for the assignment.</para>
<para>Example:
- <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"</programlisting>
+ <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting>
gives three variables <literal>VAR1</literal>,
- <literal>VAR2</literal>, <literal>VAR3</literal>.
+ <literal>VAR2</literal>, <literal>VAR3</literal>
+ with the values <literal>word1 word2</literal>,
+ <literal>word3</literal>, <literal>$word 5 6</literal>.
</para>
<para>
processes and mounts private
<filename>/tmp</filename> and
<filename>/var/tmp</filename>
- directories inside it, that are not
+ directories inside it that is not
shared by processes outside of the
namespace. This is useful to secure
access to temporary files of the
<filename>/var/tmp</filename>
impossible. All temporary data created
by service will be removed after
- service is stopped. Defaults to
+ the service is stopped. Defaults to
false. Note that it is possible to run
two or more units within the same
private <filename>/tmp</filename> and
for details.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>PrivateDevices=</varname></term>
+
+ <listitem><para>Takes a boolean
+ argument. If true, sets up a new /dev
+ namespace for the executed processes
+ and only adds API pseudo devices such
+ as <filename>/dev/null</filename>,
+ <filename>/dev/zero</filename> or
+ <filename>/dev/random</filename> to
+ it, but no physical devices such as
+ <filename>/dev/sda</filename>. This is
+ useful to securely turn off physical
+ device access by the executed
+ process. Defaults to
+ false.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>MountFlags=</varname></term>