X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=b338899d81f7bc0665dba7350e747ebab7638bb4;hp=11ad7f6605df0d92da9f7505ebc4c609b34082e6;hb=9b15b7846d4de01bb5d9700a24077787e984e8ab;hpb=7f8aa67131cfc03ddcbd31c0420754864fc122f0 diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 11ad7f660..b338899d8 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -103,7 +103,7 @@ directory path. Sets the root directory for executed processes, with the - chroot2 + chroot2 system call. If this is used, it must be ensured that the process and all its auxiliary files are available in @@ -250,7 +250,7 @@ processes. Takes a space-separated list of CPU indices. This option may be specified more than once in which - case the specificed CPU affinity masks + case the specified CPU affinity masks are merged. If the empty string is assigned, the mask is reset, all assignments prior to this will have no @@ -304,7 +304,7 @@ See - environ7 + environ7 for details about environment variables. @@ -340,9 +340,14 @@ The files listed with this directive will be read shortly before - the process is executed. Settings from - these files override settings made - with + the process is executed (more + specifically, after all + processes from a previous unit state + terminated. This means you can + generate these files in one unit + state, and read it with this option in + the next). Settings from these files + override settings made with Environment=. If the same variable is set twice from these files, the files will be read in @@ -360,39 +365,47 @@ , , or - . If - is selected, - standard input will be connected to + . + + If is + selected, standard input will be + connected to /dev/null, i.e. all read attempts by the process - will result in immediate EOF. If - is selected, - standard input is connected to a TTY - (as configured by + will result in immediate EOF. + + If is + selected, standard input is connected + to a TTY (as configured by TTYPath=, see below) and the executed process becomes the controlling process of the terminal. If the terminal is already - being controlled by another process, the - executed process waits until the current - controlling process releases the - terminal. - - is similar to , - but the executed process is forcefully - and immediately made the controlling + being controlled by another process, + the executed process waits until the + current controlling process releases + the terminal. + + is similar + to , but the + executed process is forcefully and + immediately made the controlling process of the terminal, potentially removing previous controlling processes from the - terminal. is + terminal. + + is similar to but if the terminal already has a controlling process start-up of the executed - process fails. The - option is only - valid in socket-activated services, - and only when the socket configuration - file (see + process fails. + + The + option is only valid in + socket-activated services, and only + when the socket configuration file + (see systemd.socket5 for details) specifies a single socket only. If this option is set, standard @@ -402,7 +415,9 @@ with daemons designed for use with the traditional inetd8 - daemon. This setting defaults to + daemon. + + This setting defaults to . @@ -413,56 +428,84 @@ of , , , + , , , - , + , , - , - or - . If set to - , the file - descriptor of standard input is - duplicated for standard output. If set - to , standard - output will be connected to + or + . + + + duplicates the file descriptor of + standard input for standard + output. + + connects + standard output to /dev/null, i.e. everything written to it will be - lost. If set to , - standard output will be connected to a - tty (as configured via + lost. + + connects + standard output to a tty (as + configured via TTYPath=, see below). If the TTY is used for output only, the executed process will not become the controlling process of the terminal, and will not fail or wait for other processes to release the - terminal. - connects standard output to the - syslog3 - system syslog - service. - connects it with the kernel log buffer - which is accessible via - dmesg1. - connects it with the journal which is - accessible via - journalctl1 - (Note that everything that is written - to syslog or kmsg is implicitly stored - in the journal as well, those options - are hence supersets of this - one). , - and - work - similarly but copy the output to the - system console as - well. connects - standard output to a socket from - socket activation, semantics are - similar to the respective option of - StandardInput=. - This setting defaults to the value set - with + terminal. + + + connects standard output with the + journal which is accessible via + journalctl1. + Note that everything that is written + to syslog or kmsg (see below) is + implicitly stored in the journal as + well, the specific two options listed + below are hence supersets of this + one. + + connects + standard output to the syslog3 + system syslog service, in addition to + the journal. Note that the journal + daemon is usually configured to + forward everything it receives to + syslog anyway, in which case this + option is no different from + . + + connects + standard output with the kernel log + buffer which is accessible via + dmesg1, + in addition to the journal. The + journal daemon might be configured to + send all logs to kmsg anyway, in which + case this option is no different from + . + + , + and + work in + a similar way as the three options + above but copy the output to the + system console as well. + + connects + standard output to a socket acquired + via socket activation. The semantics + are similar to the same option of + StandardInput=. + + This setting defaults to the + value set with in systemd-system.conf5, @@ -529,15 +572,19 @@ SyslogIdentifier= Sets the process name - to prefix log lines sent to syslog or - the kernel log buffer with. If not set, - defaults to the process name of the - executed process. This option is only - useful when + to prefix log lines sent to the + logging system or the kernel log + buffer with. If not set, defaults to + the process name of the executed + process. This option is only useful + when StandardOutput= or StandardError= are - set to or - . + set to , + or + (or to the same + settings in combination with + ). SyslogFacility= @@ -563,7 +610,7 @@ , or . See - syslog3 + syslog3 for details. This option is only useful when StandardOutput= or @@ -585,7 +632,7 @@ , , . See - syslog3 + syslog3 for details. This option is only useful when StandardOutput= or @@ -661,14 +708,95 @@ LimitNICE= LimitRTPRIO= LimitRTTIME= - These settings control - various resource limits for executed - processes. See + These settings set both + soft and hard limits of various resources for + executed processes. See setrlimit2 for details. Use the string infinity to configure no limit on a specific resource. + + + Limit directives and their equivalent with ulimit + + + + + + + Directive + ulimit equivalent + + + + + LimitCPU + ulimit -t + + + LimitFSIZE + ulimit -f + + + LimitDATA + ulimit -d + + + LimitSTACK + ulimit -s + + + LimitCORE + ulimit -c + + + LimitRSS + ulimit -m + + + LimitNOFILE + ulimit -n + + + LimitAS + ulimit -v + + + LimitNPROC + ulimit -u + + + LimitMEMLOCK + ulimit -l + + + LimitLOCKS + ulimit -x + + + LimitSIGPENDING + ulimit -i + + + LimitMSGQUEUE + ulimit -q + + + LimitNICE + ulimit -e + + + LimitRTPRIO + ulimit -r + + + LimitRTTIME + No equivalent + + + +
@@ -682,7 +810,7 @@ User= setting. If not set, no PAM session will be opened for the executed processes. See - pam8 + pam8 for details. @@ -693,7 +821,7 @@ capabilities to include in the capability bounding set for the executed process. See - capabilities7 + capabilities7 for details. Takes a whitespace-separated list of capability names as read by cap_from_name3, @@ -733,37 +861,39 @@ SecureBits= Controls the secure - bits set for the executed process. See - capabilities7 - for details. Takes a list of strings: + bits set for the executed process. + Takes a space-separated combination of + options from the following list: , , , , - and/or + , and . This option may appear more than once in - which case the secure bits are - ORed. If the empty string is assigned - to this option, the bits are reset to - 0. + which case the secure bits are ORed. + If the empty string is assigned to + this option, the bits are reset to 0. + See capabilities7 + for details. Capabilities= Controls the - capabilities7 + capabilities7 set for the executed process. Take a capability string describing the effective, permitted and inherited capability sets as documented in cap_from_text3. Note that these capability sets are - usually influenced by the capabilities + usually influenced (and filtered) by the capabilities attached to the executed file. Due to that CapabilityBoundingSet= - is probably the much more useful + is probably a much more useful setting. @@ -772,8 +902,8 @@ ReadOnlyDirectories= InaccessibleDirectories= - Sets up a new - file system namespace for executed + Sets up a new file + system namespace for executed processes. These options may be used to limit access a process might have to the main file system @@ -794,16 +924,14 @@ processes inside the namespace. Note that restricting access with these options does not extend to submounts - of a directory. You must list - submounts separately in these settings - to ensure the same limited - access. These options may be specified + of a directory that are created later + on. These options may be specified more than once in which case all directories listed will have limited access from within the namespace. If the empty string is assigned to this - option, the specific list is reset, and - all prior assignments have no + option, the specific list is reset, + and all prior assignments have no effect. Paths in ReadOnlyDirectories= @@ -840,7 +968,7 @@ processes via /tmp or /var/tmp - impossible. If this is enabled all + impossible. If this is enabled, all temporary files created by a service in these directories will be removed after the service is stopped. Defaults @@ -929,6 +1057,67 @@ accessible). + + ProtectSystem= + + Takes a boolean + argument or + full. If true, + mounts the /usr + directory read-only for processes + invoked by this unit. If set to + full, the + /etc directory is mounted + read-only, too. This setting ensures + that any modification of the vendor + supplied operating system (and + optionally its configuration) is + prohibited for the service. It is + recommended to enable this setting for + all long-running services, unless they + are involved with system updates or + need to modify the operating system in + other ways. Note however that + processes retaining the CAP_SYS_ADMIN + capability can undo the effect of this + setting. This setting is hence + particularly useful for daemons which + have this capability removed, for + example with + CapabilityBoundingSet=. Defaults + to off. + + + + ProtectHome= + + Takes a boolean + argument or + read-only. If true, + the directories + /home and + /run/user are + made inaccessible and empty for + processes invoked by this unit. If set + to read-only, the + two directories are made read-only + instead. It is recommended to enable + this setting for all long-running + services (in particular network-facing + ones), to ensure they cannot get access + to private user data, unless the + services actually require access to + the user's private data. Note however + that processes retaining the + CAP_SYS_ADMIN capability can undo the + effect of this setting. This setting + is hence particularly useful for + daemons which have this capability + removed, for example with + CapabilityBoundingSet=. Defaults + to off. + + MountFlags= @@ -957,12 +1146,14 @@ namespace. Note that means that file systems mounted on the host might stay - mounted continously in the unit's + mounted continuously in the unit's namespace, and thus keep the device busy. Note that the file system namespace related options (PrivateTmp=, PrivateDevices=, + ProtectSystem=, + ProtectHome=, ReadOnlyDirectories=, InaccessibleDirectories= and @@ -1005,7 +1196,7 @@ process. If set, this will override the automated domain transition. However, the policy still - needs to autorize the transition. This + needs to authorize the transition. This directive is ignored if SELinux is disabled. If prefixed by -, all errors will @@ -1017,7 +1208,7 @@ AppArmorProfile= - Take a profile name as argument. + Takes a profile name as argument. The process executed by the unit will switch to this profile when started. Profiles must already be loaded in the kernel, or the unit will fail. @@ -1027,6 +1218,35 @@ + + SmackProcessLabel= + + Takes a + security + label as argument. The process + executed by the unit will be started + under this label and SMACK will decide + whether the processes is allowed to + run or not based on it. The process + will continue to run under the label + specified here unless the executable + has its own + label, in + which case the process will transition + to run under that label. When not + specified, the label that systemd is + running under is used. This directive + is ignored if SMACK is + disabled. + + The value may be prefixed by + -, in which case + all errors will be ignored. An empty + value may be specified to unset + previous assignments. + + + IgnoreSIGPIPE= @@ -1199,22 +1419,22 @@ (which creates connected AF_UNIX sockets only) are unaffected. Note that this option has no effect on - 32bit x86 and is ignored (but works + 32-bit x86 and is ignored (but works correctly on x86-64). If running in user mode and this option is used, NoNewPrivileges=yes - is implied. By default no + is implied. By default, no restriction applies, all address families are accessible to processes. If assigned the empty - string any previous list changes are + string, any previous list changes are undone. Use this option to limit exposure of processes to remote systems, in particular via exotic network protocols. Note that in most - cases the local + cases, the local AF_UNIX address family should be included in the configured whitelist as it is @@ -1234,8 +1454,8 @@ processes. Takes one of x86 and x86-64. This is - useful when running 32bit services on - a 64bit host system. If not specified + useful when running 32-bit services on + a 64-bit host system. If not specified, the personality is left unmodified and thus reflects the personality of the host system's @@ -1247,14 +1467,14 @@ RuntimeDirectoryMode= Takes a list of - directory names. If set one or more + directory names. If set, one or more directories by the specified names will be created below /run (for system services) or below $XDG_RUNTIME_DIR (for user services) when the unit is - started and removed when the unit is + started, and removed when the unit is stopped. The directories will have the access mode specified in RuntimeDirectoryMode=, @@ -1270,7 +1490,7 @@ /, i.e. must refer to simple directories to create or remove. This is particularly useful - for unpriviliges daemons that cannot + for unprivileged daemons that cannot create runtime directories in /run due to lack of privileges, and to make sure the @@ -1301,7 +1521,7 @@ $PATH Colon-separated list - of directiories to use when launching + of directories to use when launching executables. Systemd uses a fixed value of /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin. @@ -1406,7 +1626,7 @@ or StandardError=tty). See - termcap5. + termcap5. @@ -1422,14 +1642,14 @@ systemd.setenv= (see systemd1). Additional variables may also be set through PAM, - c.f. pam_env8. + cf. pam_env8. See Also systemd1, - systemctl8, + systemctl1, journalctl8, systemd.unit5, systemd.service5, @@ -1440,7 +1660,7 @@ systemd.resource-control5, systemd.directives7, tmpfiles.d5, - exec3 + exec3