1 <?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?>
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
6 This file is part of systemd.
8 Copyright 2010 Lennart Poettering
10 systemd is free software; you can redistribute it and/or modify it
11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
13 (at your option) any later version.
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public License
21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
24 <refentry id="systemd.exec">
26 <title>systemd.exec</title>
27 <productname>systemd</productname>
31 <contrib>Developer</contrib>
32 <firstname>Lennart</firstname>
33 <surname>Poettering</surname>
34 <email>lennart@poettering.net</email>
40 <refentrytitle>systemd.exec</refentrytitle>
41 <manvolnum>5</manvolnum>
45 <refname>systemd.exec</refname>
46 <refpurpose>Execution environment configuration</refpurpose>
50 <para><filename><replaceable>service</replaceable>.service</filename>,
51 <filename><replaceable>socket</replaceable>.socket</filename>,
52 <filename><replaceable>mount</replaceable>.mount</filename>,
53 <filename><replaceable>swap</replaceable>.swap</filename></para>
57 <title>Description</title>
59 <para>Unit configuration files for services, sockets,
60 mount points, and swap devices share a subset of
61 configuration options which define the execution
62 environment of spawned processes.</para>
64 <para>This man page lists the configuration options
65 shared by these four unit types. See
66 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
67 for the common options of all unit configuration
69 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
70 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
71 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
73 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
74 for more information on the specific unit
75 configuration files. The execution specific
76 configuration options are configured in the [Service],
77 [Socket], [Mount], or [Swap] sections, depending on the unit
82 <title>Options</title>
84 <variablelist class='unit-directives'>
87 <term><varname>WorkingDirectory=</varname></term>
89 <listitem><para>Takes an absolute
90 directory path. Sets the working
91 directory for executed processes. If
92 not set, defaults to the root directory
93 when systemd is running as a system
94 instance and the respective user's
95 home directory if run as
96 user.</para></listitem>
100 <term><varname>RootDirectory=</varname></term>
102 <listitem><para>Takes an absolute
103 directory path. Sets the root
104 directory for executed processes, with
106 <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>
107 system call. If this is used, it must
108 be ensured that the process and all
109 its auxiliary files are available in
110 the <function>chroot()</function>
111 jail.</para></listitem>
115 <term><varname>User=</varname></term>
116 <term><varname>Group=</varname></term>
118 <listitem><para>Sets the Unix user
119 or group that the processes are executed
120 as, respectively. Takes a single user or group
121 name or ID as argument. If no group is
122 set, the default group of the user is
123 chosen.</para></listitem>
127 <term><varname>SupplementaryGroups=</varname></term>
129 <listitem><para>Sets the supplementary
130 Unix groups the processes are executed
131 as. This takes a space-separated list
132 of group names or IDs. This option may
133 be specified more than once in which
134 case all listed groups are set as
135 supplementary groups. When the empty
136 string is assigned the list of
137 supplementary groups is reset, and all
138 assignments prior to this one will
139 have no effect. In any way, this
140 option does not override, but extends
141 the list of supplementary groups
142 configured in the system group
144 user.</para></listitem>
148 <term><varname>Nice=</varname></term>
150 <listitem><para>Sets the default nice
151 level (scheduling priority) for
152 executed processes. Takes an integer
153 between -20 (highest priority) and 19
154 (lowest priority). See
155 <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>
156 for details.</para></listitem>
160 <term><varname>OOMScoreAdjust=</varname></term>
162 <listitem><para>Sets the adjustment
163 level for the Out-Of-Memory killer for
164 executed processes. Takes an integer
165 between -1000 (to disable OOM killing
166 for this process) and 1000 (to make
167 killing of this process under memory
168 pressure very likely). See <ulink
169 url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink>
170 for details.</para></listitem>
174 <term><varname>IOSchedulingClass=</varname></term>
176 <listitem><para>Sets the IO scheduling
177 class for executed processes. Takes an
178 integer between 0 and 3 or one of the
179 strings <option>none</option>,
180 <option>realtime</option>,
181 <option>best-effort</option> or
182 <option>idle</option>. See
183 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
184 for details.</para></listitem>
188 <term><varname>IOSchedulingPriority=</varname></term>
190 <listitem><para>Sets the IO scheduling
191 priority for executed processes. Takes
192 an integer between 0 (highest
193 priority) and 7 (lowest priority). The
194 available priorities depend on the
195 selected IO scheduling class (see
197 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
198 for details.</para></listitem>
202 <term><varname>CPUSchedulingPolicy=</varname></term>
204 <listitem><para>Sets the CPU
205 scheduling policy for executed
206 processes. Takes one of
207 <option>other</option>,
208 <option>batch</option>,
209 <option>idle</option>,
210 <option>fifo</option> or
211 <option>rr</option>. See
212 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
213 for details.</para></listitem>
217 <term><varname>CPUSchedulingPriority=</varname></term>
219 <listitem><para>Sets the CPU
220 scheduling priority for executed
221 processes. The available priority
222 range depends on the selected CPU
223 scheduling policy (see above). For
224 real-time scheduling policies an
225 integer between 1 (lowest priority)
226 and 99 (highest priority) can be used.
227 See <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
233 <term><varname>CPUSchedulingResetOnFork=</varname></term>
235 <listitem><para>Takes a boolean
236 argument. If true, elevated CPU
237 scheduling priorities and policies
238 will be reset when the executed
239 processes fork, and can hence not leak
240 into child processes. See
241 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
242 for details. Defaults to false.</para></listitem>
246 <term><varname>CPUAffinity=</varname></term>
248 <listitem><para>Controls the CPU
249 affinity of the executed
250 processes. Takes a space-separated
251 list of CPU indices. This option may
252 be specified more than once in which
253 case the specificed CPU affinity masks
254 are merged. If the empty string is
255 assigned, the mask is reset, all
256 assignments prior to this will have no
258 <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry>
259 for details.</para></listitem>
263 <term><varname>UMask=</varname></term>
265 <listitem><para>Controls the file mode
266 creation mask. Takes an access mode in
268 <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry>
269 for details. Defaults to
270 0022.</para></listitem>
274 <term><varname>Environment=</varname></term>
276 <listitem><para>Sets environment
277 variables for executed
278 processes. Takes a space-separated
279 list of variable assignments. This
280 option may be specified more than once
281 in which case all listed variables
282 will be set. If the same variable is
283 set twice, the later setting will
284 override the earlier setting. If the
285 empty string is assigned to this
286 option, the list of environment
287 variables is reset, all prior
288 assignments have no effect.
289 Variable expansion is not performed
290 inside the strings, however, specifier
291 expansion is possible. The $ character has
293 If you need to assign a value containing spaces
294 to a variable, use double quotes (")
295 for the assignment.</para>
298 <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting>
299 gives three variables <literal>VAR1</literal>,
300 <literal>VAR2</literal>, <literal>VAR3</literal>
301 with the values <literal>word1 word2</literal>,
302 <literal>word3</literal>, <literal>$word 5 6</literal>.
307 <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
308 for details about environment variables.</para></listitem>
311 <term><varname>EnvironmentFile=</varname></term>
312 <listitem><para>Similar to
313 <varname>Environment=</varname> but
314 reads the environment variables from a
315 text file. The text file should
316 contain new-line-separated variable
317 assignments. Empty lines and lines
318 starting with ; or # will be ignored,
319 which may be used for commenting. A line
320 ending with a backslash will be concatenated
321 with the following one, allowing multiline variable
322 definitions. The parser strips leading
323 and trailing whitespace from the values
324 of assignments, unless you use
325 double quotes (").</para>
327 <para>The argument passed should be an
328 absolute filename or wildcard
329 expression, optionally prefixed with
330 <literal>-</literal>, which indicates
331 that if the file does not exist, it
332 will not be read and no error or warning
333 message is logged. This option may be
334 specified more than once in which case
335 all specified files are read. If the
336 empty string is assigned to this
337 option, the list of file to read is
338 reset, all prior assignments have no
341 <para>The files listed with this
342 directive will be read shortly before
343 the process is executed. Settings from
344 these files override settings made
346 <varname>Environment=</varname>. If
347 the same variable is set twice from
348 these files, the files will be read in
349 the order they are specified and the
350 later setting will override the
351 earlier setting.</para></listitem>
355 <term><varname>StandardInput=</varname></term>
356 <listitem><para>Controls where file
357 descriptor 0 (STDIN) of the executed
358 processes is connected to. Takes one
359 of <option>null</option>,
360 <option>tty</option>,
361 <option>tty-force</option>,
362 <option>tty-fail</option> or
363 <option>socket</option>. If
364 <option>null</option> is selected,
365 standard input will be connected to
366 <filename>/dev/null</filename>,
367 i.e. all read attempts by the process
368 will result in immediate EOF. If
369 <option>tty</option> is selected,
370 standard input is connected to a TTY
372 <varname>TTYPath=</varname>, see
373 below) and the executed process
374 becomes the controlling process of the
375 terminal. If the terminal is already
376 being controlled by another process, the
377 executed process waits until the current
378 controlling process releases the
380 <option>tty-force</option>
381 is similar to <option>tty</option>,
382 but the executed process is forcefully
383 and immediately made the controlling
384 process of the terminal, potentially
385 removing previous controlling
387 terminal. <option>tty-fail</option> is
388 similar to <option>tty</option> but if
389 the terminal already has a controlling
390 process start-up of the executed
392 <option>socket</option> option is only
393 valid in socket-activated services,
394 and only when the socket configuration
396 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
397 for details) specifies a single socket
398 only. If this option is set, standard
399 input will be connected to the socket
400 the service was activated from, which
401 is primarily useful for compatibility
402 with daemons designed for use with the
404 <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
405 daemon. This setting defaults to
406 <option>null</option>.</para></listitem>
409 <term><varname>StandardOutput=</varname></term>
410 <listitem><para>Controls where file
411 descriptor 1 (STDOUT) of the executed
412 processes is connected to. Takes one
413 of <option>inherit</option>,
414 <option>null</option>,
415 <option>tty</option>,
416 <option>syslog</option>,
417 <option>kmsg</option>,
418 <option>journal</option>,
419 <option>syslog+console</option>,
420 <option>kmsg+console</option>,
421 <option>journal+console</option> or
422 <option>socket</option>. If set to
423 <option>inherit</option>, the file
424 descriptor of standard input is
425 duplicated for standard output. If set
426 to <option>null</option>, standard
427 output will be connected to
428 <filename>/dev/null</filename>,
429 i.e. everything written to it will be
430 lost. If set to <option>tty</option>,
431 standard output will be connected to a
432 tty (as configured via
433 <varname>TTYPath=</varname>, see
434 below). If the TTY is used for output
435 only, the executed process will not
436 become the controlling process of the
437 terminal, and will not fail or wait
438 for other processes to release the
439 terminal. <option>syslog</option>
440 connects standard output to the
441 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
443 service. <option>kmsg</option>
444 connects it with the kernel log buffer
445 which is accessible via
446 <citerefentry><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <option>journal</option>
447 connects it with the journal which is
449 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
450 (Note that everything that is written
451 to syslog or kmsg is implicitly stored
452 in the journal as well, those options
453 are hence supersets of this
454 one). <option>syslog+console</option>,
455 <option>journal+console</option> and
456 <option>kmsg+console</option> work
457 similarly but copy the output to the
459 well. <option>socket</option> connects
460 standard output to a socket from
461 socket activation, semantics are
462 similar to the respective option of
463 <varname>StandardInput=</varname>.
464 This setting defaults to the value set
466 <option>DefaultStandardOutput=</option>
468 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
470 <option>journal</option>.</para></listitem>
473 <term><varname>StandardError=</varname></term>
474 <listitem><para>Controls where file
475 descriptor 2 (STDERR) of the
476 executed processes is connected to.
477 The available options are identical to
479 <varname>StandardOutput=</varname>,
480 with one exception: if set to
481 <option>inherit</option> the file
482 descriptor used for standard output is
483 duplicated for standard error. This
484 setting defaults to the value set with
485 <option>DefaultStandardError=</option>
487 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
489 <option>inherit</option>.</para></listitem>
492 <term><varname>TTYPath=</varname></term>
493 <listitem><para>Sets the terminal
494 device node to use if standard input, output,
495 or error are connected to a
496 TTY (see above). Defaults to
497 <filename>/dev/console</filename>.</para></listitem>
500 <term><varname>TTYReset=</varname></term>
501 <listitem><para>Reset the terminal
502 device specified with
503 <varname>TTYPath=</varname> before and
504 after execution. Defaults to
505 <literal>no</literal>.</para></listitem>
508 <term><varname>TTYVHangup=</varname></term>
509 <listitem><para>Disconnect all clients
510 which have opened the terminal device
512 <varname>TTYPath=</varname>
513 before and after execution. Defaults
515 <literal>no</literal>.</para></listitem>
518 <term><varname>TTYVTDisallocate=</varname></term>
519 <listitem><para>If the terminal
520 device specified with
521 <varname>TTYPath=</varname> is a
522 virtual console terminal, try to
523 deallocate the TTY before and after
524 execution. This ensures that the
525 screen and scrollback buffer is
527 <literal>no</literal>.</para></listitem>
530 <term><varname>SyslogIdentifier=</varname></term>
531 <listitem><para>Sets the process name
532 to prefix log lines sent to syslog or
533 the kernel log buffer with. If not set,
534 defaults to the process name of the
535 executed process. This option is only
537 <varname>StandardOutput=</varname> or
538 <varname>StandardError=</varname> are
539 set to <option>syslog</option> or
540 <option>kmsg</option>.</para></listitem>
543 <term><varname>SyslogFacility=</varname></term>
544 <listitem><para>Sets the syslog
545 facility to use when logging to
546 syslog. One of <option>kern</option>,
547 <option>user</option>,
548 <option>mail</option>,
549 <option>daemon</option>,
550 <option>auth</option>,
551 <option>syslog</option>,
552 <option>lpr</option>,
553 <option>news</option>,
554 <option>uucp</option>,
555 <option>cron</option>,
556 <option>authpriv</option>,
557 <option>ftp</option>,
558 <option>local0</option>,
559 <option>local1</option>,
560 <option>local2</option>,
561 <option>local3</option>,
562 <option>local4</option>,
563 <option>local5</option>,
564 <option>local6</option> or
565 <option>local7</option>. See
566 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
567 for details. This option is only
569 <varname>StandardOutput=</varname> or
570 <varname>StandardError=</varname> are
571 set to <option>syslog</option>.
573 <option>daemon</option>.</para></listitem>
576 <term><varname>SyslogLevel=</varname></term>
577 <listitem><para>Default syslog level
578 to use when logging to syslog or the
579 kernel log buffer. One of
580 <option>emerg</option>,
581 <option>alert</option>,
582 <option>crit</option>,
583 <option>err</option>,
584 <option>warning</option>,
585 <option>notice</option>,
586 <option>info</option>,
587 <option>debug</option>. See
588 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
589 for details. This option is only
591 <varname>StandardOutput=</varname> or
592 <varname>StandardError=</varname> are
593 set to <option>syslog</option> or
594 <option>kmsg</option>. Note that
595 individual lines output by the daemon
596 might be prefixed with a different log
597 level which can be used to override
598 the default log level specified
599 here. The interpretation of these
600 prefixes may be disabled with
601 <varname>SyslogLevelPrefix=</varname>,
602 see below. For details see
603 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
606 <option>info</option>.</para></listitem>
610 <term><varname>SyslogLevelPrefix=</varname></term>
611 <listitem><para>Takes a boolean
612 argument. If true and
613 <varname>StandardOutput=</varname> or
614 <varname>StandardError=</varname> are
615 set to <option>syslog</option>,
616 <option>kmsg</option> or
617 <option>journal</option>, log lines
618 written by the executed process that
619 are prefixed with a log level will be
620 passed on to syslog with this log
621 level set but the prefix removed. If
622 set to false, the interpretation of
623 these prefixes is disabled and the
624 logged lines are passed on as-is. For
625 details about this prefixing see
626 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
627 Defaults to true.</para></listitem>
631 <term><varname>TimerSlackNSec=</varname></term>
632 <listitem><para>Sets the timer slack
633 in nanoseconds for the executed
634 processes. The timer slack controls
635 the accuracy of wake-ups triggered by
637 <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
638 for more information. Note that in
639 contrast to most other time span
640 definitions this parameter takes an
641 integer value in nano-seconds if no
642 unit is specified. The usual time
644 too.</para></listitem>
648 <term><varname>LimitCPU=</varname></term>
649 <term><varname>LimitFSIZE=</varname></term>
650 <term><varname>LimitDATA=</varname></term>
651 <term><varname>LimitSTACK=</varname></term>
652 <term><varname>LimitCORE=</varname></term>
653 <term><varname>LimitRSS=</varname></term>
654 <term><varname>LimitNOFILE=</varname></term>
655 <term><varname>LimitAS=</varname></term>
656 <term><varname>LimitNPROC=</varname></term>
657 <term><varname>LimitMEMLOCK=</varname></term>
658 <term><varname>LimitLOCKS=</varname></term>
659 <term><varname>LimitSIGPENDING=</varname></term>
660 <term><varname>LimitMSGQUEUE=</varname></term>
661 <term><varname>LimitNICE=</varname></term>
662 <term><varname>LimitRTPRIO=</varname></term>
663 <term><varname>LimitRTTIME=</varname></term>
664 <listitem><para>These settings control
665 various resource limits for executed
667 <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
668 for details. Use the string
669 <varname>infinity</varname> to
670 configure no limit on a specific
671 resource.</para></listitem>
675 <term><varname>PAMName=</varname></term>
676 <listitem><para>Sets the PAM service
677 name to set up a session as. If set,
678 the executed process will be
679 registered as a PAM session under the
680 specified service name. This is only
681 useful in conjunction with the
682 <varname>User=</varname> setting. If
683 not set, no PAM session will be opened
684 for the executed processes. See
685 <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
686 for details.</para></listitem>
690 <term><varname>TCPWrapName=</varname></term>
691 <listitem><para>If this is a
692 socket-activated service, this sets the
693 tcpwrap service name to check the
694 permission for the current connection
695 with. This is only useful in
696 conjunction with socket-activated
697 services, and stream sockets (TCP) in
698 particular. It has no effect on other
699 socket types (e.g. datagram/UDP) and
700 on processes unrelated to socket-based
701 activation. If the tcpwrap
702 verification fails, daemon start-up
703 will fail and the connection is
705 <citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
706 for details. Note that this option may
707 be used to do access control checks
708 only. Shell commands and commands
710 <citerefentry><refentrytitle>hosts_options</refentrytitle><manvolnum>5</manvolnum></citerefentry>
711 are not supported.</para></listitem>
715 <term><varname>CapabilityBoundingSet=</varname></term>
717 <listitem><para>Controls which
718 capabilities to include in the
719 capability bounding set for the
720 executed process. See
721 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
722 for details. Takes a whitespace-separated
723 list of capability names as read by
724 <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
725 e.g. <constant>CAP_SYS_ADMIN</constant>,
726 <constant>CAP_DAC_OVERRIDE</constant>,
727 <constant>CAP_SYS_PTRACE</constant>.
728 Capabilities listed will be included
729 in the bounding set, all others are
730 removed. If the list of capabilities
731 is prefixed with <literal>~</literal>,
732 all but the listed capabilities will
733 be included, the effect of the
734 assignment inverted. Note that this
735 option also affects the respective
736 capabilities in the effective,
737 permitted and inheritable capability
739 <varname>Capabilities=</varname>
740 does. If this option is not used, the
741 capability bounding set is not
742 modified on process execution, hence
743 no limits on the capabilities of the
744 process are enforced. This option may
745 appear more than once in which case
746 the bounding sets are merged. If the
747 empty string is assigned to this
748 option, the bounding set is reset to
749 the empty capability set, and all
750 prior settings have no effect. If set
751 to <literal>~</literal> (without any
752 further argument), the bounding set is
753 reset to the full set of available
754 capabilities, also undoing any
755 previous settings.</para></listitem>
759 <term><varname>SecureBits=</varname></term>
760 <listitem><para>Controls the secure
761 bits set for the executed process. See
762 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
763 for details. Takes a list of strings:
764 <option>keep-caps</option>,
765 <option>keep-caps-locked</option>,
766 <option>no-setuid-fixup</option>,
767 <option>no-setuid-fixup-locked</option>,
768 <option>noroot</option> and/or
769 <option>noroot-locked</option>. This
770 option may appear more than once in
771 which case the secure bits are
772 ORed. If the empty string is assigned
773 to this option, the bits are reset to
778 <term><varname>Capabilities=</varname></term>
779 <listitem><para>Controls the
780 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
781 set for the executed process. Take a
782 capability string describing the
783 effective, permitted and inherited
784 capability sets as documented in
785 <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
786 Note that these capability sets are
787 usually influenced by the capabilities
788 attached to the executed file. Due to
790 <varname>CapabilityBoundingSet=</varname>
791 is probably the much more useful
792 setting.</para></listitem>
796 <term><varname>ReadWriteDirectories=</varname></term>
797 <term><varname>ReadOnlyDirectories=</varname></term>
798 <term><varname>InaccessibleDirectories=</varname></term>
800 <listitem><para>Sets up a new
801 file system namespace for executed
802 processes. These options may be used
803 to limit access a process might have
804 to the main file system
805 hierarchy. Each setting takes a
806 space-separated list of absolute
807 directory paths. Directories listed in
808 <varname>ReadWriteDirectories=</varname>
809 are accessible from within the
810 namespace with the same access rights
811 as from outside. Directories listed in
812 <varname>ReadOnlyDirectories=</varname>
813 are accessible for reading only,
814 writing will be refused even if the
815 usual file access controls would
816 permit this. Directories listed in
817 <varname>InaccessibleDirectories=</varname>
818 will be made inaccessible for
819 processes inside the namespace. Note
820 that restricting access with these
821 options does not extend to submounts
822 of a directory. You must list
823 submounts separately in these settings
824 to ensure the same limited
825 access. These options may be specified
826 more than once in which case all
827 directories listed will have limited
828 access from within the namespace. If
829 the empty string is assigned to this
830 option, the specific list is reset, and
831 all prior assignments have no
834 <varname>ReadOnlyDirectories=</varname>
836 <varname>InaccessibleDirectories=</varname>
838 <literal>-</literal>, in which case
839 they will be ignored when they do not
840 exist. Note that using this
841 setting will disconnect propagation of
842 mounts from the service to the host
843 (propagation in the opposite direction
844 continues to work). This means that
845 this setting may not be used for
846 services which shall be able to
847 install mount points in the main mount
848 namespace.</para></listitem>
852 <term><varname>PrivateTmp=</varname></term>
854 <listitem><para>Takes a boolean
855 argument. If true, sets up a new file
856 system namespace for the executed
857 processes and mounts private
858 <filename>/tmp</filename> and
859 <filename>/var/tmp</filename>
860 directories inside it that is not
861 shared by processes outside of the
862 namespace. This is useful to secure
863 access to temporary files of the
864 process, but makes sharing between
866 <filename>/tmp</filename> or
867 <filename>/var/tmp</filename>
868 impossible. If this is enabled all
869 temporary files created by a service
870 in these directories will be removed
871 after the service is stopped. Defaults
872 to false. It is possible to run two or
873 more units within the same private
874 <filename>/tmp</filename> and
875 <filename>/var/tmp</filename>
876 namespace by using the
877 <varname>JoinsNamespaceOf=</varname>
879 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
880 for details. Note that using this
881 setting will disconnect propagation of
882 mounts from the service to the host
883 (propagation in the opposite direction
884 continues to work). This means that
885 this setting may not be used for
886 services which shall be able to install
887 mount points in the main mount
888 namespace.</para></listitem>
892 <term><varname>PrivateDevices=</varname></term>
894 <listitem><para>Takes a boolean
895 argument. If true, sets up a new /dev
896 namespace for the executed processes
897 and only adds API pseudo devices such
898 as <filename>/dev/null</filename>,
899 <filename>/dev/zero</filename> or
900 <filename>/dev/random</filename> (as
901 well as the pseudo TTY subsystem) to
902 it, but no physical devices such as
903 <filename>/dev/sda</filename>. This is
904 useful to securely turn off physical
905 device access by the executed
906 process. Defaults to false. Enabling
907 this option will also remove
908 <constant>CAP_MKNOD</constant> from
909 the capability bounding set for the
910 unit (see above), and set
911 <varname>DevicePolicy=closed</varname>
913 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
914 for details). Note that using this
915 setting will disconnect propagation of
916 mounts from the service to the host
917 (propagation in the opposite direction
918 continues to work). This means that
919 this setting may not be used for
920 services which shall be able to
921 install mount points in the main mount
922 namespace.</para></listitem>
926 <term><varname>PrivateNetwork=</varname></term>
928 <listitem><para>Takes a boolean
929 argument. If true, sets up a new
930 network namespace for the executed
931 processes and configures only the
932 loopback network device
933 <literal>lo</literal> inside it. No
934 other network devices will be
935 available to the executed process.
936 This is useful to securely turn off
937 network access by the executed
938 process. Defaults to false. It is
939 possible to run two or more units
940 within the same private network
941 namespace by using the
942 <varname>JoinsNamespaceOf=</varname>
944 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
945 for details. Note that this option
946 will disconnect all socket families
947 from the host, this includes
948 AF_NETLINK and AF_UNIX. The latter has
949 the effect that AF_UNIX sockets in the
950 abstract socket namespace will become
951 unavailable to the processes (however,
952 those located in the file system will
954 accessible).</para></listitem>
958 <term><varname>MountFlags=</varname></term>
960 <listitem><para>Takes a mount
962 <option>shared</option>,
963 <option>slave</option> or
964 <option>private</option>, which
965 control whether mounts in the file
966 system namespace set up for this
967 unit's processes will receive or
968 propagate mounts or unmounts. See
969 <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>
970 for details. Defaults to
971 <option>shared</option>. Use
972 <option>shared</option> to ensure that
973 mounts and unmounts are propagated
974 from the host to the container and
975 vice versa. Use <option>slave</option>
976 to run processes so that none of their
977 mounts and unmounts will propagate to
978 the host. Use <option>private</option>
979 to also ensure that no mounts and
980 unmounts from the host will propagate
981 into the unit processes'
983 <option>slave</option> means that file
984 systems mounted on the host might stay
985 mounted continously in the unit's
986 namespace, and thus keep the device
987 busy. Note that the file system
988 namespace related options
989 (<varname>PrivateTmp=</varname>,
990 <varname>PrivateDevices=</varname>,
991 <varname>ReadOnlyDirectories=</varname>,
992 <varname>InaccessibleDirectories=</varname>
994 <varname>ReadWriteDirectories=</varname>)
995 require that mount and unmount
996 propagation from the unit's file
997 system namespace is disabled, and
999 <option>shared</option> to
1000 <option>slave</option>.
1005 <term><varname>UtmpIdentifier=</varname></term>
1007 <listitem><para>Takes a four
1008 character identifier string for an
1009 utmp/wtmp entry for this service. This
1010 should only be set for services such
1011 as <command>getty</command>
1012 implementations where utmp/wtmp
1013 entries must be created and cleared
1014 before and after execution. If the
1015 configured string is longer than four
1016 characters, it is truncated and the
1017 terminal four characters are
1018 used. This setting interprets %I style
1019 string replacements. This setting is
1020 unset by default, i.e. no utmp/wtmp
1021 entries are created or cleaned up for
1022 this service.</para></listitem>
1026 <term><varname>SELinuxContext=</varname></term>
1028 <listitem><para>Set the SELinux
1029 security context of the executed
1030 process. If set, this will override
1031 the automated domain
1032 transition. However, the policy still
1033 needs to autorize the transition. This
1034 directive is ignored if SELinux is
1035 disabled. If prefixed by
1036 <literal>-</literal>, all errors will
1038 <citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1039 for details.</para></listitem>
1043 <term><varname>AppArmorProfile=</varname></term>
1045 <listitem><para>Take a profile name as argument.
1046 The process executed by the unit will switch to
1047 this profile when started. Profiles must already
1048 be loaded in the kernel, or the unit will fail.
1049 This result in a non operation if AppArmor is not
1050 enabled. If prefixed by <literal>-</literal>, all errors
1056 <term><varname>IgnoreSIGPIPE=</varname></term>
1058 <listitem><para>Takes a boolean
1059 argument. If true, causes <constant>SIGPIPE</constant> to be
1060 ignored in the executed
1061 process. Defaults to true because
1062 <constant>SIGPIPE</constant> generally is useful only in
1063 shell pipelines.</para></listitem>
1067 <term><varname>NoNewPrivileges=</varname></term>
1069 <listitem><para>Takes a boolean
1070 argument. If true, ensures that the
1071 service process and all its children
1072 can never gain new privileges. This
1073 option is more powerful than the respective
1074 secure bits flags (see above), as it
1075 also prohibits UID changes of any
1076 kind. This is the simplest, most
1077 effective way to ensure that a process
1078 and its children can never elevate
1079 privileges again.</para></listitem>
1083 <term><varname>SystemCallFilter=</varname></term>
1085 <listitem><para>Takes a
1086 space-separated list of system call
1087 names. If this setting is used, all
1088 system calls executed by the unit
1089 processes except for the listed ones
1090 will result in immediate process
1091 termination with the
1092 <constant>SIGSYS</constant> signal
1093 (whitelisting). If the first character
1094 of the list is <literal>~</literal>,
1095 the effect is inverted: only the
1096 listed system calls will result in
1097 immediate process termination
1098 (blacklisting). If running in user
1099 mode and this option is used,
1100 <varname>NoNewPrivileges=yes</varname>
1101 is implied. This feature makes use of the
1102 Secure Computing Mode 2 interfaces of
1103 the kernel ('seccomp filtering') and
1104 is useful for enforcing a minimal
1105 sandboxing environment. Note that the
1106 <function>execve</function>,
1107 <function>rt_sigreturn</function>,
1108 <function>sigreturn</function>,
1109 <function>exit_group</function>,
1110 <function>exit</function> system calls
1111 are implicitly whitelisted and do not
1112 need to be listed explicitly. This
1113 option may be specified more than once
1114 in which case the filter masks are
1115 merged. If the empty string is
1116 assigned, the filter is reset, all
1117 prior assignments will have no
1120 <para>If you specify both types of
1121 this option (i.e. whitelisting and
1122 blacklisting), the first encountered
1123 will take precedence and will dictate
1124 the default action (termination or
1125 approval of a system call). Then the
1126 next occurrences of this option will
1127 add or delete the listed system calls
1128 from the set of the filtered system
1129 calls, depending of its type and the
1130 default action. (For example, if you have started
1131 with a whitelisting of
1132 <function>read</function> and
1133 <function>write</function>, and right
1134 after it add a blacklisting of
1135 <function>write</function>, then
1136 <function>write</function> will be
1137 removed from the set.)
1142 <term><varname>SystemCallErrorNumber=</varname></term>
1144 <listitem><para>Takes an
1145 <literal>errno</literal> error number
1146 name to return when the system call
1147 filter configured with
1148 <varname>SystemCallFilter=</varname>
1149 is triggered, instead of terminating
1150 the process immediately. Takes an
1152 <constant>EPERM</constant>,
1153 <constant>EACCES</constant> or
1154 <constant>EUCLEAN</constant>. When this
1155 setting is not used, or when the empty
1156 string is assigned, the process will be
1157 terminated immediately when the filter
1158 is triggered.</para></listitem>
1162 <term><varname>SystemCallArchitectures=</varname></term>
1164 <listitem><para>Takes a space
1165 separated list of architecture
1166 identifiers to include in the system
1167 call filter. The known architecture
1169 <constant>x86</constant>,
1170 <constant>x86-64</constant>,
1171 <constant>x32</constant>,
1172 <constant>arm</constant> as well as
1173 the special identifier
1174 <constant>native</constant>. Only
1175 system calls of the specified
1176 architectures will be permitted to
1177 processes of this unit. This is an
1178 effective way to disable compatibility
1179 with non-native architectures for
1180 processes, for example to prohibit
1181 execution of 32-bit x86 binaries on
1182 64-bit x86-64 systems. The special
1183 <constant>native</constant> identifier
1184 implicitly maps to the native
1185 architecture of the system (or more
1186 strictly: to the architecture the
1187 system manager is compiled for). If
1188 running in user mode and this option
1190 <varname>NoNewPrivileges=yes</varname>
1191 is implied. Note that setting this
1192 option to a non-empty list implies
1193 that <constant>native</constant> is
1194 included too. By default, this option
1195 is set to the empty list, i.e. no
1196 architecture system call filtering is
1197 applied.</para></listitem>
1201 <term><varname>RestrictAddressFamilies=</varname></term>
1203 <listitem><para>Restricts the set of
1204 socket address families accessible to
1205 the processes of this unit. Takes a
1206 space-separated list of address family
1207 names to whitelist, such as
1208 <constant>AF_UNIX</constant>,
1209 <constant>AF_INET</constant> or
1210 <constant>AF_INET6</constant>. When
1211 prefixed with <constant>~</constant>
1212 the listed address families will be
1213 applied as blacklist, otherwise as
1214 whitelist. Note that this restricts
1216 <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry>
1217 system call only. Sockets passed into
1218 the process by other means (for
1219 example, by using socket activation
1220 with socket units, see
1221 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
1222 are unaffected. Also, sockets created
1223 with <function>socketpair()</function>
1224 (which creates connected AF_UNIX
1225 sockets only) are unaffected. Note
1226 that this option has no effect on
1227 32bit x86 and is ignored (but works
1228 correctly on x86-64). If running in user
1229 mode and this option is used,
1230 <varname>NoNewPrivileges=yes</varname>
1231 is implied. By default no
1232 restriction applies, all address
1233 families are accessible to
1234 processes. If assigned the empty
1235 string any previous list changes are
1238 <para>Use this option to limit
1239 exposure of processes to remote
1240 systems, in particular via exotic
1241 network protocols. Note that in most
1243 <constant>AF_UNIX</constant> address
1244 family should be included in the
1245 configured whitelist as it is
1246 frequently used for local
1247 communication, including for
1248 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry>
1249 logging.</para></listitem>
1253 <term><varname>Personality=</varname></term>
1255 <listitem><para>Controls which
1257 <citerefentry><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry>
1258 shall report, when invoked by unit
1259 processes. Takes one of
1260 <constant>x86</constant> and
1261 <constant>x86-64</constant>. This is
1262 useful when running 32bit services on
1263 a 64bit host system. If not specified
1264 the personality is left unmodified and
1265 thus reflects the personality of the
1267 kernel.</para></listitem>
1271 <term><varname>RuntimeDirectory=</varname></term>
1272 <term><varname>RuntimeDirectoryMode=</varname></term>
1274 <listitem><para>Takes a list of
1275 directory names. If set one or more
1276 directories by the specified names
1277 will be created below
1278 <filename>/run</filename> (for system
1280 <varname>$XDG_RUNTIME_DIR</varname>
1281 (for user services) when the unit is
1282 started and removed when the unit is
1283 stopped. The directories will have the
1284 access mode specified in
1285 <varname>RuntimeDirectoryMode=</varname>,
1286 and will be owned by the user and
1288 <varname>User=</varname> and
1289 <varname>Group=</varname>. Use this to
1290 manage one or more runtime directories
1291 of the unit and bind their lifetime to
1292 the daemon runtime. The specified
1293 directory names must be relative, and
1295 <literal>/</literal>, i.e. must refer
1296 to simple directories to create or
1297 remove. This is particularly useful
1298 for unpriviliges daemons that cannot
1299 create runtime directories in
1300 <filename>/run</filename> due to lack
1301 of privileges, and to make sure the
1302 runtime directory is cleaned up
1303 automatically after use. For runtime
1304 directories that require more complex
1305 or different configuration or lifetime
1306 guarantees, please consider using
1307 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem>
1314 <title>Environment variables in spawned processes</title>
1316 <para>Processes started by the system are executed in
1317 a clean environment in which select variables
1318 listed below are set. System processes started by systemd
1319 do not inherit variables from PID 1, but processes
1320 started by user systemd instances inherit all
1321 environment variables from the user systemd instance.
1324 <variablelist class='environment-variables'>
1326 <term><varname>$PATH</varname></term>
1328 <listitem><para>Colon-separated list
1329 of directiories to use when launching
1330 executables. Systemd uses a fixed
1332 <filename>/usr/local/sbin</filename>:<filename>/usr/local/bin</filename>:<filename>/usr/sbin</filename>:<filename>/usr/bin</filename>:<filename>/sbin</filename>:<filename>/bin</filename>.
1337 <term><varname>$LANG</varname></term>
1339 <listitem><para>Locale. Can be set in
1340 <citerefentry><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1341 or on the kernel command line (see
1342 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
1344 <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>).
1349 <term><varname>$USER</varname></term>
1350 <term><varname>$LOGNAME</varname></term>
1351 <term><varname>$HOME</varname></term>
1352 <term><varname>$SHELL</varname></term>
1354 <listitem><para>User name (twice), home
1355 directory, and the login shell.
1356 The variables are set for the units that
1357 have <varname>User=</varname> set,
1359 <command>systemd</command> instances.
1361 <citerefentry><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
1366 <term><varname>$XDG_RUNTIME_DIR</varname></term>
1368 <listitem><para>The directory for volatile
1369 state. Set for the user <command>systemd</command>
1370 instance, and also in user sessions.
1372 <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
1377 <term><varname>$XDG_SESSION_ID</varname></term>
1378 <term><varname>$XDG_SEAT</varname></term>
1379 <term><varname>$XDG_VTNR</varname></term>
1381 <listitem><para>The identifier of the
1382 session, the seat name, and
1383 virtual terminal of the session. Set
1385 <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
1387 <varname>$XDG_SEAT</varname> and
1388 <varname>$XDG_VTNR</varname> will
1389 only be set when attached to a seat and a
1390 tty.</para></listitem>
1394 <term><varname>$MAINPID</varname></term>
1396 <listitem><para>The PID of the units
1397 main process if it is known. This is
1398 only set for control processes as
1400 <varname>ExecReload=</varname> and
1401 similar. </para></listitem>
1405 <term><varname>$MANAGERPID</varname></term>
1407 <listitem><para>The PID of the user
1408 <command>systemd</command> instance,
1409 set for processes spawned by it.
1414 <term><varname>$LISTEN_FDS</varname></term>
1415 <term><varname>$LISTEN_PID</varname></term>
1417 <listitem><para>Information about file
1418 descriptors passed to a service for
1419 socket activation. See
1420 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
1425 <term><varname>$TERM</varname></term>
1427 <listitem><para>Terminal type, set
1428 only for units connected to a terminal
1429 (<varname>StandardInput=tty</varname>,
1430 <varname>StandardOutput=tty</varname>,
1432 <varname>StandardError=tty</varname>).
1434 <citerefentry><refentrytitle>termcap</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
1439 <para>Additional variables may be configured by the
1440 following means: for processes spawned in specific
1441 units, use the <varname>Environment=</varname> and
1442 <varname>EnvironmentFile=</varname> options above; to
1443 specify variables globally, use
1444 <varname>DefaultEnvironment=</varname> (see
1445 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
1446 or the kernel option
1447 <varname>systemd.setenv=</varname> (see
1448 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Additional
1449 variables may also be set through PAM,
1450 c.f. <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
1454 <title>See Also</title>
1456 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1457 <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
1458 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
1459 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1460 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1461 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1462 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1463 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1464 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1465 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1466 <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
1467 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1468 <citerefentry><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry>