<refsect1>
<title>Description</title>
- <para>Unit configuration files for services, sockets
+ <para>Unit configuration files for services, sockets,
mount points and swap devices share a subset of
configuration options which define the execution
environment of spawned processes.</para>
<para>This man page lists the configuration options
- shared by these three unit types. See
+ shared by these four unit types. See
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for the common options of all unit configuration
files, and
for details.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>ControlGroupModify=</varname></term>
+ <listitem><para>Takes a boolean
+ argument. If true, the control groups
+ created for this unit will be owned by
+ ther user specified with
+ <varname>User=</varname> (and the
+ configured group), and he can create
+ subgroups as well as add processes to
+ the group.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>CapabilityBoundingSet=</varname></term>
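Review bot: The new ControlGroupModify= entry has a typo in "ther user specified with" (should be "the user"), and it states neither the default value nor what happens when User= is not set. Since the option hands ownership of the unit's control groups to an unprivileged user, who "can create subgroups as well as add processes to the group", the text should spell out both cases so administrators know exactly what is delegated. "he can create" would also read better as "that user can create". The stray blank "+" line after the closing varlistentry is harmless, but the neighbouring entries are not separated this way.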
executed process. See
<citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for details. Takes a whitespace
- seperated list of capability names as
+ separated list of capability names as
read by
<citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
Capabilities listed will be included
removed. If the list of capabilities
is prefixed with ~ all but the listed
capabilities will be included, the
- effect of this assignment
+ effect of the assignment
inverted. Note that this option does
not actually set or unset any
capabilities in the effective,
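Review bot: The reworded clause "the effect of the assignment inverted" still has no verb, so the sentence reads as a fragment after "will be included,". Suggest "i.e. the effect of the assignment is inverted". The bare ~ in the preceding context line would also be easier to spot if it were marked up as a literal, since a missed prefix flips which capabilities stay in the bounding set.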
path for this unit is implied. This
option may be used to place executed
processes in arbitrary groups in
- arbitrary hierachies -- which can be
+ arbitrary hierarchies -- which can be
configured externally with additional execution limits. By default
systemd will place all executed
processes in separate per-unit control
usual file access controls would
permit this. Directories listed in
<varname>InaccessibleDirectories=</varname>
- will be made inaccesible for processes
+ will be made inaccessible for processes
inside the namespace. Note that
restricting access with these options
does not extend to submounts of a