X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=cc5442d45cf17be9b0c29051533cbf2428a44403;hp=d426ac0899a4b146d1967a24f3c9b18018de2fa0;hb=2968644080fd103062f070e83edd620e0a58c44d;hpb=1b8689f94983b47bf190e77ddb03a8fc6af15fb3
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index d426ac089..cc5442d45 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -777,8 +777,8 @@
ReadOnlyDirectories=
InaccessibleDirectories=
- Sets up a new
- file system namespace for executed
+ Sets up a new file
+ system namespace for executed
processes. These options may be used
to limit access a process might have
to the main file system
@@ -799,16 +799,14 @@
processes inside the namespace. Note
that restricting access with these
options does not extend to submounts
- of a directory. You must list
- submounts separately in these settings
- to ensure the same limited
- access. These options may be specified
+ of a directory that are created later
+ on. These options may be specified
more than once in which case all
directories listed will have limited
access from within the namespace. If
the empty string is assigned to this
- option, the specific list is reset, and
- all prior assignments have no
+ option, the specific list is reset,
+ and all prior assignments have no
effect.
Paths in
ReadOnlyDirectories=
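Review bot: the reworded submount sentence ("does not extend to submounts of a directory that are created later on") never states what happens to submounts that already exist when the namespace is set up. Since the instruction to list submounts separately is removed, the text should say explicitly whether existing submounts receive the same restriction, rather than leaving readers to infer it from the omission. A short hint on how to handle mounts that appear later would also help, since the text says those stay outside the restriction.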
@@ -941,11 +939,10 @@
argument or
full. If true,
mounts the /usr
- and /boot
- directories read-only for processes
+ directory read-only for processes
invoked by this unit. If set to
- full the
- /etc is mounted
+ full, the
+ /etc directory is mounted
read-only, too. This setting ensures
that any modification of the vendor
supplied operating system (and
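Review bot: dropping "and /boot" from the "If true" case changes the documented protection scope, unlike the wording and punctuation fixes in the rest of this patch. Please confirm that the implementation no longer mounts /boot read-only for this setting and call the change out in the commit message; if /boot is still covered, it should stay in the text, because administrators rely on this paragraph to know which paths a service can still write to.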
@@ -955,7 +952,7 @@
all long-running services, unless they
are involved with system updates or
need to modify the operating system in
- other ways. Note however, that
+ other ways. Note however that
processes retaining the CAP_SYS_ADMIN
capability can undo the effect of this
setting. This setting is hence
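Review bot: removing the comma in "Note however, that" leaves "however" with no punctuation on either side. Suggest "Note, however, that" instead, which sets the interjection off properly and keeps the CAP_SYS_ADMIN caveat easy to spot; the same wording is changed the same way in the last hunk of this patch.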
@@ -977,7 +974,7 @@
/run/user are
made inaccessible and empty for
processes invoked by this unit. If set
- to read-only the
+ to read-only, the
two directores are made read-only
instead. It is recommended to enable
this setting for all long-running
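Review bot: the context line directly after the changed one still reads "two directores". Since this sentence is being touched anyway, fix the spelling to "directories" in the same patch.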
@@ -985,7 +982,7 @@
ones), to ensure they cannot get access
to private user data, unless the
services actually require access to
- the user's private data. Note however,
+ the user's private data. Note however
that processes retaining the
CAP_SYS_ADMIN capability can undo the
effect of this setting. This setting