X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=cfcf996dab8e9d7b1661a60f61b3fdb762248d1b;hp=5d39bd1a142f49c7e6e87a600eb5e6d673816bd8;hb=79c1afc67f973eaece8f1b7016e016bb33c256a7;hpb=905826156de95d173b26e7a57df29188a1020cd0
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 5d39bd1a1..cfcf996da 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -103,7 +103,7 @@
directory path. Sets the root
directory for executed processes, with
the
- chroot2
+ chroot2
system call. If this is used, it must
be ensured that the process and all
its auxiliary files are available in
@@ -304,7 +304,7 @@
See
- environ7
+ environ7
for details about environment variables.
@@ -341,7 +341,7 @@
The files listed with this
directive will be read shortly before
the process is executed (more
- specifically, this means after all
+ specifically, after all
processes from a previous unit state
terminated. This means you can
generate these files in one unit
@@ -365,39 +365,47 @@
,
,
or
- . If
- is selected,
- standard input will be connected to
+ .
+
+ If is
+ selected, standard input will be
+ connected to
/dev/null,
i.e. all read attempts by the process
- will result in immediate EOF. If
- is selected,
- standard input is connected to a TTY
- (as configured by
+ will result in immediate EOF.
+
+ If is
+ selected, standard input is connected
+ to a TTY (as configured by
TTYPath=, see
below) and the executed process
becomes the controlling process of the
terminal. If the terminal is already
- being controlled by another process, the
- executed process waits until the current
- controlling process releases the
- terminal.
-
- is similar to ,
- but the executed process is forcefully
- and immediately made the controlling
+ being controlled by another process,
+ the executed process waits until the
+ current controlling process releases
+ the terminal.
+
+ is similar
+ to , but the
+ executed process is forcefully and
+ immediately made the controlling
process of the terminal, potentially
removing previous controlling
processes from the
- terminal. is
+ terminal.
+
+ is
similar to but if
the terminal already has a controlling
process start-up of the executed
- process fails. The
- option is only
- valid in socket-activated services,
- and only when the socket configuration
- file (see
+ process fails.
+
+ The
+ option is only valid in
+ socket-activated services, and only
+ when the socket configuration file
+ (see
systemd.socket5
for details) specifies a single socket
only. If this option is set, standard
@@ -407,7 +415,9 @@
with daemons designed for use with the
traditional
inetd8
- daemon. This setting defaults to
+ daemon.
+
+ This setting defaults to
.
@@ -418,56 +428,84 @@
of ,
,
,
+ ,
,
,
- ,
+ ,
,
- ,
- or
- . If set to
- , the file
- descriptor of standard input is
- duplicated for standard output. If set
- to , standard
- output will be connected to
+ or
+ .
+
+
+ duplicates the file descriptor of
+ standard input for standard
+ output.
+
+ connects
+ standard output to
/dev/null,
i.e. everything written to it will be
- lost. If set to ,
- standard output will be connected to a
- tty (as configured via
+ lost.
+
+ connects
+ standard output to a tty (as
+ configured via
TTYPath=, see
below). If the TTY is used for output
only, the executed process will not
become the controlling process of the
terminal, and will not fail or wait
for other processes to release the
- terminal.
- connects standard output to the
- syslog3
- system syslog
- service.
- connects it with the kernel log buffer
- which is accessible via
- dmesg1.
- connects it with the journal which is
- accessible via
- journalctl1
- (Note that everything that is written
- to syslog or kmsg is implicitly stored
- in the journal as well, those options
- are hence supersets of this
- one). ,
- and
- work
- similarly but copy the output to the
- system console as
- well. connects
- standard output to a socket from
- socket activation, semantics are
- similar to the respective option of
- StandardInput=.
- This setting defaults to the value set
- with
+ terminal.
+
+
+ connects standard output with the
+ journal which is accessible via
+ journalctl1.
+ Note that everything that is written
+ to syslog or kmsg (see below) is
+ implicitly stored in the journal as
+ well, the specific two options listed
+ below are hence supersets of this
+ one.
+
+ connects
+ standard output to the syslog3
+ system syslog service, in addition to
+ the journal. Note that the journal
+ daemon is usually configured to
+ forward everything it receives to
+ syslog anyway, in which case this
+ option is no different from
+ .
+
+ connects
+ standard output with the kernel log
+ buffer which is accessible via
+ dmesg1,
+ in addition to the journal. The
+ journal daemon might be configured to
+ send all logs to kmsg anyway, in which
+ case this option is no different from
+ .
+
+ ,
+ and
+ work in
+ a similar way as the three options
+ above but copy the output to the
+ system console as well.
+
+ connects
+ standard output to a socket acquired
+ via socket activation. The semantics
+ are similar to the same option of
+ StandardInput=.
+
+ This setting defaults to the
+ value set with
in
systemd-system.conf5,
@@ -568,7 +606,7 @@
,
or
. See
- syslog3
+ syslog3
for details. This option is only
useful when
StandardOutput= or
@@ -590,7 +628,7 @@
,
,
. See
- syslog3
+ syslog3
for details. This option is only
useful when
StandardOutput= or
@@ -687,7 +725,7 @@
User= setting. If
not set, no PAM session will be opened
for the executed processes. See
- pam8
+ pam8
for details.
@@ -698,7 +736,7 @@
capabilities to include in the
capability bounding set for the
executed process. See
- capabilities7
+ capabilities7
for details. Takes a whitespace-separated
list of capability names as read by
cap_from_name3,
@@ -739,7 +777,7 @@
SecureBits=Controls the secure
bits set for the executed process. See
- capabilities7
+ capabilities7
for details. Takes a list of strings:
,
,
@@ -757,14 +795,14 @@
Capabilities=Controls the
- capabilities7
+ capabilities7
set for the executed process. Take a
capability string describing the
effective, permitted and inherited
capability sets as documented in
cap_from_text3.
Note that these capability sets are
- usually influenced by the capabilities
+ usually influenced (and filtered) by the capabilities
attached to the executed file. Due to
that
CapabilityBoundingSet=
@@ -777,8 +815,8 @@
ReadOnlyDirectories=InaccessibleDirectories=
- Sets up a new
- file system namespace for executed
+ Sets up a new file
+ system namespace for executed
processes. These options may be used
to limit access a process might have
to the main file system
@@ -799,16 +837,14 @@
processes inside the namespace. Note
that restricting access with these
options does not extend to submounts
- of a directory. You must list
- submounts separately in these settings
- to ensure the same limited
- access. These options may be specified
+ of a directory that are created later
+ on. These options may be specified
more than once in which case all
directories listed will have limited
access from within the namespace. If
the empty string is assigned to this
- option, the specific list is reset, and
- all prior assignments have no
+ option, the specific list is reset,
+ and all prior assignments have no
effect.Paths in
ReadOnlyDirectories=
@@ -845,7 +881,7 @@
processes via
/tmp or
/var/tmp
- impossible. If this is enabled all
+ impossible. If this is enabled, all
temporary files created by a service
in these directories will be removed
after the service is stopped. Defaults
@@ -934,6 +970,67 @@
accessible).
+
+ ProtectSystem=
+
+ Takes a boolean
+ argument or
+ full. If true,
+ mounts the /usr
+ directory read-only for processes
+ invoked by this unit. If set to
+ full, the
+ /etc directory is mounted
+ read-only, too. This setting ensures
+ that any modification of the vendor
+ supplied operating system (and
+ optionally its configuration) is
+ prohibited for the service. It is
+ recommended to enable this setting for
+ all long-running services, unless they
+ are involved with system updates or
+ need to modify the operating system in
+ other ways. Note however that
+ processes retaining the CAP_SYS_ADMIN
+ capability can undo the effect of this
+ setting. This setting is hence
+ particularly useful for daemons which
+ have this capability removed, for
+ example with
+ CapabilityBoundingSet=. Defaults
+ to off.
+
+
+
+ ProtectHome=
+
+ Takes a boolean
+ argument or
+ read-only. If true,
+ the directories
+ /home and
+ /run/user are
+ made inaccessible and empty for
+ processes invoked by this unit. If set
+ to read-only, the
+ two directores are made read-only
+ instead. It is recommended to enable
+ this setting for all long-running
+ services (in particular network-facing
+ ones), to ensure they cannot get access
+ to private user data, unless the
+ services actually require access to
+ the user's private data. Note however
+ that processes retaining the
+ CAP_SYS_ADMIN capability can undo the
+ effect of this setting. This setting
+ is hence particularly useful for
+ daemons which have this capability
+ removed, for example with
+ CapabilityBoundingSet=. Defaults
+ to off.
+
+
MountFlags=
@@ -968,6 +1065,8 @@
namespace related options
(PrivateTmp=,
PrivateDevices=,
+ ProtectSystem=,
+ ProtectHome=,
ReadOnlyDirectories=,
InaccessibleDirectories=
and
@@ -1022,7 +1121,7 @@
AppArmorProfile=
- Take a profile name as argument.
+ Takes a profile name as argument.
The process executed by the unit will switch to
this profile when started. Profiles must already
be loaded in the kernel, or the unit will fail.
@@ -1204,22 +1303,22 @@
(which creates connected AF_UNIX
sockets only) are unaffected. Note
that this option has no effect on
- 32bit x86 and is ignored (but works
+ 32-bit x86 and is ignored (but works
correctly on x86-64). If running in user
mode and this option is used,
NoNewPrivileges=yes
- is implied. By default no
+ is implied. By default, no
restriction applies, all address
families are accessible to
processes. If assigned the empty
- string any previous list changes are
+ string, any previous list changes are
undone.Use this option to limit
exposure of processes to remote
systems, in particular via exotic
network protocols. Note that in most
- cases the local
+ cases, the local
AF_UNIX address
family should be included in the
configured whitelist as it is
@@ -1239,8 +1338,8 @@
processes. Takes one of
x86 and
x86-64. This is
- useful when running 32bit services on
- a 64bit host system. If not specified
+ useful when running 32-bit services on
+ a 64-bit host system. If not specified,
the personality is left unmodified and
thus reflects the personality of the
host system's
@@ -1252,14 +1351,14 @@
RuntimeDirectoryMode=Takes a list of
- directory names. If set one or more
+ directory names. If set, one or more
directories by the specified names
will be created below
/run (for system
services) or below
$XDG_RUNTIME_DIR
(for user services) when the unit is
- started and removed when the unit is
+ started, and removed when the unit is
stopped. The directories will have the
access mode specified in
RuntimeDirectoryMode=,
@@ -1275,7 +1374,7 @@
/, i.e. must refer
to simple directories to create or
remove. This is particularly useful
- for unpriviliges daemons that cannot
+ for unprivileged daemons that cannot
create runtime directories in
/run due to lack
of privileges, and to make sure the
@@ -1411,7 +1510,7 @@
or
StandardError=tty).
See
- termcap5.
+ termcap5.
@@ -1427,7 +1526,7 @@
systemd.setenv= (see
systemd1). Additional
variables may also be set through PAM,
- c.f. pam_env8.
+ cf. pam_env8.
@@ -1445,7 +1544,7 @@
systemd.resource-control5,
systemd.directives7,
tmpfiles.d5,
- exec3
+ exec3