journald: set a lower size limit for FDs from unpriv processes #40571

Merged: poettering merged 1 commit into systemd:main from bluca:journal_user_blob_size on Feb 9, 2026

bluca (Member) commented Feb 5, 2026

Unprivileged processes can send 768M in a FD-based message to journald, which will be malloc'ed in one go, likely causing memory issues. Set the limit for unprivileged users to 24M.

Allow coredumps as an exception, since we always allowed storing up to the 768M max core files in the journal.

Reported on yeswehack.com as #YWH-PGM9780-48
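
The size policy described above, as an added example that is not part of the PR or systemd's code: it picks the cap from sender metadata and checks the FD's size before anything is allocated. The struct, function and macro names, the UID 0 test for "privileged", and the handling of unknown senders are assumptions; only the 768M and 24M limits and the `systemd-coredump@` prefix come from this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* The two limits quoted in the PR description; macro names are hypothetical. */
#define FD_LIMIT_FULL   (UINT64_C(768) * 1024 * 1024)
#define FD_LIMIT_UNPRIV (UINT64_C(24) * 1024 * 1024)

/* Hypothetical view of what the daemon itself resolved about the sender. */
struct sender {
        bool have_creds;   /* false when peer credentials could not be read */
        uid_t uid;
        const char *unit;  /* unit resolved by the daemon, NULL if unknown */
};

/* Constructed sample senders. */
static const struct sender sample_root = { true, 0, "cron.service" };
static const struct sender sample_user = { true, 1000, "user@1000.service" };
static const struct sender sample_core = { true, 1000, "systemd-coredump@3-4242-0.service" };
static const struct sender sample_anon = { false, 0, NULL };

static uint64_t fd_size_limit(const struct sender *s) {
        static const char exempt[] = "systemd-coredump@";
        if (!s || !s->have_creds)   /* assumption: unknown sender gets the low cap */
                return FD_LIMIT_UNPRIV;
        if (s->uid == 0)            /* assumption: "privileged" means UID 0 */
                return FD_LIMIT_FULL;
        if (s->unit && strncmp(s->unit, exempt, sizeof(exempt) - 1) == 0)
                return FD_LIMIT_FULL;   /* coredump exception from the PR */
        return FD_LIMIT_UNPRIV;
}

/* Call with the fstat() size of the passed FD, before any buffer is allocated. */
static bool fd_payload_acceptable(const struct sender *s, uint64_t size) {
        return size <= fd_size_limit(s);
}

int main(void) {
        uint64_t probe = UINT64_C(100) * 1024 * 1024;   /* 100M payload */
        printf("root=%d user=%d coredump=%d unknown=%d\n",
               fd_payload_acceptable(&sample_root, probe),
               fd_payload_acceptable(&sample_user, probe),
               fd_payload_acceptable(&sample_core, probe),
               fd_payload_acceptable(&sample_anon, probe));
        return 0;
}
```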

@github-actions github-actions Bot added journal util-lib import please-review PR is ready for (re-)review by a maintainer labels Feb 5, 2026
Comment thread src/journal/journald-native.c Outdated
Comment thread src/shared/journal-importer.h Outdated
poettering (Member) commented

would love it if this was configurable via env var. because if coredumps are submitted these will come in via unpriv connections, and thus this hardcoded logic would basically make it impossible to save coredumps in journal files, which we however officially support. hence, please make this configurable via env var, so that we at least can tell people that if they really want this, there is a way out without patching

@poettering poettering added reviewed/needs-rework 🔨 PR has been reviewed and needs another round of reworks and removed please-review PR is ready for (re-)review by a maintainer labels Feb 5, 2026
bluca (Member, Author) commented Feb 5, 2026

Doesn't coredump run as root?

@bluca bluca force-pushed the journal_user_blob_size branch from 838a71e to 96c1beb Compare February 5, 2026 14:42
bluca (Member, Author) commented Feb 5, 2026

Ah yes it's sent as the user of the crashed process - I have changed it to check the context, and allow it if the sender is [email protected]. The core files limit can be set anyway with privileges, and the storage too, so it should be ok I think, and it avoids breaking compat.

@bluca bluca changed the title journald: set a lower size limit for messages from unpriv processes journald: set a lower size limit for FDs from unpriv processes Feb 5, 2026
@github-actions github-actions Bot added please-review PR is ready for (re-)review by a maintainer and removed reviewed/needs-rework 🔨 PR has been reviewed and needs another round of reworks labels Feb 5, 2026
log_ratelimit_warning_errno(r, JOURNAL_LOG_RATELIMIT,
"Failed to retrieve credentials for PID " PID_FMT ", ignoring: %m",
ucred->pid);
else if (context->unit && startswith(context->unit, "systemd-coredump@"))
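
Review bot: the `else if` exemption matches on the bare prefix "systemd-coredump@" of `context->unit` with no comment saying why this class of unit keeps the larger limit. Suggest a short comment above the branch explaining that coredumps are submitted under the crashed process's credentials and therefore have to bypass the unprivileged cap, and noting where `context->unit` comes from, since the exemption is only as trustworthy as that field. Putting the prefix in a named constant would also make it easier to find when the coredump unit naming changes.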

Member

This needs to be updated after #39287 is merged.

bluca (Member, Author) commented Feb 6, 2026

Ah yes it's sent as the user of the crashed process - I have changed it to check the context, and allow it if the sender is [email protected]. The core files limit can be set anyway with privileges, and the storage too, so it should be ok I think, and it avoids breaking compat.

I can still add an env var of course if you want it, if there's some other use case to enable

poettering (Member) commented

i still think there should be an env var for this knob

Comment thread src/journal/journald-native.c Outdated
Comment thread src/journal/journald-native.c Outdated
Comment thread src/journal/journald-native.c Outdated
@poettering poettering added reviewed/needs-rework 🔨 PR has been reviewed and needs another round of reworks and removed please-review PR is ready for (re-)review by a maintainer labels Feb 8, 2026
@bluca bluca force-pushed the journal_user_blob_size branch from 96c1beb to 170791c Compare February 9, 2026 00:27
@github-actions github-actions Bot added documentation please-review PR is ready for (re-)review by a maintainer and removed reviewed/needs-rework 🔨 PR has been reviewed and needs another round of reworks labels Feb 9, 2026
Comment thread src/journal/journald-native.c Outdated
Comment thread src/journal/journald-native.c Outdated
@poettering poettering added good-to-merge/with-minor-suggestions and removed please-review PR is ready for (re-)review by a maintainer labels Feb 9, 2026
Unprivileged processes can send 768M in a FD-based message to journald,
which will be malloc'ed in one go, likely causing memory issues.
Set the limit for unprivileged users to 24M.

Allow coredumps as an exception, since we always allowed storing
up to the 768M max core files in the journal.

Reported on yeswehack.com as #YWH-PGM9780-48
@bluca bluca force-pushed the journal_user_blob_size branch from 170791c to 8ac2c4d Compare February 9, 2026 10:58
@poettering poettering added good-to-merge/waiting-for-ci 👍 PR is good to merge, but CI hasn't passed at time of review. Please merge if you see CI has passed and removed good-to-merge/with-minor-suggestions labels Feb 9, 2026
@poettering poettering merged commit e67b008 into systemd:main Feb 9, 2026
50 of 56 checks passed
@github-actions github-actions Bot removed the good-to-merge/waiting-for-ci 👍 PR is good to merge, but CI hasn't passed at time of review. Please merge if you see CI has passed label Feb 9, 2026
@bluca bluca deleted the journal_user_blob_size branch February 9, 2026 12:57