5721dc15537e9e1901264ccbeccae930d86fe87e
[elogind.git] / man / systemd.exec.xml
1 <?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?>
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3         "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4
5 <!--
6   This file is part of systemd.
7
8   Copyright 2010 Lennart Poettering
9
10   systemd is free software; you can redistribute it and/or modify it
11   under the terms of the GNU Lesser General Public License as published by
12   the Free Software Foundation; either version 2.1 of the License, or
13   (at your option) any later version.
14
15   systemd is distributed in the hope that it will be useful, but
16   WITHOUT ANY WARRANTY; without even the implied warranty of
17   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18   Lesser General Public License for more details.
19
20   You should have received a copy of the GNU Lesser General Public License
21   along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 -->
23
24 <refentry id="systemd.exec">
25         <refentryinfo>
26                 <title>systemd.exec</title>
27                 <productname>systemd</productname>
28
29                 <authorgroup>
30                         <author>
31                                 <contrib>Developer</contrib>
32                                 <firstname>Lennart</firstname>
33                                 <surname>Poettering</surname>
34                                 <email>lennart@poettering.net</email>
35                         </author>
36                 </authorgroup>
37         </refentryinfo>
38
39         <refmeta>
40                 <refentrytitle>systemd.exec</refentrytitle>
41                 <manvolnum>5</manvolnum>
42         </refmeta>
43
44         <refnamediv>
45                 <refname>systemd.exec</refname>
46                 <refpurpose>Execution environment configuration</refpurpose>
47         </refnamediv>
48
49         <refsynopsisdiv>
50                 <para><filename><replaceable>service</replaceable>.service</filename>,
51                 <filename><replaceable>socket</replaceable>.socket</filename>,
52                 <filename><replaceable>mount</replaceable>.mount</filename>,
53                 <filename><replaceable>swap</replaceable>.swap</filename></para>
54         </refsynopsisdiv>
55
56         <refsect1>
57                 <title>Description</title>
58
59                 <para>Unit configuration files for services, sockets,
60                 mount points and swap devices share a subset of
61                 configuration options which define the execution
62                 environment of spawned processes.</para>
63
64                 <para>This man page lists the configuration options
65                 shared by these four unit types. See
66                 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
67                 for the common options of all unit configuration
68                 files, and
69                 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
70                 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
71                 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
72                 and
73                 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
74                 for more information on the specific unit
75                 configuration files. The execution-specific
76                 configuration options are set in the [Service],
77                 [Socket], [Mount], or [Swap] sections, depending on the unit
78                 type.</para>
79
80                 <para>Processes started by the system systemd instance
81                 are executed in a clean environment in which only the
82                 <varname>$PATH</varname> and <varname>$LANG</varname>
83                 variables are set by default. In order to add
84                 additional variables, see the
85                 <varname>Environment=</varname> and
86                 <varname>EnvironmentFile=</varname> options below. To
87                 specify variables globally, see
88                 <varname>DefaultEnvironment=</varname> in
89                 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
90                 or the kernel option
91                 <varname>systemd.setenv=</varname> in
92                 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>. Processes
93                 started by the user systemd instances inherit all
94                 environment variables from the user systemd instance,
95                 and have <varname>$HOME</varname>,
96                 <varname>$USER</varname>,
97                 <varname>$XDG_RUNTIME_DIR</varname> defined, among
98                 others. In addition, <varname>$MANAGERPID</varname>
99                 contains the PID of the user systemd instance.</para>
100         </refsect1>
101
102         <refsect1>
103                 <title>Options</title>
104
105                 <variablelist class='unit-directives'>
106
107                         <varlistentry>
108                                 <term><varname>WorkingDirectory=</varname></term>
109
110                                 <listitem><para>Takes an absolute
111                                 directory path. Sets the working
112                                 directory for executed processes. If
113                                 not set, defaults to the root directory
114                                 when systemd is running as a system
115                                 instance, and to the respective user's
116                                 home directory when running as a
117                                 user instance.</para></listitem>
118                         </varlistentry>
119
120                         <varlistentry>
121                                 <term><varname>RootDirectory=</varname></term>
122
123                                 <listitem><para>Takes an absolute
124                                 directory path. Sets the root
125                                 directory for executed processes, with
126                                 the
127                                 <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>
128                                 system call. If this is used, make sure that the
129                                 process and all its auxiliary files are available in
130                                 the <function>chroot()</function> jail. Note that
131                                 <function>chroot()</function> alone does not confine a
132                                 process that retains root privileges.</para></listitem>
133                         </varlistentry>
134
135                         <varlistentry>
136                                 <term><varname>User=</varname></term>
137                                 <term><varname>Group=</varname></term>
138
139                                 <listitem><para>Sets the Unix user
140                                 or group that the processes are executed
141                                 as, respectively. Takes a single user or group
142                                 name or ID as argument. If no group is
143                                 set, the default group of the user is
144                                 chosen.</para></listitem>
145                         </varlistentry>
146
147                         <varlistentry>
148                                 <term><varname>SupplementaryGroups=</varname></term>
149
150                                 <listitem><para>Sets the supplementary
151                                 Unix groups the processes are executed
152                                 as. This takes a space-separated list
153                                 of group names or IDs. This option may
154                                 be specified more than once in which
155                                 case all listed groups are set as
156                                 supplementary groups. When the empty
157                                 string is assigned, the list of
158                                 supplementary groups is reset, and all
159                                 assignments prior to this one will
160                                 have no effect. In any case, this
161                                 option does not override, but extends
162                                 the list of supplementary groups
163                                 configured in the system group
164                                 database for the
165                                 user.</para></listitem>
166                         </varlistentry>
167
168                         <varlistentry>
169                                 <term><varname>Nice=</varname></term>
170
171                                 <listitem><para>Sets the default nice
172                                 level (scheduling priority) for
173                                 executed processes. Takes an integer
174                                 between -20 (highest priority) and 19
175                                 (lowest priority). See
176                                 <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>
177                                 for details.</para></listitem>
178                         </varlistentry>
179
180                         <varlistentry>
181                                 <term><varname>OOMScoreAdjust=</varname></term>
182
183                                 <listitem><para>Sets the adjustment
184                                 level for the Out-Of-Memory killer for
185                                 executed processes. Takes an integer
186                                 between -1000 (to disable OOM killing
187                                 for this process) and 1000 (to make
188                                 killing of this process under memory
189                                 pressure very likely). See <ulink
190                                 url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink>
191                                 for details.</para></listitem>
192                         </varlistentry>
193
194                         <varlistentry>
195                                 <term><varname>IOSchedulingClass=</varname></term>
196
197                                 <listitem><para>Sets the IO scheduling
198                                 class for executed processes. Takes an
199                                 integer between 0 and 3 or one of the
200                                 strings <option>none</option>,
201                                 <option>realtime</option>,
202                                 <option>best-effort</option> or
203                                 <option>idle</option>. See
204                                 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
205                                 for details.</para></listitem>
206                         </varlistentry>
207
208                         <varlistentry>
209                                 <term><varname>IOSchedulingPriority=</varname></term>
210
211                                 <listitem><para>Sets the IO scheduling
212                                 priority for executed processes. Takes
213                                 an integer between 0 (highest
214                                 priority) and 7 (lowest priority). The
215                                 available priorities depend on the
216                                 selected IO scheduling class (see
217                                 above). See
218                                 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
219                                 for details.</para></listitem>
220                         </varlistentry>
221
222                         <varlistentry>
223                                 <term><varname>CPUSchedulingPolicy=</varname></term>
224
225                                 <listitem><para>Sets the CPU
226                                 scheduling policy for executed
227                                 processes. Takes one of
228                                 <option>other</option>,
229                                 <option>batch</option>,
230                                 <option>idle</option>,
231                                 <option>fifo</option> or
232                                 <option>rr</option>. See
233                                 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
234                                 for details.</para></listitem>
235                         </varlistentry>
236
237                         <varlistentry>
238                                 <term><varname>CPUSchedulingPriority=</varname></term>
239
240                                 <listitem><para>Sets the CPU
241                                 scheduling priority for executed
242                                 processes. The available priority
243                                 range depends on the selected CPU
244                                 scheduling policy (see above). For
245                                 real-time scheduling policies an
246                                 integer between 1 (lowest priority)
247                                 and 99 (highest priority) can be used.
248                                 See <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
249                                 for details.
250                                 </para></listitem>
251                         </varlistentry>
252
253                         <varlistentry>
254                                 <term><varname>CPUSchedulingResetOnFork=</varname></term>
255
256                                 <listitem><para>Takes a boolean
257                                 argument. If true, elevated CPU
258                                 scheduling priorities and policies
259                                 will be reset when the executed
260                                 processes fork, and can hence not leak
261                                 into child processes. See
262                                 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
263                                 for details. Defaults to false.</para></listitem>
264                         </varlistentry>
265
266                         <varlistentry>
267                                 <term><varname>CPUAffinity=</varname></term>
268
269                                 <listitem><para>Controls the CPU
270                                 affinity of the executed
271                                 processes. Takes a space-separated
272                                 list of CPU indexes. This option may
273                                 be specified more than once in which
274                                 case the specified CPU affinity masks
275                                 are merged. If the empty string is
276                                 assigned, the mask is reset and all
277                                 assignments prior to this will have no
278                                 effect. See
279                                 <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry>
280                                 for details.</para></listitem>
281                         </varlistentry>
282
283                         <varlistentry>
284                                 <term><varname>UMask=</varname></term>
285
286                                 <listitem><para>Controls the file mode
287                                 creation mask. Takes an access mode in
288                                 octal notation. See
289                                 <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry>
290                                 for details. Defaults to
291                                 0022.</para></listitem>
292                         </varlistentry>
293
294                         <varlistentry>
295                                 <term><varname>Environment=</varname></term>
296
297                                 <listitem><para>Sets environment
298                                 variables for executed
299                                 processes. Takes a space-separated
300                                 list of variable assignments. This
301                                 option may be specified more than once
302                                 in which case all listed variables
303                                 will be set. If the same variable is
304                                 set twice, the later setting will
305                                 override the earlier setting. If the
306                                 empty string is assigned to this
307                                 option, the list of environment
308                                 variables is reset and all prior
309                                 assignments have no effect.
310                                 Variable expansion is not performed
311                                 inside the strings; however, specifier
312                                 expansion is possible. The $ character has
313                                 no special meaning.
314                                 If you need to assign a value containing spaces
315                                 to a variable, use double quotes (")
316                                 for the assignment.</para>
317
318                                 <para>Example:
319                                 <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"</programlisting>
320                                 gives three variables <literal>VAR1</literal>,
321                                 <literal>VAR2</literal>, <literal>VAR3</literal>.
322                                 </para>
323
324                                 <para>
325                                 See
326                                 <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
327                                 for details about environment variables.</para></listitem>
328                         </varlistentry>
329                         <varlistentry>
330                                 <term><varname>EnvironmentFile=</varname></term>
331                                 <listitem><para>Similar to
332                                 <varname>Environment=</varname> but
333                                 reads the environment variables from a
334                                 text file. The text file should
335                                 contain new-line-separated variable
336                                 assignments. Empty lines and lines
337                                 starting with ; or # will be ignored,
338                                 which may be used for commenting. A line
339                                 ending with a backslash will be concatenated
340                                 with the following one, allowing multiline variable
341                                 definitions. The parser strips leading
342                                 and trailing whitespace from the values
343                                 of assignments, unless you use
344                                 double quotes (").</para>
345
346                                 <para>The argument passed should be an
347                                 absolute filename or wildcard
348                                 expression, optionally prefixed with
349                                 <literal>-</literal>, which indicates
350                                 that if the file does not exist, it
351                                 will not be read and no error or warning
352                                 message is logged.  This option may be
353                                 specified more than once in which case
354                                 all specified files are read. If the
355                                 empty string is assigned to this
356                                 option, the list of files to read is
357                                 reset and all prior assignments have no
358                                 effect.</para>
359
360                                 <para>The files listed with this
361                                 directive will be read shortly before
362                                 the process is executed. Settings from
363                                 these files override settings made
364                                 with
365                                 <varname>Environment=</varname>. If
366                                 the same variable is set twice from
367                                 these files, the files will be read in
368                                 the order they are specified and the
369                                 later setting will override the
370                                 earlier setting.</para></listitem>
371                         </varlistentry>
372
373                         <varlistentry>
374                                 <term><varname>StandardInput=</varname></term>
375                                 <listitem><para>Controls where file
376                                 descriptor 0 (STDIN) of the executed
377                                 processes is connected to. Takes one
378                                 of <option>null</option>,
379                                 <option>tty</option>,
380                                 <option>tty-force</option>,
381                                 <option>tty-fail</option> or
382                                 <option>socket</option>. If
383                                 <option>null</option> is selected,
384                                 standard input will be connected to
385                                 <filename>/dev/null</filename>,
386                                 i.e. all read attempts by the process
387                                 will result in immediate EOF. If
388                                 <option>tty</option> is selected,
389                                 standard input is connected to a TTY
390                                 (as configured by
391                                 <varname>TTYPath=</varname>, see
392                                 below) and the executed process
393                                 becomes the controlling process of the
394                                 terminal. If the terminal is already
395                                 being controlled by another process, the
396                                 executed process waits until the current
397                                 controlling process releases the
398                                 terminal.
399                                 <option>tty-force</option>
400                                 is similar to <option>tty</option>,
401                                 but the executed process is forcefully
402                                 and immediately made the controlling
403                                 process of the terminal, potentially
404                                 removing previous controlling
405                                 processes from the
406                                 terminal. <option>tty-fail</option> is
407                                 similar to <option>tty</option>, but if
408                                 the terminal already has a controlling
409                                 process, start-up of the executed
410                                 process fails.  The
411                                 <option>socket</option> option is only
412                                 valid in socket-activated services,
413                                 and only when the socket configuration
414                                 file (see
415                                 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
416                                 for details) specifies a single socket
417                                 only. If this option is set, standard
418                                 input will be connected to the socket
419                                 the service was activated from, which
420                                 is primarily useful for compatibility
421                                 with daemons designed for use with the
422                                 traditional
423                                 <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
424                                 daemon. This setting defaults to
425                                 <option>null</option>.</para></listitem>
426                         </varlistentry>
427                         <varlistentry>
428                                 <term><varname>StandardOutput=</varname></term>
429                                 <listitem><para>Controls where file
430                                 descriptor 1 (STDOUT) of the executed
431                                 processes is connected to. Takes one
432                                 of <option>inherit</option>,
433                                 <option>null</option>,
434                                 <option>tty</option>,
435                                 <option>syslog</option>,
436                                 <option>kmsg</option>,
437                                 <option>journal</option>,
438                                 <option>syslog+console</option>,
439                                 <option>kmsg+console</option>,
440                                 <option>journal+console</option> or
441                                 <option>socket</option>. If set to
442                                 <option>inherit</option>, the file
443                                 descriptor of standard input is
444                                 duplicated for standard output. If set
445                                 to <option>null</option>, standard
446                                 output will be connected to
447                                 <filename>/dev/null</filename>,
448                                 i.e. everything written to it will be
449                                 lost. If set to <option>tty</option>,
450                                 standard output will be connected to a
451                                 tty (as configured via
452                                 <varname>TTYPath=</varname>, see
453                                 below). If the TTY is used for output
454                                 only, the executed process will not
455                                 become the controlling process of the
456                                 terminal, and will not fail or wait
457                                 for other processes to release the
458                                 terminal. <option>syslog</option>
459                                 connects standard output to the
460                                 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
461                                 system syslog
462                                 service. <option>kmsg</option>
463                                 connects it with the kernel log buffer
464                                 which is accessible via
465                                 <citerefentry><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <option>journal</option>
466                                 connects it with the journal which is
467                                 accessible via
468                                 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
469                                 (note that everything that is written
470                                 to syslog or kmsg is implicitly stored
471                                 in the journal as well; those options
472                                 are hence supersets of this
473                                 one). <option>syslog+console</option>,
474                                 <option>journal+console</option> and
475                                 <option>kmsg+console</option> work
476                                 similarly but copy the output to the
477                                 system console as
478                                 well. <option>socket</option> connects
479                                 standard output to a socket from
480                                 socket activation, semantics are
481                                 similar to the respective option of
482                                 <varname>StandardInput=</varname>.
483                                 This setting defaults to the value set
484                                 with
485                                 <option>DefaultStandardOutput=</option>
486                                 in
487                                 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
488                                 which defaults to
489                                 <option>journal</option>.</para></listitem>
490                         </varlistentry>
491                         <varlistentry>
492                                 <term><varname>StandardError=</varname></term>
493                                 <listitem><para>Controls where file
494                                 descriptor 2 (STDERR) of the executed
495                                 processes is connected to. The
496                                 available options are identical to
497                                 those of
498                                 <varname>StandardOutput=</varname>,
499                                 with one exception: if set to
500                                 <option>inherit</option> the file
501                                 descriptor used for standard output is
502                                 duplicated for standard error. This
503                                 setting defaults to the value set with
504                                 <option>DefaultStandardError=</option>
505                                 in
506                                 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
507                                 which defaults to
508                                 <option>inherit</option>.</para></listitem>
509                         </varlistentry>
510                         <varlistentry>
511                                 <term><varname>TTYPath=</varname></term>
512                                 <listitem><para>Sets the terminal
513                                 device node to use if standard input,
514                                 output or error is connected to a
515                                 TTY (see above). Defaults to
516                                 <filename>/dev/console</filename>.</para></listitem>
517                         </varlistentry>
518                         <varlistentry>
519                                 <term><varname>TTYReset=</varname></term>
520                                 <listitem><para>Reset the terminal
521                                 device specified with
522                                 <varname>TTYPath=</varname> before and
523                                 after execution. Defaults to
524                                 <literal>no</literal>.</para></listitem>
525                         </varlistentry>
526                         <varlistentry>
527                                 <term><varname>TTYVHangup=</varname></term>
528                                 <listitem><para>Disconnect all clients
529                                 which have opened the terminal device
530                                 specified with
531                                 <varname>TTYPath=</varname>
532                                 before and after execution. Defaults
533                                 to
534                                 <literal>no</literal>.</para></listitem>
535                         </varlistentry>
536                         <varlistentry>
537                                 <term><varname>TTYVTDisallocate=</varname></term>
538                                 <listitem><para>If the terminal
539                                 device specified with
540                                 <varname>TTYPath=</varname> is a
541                                 virtual console terminal, try to
542                                 deallocate the TTY before and after
543                                 execution. This ensures that the
544                                 screen and scrollback buffer are
545                                 cleared. Defaults to
546                                 <literal>no</literal>.</para></listitem>
547                         </varlistentry>
548                         <varlistentry>
549                                 <term><varname>SyslogIdentifier=</varname></term>
550                                 <listitem><para>Sets the process name
551                                 to prefix log lines sent to syslog or
552                                 the kernel log buffer with. If not set,
553                                 defaults to the process name of the
554                                 executed process. This option is only
555                                 useful when
556                                 <varname>StandardOutput=</varname> or
557                                 <varname>StandardError=</varname> are
558                                 set to <option>syslog</option> or
559                                 <option>kmsg</option>.</para></listitem>
560                         </varlistentry>
561                         <varlistentry>
562                                 <term><varname>SyslogFacility=</varname></term>
563                                 <listitem><para>Sets the syslog
564                                 facility to use when logging to
565                                 syslog. One of <option>kern</option>,
566                                 <option>user</option>,
567                                 <option>mail</option>,
568                                 <option>daemon</option>,
569                                 <option>auth</option>,
570                                 <option>syslog</option>,
571                                 <option>lpr</option>,
572                                 <option>news</option>,
573                                 <option>uucp</option>,
574                                 <option>cron</option>,
575                                 <option>authpriv</option>,
576                                 <option>ftp</option>,
577                                 <option>local0</option>,
578                                 <option>local1</option>,
579                                 <option>local2</option>,
580                                 <option>local3</option>,
581                                 <option>local4</option>,
582                                 <option>local5</option>,
583                                 <option>local6</option> or
584                                 <option>local7</option>. See
585                                 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
586                                 for details. This option is only
587                                 useful when
588                                 <varname>StandardOutput=</varname> or
589                                 <varname>StandardError=</varname> are
590                                 set to <option>syslog</option>.
591                                 Defaults to
592                                 <option>daemon</option>.</para></listitem>
593                         </varlistentry>
594                         <varlistentry>
595                                 <term><varname>SyslogLevel=</varname></term>
596                                 <listitem><para>Default syslog level
597                                 to use when logging to syslog or the
598                                 kernel log buffer. One of
599                                 <option>emerg</option>,
600                                 <option>alert</option>,
601                                 <option>crit</option>,
602                                 <option>err</option>,
603                                 <option>warning</option>,
604                                 <option>notice</option>,
605                                 <option>info</option>,
606                                 <option>debug</option>. See
607                                 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
608                                 for details. This option is only
609                                 useful when
610                                 <varname>StandardOutput=</varname> or
611                                 <varname>StandardError=</varname> are
612                                 set to <option>syslog</option> or
613                                 <option>kmsg</option>. Note that
614                                 individual lines output by the daemon
615                                 might be prefixed with a different log
616                                 level which can be used to override
617                                 the default log level specified
618                                 here. The interpretation of these
619                                 prefixes may be disabled with
620                                 <varname>SyslogLevelPrefix=</varname>,
621                                 see below. For details see
622                                 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
623
624                                 Defaults to
625                                 <option>info</option>.</para></listitem>
626                         </varlistentry>
627
628                         <varlistentry>
629                                 <term><varname>SyslogLevelPrefix=</varname></term>
630                                 <listitem><para>Takes a boolean
631                                 argument. If true and
632                                 <varname>StandardOutput=</varname> or
633                                 <varname>StandardError=</varname> are
634                                 set to <option>syslog</option>,
635                                 <option>kmsg</option> or
636                                 <option>journal</option>, log lines
637                                 written by the executed process that
638                                 are prefixed with a log level will be
639                                 passed on to syslog with this log
640                                 level set but the prefix removed. If
641                                 set to false, the interpretation of
642                                 these prefixes is disabled and the
643                                 logged lines are passed on as-is. For
644                                 details about this prefixing see
645                                 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
646                                 Defaults to true.</para></listitem>
647                         </varlistentry>
648
649                         <varlistentry>
650                                 <term><varname>TimerSlackNSec=</varname></term>
651                                 <listitem><para>Sets the timer slack
652                                 in nanoseconds for the executed
653                                 processes. The timer slack controls
654                                 the accuracy of wake-ups triggered by
655                                 timers. See
656                                 <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
657                                 for more information. Note that in
658                                 contrast to most other time span
659                                 definitions this parameter takes an
660                                 integer value in nanoseconds if no
661                                 unit is specified. The usual time
662                                 units are understood
663                                 too.</para></listitem>
664                         </varlistentry>
665
666                         <varlistentry>
667                                 <term><varname>LimitCPU=</varname></term>
668                                 <term><varname>LimitFSIZE=</varname></term>
669                                 <term><varname>LimitDATA=</varname></term>
670                                 <term><varname>LimitSTACK=</varname></term>
671                                 <term><varname>LimitCORE=</varname></term>
672                                 <term><varname>LimitRSS=</varname></term>
673                                 <term><varname>LimitNOFILE=</varname></term>
674                                 <term><varname>LimitAS=</varname></term>
675                                 <term><varname>LimitNPROC=</varname></term>
676                                 <term><varname>LimitMEMLOCK=</varname></term>
677                                 <term><varname>LimitLOCKS=</varname></term>
678                                 <term><varname>LimitSIGPENDING=</varname></term>
679                                 <term><varname>LimitMSGQUEUE=</varname></term>
680                                 <term><varname>LimitNICE=</varname></term>
681                                 <term><varname>LimitRTPRIO=</varname></term>
682                                 <term><varname>LimitRTTIME=</varname></term>
683                                 <listitem><para>These settings control
684                                 various resource limits for executed
685                                 processes. See
686                                 <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
687                                 for details. Use the string
688                                 <varname>infinity</varname> to
689                                 configure no limit on a specific
690                                 resource.</para></listitem>
691                         </varlistentry>
692
693                         <varlistentry>
694                                 <term><varname>PAMName=</varname></term>
695                                 <listitem><para>Sets the PAM service
696                                 name to set up a session as. If set,
697                                 the executed process will be
698                                 registered as a PAM session under the
699                                 specified service name. This is only
700                                 useful in conjunction with the
701                                 <varname>User=</varname> setting. If
702                                 not set, no PAM session will be opened
703                                 for the executed processes. See
704                                 <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
705                                 for details.</para></listitem>
706                         </varlistentry>
707
708                         <varlistentry>
709                                 <term><varname>TCPWrapName=</varname></term>
710                                 <listitem><para>If this is a
711                                 socket-activated service, this sets the
712                                 tcpwrap service name to check the
713                                 permission for the current connection
714                                 with. This is only useful in
715                                 conjunction with socket-activated
716                                 services, and stream sockets (TCP) in
717                                 particular. It has no effect on other
718                                 socket types (e.g. datagram/UDP) and
719                                 on processes unrelated to socket-based
720                                 activation. If the tcpwrap
721                                 verification fails, daemon start-up
722                                 will fail and the connection is
723                                 terminated. See
724                                 <citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
725                                 for details. Note that this option may
726                                 be used to do access control checks
727                                 only. Shell commands and commands
728                                 described in
729                                 <citerefentry><refentrytitle>hosts_options</refentrytitle><manvolnum>5</manvolnum></citerefentry>
730                                 are not supported.</para></listitem>
731                         </varlistentry>
732
733                         <varlistentry>
734                                 <term><varname>CapabilityBoundingSet=</varname></term>
735
736                                 <listitem><para>Controls which
737                                 capabilities to include in the
738                                 capability bounding set for the
739                                 executed process. See
740                                 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
741                                 for details. Takes a whitespace-separated
742                                 list of capability names as read by
743                                 <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
744                                 e.g. <constant>CAP_SYS_ADMIN</constant>,
745                                 <constant>CAP_DAC_OVERRIDE</constant>,
746                                 <constant>CAP_SYS_PTRACE</constant>.
747                                 Capabilities listed will be included
748                                 in the bounding set, all others are
749                                 removed. If the list of capabilities
750                                 is prefixed with <literal>~</literal>,
751                                 all but the listed capabilities will
752                                 be included, i.e. the effect of the
753                                 assignment is inverted. Note that this
754                                 option also affects the respective
755                                 capabilities in the effective,
756                                 permitted and inheritable capability
757                                 sets, on top of what
758                                 <varname>Capabilities=</varname>
759                                 does. If this option is not used, the
760                                 capability bounding set is not
761                                 modified on process execution, hence
762                                 no limits on the capabilities of the
763                                 process are enforced. This option may
764                                 appear more than once in which case
765                                 the bounding sets are merged. If the
766                                 empty string is assigned to this
767                                 option, the bounding set is reset to
768                                 the empty capability set, and all
769                                 prior settings have no effect. If set
770                                 to <literal>~</literal> (without any
771                                 further argument), the bounding set is
772                                 reset to the full set of available
773                                 capabilities, also undoing any
774                                 previous settings.</para></listitem>
775                         </varlistentry>
776
777                         <varlistentry>
778                                 <term><varname>SecureBits=</varname></term>
779                                 <listitem><para>Controls the secure
780                                 bits set for the executed process. See
781                                 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
782                                 for details. Takes a list of strings:
783                                 <option>keep-caps</option>,
784                                 <option>keep-caps-locked</option>,
785                                 <option>no-setuid-fixup</option>,
786                                 <option>no-setuid-fixup-locked</option>,
787                                 <option>noroot</option> and/or
788                                 <option>noroot-locked</option>. This
789                                 option may appear more than once in
790                                 which case the secure bits are
791                                 ORed. If the empty string is assigned
792                                 to this option, the bits are reset to
793                                 0.</para></listitem>
794                         </varlistentry>
795
796                         <varlistentry>
797                                 <term><varname>Capabilities=</varname></term>
798                                 <listitem><para>Controls the
799                                 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
800                                 set for the executed process. Takes a
801                                 capability string describing the
802                                 effective, permitted and inheritable
803                                 capability sets as documented in
804                                 <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
805                                 Note that these capability sets are
806                                 usually influenced by the capabilities
807                                 attached to the executed file. Due to
808                                 that
809                                 <varname>CapabilityBoundingSet=</varname>
810                                 is probably the much more useful
811                                 setting.</para></listitem>
812                         </varlistentry>
813
814                         <varlistentry>
815                                 <term><varname>ReadWriteDirectories=</varname></term>
816                                 <term><varname>ReadOnlyDirectories=</varname></term>
817                                 <term><varname>InaccessibleDirectories=</varname></term>
818
819                                 <listitem><para>Sets up a new
820                                 file system namespace for executed
821                                 processes. These options may be used
822                                 to limit access a process might have
823                                 to the main file system
824                                 hierarchy. Each setting takes a
825                                 space-separated list of absolute
826                                 directory paths. Directories listed in
827                                 <varname>ReadWriteDirectories=</varname>
828                                 are accessible from within the
829                                 namespace with the same access rights
830                                 as from outside. Directories listed in
831                                 <varname>ReadOnlyDirectories=</varname>
832                                 are accessible for reading only,
833                                 writing will be refused even if the
834                                 usual file access controls would
835                                 permit this. Directories listed in
836                                 <varname>InaccessibleDirectories=</varname>
837                                 will be made inaccessible for
838                                 processes inside the namespace. Note
839                                 that restricting access with these
840                                 options does not extend to submounts
841                                 of a directory. You must list
842                                 submounts separately in these settings
843                                 to ensure the same limited
844                                 access. These options may be specified
845                                 more than once in which case all
846                                 directories listed will have limited
847                                 access from within the namespace. If
848                                 the empty string is assigned to this
849                                 option, the specific list is reset, and
850                                 all prior assignments have no
851                                 effect.</para>
852                                 <para>Paths in
853                                 <varname>ReadOnlyDirectories=</varname>
854                                 and
855                                 <varname>InaccessibleDirectories=</varname>
856                                 may be prefixed with
857                                 <literal>-</literal>, in which case
858                                 they will be ignored when they do not
859                                 exist.</para></listitem>
860                         </varlistentry>
861
862                         <varlistentry>
863                                 <term><varname>PrivateTmp=</varname></term>
864
865                                 <listitem><para>Takes a boolean
866                                 argument. If true, sets up a new file
867                                 system namespace for the executed
868                                 processes and mounts private
869                                 <filename>/tmp</filename> and
870                                 <filename>/var/tmp</filename> directories
871                                 inside it, that are not shared by
872                                 processes outside of the
873                                 namespace. This is useful to secure
874                                 access to temporary files of the
875                                 process, but makes sharing between
876                                 processes via
877                                 <filename>/tmp</filename> or
878                                 <filename>/var/tmp</filename>
879                                 impossible. All temporary data created
880                                 by the service will be removed after the
881                                 service is stopped. Defaults to
882                                 false.</para></listitem>
883                         </varlistentry>
884
885                         <varlistentry>
886                                 <term><varname>PrivateNetwork=</varname></term>
887
888                                 <listitem><para>Takes a boolean
889                                 argument. If true, sets up a new
890                                 network namespace for the executed
891                                 processes and configures only the
892                                 loopback network device
893                                 <literal>lo</literal> inside it. No
894                                 other network devices will be
895                                 available to the executed process.
896                                 This is useful to securely turn off
897                                 network access by the executed
898                                 process. Defaults to
899                                 false.</para></listitem>
900                         </varlistentry>
901
902                         <varlistentry>
903                                 <term><varname>MountFlags=</varname></term>
904
905                                 <listitem><para>Takes a mount
906                                 propagation flag:
907                                 <option>shared</option>,
908                                 <option>slave</option> or
909                                 <option>private</option>, which
910                                 control whether the file system
911                                 namespace set up for this unit's
912                                 processes will receive or propagate
913                                 new mounts. See
914                                 <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>
915                                 for details. Defaults to
916                                 <option>shared</option>.</para></listitem>
917                         </varlistentry>
918
919                         <varlistentry>
920                                 <term><varname>UtmpIdentifier=</varname></term>
921
922                                 <listitem><para>Takes a four
923                                 character identifier string for a
924                                 utmp/wtmp entry for this service. This
925                                 should only be set for services such
926                                 as <command>getty</command>
927                                 implementations where utmp/wtmp
928                                 entries must be created and cleared
929                                 before and after execution. If the
930                                 configured string is longer than four
931                                 characters, it is truncated and the
932                                 last four characters are
933                                 used. This setting interprets %I style
934                                 string replacements. This setting is
935                                 unset by default, i.e. no utmp/wtmp
936                                 entries are created or cleaned up for
937                                 this service.</para></listitem>
938                         </varlistentry>
939
940                         <varlistentry>
941                                 <term><varname>IgnoreSIGPIPE=</varname></term>
942
943                                 <listitem><para>Takes a boolean
944                                 argument. If true, causes <constant>SIGPIPE</constant> to be
945                                 ignored in the executed
946                                 process. Defaults to true because
947                                 <constant>SIGPIPE</constant> generally is useful only in
948                                 shell pipelines.</para></listitem>
949                         </varlistentry>
950
951                         <varlistentry>
952                                 <term><varname>NoNewPrivileges=</varname></term>
953
954                                 <listitem><para>Takes a boolean
955                                 argument. If true, ensures that the
956                                 service process and all its children
957                                 can never gain new privileges. This
958                                 option is more powerful than the respective
959                                 secure bits flags (see above), as it
960                                 also prohibits UID changes of any
961                                 kind. This is the simplest, most
962                                 effective way to ensure that a process
963                                 and its children can never elevate
964                                 privileges again.</para></listitem>
965                         </varlistentry>
966
967                         <varlistentry>
968                                 <term><varname>SystemCallFilter=</varname></term>
969
970                                 <listitem><para>Takes a space-separated
971                                 list of system call
972                                 names. If this setting is used, all
973                                 system calls executed by the unit
974                                 process except for the listed ones
975                                 will result in immediate process
976                                 termination with the
977                                 <constant>SIGSYS</constant> signal
978                                 (whitelisting). If the first character
979                                 of the list is <literal>~</literal>,
980                                 the effect is inverted: only the
981                                 listed system calls will result in
982                                 immediate process termination
983                                 (blacklisting). If this option is used,
984                                 <varname>NoNewPrivileges=yes</varname>
985                                 is implied. This feature makes use of
986                                 the Secure Computing Mode 2 interfaces
987                                 of the kernel ('seccomp filtering')
988                                 and is useful for enforcing a minimal
989                                 sandboxing environment. Note that the
990                                 <function>execve</function>,
991                                 <function>rt_sigreturn</function>,
992                                 <function>sigreturn</function>,
993                                 <function>exit_group</function>,
994                                 <function>exit</function> system calls
995                                 are implicitly whitelisted and do not
996                                 need to be listed explicitly. This
997                                 option may be specified more than once
998                                 in which case the filter masks are
999                                 merged. If the empty string is
1000                                 assigned, the filter is reset, and all
1001                                 prior assignments will have no
1002                                 effect.</para></listitem>
1003                         </varlistentry>
1004
1005                 </variablelist>
1006         </refsect1>
1007
1008         <refsect1>
1009                   <title>See Also</title>
1010                   <para>
1011                           <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1012                           <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
1013                           <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
1014                           <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1015                           <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1016                           <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1017                           <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1018                           <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1019                           <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1020                           <citerefentry><refentrytitle>systemd.cgroup</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1021                           <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>
1022                   </para>
1023         </refsect1>
1024
1025 </refentry>