X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=4294e54a5505c0a4bb339cda7123e5a9cedb41bd;hp=c25d96e9fdde0c9aa4fb0dbfb6a1d809d937b85e;hb=1fda0ab5fc9cf7454c8da32941e433dc38ba9991;hpb=fbc15b7663730fd8c8c5cfcd54878a2e764c46ea diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index c25d96e9f..4294e54a5 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -129,7 +129,7 @@ Sets the supplementary Unix groups the processes are executed - as. This takes a space separated list + as. This takes a space-separated list of group names or IDs. This option may be specified more than once in which case all listed groups are set as @@ -288,8 +288,9 @@ variables is reset, all prior assignments have no effect. Variable expansion is not performed - inside the strings, and $ has no special - meaning. + inside the strings, however, specifier + expansion is possible. $ character has + no special meaning. If you need to assign a value containing spaces to a variable, use double quotes (") for the assignment. @@ -311,7 +312,7 @@ Environment= but reads the environment variables from a text file. The text file should - contain new-line separated variable + contain new-line-separated variable assignments. Empty lines and lines starting with ; or # will be ignored, which may be used for commenting. A line @@ -323,17 +324,18 @@ double quotes ("). The argument passed should be an - absolute file name or wildcard + absolute filename or wildcard expression, optionally prefixed with - "-", which indicates that if the file - does not exist it won't be read and no - error or warning message is logged. - This option may be specified more than - once in which case all specified files - are read. If the empty string is - assigned to this option the list of - file to read is reset, all prior - assignments have no effect. + -, which indicates + that if the file does not exist it + won't be read and no error or warning + message is logged. This option may be + specified more than once in which case + all specified files are read. If the + empty string is assigned to this + option the list of file to read is + reset, all prior assignments have no + effect. The files listed with this directive will be read shortly before @@ -716,13 +718,12 @@ capability bounding set for the executed process. See capabilities7 - for details. Takes a whitespace - separated list of capability names as - read by + for details. Takes a whitespace-separated + list of capability names as read by cap_from_name3, - e.g. CAP_SYS_ADMIN - CAP_DAC_OVERRIDE - CAP_SYS_PTRACE. + e.g. CAP_SYS_ADMIN, + CAP_DAC_OVERRIDE, + CAP_SYS_PTRACE. Capabilities listed will be included in the bounding set, all others are removed. If the list of capabilities @@ -799,10 +800,10 @@ space-separated list of cgroup identifiers. A cgroup identifier is formatted like - cpu:/foo/bar, + cpu:/foo/bar, where "cpu" indicates the kernel control group controller used, and - /foo/bar is the + /foo/bar is the control group path. The controller name and ":" may be omitted in which case the named systemd control group @@ -985,7 +986,7 @@ Control access to specific device nodes by the executed processes. Takes two - space separated strings: a device node + space-separated strings: a device node path (such as /dev/null) followed by a combination of r, w, m @@ -1010,7 +1011,7 @@ processes. Takes either a single weight value (between 10 and 1000) to set the default block IO weight, or a - space separated pair of a file path + space-separated pair of a file path and a weight value to specify the device specific weight value (Example: "/dev/sda 500"). The file path may be @@ -1036,8 +1037,8 @@ Set the per-device overall block IO bandwidth limit for - the executed processes. Takes a space - separated pair of a file path and a + the executed processes. Takes a + space-separated pair of a file path and a bandwidth value (in bytes per second) to specify the device specific bandwidth. The file path may be @@ -1068,10 +1069,10 @@ InaccessibleDirectories= Sets up a new - file-system name space for executed + file system namespace for executed processes. These options may be used to limit access a process might have - to the main file-system + to the main file system hierarchy. Each setting takes a space-separated list of absolute directory paths. Directories listed in @@ -1184,10 +1185,10 @@ IgnoreSIGPIPE= Takes a boolean - argument. If true causes SIGPIPE to be + argument. If true, causes SIGPIPE to be ignored in the executed - process. Defaults to true, since - SIGPIPE generally is useful only in + process. Defaults to true because + SIGPIPE generally is useful only in shell pipelines. @@ -1195,7 +1196,7 @@ NoNewPrivileges= Takes a boolean - argument. If true ensures that the + argument. If true, ensures that the service process and all its children can never gain new privileges. This option is more powerful than the respective @@ -1210,13 +1211,14 @@ SystemCallFilter= - Takes a space - separated list of system call - names. If this setting is used all + Takes a space-separated + list of system call + names. If this setting is used, all system calls executed by the unit process except for the listed ones will result in immediate process - termination with the SIGSYS signal + termination with the + SIGSYS signal (whitelisting). If the first character of the list is ~ the effect is inverted: only the