X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=5b0d2ce37b74de68d5d355912b904c9913a32833;hb=af49ec2c7de8698da61114c9e1ddfc8a8b9802c8;hp=51dcdcd94708ca2cd2f0087c5957b77248cc714c;hpb=169c1bda807d183a362b47efe0b5b56e9320e430;p=elogind.git diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 51dcdcd94..5b0d2ce37 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -50,29 +50,32 @@ systemd.service, systemd.socket, - systemd.mount + systemd.mount, + systemd.swap Description Unit configuration files for services, sockets - and mount points share a subset of configuration - options which define the execution environment of - spawned processes. + mount points and swap devices share a subset of + configuration options which define the execution + environment of spawned processes. This man page lists the configuration options shared by these three unit types. See systemd.unit5 for the common options of all unit configuration files, and - systemd.service5, systemd.socket5 + systemd.service5, + systemd.socket5, + systemd.swap5 and systemd.mount5 for more information on the specific unit configuration files. The execution specific configuration options are configured in the [Service], - [Socket] resp. [Mount] section, depending on the unit + [Socket], [Mount] resp. [Swap] section, depending on the unit type. @@ -127,7 +130,7 @@ be specified more than once in which case all listed groups are set as supplementary groups. This option does - not override but extend the list of + not override but extends the list of supplementary groups configured in the system group database for the user. 
@@ -275,8 +278,23 @@ contain new-line separated variable assignments. Empty lines and lines starting with ; or # will be ignored, - which may be used for - commenting. + which may be used for commenting. The + argument passed should be an absolute + file name, optionally prefixed with + "-", which indicates that if the file + does not exist it won't be read and no + error or warning message is + logged. The files listed with this + directive will be read shortly before + the process is executed. Settings from + these files override settings made + with + Environment=. If + the same variable is set twice from + these files the files will be read in + the order they are specified and the + later setting will override the + earlier setting. @@ -301,10 +319,11 @@ below) and the executed process becomes the controlling process of the terminal. If the terminal is already - being controlled by another process it - is waited until that process releases - the - terminal. + being controlled by another process the + executed process waits until the current + controlling process releases the + terminal. + is similar to , but the executed process is forcefully and immediately made the controlling @@ -341,7 +360,9 @@ , , , - or + , + , + or . If set to the file descriptor of standard input is @@ -365,9 +386,13 @@ system logger. connects it with the kernel log buffer which is accessible via - dmesg1. - connects standard output to a socket - from socket activation, semantics are + dmesg1. + and work + similarly but copy the output to the + system console as + well. connects + standard output to a socket from + socket activation, semantics are similar to the respective option of StandardInput=. This setting defaults to @@ -381,7 +406,7 @@ available options are identical to those of StandardOutput=, - whith one exception: if set to + with one exception: if set to the file descriptor used for standard output is duplicated for standard error. This 
@@ -397,7 +422,7 @@ /dev/console. - SyslogIdentifer= + SyslogIdentifier= Sets the process name to prefix log lines sent to syslog or the kernel log buffer with. If not set @@ -500,15 +525,15 @@ TimerSlackNSec= Sets the timer slack in nanoseconds for the executed - processes The timer slack controls the + processes. The timer slack controls the accuracy of wake-ups triggered by timers. See prctl2 for more information. Note that in contrast to most other time span - definitions this value is takes a - nano-seconds integer and does not - understand any other + definitions this parameter takes an + integer value in nano-seconds and does + not understand any other units. @@ -533,7 +558,10 @@ various resource limits for executed processes. See setrlimit2 - for details. + for details. Use the string + infinity to + configure no limit on a specific + resource. @@ -572,16 +600,34 @@ - Capabilities= - Controls the + CapabilityBoundingSet= + + Controls which + capabilities to include in the + capability bounding set for the + executed process. See capabilities7 - set for the executed process. Take a - capability string as described in - cap_from_text3. - Note that this capability set is - usually influenced by the capabilities - attached to the executed - file. + for details. Takes a whitespace + seperated list of capability names as + read by + cap_from_name3. + Capabilities listed will be included + in the bounding set, all others are + removed. If the list of capabilities + is prefixed with ~ all but the listed + capabilities will be included, the + effect of this assignment + inverted. Note that this option does + not actually set or unset any + capabilities in the effective, + permitted or inherited capability + sets. That's what + Capabilities= is + for. If this option is not used the + capability bounding set is not + modified on process execution, hence + no limits on the capabilities of the + process are enforced. 
@@ -600,16 +646,21 @@ - CapabilityBoundingSetDrop= - + Capabilities= Controls the - capability bounding set drop set for - the executed process. See capabilities7 - for details. Takes a list of - capability names as read by - cap_from_name3. - + set for the executed process. Take a + capability string describing the + effective, permitted and inherited + capability sets as documented in + cap_from_text3. + Note that these capability sets are + usually influenced by the capabilities + attached to the executed file. Due to + that + CapabilityBoundingSet= + is probably the much more useful + setting. @@ -677,7 +728,7 @@ restricting access with these options does not extend to submounts of a directory. You must list submounts - separately in these setttings to + separately in these settings to ensure the same limited access. These options may be specified more than once in which case all directories @@ -760,6 +811,7 @@ systemd.unit5, systemd.service5, systemd.socket5, + systemd.swap5, systemd.mount5
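Review bot: In the Description hunk (@@ -50,29 +50,32 @@), the unchanged context sentence "shared by these three unit types" is now wrong, because the patch makes it four (service, socket, mount, swap). Update the count or drop it. The rewritten opening sentence also lost a comma: "services, sockets mount points and swap devices" should read "services, sockets, mount points and swap devices".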
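Review bot: The new EnvironmentFile= text (@@ -275,8 +278,23 @@) documents the missing-file case only for a path carrying the "-" prefix; state what happens when an unprefixed file does not exist, and what happens when the argument is not an absolute file name. The final sentence about a variable "set twice from these files" should also say whether it covers duplicates inside one file as well as across files, since these files override Environment= and the reader needs to know which assignment wins.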
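Review bot: The SyslogIdentifer= to SyslogIdentifier= correction (@@ -397,7 +422,7 @@) appears in a diff that touches only man/systemd.exec.xml, so please confirm the configuration parser already accepts the corrected spelling. If it still expects the old key, a unit written from this page will not be parsed as documented.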
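Review bot: In the TimerSlackNSec= hunk (@@ -500,15 +525,15 @@), the added line "integer value in nano-seconds" is inconsistent with "timer slack in nanoseconds" three lines above it in the same entry. Use "nanoseconds" in both places.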
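Review bot: The added CapabilityBoundingSet= paragraph (@@ -572,16 +600,34 @@) has two wording defects: "seperated" should be "separated", and "the effect of this assignment inverted" lacks a verb (suggest "i.e. the effect of the assignment is inverted"). Because this is the setting an administrator uses to confine a service, the entry should also show one plain list and one ~-prefixed list, and say what an empty assignment does, so there is no doubt about which capabilities remain in the bounding set.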
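Review bot: Removing the CapabilityBoundingSetDrop= entry (@@ -600,16 +646,21 @@) leaves units that already use that key without documentation. Add a sentence saying whether the key is still accepted, and point to the replacement, which by this patch's own description is CapabilityBoundingSet= with a ~-prefixed list. In the re-added Capabilities= text, "Take a capability string" should be "Takes a capability string" to match the neighbouring entries.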