1 <?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?>
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
6 This file is part of systemd.
8 Copyright 2010 Lennart Poettering
10 systemd is free software; you can redistribute it and/or modify it
11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
13 (at your option) any later version.
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public License
21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
24 <refentry id="systemd.exec">
26 <title>systemd.exec</title>
27 <productname>systemd</productname>
31 <contrib>Developer</contrib>
32 <firstname>Lennart</firstname>
33 <surname>Poettering</surname>
34 <email>lennart@poettering.net</email>
40 <refentrytitle>systemd.exec</refentrytitle>
41 <manvolnum>5</manvolnum>
45 <refname>systemd.exec</refname>
46 <refpurpose>Execution environment configuration</refpurpose>
50 <para><filename><replaceable>service</replaceable>.service</filename>,
51 <filename><replaceable>socket</replaceable>.socket</filename>,
52 <filename><replaceable>mount</replaceable>.mount</filename>,
53 <filename><replaceable>swap</replaceable>.swap</filename></para>
57 <title>Description</title>
59 <para>Unit configuration files for services, sockets, mount
60 points, and swap devices share a subset of configuration options
61 which define the execution environment of spawned
64 <para>This man page lists the configuration options shared by
65 these four unit types. See
66 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
67 for the common options of all unit configuration files, and
68 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
69 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
70 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
72 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
73 for more information on the specific unit configuration files. The
74 execution specific configuration options are configured in the
75 [Service], [Socket], [Mount], or [Swap] sections, depending on the
80 <title>Options</title>
82 <variablelist class='unit-directives'>
85 <term><varname>WorkingDirectory=</varname></term>
87 <listitem><para>Takes an absolute directory path. Sets the
88 working directory for executed processes. If not set, defaults
89 to the root directory when systemd is running as a system
90 instance and the respective user's home directory if run as
91 user.</para></listitem>
95 <term><varname>RootDirectory=</varname></term>
97 <listitem><para>Takes an absolute directory path. Sets the
98 root directory for executed processes, with the
99 <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>
system call. If this is used, it must be ensured that the
process and all its auxiliary files are available in the
<function>chroot()</function> jail. Note that
<function>chroot()</function> on its own is not a security
boundary: a process that retains
<constant>CAP_SYS_CHROOT</constant> can leave the jail again, so
combine this setting with <varname>User=</varname> and
<varname>CapabilityBoundingSet=</varname> (see
below).</para></listitem>
106 <term><varname>User=</varname></term>
107 <term><varname>Group=</varname></term>
109 <listitem><para>Sets the Unix user or group that the processes
110 are executed as, respectively. Takes a single user or group
111 name or ID as argument. If no group is set, the default group
112 of the user is chosen.</para></listitem>
116 <term><varname>SupplementaryGroups=</varname></term>
118 <listitem><para>Sets the supplementary Unix groups the
119 processes are executed as. This takes a space-separated list
120 of group names or IDs. This option may be specified more than
121 once in which case all listed groups are set as supplementary
122 groups. When the empty string is assigned the list of
123 supplementary groups is reset, and all assignments prior to
this one will have no effect. In any case, this option does not
override but extends the list of supplementary groups
configured in the system group database for the
user.</para></listitem>
131 <term><varname>Nice=</varname></term>
133 <listitem><para>Sets the default nice level (scheduling
134 priority) for executed processes. Takes an integer between -20
135 (highest priority) and 19 (lowest priority). See
136 <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>
137 for details.</para></listitem>
141 <term><varname>OOMScoreAdjust=</varname></term>
143 <listitem><para>Sets the adjustment level for the
144 Out-Of-Memory killer for executed processes. Takes an integer
145 between -1000 (to disable OOM killing for this process) and
146 1000 (to make killing of this process under memory pressure
147 very likely). See <ulink
148 url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink>
149 for details.</para></listitem>
153 <term><varname>IOSchedulingClass=</varname></term>
155 <listitem><para>Sets the IO scheduling class for executed
156 processes. Takes an integer between 0 and 3 or one of the
157 strings <option>none</option>, <option>realtime</option>,
158 <option>best-effort</option> or <option>idle</option>. See
159 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
160 for details.</para></listitem>
164 <term><varname>IOSchedulingPriority=</varname></term>
166 <listitem><para>Sets the IO scheduling priority for executed
167 processes. Takes an integer between 0 (highest priority) and 7
168 (lowest priority). The available priorities depend on the
169 selected IO scheduling class (see above). See
170 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
171 for details.</para></listitem>
175 <term><varname>CPUSchedulingPolicy=</varname></term>
177 <listitem><para>Sets the CPU scheduling policy for executed
178 processes. Takes one of
179 <option>other</option>,
180 <option>batch</option>,
181 <option>idle</option>,
182 <option>fifo</option> or
183 <option>rr</option>. See
184 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
185 for details.</para></listitem>
189 <term><varname>CPUSchedulingPriority=</varname></term>
191 <listitem><para>Sets the CPU scheduling priority for executed
192 processes. The available priority range depends on the
193 selected CPU scheduling policy (see above). For real-time
194 scheduling policies an integer between 1 (lowest priority) and
195 99 (highest priority) can be used. See
196 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
197 for details. </para></listitem>
201 <term><varname>CPUSchedulingResetOnFork=</varname></term>
203 <listitem><para>Takes a boolean argument. If true, elevated
204 CPU scheduling priorities and policies will be reset when the
executed processes fork, and can hence not leak into child
processes. See
<citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
for details. Defaults to false.</para></listitem>
212 <term><varname>CPUAffinity=</varname></term>
214 <listitem><para>Controls the CPU affinity of the executed
215 processes. Takes a space-separated list of CPU indices. This
216 option may be specified more than once in which case the
217 specified CPU affinity masks are merged. If the empty string
218 is assigned, the mask is reset, all assignments prior to this
219 will have no effect. See
220 <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry>
221 for details.</para></listitem>
225 <term><varname>UMask=</varname></term>
227 <listitem><para>Controls the file mode creation mask. Takes an
228 access mode in octal notation. See
229 <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry>
230 for details. Defaults to 0022.</para></listitem>
234 <term><varname>Environment=</varname></term>
236 <listitem><para>Sets environment variables for executed
237 processes. Takes a space-separated list of variable
238 assignments. This option may be specified more than once in
239 which case all listed variables will be set. If the same
240 variable is set twice, the later setting will override the
241 earlier setting. If the empty string is assigned to this
242 option, the list of environment variables is reset, all prior
243 assignments have no effect. Variable expansion is not
244 performed inside the strings, however, specifier expansion is
245 possible. The $ character has no special meaning. If you need
246 to assign a value containing spaces to a variable, use double
247 quotes (") for the assignment.</para>
250 <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting>
251 gives three variables <literal>VAR1</literal>,
252 <literal>VAR2</literal>, <literal>VAR3</literal>
253 with the values <literal>word1 word2</literal>,
254 <literal>word3</literal>, <literal>$word 5 6</literal>.
259 <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
260 for details about environment variables.</para></listitem>
263 <term><varname>EnvironmentFile=</varname></term>
264 <listitem><para>Similar to <varname>Environment=</varname> but
265 reads the environment variables from a text file. The text
266 file should contain new-line-separated variable assignments.
267 Empty lines and lines starting with ; or # will be ignored,
268 which may be used for commenting. A line ending with a
269 backslash will be concatenated with the following one,
270 allowing multiline variable definitions. The parser strips
271 leading and trailing whitespace from the values of
272 assignments, unless you use double quotes (").</para>
274 <para>The argument passed should be an absolute filename or
275 wildcard expression, optionally prefixed with
276 <literal>-</literal>, which indicates that if the file does
277 not exist, it will not be read and no error or warning message
278 is logged. This option may be specified more than once in
279 which case all specified files are read. If the empty string
280 is assigned to this option, the list of file to read is reset,
281 all prior assignments have no effect.</para>
<para>The files listed with this directive will be read
shortly before the process is executed (more specifically,
after all processes from a previous unit state have terminated;
this means you can generate these files in one unit state and
read them with this option in the next). Settings from these
files override settings made with
<varname>Environment=</varname>. If the same variable is set
twice from these files, the files will be read in the order
they are specified and the later setting will override the
earlier setting. Note that the files are read with systemd's
own privileges, not those of the <varname>User=</varname>
configured for the service, and that anything set in them (for
example <literal>LD_PRELOAD</literal>) shapes how the service
runs, so keep them owned by root and not writable by the
service user or by other unprivileged users.</para></listitem>
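The rules above (quoting in Environment=, comment and continuation lines in environment files, the - prefix, and the override order) as an added, runnable example. This is illustrative code written for this page, not systemd's own parser; the paths and file contents are constructed, and wildcard EnvironmentFile= arguments are not handled.

```python
"""Added example for systemd.exec(5): re-implements the Environment= and
EnvironmentFile= resolution rules so the final environment a service will
see can be reasoned about without starting it.  Not systemd's own code."""

import shlex
from typing import Dict, List


def parse_environment_directive(value: str) -> Dict[str, str]:
    """One Environment= line: space-separated VAR=value words; double
    quotes group a value containing spaces, '$' is an ordinary character."""
    env: Dict[str, str] = {}
    for word in shlex.split(value):
        if "=" not in word:
            continue                     # not an assignment: systemd warns and ignores it
        key, _, val = word.partition("=")
        env[key] = val
    return env


def parse_env_file(text: str) -> Dict[str, str]:
    """One EnvironmentFile= file: newline-separated assignments, ';' and
    '#' comment lines, backslash continuation, whitespace stripped from
    values unless they are double-quoted."""
    logical: List[str] = []
    buf = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):           # continuation: join with the next line
            buf += raw[:-1]
            continue
        logical.append(buf + raw)
        buf = ""
    if buf:
        logical.append(buf)

    env: Dict[str, str] = {}
    for line in logical:
        line = line.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]              # quotes preserve inner whitespace
        env[key.strip()] = val
    return env


def resolve_environment(environment_lines: List[str],
                        environment_file_lines: List[str],
                        files: Dict[str, str]) -> Dict[str, str]:
    """Apply directives in unit-file order.  `files` stands in for the file
    system (path -> contents); a path missing from it is a missing file."""
    env: Dict[str, str] = {}
    for line in environment_lines:
        if line == "":
            env = {}                     # Environment= resets everything before it
        else:
            env.update(parse_environment_directive(line))

    specs: List[str] = []
    for line in environment_file_lines:
        specs = [] if line == "" else specs + [line]

    for spec in specs:                   # files are read in order; later wins
        optional = spec.startswith("-")
        path = spec[1:] if optional else spec
        if path not in files:
            if optional:
                continue                 # '-' prefix: silently skipped
            raise FileNotFoundError(path)   # otherwise starting the unit fails
        env.update(parse_env_file(files[path]))   # file settings beat Environment=
    return env


# Constructed sample unit settings and files (not taken from a real system).
ENVIRONMENT_LINES = ['"VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"', "PORT=1"]
ENVIRONMENT_FILE_LINES = ["/etc/exampled/base.conf",
                          "-/etc/exampled/local.conf",      # may be absent
                          "/etc/exampled/override.conf"]
FILES = {
    "/etc/exampled/base.conf": (
        "# constructed sample\n"
        "PORT = 8080\n"
        'SECRET="  keep  "\n'
        "LIST=a,\\\n"
        "b,\\\n"
        "c\n"
        "; trailing comment\n"
    ),
    "/etc/exampled/override.conf": "PORT=9090\n",
}


def demo() -> Dict[str, str]:
    return resolve_environment(ENVIRONMENT_LINES, ENVIRONMENT_FILE_LINES, FILES)


if __name__ == "__main__":
    for k, v in sorted(demo().items()):
        print(f"{k}={v!r}")
```

Running it shows PORT ending up as 9090: the Environment= value is beaten by base.conf, which is in turn beaten by override.conf because files are applied in the order listed, while the absent local.conf is skipped because of its - prefix.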
296 <term><varname>StandardInput=</varname></term>
297 <listitem><para>Controls where file descriptor 0 (STDIN) of
298 the executed processes is connected to. Takes one of
299 <option>null</option>,
300 <option>tty</option>,
301 <option>tty-force</option>,
302 <option>tty-fail</option> or
303 <option>socket</option>.</para>
305 <para>If <option>null</option> is selected, standard input
306 will be connected to <filename>/dev/null</filename>, i.e. all
307 read attempts by the process will result in immediate
310 <para>If <option>tty</option> is selected, standard input is
311 connected to a TTY (as configured by
312 <varname>TTYPath=</varname>, see below) and the executed
313 process becomes the controlling process of the terminal. If
314 the terminal is already being controlled by another process,
315 the executed process waits until the current controlling
316 process releases the terminal.</para>
318 <para><option>tty-force</option> is similar to
319 <option>tty</option>, but the executed process is forcefully
320 and immediately made the controlling process of the terminal,
321 potentially removing previous controlling processes from the
324 <para><option>tty-fail</option> is similar to
325 <option>tty</option> but if the terminal already has a
326 controlling process start-up of the executed process
329 <para>The <option>socket</option> option is only valid in
330 socket-activated services, and only when the socket
331 configuration file (see
332 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
333 for details) specifies a single socket only. If this option is
334 set, standard input will be connected to the socket the
335 service was activated from, which is primarily useful for
336 compatibility with daemons designed for use with the
338 <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
341 <para>This setting defaults to
342 <option>null</option>.</para></listitem>
345 <term><varname>StandardOutput=</varname></term>
346 <listitem><para>Controls where file descriptor 1 (STDOUT) of
347 the executed processes is connected to. Takes one of
348 <option>inherit</option>,
349 <option>null</option>,
350 <option>tty</option>,
351 <option>journal</option>,
352 <option>syslog</option>,
353 <option>kmsg</option>,
354 <option>journal+console</option>,
355 <option>syslog+console</option>,
356 <option>kmsg+console</option> or
357 <option>socket</option>.</para>
359 <para><option>inherit</option> duplicates the file descriptor
360 of standard input for standard output.</para>
362 <para><option>null</option> connects standard output to
363 <filename>/dev/null</filename>, i.e. everything written to it
366 <para><option>tty</option> connects standard output to a tty
367 (as configured via <varname>TTYPath=</varname>, see below). If
368 the TTY is used for output only, the executed process will not
369 become the controlling process of the terminal, and will not
370 fail or wait for other processes to release the
373 <para><option>journal</option> connects standard output with
374 the journal which is accessible via
375 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
376 Note that everything that is written to syslog or kmsg (see
377 below) is implicitly stored in the journal as well, the
378 specific two options listed below are hence supersets of this
381 <para><option>syslog</option> connects standard output to the
382 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
383 system syslog service, in addition to the journal. Note that
384 the journal daemon is usually configured to forward everything
385 it receives to syslog anyway, in which case this option is no
386 different from <option>journal</option>.</para>
388 <para><option>kmsg</option> connects standard output with the
389 kernel log buffer which is accessible via
390 <citerefentry project='man-pages'><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
391 in addition to the journal. The journal daemon might be
392 configured to send all logs to kmsg anyway, in which case this
393 option is no different from <option>journal</option>.</para>
395 <para><option>journal+console</option>,
396 <option>syslog+console</option> and
397 <option>kmsg+console</option> work in a similar way as the
398 three options above but copy the output to the system console
401 <para><option>socket</option> connects standard output to a
402 socket acquired via socket activation. The semantics are
403 similar to the same option of
404 <varname>StandardInput=</varname>.</para>
406 <para>This setting defaults to the value set with
407 <option>DefaultStandardOutput=</option> in
408 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
409 which defaults to <option>journal</option>.</para></listitem>
412 <term><varname>StandardError=</varname></term>
413 <listitem><para>Controls where file descriptor 2 (STDERR) of
414 the executed processes is connected to. The available options
415 are identical to those of <varname>StandardOutput=</varname>,
416 with one exception: if set to <option>inherit</option> the
417 file descriptor used for standard output is duplicated for
418 standard error. This setting defaults to the value set with
419 <option>DefaultStandardError=</option> in
420 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
421 which defaults to <option>inherit</option>.</para></listitem>
424 <term><varname>TTYPath=</varname></term>
425 <listitem><para>Sets the terminal device node to use if
426 standard input, output, or error are connected to a TTY (see
428 <filename>/dev/console</filename>.</para></listitem>
431 <term><varname>TTYReset=</varname></term>
432 <listitem><para>Reset the terminal device specified with
433 <varname>TTYPath=</varname> before and after execution.
434 Defaults to <literal>no</literal>.</para></listitem>
437 <term><varname>TTYVHangup=</varname></term>
438 <listitem><para>Disconnect all clients which have opened the
439 terminal device specified with <varname>TTYPath=</varname>
440 before and after execution. Defaults to
441 <literal>no</literal>.</para></listitem>
444 <term><varname>TTYVTDisallocate=</varname></term>
445 <listitem><para>If the terminal device specified with
446 <varname>TTYPath=</varname> is a virtual console terminal, try
447 to deallocate the TTY before and after execution. This ensures
448 that the screen and scrollback buffer is cleared. Defaults to
449 <literal>no</literal>.</para></listitem>
452 <term><varname>SyslogIdentifier=</varname></term>
453 <listitem><para>Sets the process name to prefix log lines sent
454 to the logging system or the kernel log buffer with. If not
455 set, defaults to the process name of the executed process.
456 This option is only useful when
457 <varname>StandardOutput=</varname> or
458 <varname>StandardError=</varname> are set to
459 <option>syslog</option>, <option>journal</option> or
460 <option>kmsg</option> (or to the same settings in combination
461 with <option>+console</option>).</para></listitem>
464 <term><varname>SyslogFacility=</varname></term>
465 <listitem><para>Sets the syslog facility to use when logging
466 to syslog. One of <option>kern</option>,
467 <option>user</option>, <option>mail</option>,
468 <option>daemon</option>, <option>auth</option>,
469 <option>syslog</option>, <option>lpr</option>,
470 <option>news</option>, <option>uucp</option>,
471 <option>cron</option>, <option>authpriv</option>,
472 <option>ftp</option>, <option>local0</option>,
473 <option>local1</option>, <option>local2</option>,
474 <option>local3</option>, <option>local4</option>,
475 <option>local5</option>, <option>local6</option> or
476 <option>local7</option>. See
477 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
478 for details. This option is only useful when
479 <varname>StandardOutput=</varname> or
480 <varname>StandardError=</varname> are set to
481 <option>syslog</option>. Defaults to
482 <option>daemon</option>.</para></listitem>
485 <term><varname>SyslogLevel=</varname></term>
486 <listitem><para>Default syslog level to use when logging to
487 syslog or the kernel log buffer. One of
488 <option>emerg</option>,
489 <option>alert</option>,
490 <option>crit</option>,
491 <option>err</option>,
492 <option>warning</option>,
493 <option>notice</option>,
494 <option>info</option>,
495 <option>debug</option>. See
496 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
497 for details. This option is only useful when
498 <varname>StandardOutput=</varname> or
499 <varname>StandardError=</varname> are set to
500 <option>syslog</option> or <option>kmsg</option>. Note that
501 individual lines output by the daemon might be prefixed with a
502 different log level which can be used to override the default
503 log level specified here. The interpretation of these prefixes
504 may be disabled with <varname>SyslogLevelPrefix=</varname>,
505 see below. For details see
506 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
509 <option>info</option>.</para></listitem>
513 <term><varname>SyslogLevelPrefix=</varname></term>
514 <listitem><para>Takes a boolean argument. If true and
515 <varname>StandardOutput=</varname> or
516 <varname>StandardError=</varname> are set to
517 <option>syslog</option>, <option>kmsg</option> or
518 <option>journal</option>, log lines written by the executed
519 process that are prefixed with a log level will be passed on
520 to syslog with this log level set but the prefix removed. If
521 set to false, the interpretation of these prefixes is disabled
522 and the logged lines are passed on as-is. For details about
524 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
525 Defaults to true.</para></listitem>
529 <term><varname>TimerSlackNSec=</varname></term>
530 <listitem><para>Sets the timer slack in nanoseconds for the
531 executed processes. The timer slack controls the accuracy of
532 wake-ups triggered by timers. See
533 <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
534 for more information. Note that in contrast to most other time
535 span definitions this parameter takes an integer value in
536 nano-seconds if no unit is specified. The usual time units are
537 understood too.</para></listitem>
541 <term><varname>LimitCPU=</varname></term>
542 <term><varname>LimitFSIZE=</varname></term>
543 <term><varname>LimitDATA=</varname></term>
544 <term><varname>LimitSTACK=</varname></term>
545 <term><varname>LimitCORE=</varname></term>
546 <term><varname>LimitRSS=</varname></term>
547 <term><varname>LimitNOFILE=</varname></term>
548 <term><varname>LimitAS=</varname></term>
549 <term><varname>LimitNPROC=</varname></term>
550 <term><varname>LimitMEMLOCK=</varname></term>
551 <term><varname>LimitLOCKS=</varname></term>
552 <term><varname>LimitSIGPENDING=</varname></term>
553 <term><varname>LimitMSGQUEUE=</varname></term>
554 <term><varname>LimitNICE=</varname></term>
555 <term><varname>LimitRTPRIO=</varname></term>
556 <term><varname>LimitRTTIME=</varname></term>
<listitem><para>These settings set both soft and hard limits
of various resources for executed processes. See
<citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
for details. Use the string <varname>infinity</varname> to
configure no limit on a specific resource. Since the hard limit
is set to the same value as the soft limit, the executed
process can lower these limits further but cannot raise them
again unless it retains
<constant>CAP_SYS_RESOURCE</constant>.</para></listitem>
564 <title>Limit directives and their equivalent with ulimit</title>
567 <colspec colname='directive' />
568 <colspec colname='equivalent' />
571 <entry>Directive</entry>
572 <entry>ulimit equivalent</entry>
577 <entry>LimitCPU</entry>
578 <entry>ulimit -t</entry>
581 <entry>LimitFSIZE</entry>
582 <entry>ulimit -f</entry>
585 <entry>LimitDATA</entry>
586 <entry>ulimit -d</entry>
589 <entry>LimitSTACK</entry>
590 <entry>ulimit -s</entry>
593 <entry>LimitCORE</entry>
594 <entry>ulimit -c</entry>
597 <entry>LimitRSS</entry>
598 <entry>ulimit -m</entry>
601 <entry>LimitNOFILE</entry>
602 <entry>ulimit -n</entry>
605 <entry>LimitAS</entry>
606 <entry>ulimit -v</entry>
609 <entry>LimitNPROC</entry>
610 <entry>ulimit -u</entry>
613 <entry>LimitMEMLOCK</entry>
614 <entry>ulimit -l</entry>
617 <entry>LimitLOCKS</entry>
618 <entry>ulimit -x</entry>
621 <entry>LimitSIGPENDING</entry>
622 <entry>ulimit -i</entry>
625 <entry>LimitMSGQUEUE</entry>
626 <entry>ulimit -q</entry>
629 <entry>LimitNICE</entry>
630 <entry>ulimit -e</entry>
633 <entry>LimitRTPRIO</entry>
634 <entry>ulimit -r</entry>
637 <entry>LimitRTTIME</entry>
638 <entry>No equivalent</entry>
646 <term><varname>PAMName=</varname></term>
647 <listitem><para>Sets the PAM service name to set up a session
648 as. If set, the executed process will be registered as a PAM
649 session under the specified service name. This is only useful
650 in conjunction with the <varname>User=</varname> setting. If
651 not set, no PAM session will be opened for the executed
653 <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
654 for details.</para></listitem>
658 <term><varname>CapabilityBoundingSet=</varname></term>
660 <listitem><para>Controls which capabilities to include in the
661 capability bounding set for the executed process. See
662 <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
663 for details. Takes a whitespace-separated list of capability
665 <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
666 e.g. <constant>CAP_SYS_ADMIN</constant>,
667 <constant>CAP_DAC_OVERRIDE</constant>,
668 <constant>CAP_SYS_PTRACE</constant>. Capabilities listed will
669 be included in the bounding set, all others are removed. If
670 the list of capabilities is prefixed with
671 <literal>~</literal>, all but the listed capabilities will be
included, i.e. the effect of the assignment is inverted. Note that
673 this option also affects the respective capabilities in the
674 effective, permitted and inheritable capability sets, on top
675 of what <varname>Capabilities=</varname> does. If this option
676 is not used, the capability bounding set is not modified on
677 process execution, hence no limits on the capabilities of the
678 process are enforced. This option may appear more than once in
679 which case the bounding sets are merged. If the empty string
680 is assigned to this option, the bounding set is reset to the
681 empty capability set, and all prior settings have no effect.
682 If set to <literal>~</literal> (without any further argument),
683 the bounding set is reset to the full set of available
684 capabilities, also undoing any previous
685 settings.</para></listitem>
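The inversion, reset and merge forms of CapabilityBoundingSet= described above, as an added example that is not systemd's code, together with the check a practitioner should run afterwards: compare the bounding set the directive is meant to produce with the CapBnd: line of /proc/<pid>/status for the service's main process. The capability numbers are those of linux/capability.h; the /proc/<pid>/status excerpts are constructed. The rule for repeated lines follows current systemd manuals (positive lines OR in, ~ lines AND out); older releases merged differently, so verify on the host you run.

```python
"""Added example for systemd.exec(5): compute the bounding set a unit's
CapabilityBoundingSet= lines should leave and compare it with what the
kernel reports in /proc/<pid>/status.  Not systemd's own code."""

from typing import Iterable, Optional, Set

# Capability numbers from linux/capability.h (CAP_CHECKPOINT_RESTORE = 40
# is the highest as of Linux 5.9; older kernels report fewer bits).
CAPABILITIES = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6,
    "CAP_SETUID": 7, "CAP_SETPCAP": 8, "CAP_LINUX_IMMUTABLE": 9,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_BROADCAST": 11, "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13, "CAP_IPC_LOCK": 14, "CAP_IPC_OWNER": 15,
    "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_PACCT": 20, "CAP_SYS_ADMIN": 21,
    "CAP_SYS_BOOT": 22, "CAP_SYS_NICE": 23, "CAP_SYS_RESOURCE": 24,
    "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26, "CAP_MKNOD": 27,
    "CAP_LEASE": 28, "CAP_AUDIT_WRITE": 29, "CAP_AUDIT_CONTROL": 30,
    "CAP_SETFCAP": 31, "CAP_MAC_OVERRIDE": 32, "CAP_MAC_ADMIN": 33,
    "CAP_SYSLOG": 34, "CAP_WAKE_ALARM": 35, "CAP_BLOCK_SUSPEND": 36,
    "CAP_AUDIT_READ": 37, "CAP_PERFMON": 38, "CAP_BPF": 39,
    "CAP_CHECKPOINT_RESTORE": 40,
}
FULL_SET = frozenset(CAPABILITIES)


def bounding_set_from_directives(lines: Iterable[str]) -> Optional[Set[str]]:
    """Apply CapabilityBoundingSet= lines in unit-file order.  None means
    no line was given, i.e. the bounding set is left unmodified."""
    result: Optional[Set[str]] = None
    for line in lines:
        line = line.strip()
        if line == "":                       # empty assignment: reset to the empty set
            result = set()
            continue
        if line == "~":                      # bare '~': reset to every capability
            result = set(FULL_SET)
            continue
        invert = line.startswith("~")
        names = {n.upper() for n in line.lstrip("~").split()}   # names are case-insensitive
        unknown = names - FULL_SET
        if unknown:
            raise ValueError(f"unknown capability name(s): {sorted(unknown)}")
        if invert:                           # keep all but the listed ones
            result = (set(FULL_SET) if result is None else result) - names
        else:                                # keep only the listed ones
            result = (set() if result is None else result) | names
    return result


def mask_from_caps(names: Iterable[str]) -> int:
    """Capability names -> the bitmask format used in /proc/<pid>/status."""
    mask = 0
    for n in names:
        mask |= 1 << CAPABILITIES[n]
    return mask


def caps_from_mask(mask: int) -> Set[str]:
    return {name for name, bit in CAPABILITIES.items() if (mask >> bit) & 1}


def bounding_set_from_proc_status(status_text: str) -> Set[str]:
    """Parse the hex 'CapBnd:' line of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return caps_from_mask(int(line.split(":", 1)[1].strip(), 16))
    raise ValueError("no CapBnd: line in status text")


def unexpected_capabilities(lines: Iterable[str], status_text: str) -> Set[str]:
    """Capabilities still in the live bounding set although the unit's
    CapabilityBoundingSet= lines should have removed them."""
    expected = bounding_set_from_directives(lines)
    if expected is None:
        return set()                         # nothing was restricted, nothing to flag
    return bounding_set_from_proc_status(status_text) - expected


# Constructed unit lines and /proc/<pid>/status excerpts (not captured
# from a real host).
HARDENED_LINES = ["~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYS_MODULE"]
STATUS_OK = "Name:\texampled\nCapBnd:\t000001ffffd6ffff\n"      # the three bits cleared
STATUS_LEAKY = "Name:\texampled\nCapBnd:\t000001ffffffffff\n"   # nothing dropped

if __name__ == "__main__":
    print("leaked:", sorted(unexpected_capabilities(HARDENED_LINES, STATUS_LEAKY)))
```

On a live system, replace the STATUS_* strings with the contents of /proc/<pid>/status for the MainPID reported by systemctl show -p MainPID for the unit. Bear in mind that the bounding set only caps what the process can ever obtain: for a service running under User=, an entry in CapBnd says nothing about whether the process actually holds that capability in its effective set.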
689 <term><varname>SecureBits=</varname></term>
690 <listitem><para>Controls the secure bits set for the executed
691 process. Takes a space-separated combination of options from
693 <option>keep-caps</option>,
694 <option>keep-caps-locked</option>,
695 <option>no-setuid-fixup</option>,
696 <option>no-setuid-fixup-locked</option>,
697 <option>noroot</option>, and
698 <option>noroot-locked</option>.
699 This option may appear more than once in which case the secure
700 bits are ORed. If the empty string is assigned to this option,
701 the bits are reset to 0. See
702 <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
703 for details.</para></listitem>
707 <term><varname>Capabilities=</varname></term>
708 <listitem><para>Controls the
709 <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
set for the executed process. Takes a capability string
describing the effective, permitted and inheritable capability
712 sets as documented in
713 <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
714 Note that these capability sets are usually influenced (and
715 filtered) by the capabilities attached to the executed file.
716 Due to that <varname>CapabilityBoundingSet=</varname> is
717 probably a much more useful setting.</para></listitem>
721 <term><varname>ReadWriteDirectories=</varname></term>
722 <term><varname>ReadOnlyDirectories=</varname></term>
723 <term><varname>InaccessibleDirectories=</varname></term>
725 <listitem><para>Sets up a new file system namespace for
726 executed processes. These options may be used to limit access
727 a process might have to the main file system hierarchy. Each
728 setting takes a space-separated list of absolute directory
729 paths. Directories listed in
730 <varname>ReadWriteDirectories=</varname> are accessible from
731 within the namespace with the same access rights as from
732 outside. Directories listed in
733 <varname>ReadOnlyDirectories=</varname> are accessible for
734 reading only, writing will be refused even if the usual file
735 access controls would permit this. Directories listed in
736 <varname>InaccessibleDirectories=</varname> will be made
737 inaccessible for processes inside the namespace. Note that
738 restricting access with these options does not extend to
739 submounts of a directory that are created later on. These
740 options may be specified more than once in which case all
741 directories listed will have limited access from within the
namespace. If the empty string is assigned to this option, the
specific list is reset, and all prior assignments have no
effect.</para>
<para>Paths in <varname>ReadOnlyDirectories=</varname> and
<varname>InaccessibleDirectories=</varname> may be prefixed with
<literal>-</literal>, in which case they will be ignored when
they do not exist. Note that using this setting will disconnect
propagation of mounts from the service to the host (propagation
in the opposite direction continues to work). This means that
this setting may not be used for services which shall be able
to install mount points in the main mount
namespace.</para></listitem>
764 <term><varname>PrivateTmp=</varname></term>
766 <listitem><para>Takes a boolean argument. If true, sets up a
767 new file system namespace for the executed processes and
mounts private <filename>/tmp</filename> and
<filename>/var/tmp</filename> directories inside it that are
not shared by processes outside of the namespace. This is
771 useful to secure access to temporary files of the process, but
772 makes sharing between processes via <filename>/tmp</filename>
773 or <filename>/var/tmp</filename> impossible. If this is
774 enabled, all temporary files created by a service in these
775 directories will be removed after the service is stopped.
776 Defaults to false. It is possible to run two or more units
777 within the same private <filename>/tmp</filename> and
778 <filename>/var/tmp</filename> namespace by using the
779 <varname>JoinsNamespaceOf=</varname> directive, see
780 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
781 for details. Note that using this setting will disconnect
782 propagation of mounts from the service to the host
783 (propagation in the opposite direction continues to work).
784 This means that this setting may not be used for services
785 which shall be able to install mount points in the main mount
786 namespace.</para></listitem>
<term><varname>PrivateDevices=</varname></term>
<listitem><para>Takes a boolean argument. If true, sets up a
new <filename>/dev</filename> namespace for the executed processes and only adds
API pseudo devices such as <filename>/dev/null</filename>,
<filename>/dev/zero</filename> or
<filename>/dev/random</filename> (as well as the pseudo TTY
subsystem) to it, but no physical devices such as
<filename>/dev/sda</filename>. This is useful to securely turn
off physical device access by the executed process. Defaults
to false. Enabling this option will also remove
<constant>CAP_MKNOD</constant> from the capability bounding
set for the unit (see above), and set
<varname>DevicePolicy=closed</varname> (see
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details). Note that using this setting will disconnect
propagation of mounts from the service to the host
(propagation in the opposite direction continues to work).
This means that this setting may not be used for services
which shall be able to install mount points in the main mount
namespace.</para></listitem>
<term><varname>PrivateNetwork=</varname></term>
<listitem><para>Takes a boolean argument. If true, sets up a
new network namespace for the executed processes and
configures only the loopback network device
<literal>lo</literal> inside it. No other network devices will
be available to the executed process. This is useful to
securely turn off network access by the executed process.
Defaults to false. It is possible to run two or more units
within the same private network namespace by using the
<varname>JoinsNamespaceOf=</varname> directive, see
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details. Note that this option will disconnect all socket
families from the host, including <constant>AF_NETLINK</constant> and
<constant>AF_UNIX</constant>. The latter has the effect that
<constant>AF_UNIX</constant> sockets in the abstract
socket namespace will become unavailable to the processes
(however, those located in the file system will continue to be
accessible).</para></listitem>
<term><varname>ProtectSystem=</varname></term>
<listitem><para>Takes a boolean argument or
<literal>full</literal>. If true, mounts the
<filename>/usr</filename> and <filename>/boot</filename>
directories read-only for processes invoked by this unit. If
set to <literal>full</literal>, the <filename>/etc</filename>
directory is mounted read-only, too. This setting ensures that
any modification of the vendor supplied operating system (and
optionally its configuration) is prohibited for the service.
It is recommended to enable this setting for all long-running
services, unless they are involved with system updates or need
to modify the operating system in other ways. Note however
that processes retaining the <constant>CAP_SYS_ADMIN</constant> capability can undo
the effect of this setting. This setting is hence particularly
useful for daemons which have this capability removed, for
example with <varname>CapabilityBoundingSet=</varname>.
Defaults to off.</para></listitem>
<term><varname>ProtectHome=</varname></term>
<listitem><para>Takes a boolean argument or
<literal>read-only</literal>. If true, the directories
<filename>/home</filename> and <filename>/run/user</filename>
are made inaccessible and empty for processes invoked by this
unit. If set to <literal>read-only</literal>, the two
directories are made read-only instead. It is recommended to
enable this setting for all long-running services (in
particular network-facing ones), to ensure they cannot get
access to private user data, unless the services actually
require access to the user's private data. Note however that
processes retaining the <constant>CAP_SYS_ADMIN</constant> capability can undo the
effect of this setting. This setting is hence particularly
useful for daemons which have this capability removed, for
example with <varname>CapabilityBoundingSet=</varname>.
Defaults to off.</para></listitem>
<term><varname>MountFlags=</varname></term>
<listitem><para>Takes a mount propagation flag:
<option>shared</option>, <option>slave</option> or
<option>private</option>, which control whether mounts in the
file system namespace set up for this unit's processes will
receive or propagate mounts or unmounts. See
<citerefentry><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>
for details. Defaults to <option>shared</option>. Use
<option>shared</option> to ensure that mounts and unmounts are
propagated from the host to the container and vice versa. Use
<option>slave</option> to run processes so that none of their
mounts and unmounts will propagate to the host. Use
<option>private</option> to also ensure that no mounts and
unmounts from the host will propagate into the unit processes'
namespace. Note that <option>slave</option> means that file
systems mounted on the host might stay mounted continuously in
the unit's namespace, and thus keep the device busy. Note that
the file system namespace related options
(<varname>PrivateTmp=</varname>,
<varname>PrivateDevices=</varname>,
<varname>ProtectSystem=</varname>,
<varname>ProtectHome=</varname>,
<varname>ReadOnlyDirectories=</varname>,
<varname>InaccessibleDirectories=</varname> and
<varname>ReadWriteDirectories=</varname>) require that mount
and unmount propagation from the unit's file system namespace
is disabled, and hence downgrade <option>shared</option> to
<option>slave</option>.</para></listitem>
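The implied settings described for <varname>PrivateDevices=</varname> and <varname>MountFlags=</varname> above can be checked mechanically. The following is an added example and not systemd's own code: it reads the <literal>[Service]</literal> section of a constructed unit file and reports the consequences this page documents (removal of <constant>CAP_MKNOD</constant> from the bounding set, <varname>DevicePolicy=closed</varname>, and the downgrade of <option>shared</option> to <option>slave</option> whenever a namespace-related option is in use). The unit text, the option name <varname>DevicePolicy=</varname> being reported as unset when absent, and the treatment of any non-false value as "in use" are assumptions of the example.

```python
"""Derive the settings this page states are implied by PrivateDevices=
and by the file system namespace options.

Added example, not systemd code. The unit text at the bottom is
constructed for the demonstration.
"""
import configparser

# Options the MountFlags= description lists as requiring that propagation
# out of the unit's namespace be disabled.
NAMESPACE_OPTIONS = (
    "PrivateTmp", "PrivateDevices", "ProtectSystem", "ProtectHome",
    "ReadOnlyDirectories", "InaccessibleDirectories", "ReadWriteDirectories",
)
# Assumption: these spellings mean "off"; anything else counts as in use.
FALSE_VALUES = ("", "0", "no", "false", "off")


def is_enabled(value):
    """True for any value other than an empty string or a false boolean."""
    return value.strip().lower() not in FALSE_VALUES


def effective_settings(unit_text):
    """Return the MountFlags=, DevicePolicy= and bounding-set changes that
    follow from the [Service] options, per the rules on this page."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # unit option names are case-sensitive
    cp.read_string(unit_text)
    svc = cp["Service"] if cp.has_section("Service") else {}

    settings = {
        "MountFlags": svc.get("MountFlags", "shared").strip(),
        # Assumption: None stands for "DevicePolicy= not set in the unit".
        "DevicePolicy": svc.get("DevicePolicy", None),
        "CapabilityBoundingSet_removed": set(),
    }

    # PrivateDevices=yes removes CAP_MKNOD and sets DevicePolicy=closed.
    if is_enabled(svc.get("PrivateDevices", "no")):
        settings["CapabilityBoundingSet_removed"].add("CAP_MKNOD")
        settings["DevicePolicy"] = "closed"

    # Any namespace-related option downgrades shared propagation to slave;
    # an explicit private (or slave) setting is kept as written.
    if (any(is_enabled(svc.get(opt, "")) for opt in NAMESPACE_OPTIONS)
            and settings["MountFlags"] == "shared"):
        settings["MountFlags"] = "slave"
    return settings


# Constructed unit file for the demonstration.
HARDENED_UNIT = """\
[Unit]
Description=constructed example service

[Service]
ExecStart=/usr/bin/example-daemon
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
"""

if __name__ == "__main__":
    print(effective_settings(HARDENED_UNIT))
```

Running the script prints the derived settings for the constructed unit; a unit without any of the namespace options keeps <option>shared</option> and leaves the bounding set untouched.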
<term><varname>UtmpIdentifier=</varname></term>
<listitem><para>Takes a four character identifier string for
a utmp/wtmp entry for this service. This should only be set
for services such as <command>getty</command> implementations
where utmp/wtmp entries must be created and cleared before and
after execution. If the configured string is longer than four
characters, it is truncated and the terminal four characters
are used. This setting interprets %I style string
replacements. This setting is unset by default, i.e. no
utmp/wtmp entries are created or cleaned up for this
service.</para></listitem>
<term><varname>SELinuxContext=</varname></term>
<listitem><para>Set the SELinux security context of the
executed process. If set, this will override the automated
domain transition. However, the policy still needs to
authorize the transition. This directive is ignored if SELinux
is disabled. If prefixed by <literal>-</literal>, all errors
<citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
for details.</para></listitem>
<term><varname>AppArmorProfile=</varname></term>
<listitem><para>Takes a profile name as argument. The process
executed by the unit will switch to this profile when started.
Profiles must already be loaded in the kernel, or the unit
will fail. This setting has no effect if AppArmor is not
enabled. If prefixed by <literal>-</literal>, all errors will
be ignored.</para></listitem>
<term><varname>SmackProcessLabel=</varname></term>
<listitem><para>Takes a <option>SMACK64</option> security
label as argument. The process executed by the unit will be
started under this label and SMACK will decide whether the
process is allowed to run or not based on it. The process
will continue to run under the label specified here unless the
executable has its own <option>SMACK64EXEC</option> label, in
which case the process will transition to run under that
label. When not specified, the label that systemd is running
under is used. This directive is ignored if SMACK is
<para>The value may be prefixed by <literal>-</literal>, in
which case all errors will be ignored. An empty value may be
specified to unset previous assignments.</para>
<term><varname>IgnoreSIGPIPE=</varname></term>
<listitem><para>Takes a boolean argument. If true, causes
<constant>SIGPIPE</constant> to be ignored in the executed
process. Defaults to true because <constant>SIGPIPE</constant>
generally is useful only in shell pipelines.</para></listitem>
<term><varname>NoNewPrivileges=</varname></term>
<listitem><para>Takes a boolean argument. If true, ensures
that the service process and all its children can never gain
new privileges. This option is more powerful than the
respective secure bits flags (see above), as it also prohibits
UID changes of any kind. This is the simplest, most effective
way to ensure that a process and its children can never
elevate privileges again.</para></listitem>
<term><varname>SystemCallFilter=</varname></term>
<listitem><para>Takes a space-separated list of system call
names. If this setting is used, all system calls executed by
the unit processes except for the listed ones will result in
immediate process termination with the
<constant>SIGSYS</constant> signal (whitelisting). If the
first character of the list is <literal>~</literal>, the
effect is inverted: only the listed system calls will result
in immediate process termination (blacklisting). If running in
user mode and this option is used,
<varname>NoNewPrivileges=yes</varname> is implied. This
feature makes use of the Secure Computing Mode 2 interfaces of
the kernel ('seccomp filtering') and is useful for enforcing a
minimal sandboxing environment. Note that the
<function>execve</function>,
<function>rt_sigreturn</function>,
<function>sigreturn</function>,
<function>exit_group</function>, <function>exit</function>
system calls are implicitly whitelisted and do not need to be
listed explicitly. This option may be specified more than once,
in which case the filter masks are merged. If the empty string
is assigned, the filter is reset, and all prior assignments will
have no effect.</para>
<para>If you specify both types of this option (i.e.
whitelisting and blacklisting), the first encountered will
take precedence and will dictate the default action
(termination or approval of a system call). Then the next
occurrences of this option will add or delete the listed
system calls from the set of the filtered system calls,
depending on its type and the default action. (For example, if
you have started with a whitelisting of
<function>read</function> and <function>write</function>, and
right after it add a blacklisting of
<function>write</function>, then <function>write</function>
will be removed from the set.)</para></listitem>
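The merge rules in the two paragraphs above (first occurrence fixes the default action, later occurrences add to or remove from the set, the empty string resets, and the five implicitly whitelisted calls) are easy to get wrong when a unit and its drop-ins each carry their own <varname>SystemCallFilter=</varname> line. The following added example, which is not systemd's code, models those rules on a list of option values given in unit order, and folds in the effect of <varname>SystemCallErrorNumber=</varname> and the <varname>NoNewPrivileges=yes</varname> implication for user mode. The function names, the "kill"/"allow" labels and the sample values are the example's own.

```python
"""Effective system call filter from a sequence of SystemCallFilter=
assignments, following the merge rules described on this page.

Added example, not systemd code. The option values passed in are
constructed for the demonstration.
"""

# Listed by the page as implicitly whitelisted: a whitelisting filter
# never has to name them.
IMPLICITLY_WHITELISTED = frozenset(
    {"execve", "rt_sigreturn", "sigreturn", "exit_group", "exit"})


def effective_filter(assignments, user_mode=False, error_number=None):
    """Merge SystemCallFilter= values in the order they appear in the unit.

    Returns a dict describing the resulting filter:
      default_action  "kill" (whitelisting), "allow" (blacklisting) or
                      None when no filter is in effect
      listed          the system calls the filter is keyed on
      on_violation    what a filtered call results in, honouring
                      SystemCallErrorNumber= (error_number)
      implies_no_new_privileges  True in user mode with a filter present
    """
    default_action = None
    listed = set()
    for value in assignments:
        value = value.strip()
        if value == "":
            # The empty string resets the filter; earlier lines are void.
            default_action, listed = None, set()
            continue
        is_blacklist = value.startswith("~")
        names = value.lstrip("~").split()
        if default_action is None:
            # The first occurrence dictates the default action.
            default_action = "allow" if is_blacklist else "kill"
            listed.update(names)
        elif is_blacklist == (default_action == "allow"):
            # Same type as the first occurrence: add to the set.
            listed.update(names)
        else:
            # Opposite type: remove from the set.
            listed.difference_update(names)

    if default_action == "kill":
        listed |= IMPLICITLY_WHITELISTED

    return {
        "default_action": default_action,
        "listed": frozenset(listed),
        "on_violation": ("SIGSYS" if error_number is None
                         else f"return {error_number}"),
        "implies_no_new_privileges": user_mode and default_action is not None,
    }


def call_allowed(filt, syscall):
    """Whether a system call passes the filter computed above."""
    if filt["default_action"] is None:
        return True
    if filt["default_action"] == "kill":
        return syscall in filt["listed"]
    return syscall not in filt["listed"]


if __name__ == "__main__":
    # The page's own example: whitelist read and write, then blacklist write.
    f = effective_filter(["read write", "~write"])
    print(f["default_action"], sorted(f["listed"]))
```

The first call reproduces the page's example: <function>read</function> survives, <function>write</function> is removed, and the implicitly whitelisted calls are present although never listed.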
<term><varname>SystemCallErrorNumber=</varname></term>
<listitem><para>Takes an <literal>errno</literal> error number
name to return when the system call filter configured with
<varname>SystemCallFilter=</varname> is triggered, instead of
terminating the process immediately. Takes an error name such
as <constant>EPERM</constant>, <constant>EACCES</constant> or
<constant>EUCLEAN</constant>. When this setting is not used,
or when the empty string is assigned, the process will be
terminated immediately when the filter is
triggered.</para></listitem>
<term><varname>SystemCallArchitectures=</varname></term>
<listitem><para>Takes a space-separated list of architecture
identifiers to include in the system call filter. The known
architecture identifiers are <constant>x86</constant>,
<constant>x86-64</constant>, <constant>x32</constant>,
<constant>arm</constant> as well as the special identifier
<constant>native</constant>. Only system calls of the
specified architectures will be permitted to processes of this
unit. This is an effective way to disable compatibility with
non-native architectures for processes, for example to
prohibit execution of 32-bit x86 binaries on 64-bit x86-64
systems. The special <constant>native</constant> identifier
implicitly maps to the native architecture of the system (or
more strictly: to the architecture the system manager is
compiled for). If running in user mode and this option is
used, <varname>NoNewPrivileges=yes</varname> is implied. Note
that setting this option to a non-empty list implies that
<constant>native</constant> is included too. By default, this
option is set to the empty list, i.e. no architecture system
call filtering is applied.</para></listitem>
<term><varname>RestrictAddressFamilies=</varname></term>
<listitem><para>Restricts the set of socket address families
accessible to the processes of this unit. Takes a
space-separated list of address family names to whitelist,
<constant>AF_UNIX</constant>,
<constant>AF_INET</constant> or
<constant>AF_INET6</constant>. When
prefixed with <constant>~</constant> the listed address
families will be applied as a blacklist, otherwise as a whitelist.
Note that this restricts access to the
<citerefentry><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry>
system call only. Sockets passed into the process by other
means (for example, by using socket activation with socket
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
are unaffected. Also, sockets created with
<function>socketpair()</function> (which creates connected
<constant>AF_UNIX</constant> sockets only) are unaffected. Note that this option
has no effect on 32-bit x86 and is ignored (but works
correctly on x86-64). If running in user mode and this option
is used, <varname>NoNewPrivileges=yes</varname> is implied. By
default, no restriction applies, all address families are
accessible to processes. If assigned the empty string, any
previous list changes are undone.</para>
<para>Use this option to limit exposure of processes to remote
systems, in particular via exotic network protocols. Note that
in most cases, the local <constant>AF_UNIX</constant> address
family should be included in the configured whitelist as it is
frequently used for local communication, including for
<citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry>
logging.</para></listitem>
<term><varname>Personality=</varname></term>
<listitem><para>Controls which kernel architecture
<citerefentry><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry>
shall report, when invoked by unit processes. Takes one of
<constant>x86</constant> and <constant>x86-64</constant>. This
is useful when running 32-bit services on a 64-bit host
system. If not specified, the personality is left unmodified
and thus reflects the personality of the host system's
kernel.</para></listitem>
<term><varname>RuntimeDirectory=</varname></term>
<term><varname>RuntimeDirectoryMode=</varname></term>
<listitem><para>Takes a list of directory names. If set, one
or more directories by the specified names will be created
below <filename>/run</filename> (for system services) or below
<varname>$XDG_RUNTIME_DIR</varname> (for user services) when
the unit is started, and removed when the unit is stopped. The
directories will have the access mode specified in
<varname>RuntimeDirectoryMode=</varname>, and will be owned by
the user and group specified in <varname>User=</varname> and
<varname>Group=</varname>. Use this to manage one or more
runtime directories of the unit and bind their lifetime to the
daemon runtime. The specified directory names must be
relative, and may not include a <literal>/</literal>, i.e.
must refer to simple directories to create or remove. This is
particularly useful for unprivileged daemons that cannot
create runtime directories in <filename>/run</filename> due to
lack of privileges, and to make sure the runtime directory is
cleaned up automatically after use. For runtime directories
that require more complex or different configuration or
lifetime guarantees, please consider using
<citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem>
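The naming rule for <varname>RuntimeDirectory=</varname> (relative, no <literal>/</literal>, one simple directory per name) and the choice of base directory between system and user services can be expressed as a small resolver. The following is an added example, not systemd's code: given the <literal>[Service]</literal> options as a dictionary, it rejects names the page forbids and returns the path, mode and ownership each directory would get. The default mode used when <varname>RuntimeDirectoryMode=</varname> is absent, the rejection of <literal>.</literal> and <literal>..</literal>, and the <literal>None</literal> placeholders for an unset <varname>User=</varname> or <varname>Group=</varname> are assumptions of the example; the page does not state them.

```python
"""Resolve the directories a unit's RuntimeDirectory= setting creates,
applying the naming rules stated on this page.

Added example, not systemd code. The default mode 0755 and the
rejection of "." and ".." are assumptions the page does not state.
"""
import os


def valid_runtime_directory_name(name):
    """A name must be relative and contain no '/', i.e. a simple directory.
    Rejecting '.' and '..' is an assumption: neither names a directory
    that could be created or removed."""
    return bool(name) and "/" not in name and name not in (".", "..")


def runtime_directories(service, user_mode=False, xdg_runtime_dir=None):
    """service: dict of [Service] options (constructed for the example).

    Returns a list of (path, mode, user, group) tuples, one per directory;
    raises ValueError for a name the page forbids or when a user service
    has no $XDG_RUNTIME_DIR to create directories below.
    """
    names = service.get("RuntimeDirectory", "").split()
    # Assumption: 0755 when RuntimeDirectoryMode= is not given.
    mode = int(service.get("RuntimeDirectoryMode", "0755"), 8)
    # None means the option is unset; the page only defines the owner in
    # terms of User= and Group= when they are specified.
    user = service.get("User")
    group = service.get("Group")

    if user_mode:
        if not xdg_runtime_dir:
            raise ValueError("user services need $XDG_RUNTIME_DIR")
        base = xdg_runtime_dir
    else:
        base = "/run"

    resolved = []
    for name in names:
        if not valid_runtime_directory_name(name):
            raise ValueError(
                f"RuntimeDirectory= name must be a simple relative name: {name!r}")
        resolved.append((os.path.join(base, name), mode, user, group))
    return resolved


if __name__ == "__main__":
    # Constructed [Service] options for the demonstration.
    opts = {"RuntimeDirectory": "mydaemon mydaemon-sockets",
            "RuntimeDirectoryMode": "0750", "User": "mydaemon"}
    for path, mode, user, group in runtime_directories(opts):
        print(f"{path} mode={mode:04o} user={user} group={group}")
```

For a system service the directories land below <filename>/run</filename>; passing <literal>user_mode=True</literal> with the value of <varname>$XDG_RUNTIME_DIR</varname> places them below that directory instead, and a name such as <literal>foo/bar</literal> is refused before anything is resolved.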
<title>Environment variables in spawned processes</title>
<para>Processes started by the system are executed in a clean
environment in which select variables listed below are set. System
processes started by systemd do not inherit variables from PID 1,
but processes started by user systemd instances inherit all
environment variables from the user systemd instance.
<variablelist class='environment-variables'>
<term><varname>$PATH</varname></term>
<listitem><para>Colon-separated list of directories to use
when launching executables. Systemd uses a fixed value of
<filename>/usr/local/sbin</filename>:<filename>/usr/local/bin</filename>:<filename>/usr/sbin</filename>:<filename>/usr/bin</filename>:<filename>/sbin</filename>:<filename>/bin</filename>.
<term><varname>$LANG</varname></term>
<listitem><para>Locale. Can be set in
<citerefentry><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
or on the kernel command line (see
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
<citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>).
<term><varname>$USER</varname></term>
<term><varname>$LOGNAME</varname></term>
<term><varname>$HOME</varname></term>
<term><varname>$SHELL</varname></term>
<listitem><para>User name (twice), home directory, and the
login shell. The variables are set for the units that have
<varname>User=</varname> set, which includes user
<command>systemd</command> instances. See
<citerefentry><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
<term><varname>$XDG_RUNTIME_DIR</varname></term>
<listitem><para>The directory for volatile state. Set for the
user <command>systemd</command> instance, and also in user
<citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
<term><varname>$XDG_SESSION_ID</varname></term>
<term><varname>$XDG_SEAT</varname></term>
<term><varname>$XDG_VTNR</varname></term>
<listitem><para>The identifier of the session, the seat name,
and virtual terminal of the session. Set by
<citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for login sessions. <varname>$XDG_SEAT</varname> and
<varname>$XDG_VTNR</varname> will only be set when attached to
a seat and a tty.</para></listitem>
<term><varname>$MAINPID</varname></term>
<listitem><para>The PID of the unit's main process if it is
known. This is only set for control processes as invoked by
<varname>ExecReload=</varname> and similar.</para></listitem>
<term><varname>$MANAGERPID</varname></term>
<listitem><para>The PID of the user <command>systemd</command>
instance, set for processes spawned by it.</para></listitem>
<term><varname>$LISTEN_FDS</varname></term>
<term><varname>$LISTEN_PID</varname></term>
<listitem><para>Information about file descriptors passed to a
service for socket activation. See
<citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
<term><varname>$TERM</varname></term>
<listitem><para>Terminal type, set only for units connected to
a terminal (<varname>StandardInput=tty</varname>,
<varname>StandardOutput=tty</varname>, or
<varname>StandardError=tty</varname>). See
<citerefentry project='man-pages'><refentrytitle>termcap</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
<para>Additional variables may be configured by the following
means: for processes spawned in specific units, use the
<varname>Environment=</varname> and
<varname>EnvironmentFile=</varname> options above; to specify
variables globally, use <varname>DefaultEnvironment=</varname>
<citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
or the kernel option <varname>systemd.setenv=</varname> (see
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).
Additional variables may also be set through PAM,
cf. <citerefentry project='man-pages'><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
<title>See Also</title>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
<citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry>