4 @@
+  o Minor features:
+    - Raise awareness of safer logging - notice user of potentially
+      unsafe configuration options: logging above "notice" or
+      clearning SafeLogging flag. Fixes #5584.

src/or/config.c

@@ -1005,6 +1005,7 @@ options_act_reversible(const or_options_t *old_options, char **msg)
   int set_conn_limit = 0;
   int r = -1;
   int logs_marked = 0;
+  int old_min_log_level = get_min_log_level();
 
   /* Daemonize _first_, since we only want to open most of this stuff in
    * the subprocess.  Libevent bases can't be reliably inherited across
@@ -1153,6 +1154,13 @@ options_act_reversible(const or_options_t *old_options, char **msg)
     control_adjust_event_log_severity();
     tor_free(severity);
   }
+  if (get_min_log_level() >= LOG_INFO &&
+      get_min_log_level() != old_min_log_level) {
+    log_warn(LD_GENERAL, "Your log may contain sensitive information - you're "
+             "logging above \"notice\". Please log safely. Don't log unless "
+             "it serves an important reason. Overwrite the log afterwards.");
+  }
+
   SMARTLIST_FOREACH(replaced_listeners, connection_t *, conn,
   {
     log_notice(LD_NET, "Closing old %s on %s:%d",
@@ -1335,6 +1343,13 @@ options_act(const or_options_t *old_options)
   }
 #endif
 
+  if (options->SafeLogging_ != SAFELOG_SCRUB_ALL &&
+      (!old_options || old_options->SafeLogging_ != options->SafeLogging_)) {
+    log_warn(LD_GENERAL, "Your log may contain sensitive information - you "
+             "disabled SafeLogging. Please log safely. Don't log unless it "
+             "serves an important reason. Overwrite the log afterwards.");
+  }
+
   if (options->Bridges) {
     mark_bridge_list();
     for (cl = options->Bridges; cl; cl = cl->next) {