chiark / gitweb /
~ianmdlvl / elogind.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
resolved: set LLMNR TCP and UDP TTLs to the values suggested by the RFC
[elogind.git] / man / systemd.exec.xml
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 36643034913c91169fcce52b5b29a416ef42dfa3..2f75915c2076d6aa4c31bb65d2020422c99b448e 100644 (file)
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -103,7 +103,7 @@
                                 directory path. Sets the root
                                 directory for executed processes, with
                                 the
                                 directory path. Sets the root
                                 directory for executed processes, with
                                 the
-                                <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+                                <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>
                                 system call. If this is used, it must
                                 be ensured that the process and all
                                 its auxiliary files are available in
                                 system call. If this is used, it must
                                 be ensured that the process and all
                                 its auxiliary files are available in
@@ -304,7 +304,7 @@
 
                                 <para>
                                 See
 
                                 <para>
                                 See
-                                <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+                                <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
                                 for details about environment variables.</para></listitem>
                         </varlistentry>
                         <varlistentry>
                                 for details about environment variables.</para></listitem>
                         </varlistentry>
                         <varlistentry>
@@ -443,12 +443,12 @@
                                 for other processes to release the
                                 terminal. <option>syslog</option>
                                 connects standard output to the
                                 for other processes to release the
                                 terminal. <option>syslog</option>
                                 connects standard output to the
-                                <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+                                <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
                                 system syslog
                                 service. <option>kmsg</option>
                                 connects it with the kernel log buffer
                                 which is accessible via
                                 system syslog
                                 service. <option>kmsg</option>
                                 connects it with the kernel log buffer
                                 which is accessible via
-                                <citerefentry><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <option>journal</option>
+                                <citerefentry project='man-pages'><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <option>journal</option>
                                 connects it with the journal which is
                                 accessible via
                                 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
                                 connects it with the journal which is
                                 accessible via
                                 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
@@ -568,7 +568,7 @@
                                 <option>local5</option>,
                                 <option>local6</option> or
                                 <option>local7</option>. See
                                 <option>local5</option>,
                                 <option>local6</option> or
                                 <option>local7</option>. See
-                                <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+                                <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
                                 for details. This option is only
                                 useful when
                                 <varname>StandardOutput=</varname> or
                                 for details. This option is only
                                 useful when
                                 <varname>StandardOutput=</varname> or
@@ -590,7 +590,7 @@
                                 <option>notice</option>,
                                 <option>info</option>,
                                 <option>debug</option>. See
                                 <option>notice</option>,
                                 <option>info</option>,
                                 <option>debug</option>. See
-                                <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+                                <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
                                 for details. This option is only
                                 useful when
                                 <varname>StandardOutput=</varname> or
                                 for details. This option is only
                                 useful when
                                 <varname>StandardOutput=</varname> or
@@ -687,7 +687,7 @@
                                 <varname>User=</varname> setting. If
                                 not set, no PAM session will be opened
                                 for the executed processes. See
                                 <varname>User=</varname> setting. If
                                 not set, no PAM session will be opened
                                 for the executed processes. See
-                                <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+                                <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                                 for details.</para></listitem>
                         </varlistentry>
 
                                 for details.</para></listitem>
                         </varlistentry>
 
@@ -698,7 +698,7 @@
                                 capabilities to include in the
                                 capability bounding set for the
                                 executed process. See
                                 capabilities to include in the
                                 capability bounding set for the
                                 executed process. See
-                                <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+                                <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
                                 for details. Takes a whitespace-separated
                                 list of capability names as read by
                                 <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
                                 for details. Takes a whitespace-separated
                                 list of capability names as read by
                                 <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
@@ -739,7 +739,7 @@
                                 <term><varname>SecureBits=</varname></term>
                                 <listitem><para>Controls the secure
                                 bits set for the executed process. See
                                 <term><varname>SecureBits=</varname></term>
                                 <listitem><para>Controls the secure
                                 bits set for the executed process. See
-                                <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+                                <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
                                 for details. Takes a list of strings:
                                 <option>keep-caps</option>,
                                 <option>keep-caps-locked</option>,
                                 for details. Takes a list of strings:
                                 <option>keep-caps</option>,
                                 <option>keep-caps-locked</option>,
@@ -757,7 +757,7 @@
                         <varlistentry>
                                 <term><varname>Capabilities=</varname></term>
                                 <listitem><para>Controls the
                         <varlistentry>
                                 <term><varname>Capabilities=</varname></term>
                                 <listitem><para>Controls the
-                                <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+                                <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
                                 set for the executed process. Take a
                                 capability string describing the
                                 effective, permitted and inherited
                                 set for the executed process. Take a
                                 capability string describing the
                                 effective, permitted and inherited
@@ -777,8 +777,8 @@
                                 <term><varname>ReadOnlyDirectories=</varname></term>
                                 <term><varname>InaccessibleDirectories=</varname></term>
 
                                 <term><varname>ReadOnlyDirectories=</varname></term>
                                 <term><varname>InaccessibleDirectories=</varname></term>
 
-                                <listitem><para>Sets up a new
-                                file system namespace for executed
+                                <listitem><para>Sets up a new file
+                                system namespace for executed
                                 processes. These options may be used
                                 to limit access a process might have
                                 to the main file system
                                 processes. These options may be used
                                 to limit access a process might have
                                 to the main file system
@@ -799,16 +799,14 @@
                                 processes inside the namespace. Note
                                 that restricting access with these
                                 options does not extend to submounts
                                 processes inside the namespace. Note
                                 that restricting access with these
                                 options does not extend to submounts
-                                of a directory. You must list
-                                submounts separately in these settings
-                                to ensure the same limited
-                                access. These options may be specified
+                                of a directory that are created later
+                                on. These options may be specified
                                 more than once in which case all
                                 directories listed will have limited
                                 access from within the namespace. If
                                 the empty string is assigned to this
                                 more than once in which case all
                                 directories listed will have limited
                                 access from within the namespace. If
                                 the empty string is assigned to this
-                                option, the specific list is reset, and
-                                all prior assignments have no
+                                option, the specific list is reset,
+                                and all prior assignments have no
                                 effect.</para>
                                 <para>Paths in
                                 <varname>ReadOnlyDirectories=</varname>
                                 effect.</para>
                                 <para>Paths in
                                 <varname>ReadOnlyDirectories=</varname>
@@ -935,22 +933,26 @@
                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>
-                                <term><varname>ReadOnlySystem=</varname></term>
+                                <term><varname>ProtectSystem=</varname></term>
 
                                 <listitem><para>Takes a boolean
 
                                 <listitem><para>Takes a boolean
-                                argument. If true, mounts the
-                                <filename>/usr</filename> and
-                                <filename>/boot</filename> directories
-                                read-only for processes invoked by
-                                this unit. This setting ensures that
-                                any modification of the vendor
-                                supplied operating system is
+                                argument or
+                                <literal>full</literal>. If true,
+                                mounts the <filename>/usr</filename>
+                                directory read-only for processes
+                                invoked by this unit. If set to
+                                <literal>full</literal>, the
+                                <filename>/etc</filename> directory is mounted
+                                read-only, too. This setting ensures
+                                that any modification of the vendor
+                                supplied operating system (and
+                                optionally its configuration) is
                                 prohibited for the service. It is
                                 recommended to enable this setting for
                                 all long-running services, unless they
                                 are involved with system updates or
                                 need to modify the operating system in
                                 prohibited for the service. It is
                                 recommended to enable this setting for
                                 all long-running services, unless they
                                 are involved with system updates or
                                 need to modify the operating system in
-                                other ways. Note however, that
+                                other ways. Note however that
                                 processes retaining the CAP_SYS_ADMIN
                                 capability can undo the effect of this
                                 setting. This setting is hence
                                 processes retaining the CAP_SYS_ADMIN
                                 capability can undo the effect of this
                                 setting. This setting is hence
@@ -962,7 +964,7 @@
                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>
-                                <term><varname>ProtectedHome=</varname></term>
+                                <term><varname>ProtectHome=</varname></term>
 
                                 <listitem><para>Takes a boolean
                                 argument or
 
                                 <listitem><para>Takes a boolean
                                 argument or
@@ -972,15 +974,15 @@
                                 <filename>/run/user</filename> are
                                 made inaccessible and empty for
                                 processes invoked by this unit. If set
                                 <filename>/run/user</filename> are
                                 made inaccessible and empty for
                                 processes invoked by this unit. If set
-                                to <literal>read-only</literal> the
+                                to <literal>read-only</literal>, the
                                 two directores are made read-only
                                 instead. It is recommended to enable
                                 this setting for all long-running
                                 services (in particular network-facing
                                 two directores are made read-only
                                 instead. It is recommended to enable
                                 this setting for all long-running
                                 services (in particular network-facing
-                                one), to ensure they cannot get access
+                                ones), to ensure they cannot get access
                                 to private user data, unless the
                                 services actually require access to
                                 to private user data, unless the
                                 services actually require access to
-                                the user's private data. Note however,
+                                the user's private data. Note however
                                 that processes retaining the
                                 CAP_SYS_ADMIN capability can undo the
                                 effect of this setting. This setting
                                 that processes retaining the
                                 CAP_SYS_ADMIN capability can undo the
                                 effect of this setting. This setting
@@ -1470,7 +1472,7 @@
                                 or
                                 <varname>StandardError=tty</varname>).
                                 See
                                 or
                                 <varname>StandardError=tty</varname>).
                                 See
-                                <citerefentry><refentrytitle>termcap</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+                                <citerefentry project='man-pages'><refentrytitle>termcap</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
                                 </para></listitem>
                         </varlistentry>
                 </variablelist>
                                 </para></listitem>
                         </varlistentry>
                 </variablelist>
@@ -1486,7 +1488,7 @@
                 <varname>systemd.setenv=</varname> (see
                 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Additional
                 variables may also be set through PAM,
                 <varname>systemd.setenv=</varname> (see
                 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Additional
                 variables may also be set through PAM,
-                cf. <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+                cf. <citerefentry project='man-pages'><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
         </refsect1>
 
         <refsect1>
         </refsect1>
 
         <refsect1>
@@ -1504,7 +1506,7 @@
                           <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                           <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
                           <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                           <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                           <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
                           <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
-                          <citerefentry><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+                          <citerefentry project='man-pages'><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry>
                   </para>
         </refsect1>
 
                   </para>
         </refsect1>
 
Unnamed repository; edit this file 'description' to name the repository.