X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=5b0d2ce37b74de68d5d355912b904c9913a32833;hb=8f28cbcdfe55bdaaa3e8f9c68f39b1369dd0e5dd;hp=e9576e1e7268535a127ed2577329aa9e8794aeda;hpb=28dbc1e80b0db09313f11e44f218138aefd646c8;p=elogind.git
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index e9576e1e7..5b0d2ce37 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -284,7 +284,17 @@
"-", which indicates that if the file
does not exist it won't be read and no
error or warning message is
- logged.
+ logged. The files listed with this
+ directive will be read shortly before
+ the process is executed. Settings from
+ these files override settings made
+ with
+ Environment=. If
+ the same variable is set twice from
+ these files the files will be read in
+ the order they are specified and the
+ later setting will override the
+ earlier setting.
@@ -412,7 +422,7 @@
/dev/console.
- SyslogIdentifer=
+ SyslogIdentifier=
Sets the process name
to prefix log lines sent to syslog or
the kernel log buffer with. If not set
@@ -548,7 +558,10 @@
various resource limits for executed
processes. See
setrlimit2
- for details.
+ for details. Use the string
+ infinity to
+ configure no limit on a specific
+ resource.
@@ -587,16 +600,34 @@
- Capabilities=
- Controls the
+ CapabilityBoundingSet=
+
+ Controls which
+ capabilities to include in the
+ capability bounding set for the
+ executed process. See
capabilities7
- set for the executed process. Take a
- capability string as described in
- cap_from_text3.
- Note that this capability set is
- usually influenced by the capabilities
- attached to the executed
- file.
+ for details. Takes a whitespace
+ seperated list of capability names as
+ read by
+ cap_from_name3.
+ Capabilities listed will be included
+ in the bounding set, all others are
+ removed. If the list of capabilities
+ is prefixed with ~ all but the listed
+ capabilities will be included, the
+ effect of this assignment
+ inverted. Note that this option does
+ not actually set or unset any
+ capabilities in the effective,
+ permitted or inherited capability
+ sets. That's what
+ Capabilities= is
+ for. If this option is not used the
+ capability bounding set is not
+ modified on process execution, hence
+ no limits on the capabilities of the
+ process are enforced.
@@ -615,16 +646,21 @@
- CapabilityBoundingSetDrop=
-
+ Capabilities=
Controls the
- capability bounding set drop set for
- the executed process. See
capabilities7
- for details. Takes a list of
- capability names as read by
- cap_from_name3.
-
+ set for the executed process. Take a
+ capability string describing the
+ effective, permitted and inherited
+ capability sets as documented in
+ cap_from_text3.
+ Note that these capability sets are
+ usually influenced by the capabilities
+ attached to the executed file. Due to
+ that
+ CapabilityBoundingSet=
+ is probably the much more useful
+ setting.