X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=11b160e58f2ffe2fb3fc96116d3b52127b999d36;hp=1bc6bafa473dd79b88b8e79fe90ab0c326c2200a;hb=754061ce7173fd8cb66ade1a48381e2cead35522;hpb=b8825fff7bf153ea9f17c46a40278df2e780829d diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 1bc6bafa4..11b160e58 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1,6 +1,5 @@ - + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> - - systemd.exec - systemd - - - - Developer - Lennart - Poettering - lennart@poettering.net - - - - - - systemd.exec - 5 - - - - systemd.exec - Execution environment configuration - - - - service.service, - socket.socket, - mount.mount, - swap.swap - - - - Description - - Unit configuration files for services, sockets, - mount points, and swap devices share a subset of - configuration options which define the execution - environment of spawned processes. - - This man page lists the configuration options - shared by these four unit types. See - systemd.unit5 - for the common options of all unit configuration - files, and - systemd.service5, - systemd.socket5, - systemd.swap5, - and - systemd.mount5 - for more information on the specific unit - configuration files. The execution specific - configuration options are configured in the [Service], - [Socket], [Mount], or [Swap] sections, depending on the unit - type. - - - - Options - - - - - WorkingDirectory= - - Takes an absolute - directory path. Sets the working - directory for executed processes. If - not set, defaults to the root directory - when systemd is running as a system - instance and the respective user's - home directory if run as - user. - - - - RootDirectory= - - Takes an absolute - directory path. Sets the root - directory for executed processes, with - the - chroot2 - system call. If this is used, it must - be ensured that the process and all - its auxiliary files are available in - the chroot() - jail. - - - - User= - Group= - - Sets the Unix user - or group that the processes are executed - as, respectively. Takes a single user or group - name or ID as argument. If no group is - set, the default group of the user is - chosen. - - - - SupplementaryGroups= - - Sets the supplementary - Unix groups the processes are executed - as. This takes a space-separated list - of group names or IDs. This option may - be specified more than once in which - case all listed groups are set as - supplementary groups. When the empty - string is assigned the list of - supplementary groups is reset, and all - assignments prior to this one will - have no effect. In any way, this - option does not override, but extends - the list of supplementary groups - configured in the system group - database for the - user. - - - - Nice= - - Sets the default nice - level (scheduling priority) for - executed processes. Takes an integer - between -20 (highest priority) and 19 - (lowest priority). See - setpriority2 - for details. - - - - OOMScoreAdjust= - - Sets the adjustment - level for the Out-Of-Memory killer for - executed processes. Takes an integer - between -1000 (to disable OOM killing - for this process) and 1000 (to make - killing of this process under memory - pressure very likely). See proc.txt - for details. - - - - IOSchedulingClass= - - Sets the IO scheduling - class for executed processes. Takes an - integer between 0 and 3 or one of the - strings , - , - or - . See - ioprio_set2 - for details. - - - - IOSchedulingPriority= - - Sets the IO scheduling - priority for executed processes. Takes - an integer between 0 (highest - priority) and 7 (lowest priority). The - available priorities depend on the - selected IO scheduling class (see - above). See - ioprio_set2 - for details. - - - - CPUSchedulingPolicy= - - Sets the CPU - scheduling policy for executed - processes. Takes one of - , - , - , - or - . See - sched_setscheduler2 - for details. - - - - CPUSchedulingPriority= - - Sets the CPU - scheduling priority for executed - processes. The available priority - range depends on the selected CPU - scheduling policy (see above). For - real-time scheduling policies an - integer between 1 (lowest priority) - and 99 (highest priority) can be used. - See sched_setscheduler2 - for details. - - - - - CPUSchedulingResetOnFork= - - Takes a boolean - argument. If true, elevated CPU - scheduling priorities and policies - will be reset when the executed - processes fork, and can hence not leak - into child processes. See - sched_setscheduler2 - for details. Defaults to false. - - - - CPUAffinity= - - Controls the CPU - affinity of the executed - processes. Takes a space-separated - list of CPU indices. This option may - be specified more than once in which - case the specificed CPU affinity masks - are merged. If the empty string is - assigned, the mask is reset, all - assignments prior to this will have no - effect. See - sched_setaffinity2 - for details. - - - - UMask= - - Controls the file mode - creation mask. Takes an access mode in - octal notation. See - umask2 - for details. Defaults to - 0022. - - - - Environment= - - Sets environment - variables for executed - processes. Takes a space-separated - list of variable assignments. This - option may be specified more than once - in which case all listed variables - will be set. If the same variable is - set twice, the later setting will - override the earlier setting. If the - empty string is assigned to this - option, the list of environment - variables is reset, all prior - assignments have no effect. - Variable expansion is not performed - inside the strings, however, specifier - expansion is possible. The $ character has - no special meaning. - If you need to assign a value containing spaces - to a variable, use double quotes (") - for the assignment. - - Example: - Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6" - gives three variables VAR1, - VAR2, VAR3 - with the values word1 word2, - word3, $word 5 6. - - - - See - environ7 - for details about environment variables. - - - EnvironmentFile= - Similar to - Environment= but - reads the environment variables from a - text file. The text file should - contain new-line-separated variable - assignments. Empty lines and lines - starting with ; or # will be ignored, - which may be used for commenting. A line - ending with a backslash will be concatenated - with the following one, allowing multiline variable - definitions. The parser strips leading - and trailing whitespace from the values - of assignments, unless you use - double quotes ("). - - The argument passed should be an - absolute filename or wildcard - expression, optionally prefixed with - -, which indicates - that if the file does not exist, it - will not be read and no error or warning - message is logged. This option may be - specified more than once in which case - all specified files are read. If the - empty string is assigned to this - option, the list of file to read is - reset, all prior assignments have no - effect. - - The files listed with this - directive will be read shortly before - the process is executed (more - specifically, after all - processes from a previous unit state - terminated. This means you can - generate these files in one unit - state, and read it with this option in - the next). Settings from these files - override settings made with - Environment=. If - the same variable is set twice from - these files, the files will be read in - the order they are specified and the - later setting will override the - earlier setting. - - - - StandardInput= - Controls where file - descriptor 0 (STDIN) of the executed - processes is connected to. Takes one - of , - , - , - or - . - - If is - selected, standard input will be - connected to - /dev/null, - i.e. all read attempts by the process - will result in immediate EOF. - - If is - selected, standard input is connected - to a TTY (as configured by - TTYPath=, see - below) and the executed process - becomes the controlling process of the - terminal. If the terminal is already - being controlled by another process, - the executed process waits until the - current controlling process releases - the terminal. - - is similar - to , but the - executed process is forcefully and - immediately made the controlling - process of the terminal, potentially - removing previous controlling - processes from the - terminal. - - is - similar to but if - the terminal already has a controlling - process start-up of the executed - process fails. - - The - option is only valid in - socket-activated services, and only - when the socket configuration file - (see - systemd.socket5 - for details) specifies a single socket - only. If this option is set, standard - input will be connected to the socket - the service was activated from, which - is primarily useful for compatibility - with daemons designed for use with the - traditional - inetd8 - daemon. - - This setting defaults to - . - - - StandardOutput= - Controls where file - descriptor 1 (STDOUT) of the executed - processes is connected to. Takes one - of , - , - , - , - , - , - , - , - or - . - - - duplicates the file descriptor of - standard input for standard - output. - - connects - standard output to - /dev/null, - i.e. everything written to it will be - lost. - - connects - standard output to a tty (as - configured via - TTYPath=, see - below). If the TTY is used for output - only, the executed process will not - become the controlling process of the - terminal, and will not fail or wait - for other processes to release the - terminal. - - - connects standard output with the - journal which is accessible via - journalctl1. - Note that everything that is written - to syslog or kmsg (see below) is - implicitly stored in the journal as - well, the specific two options listed - below are hence supersets of this - one. - - connects - standard output to the syslog3 - system syslog service, in addition to - the journal. Note that the journal - daemon is usually configured to - forward everything it receives to - syslog anyway, in which case this - option is no different from - . - - connects - standard output with the kernel log - buffer which is accessible via - dmesg1, - in addition to the journal. The - journal daemon might be configured to - send all logs to kmsg anyway, in which - case this option is no different from - . - - , - and - work in - a similar way as the three options - above but copy the output to the - system console as well. - - connects - standard output to a socket acquired - via socket activation. The semantics - are similar to the same option of - StandardInput=. - - This setting defaults to the - value set with - - in - systemd-system.conf5, - which defaults to - . - - - StandardError= - Controls where file - descriptor 2 (STDERR) of the - executed processes is connected to. - The available options are identical to - those of - StandardOutput=, - with one exception: if set to - the file - descriptor used for standard output is - duplicated for standard error. This - setting defaults to the value set with - - in - systemd-system.conf5, - which defaults to - . - - - TTYPath= - Sets the terminal - device node to use if standard input, output, - or error are connected to a - TTY (see above). Defaults to - /dev/console. - - - TTYReset= - Reset the terminal - device specified with - TTYPath= before and - after execution. Defaults to - no. - - - TTYVHangup= - Disconnect all clients - which have opened the terminal device - specified with - TTYPath= - before and after execution. Defaults - to - no. - - - TTYVTDisallocate= - If the terminal - device specified with - TTYPath= is a - virtual console terminal, try to - deallocate the TTY before and after - execution. This ensures that the - screen and scrollback buffer is - cleared. Defaults to - no. - - - SyslogIdentifier= - Sets the process name - to prefix log lines sent to the - logging system or the kernel log - buffer with. If not set, defaults to - the process name of the executed - process. This option is only useful - when - StandardOutput= or - StandardError= are - set to , - or - (or to the same - settings in combination with - ). - - - SyslogFacility= - Sets the syslog - facility to use when logging to - syslog. One of , - , - , - , - , - , - , - , - , - , - , - , - , - , - , - , - , - , - or - . See - syslog3 - for details. This option is only - useful when - StandardOutput= or - StandardError= are - set to . - Defaults to - . - - - SyslogLevel= - Default syslog level - to use when logging to syslog or the - kernel log buffer. One of - , - , - , - , - , - , - , - . See - syslog3 - for details. This option is only - useful when - StandardOutput= or - StandardError= are - set to or - . Note that - individual lines output by the daemon - might be prefixed with a different log - level which can be used to override - the default log level specified - here. The interpretation of these - prefixes may be disabled with - SyslogLevelPrefix=, - see below. For details see - sd-daemon3. - - Defaults to - . - - - - SyslogLevelPrefix= - Takes a boolean - argument. If true and - StandardOutput= or - StandardError= are - set to , - or - , log lines - written by the executed process that - are prefixed with a log level will be - passed on to syslog with this log - level set but the prefix removed. If - set to false, the interpretation of - these prefixes is disabled and the - logged lines are passed on as-is. For - details about this prefixing see - sd-daemon3. - Defaults to true. - - - - TimerSlackNSec= - Sets the timer slack - in nanoseconds for the executed - processes. The timer slack controls - the accuracy of wake-ups triggered by - timers. See - prctl2 - for more information. Note that in - contrast to most other time span - definitions this parameter takes an - integer value in nano-seconds if no - unit is specified. The usual time - units are understood - too. - - - - LimitCPU= - LimitFSIZE= - LimitDATA= - LimitSTACK= - LimitCORE= - LimitRSS= - LimitNOFILE= - LimitAS= - LimitNPROC= - LimitMEMLOCK= - LimitLOCKS= - LimitSIGPENDING= - LimitMSGQUEUE= - LimitNICE= - LimitRTPRIO= - LimitRTTIME= - These settings control - various resource limits for executed - processes. See - setrlimit2 - for details. Use the string - infinity to - configure no limit on a specific - resource. - - - Limit directives and their equivalent with ulimit - - - - - - - Directive - ulimit equivalent - - - - - LimitCPU - ulimit -t - - - LimitFSIZE - ulimit -f - - - LimitDATA - ulimit -d - - - LimitSTACK - ulimit -s - - - LimitCORE - ulimit -c - - - LimitRSS - ulimit -m - - - LimitNOFILE - ulimit -n - - - LimitAS - ulimit -v - - - LimitNPROC - ulimit -u - - - LimitMEMLOCK - ulimit -l - - - LimitLOCKS - ulimit -x - - - LimitSIGPENDING - ulimit -i - - - LimitMSGQUEUE - ulimit -q - - - LimitNICE - ulimit -e - - - LimitRTPRIO - ulimit -r - - - LimitRTTIME - No equivalent - - - -
- - - - PAMName= - Sets the PAM service - name to set up a session as. If set, - the executed process will be - registered as a PAM session under the - specified service name. This is only - useful in conjunction with the - User= setting. If - not set, no PAM session will be opened - for the executed processes. See - pam8 - for details. - - - - CapabilityBoundingSet= - - Controls which - capabilities to include in the - capability bounding set for the - executed process. See - capabilities7 - for details. Takes a whitespace-separated - list of capability names as read by - cap_from_name3, - e.g. CAP_SYS_ADMIN, - CAP_DAC_OVERRIDE, - CAP_SYS_PTRACE. - Capabilities listed will be included - in the bounding set, all others are - removed. If the list of capabilities - is prefixed with ~, - all but the listed capabilities will - be included, the effect of the - assignment inverted. Note that this - option also affects the respective - capabilities in the effective, - permitted and inheritable capability - sets, on top of what - Capabilities= - does. If this option is not used, the - capability bounding set is not - modified on process execution, hence - no limits on the capabilities of the - process are enforced. This option may - appear more than once in which case - the bounding sets are merged. If the - empty string is assigned to this - option, the bounding set is reset to - the empty capability set, and all - prior settings have no effect. If set - to ~ (without any - further argument), the bounding set is - reset to the full set of available - capabilities, also undoing any - previous settings. - - - - SecureBits= - Controls the secure - bits set for the executed process. - Takes a space-separated combination of - options from the following list: - , - , - , - , - , and - . This - option may appear more than once in - which case the secure bits are ORed. - If the empty string is assigned to - this option, the bits are reset to 0. - See capabilities7 - for details. - - - - Capabilities= - Controls the - capabilities7 - set for the executed process. Take a - capability string describing the - effective, permitted and inherited - capability sets as documented in - cap_from_text3. - Note that these capability sets are - usually influenced (and filtered) by the capabilities - attached to the executed file. Due to - that - CapabilityBoundingSet= - is probably a much more useful - setting. - - - - ReadWriteDirectories= - ReadOnlyDirectories= - InaccessibleDirectories= - - Sets up a new file - system namespace for executed - processes. These options may be used - to limit access a process might have - to the main file system - hierarchy. Each setting takes a - space-separated list of absolute - directory paths. Directories listed in - ReadWriteDirectories= - are accessible from within the - namespace with the same access rights - as from outside. Directories listed in - ReadOnlyDirectories= - are accessible for reading only, - writing will be refused even if the - usual file access controls would - permit this. Directories listed in - InaccessibleDirectories= - will be made inaccessible for - processes inside the namespace. Note - that restricting access with these - options does not extend to submounts - of a directory that are created later - on. These options may be specified - more than once in which case all - directories listed will have limited - access from within the namespace. If - the empty string is assigned to this - option, the specific list is reset, - and all prior assignments have no - effect. - Paths in - ReadOnlyDirectories= - and - InaccessibleDirectories= - may be prefixed with - -, in which case - they will be ignored when they do not - exist. Note that using this - setting will disconnect propagation of - mounts from the service to the host - (propagation in the opposite direction - continues to work). This means that - this setting may not be used for - services which shall be able to - install mount points in the main mount - namespace. - - - - PrivateTmp= - - Takes a boolean - argument. If true, sets up a new file - system namespace for the executed - processes and mounts private - /tmp and - /var/tmp - directories inside it that is not - shared by processes outside of the - namespace. This is useful to secure - access to temporary files of the - process, but makes sharing between - processes via - /tmp or - /var/tmp - impossible. If this is enabled, all - temporary files created by a service - in these directories will be removed - after the service is stopped. Defaults - to false. It is possible to run two or - more units within the same private - /tmp and - /var/tmp - namespace by using the - JoinsNamespaceOf= - directive, see - systemd.unit5 - for details. Note that using this - setting will disconnect propagation of - mounts from the service to the host - (propagation in the opposite direction - continues to work). This means that - this setting may not be used for - services which shall be able to install - mount points in the main mount - namespace. - - - - PrivateDevices= - - Takes a boolean - argument. If true, sets up a new /dev - namespace for the executed processes - and only adds API pseudo devices such - as /dev/null, - /dev/zero or - /dev/random (as - well as the pseudo TTY subsystem) to - it, but no physical devices such as - /dev/sda. This is - useful to securely turn off physical - device access by the executed - process. Defaults to false. Enabling - this option will also remove - CAP_MKNOD from - the capability bounding set for the - unit (see above), and set - DevicePolicy=closed - (see - systemd.resource-control5 - for details). Note that using this - setting will disconnect propagation of - mounts from the service to the host - (propagation in the opposite direction - continues to work). This means that - this setting may not be used for - services which shall be able to - install mount points in the main mount - namespace. - - - - PrivateNetwork= - - Takes a boolean - argument. If true, sets up a new - network namespace for the executed - processes and configures only the - loopback network device - lo inside it. No - other network devices will be - available to the executed process. - This is useful to securely turn off - network access by the executed - process. Defaults to false. It is - possible to run two or more units - within the same private network - namespace by using the - JoinsNamespaceOf= - directive, see - systemd.unit5 - for details. Note that this option - will disconnect all socket families - from the host, this includes - AF_NETLINK and AF_UNIX. The latter has - the effect that AF_UNIX sockets in the - abstract socket namespace will become - unavailable to the processes (however, - those located in the file system will - continue to be - accessible). - - - - ProtectSystem= - - Takes a boolean - argument or - full. If true, - mounts the /usr - directory read-only for processes - invoked by this unit. If set to - full, the - /etc directory is mounted - read-only, too. This setting ensures - that any modification of the vendor - supplied operating system (and - optionally its configuration) is - prohibited for the service. It is - recommended to enable this setting for - all long-running services, unless they - are involved with system updates or - need to modify the operating system in - other ways. Note however that - processes retaining the CAP_SYS_ADMIN - capability can undo the effect of this - setting. This setting is hence - particularly useful for daemons which - have this capability removed, for - example with - CapabilityBoundingSet=. Defaults - to off. - - - - ProtectHome= - - Takes a boolean - argument or - read-only. If true, - the directories - /home and - /run/user are - made inaccessible and empty for - processes invoked by this unit. If set - to read-only, the - two directories are made read-only - instead. It is recommended to enable - this setting for all long-running - services (in particular network-facing - ones), to ensure they cannot get access - to private user data, unless the - services actually require access to - the user's private data. Note however - that processes retaining the - CAP_SYS_ADMIN capability can undo the - effect of this setting. This setting - is hence particularly useful for - daemons which have this capability - removed, for example with - CapabilityBoundingSet=. Defaults - to off. - - - - MountFlags= - - Takes a mount - propagation flag: - , - or - , which - control whether mounts in the file - system namespace set up for this - unit's processes will receive or - propagate mounts or unmounts. See - mount2 - for details. Defaults to - . Use - to ensure that - mounts and unmounts are propagated - from the host to the container and - vice versa. Use - to run processes so that none of their - mounts and unmounts will propagate to - the host. Use - to also ensure that no mounts and - unmounts from the host will propagate - into the unit processes' - namespace. Note that - means that file - systems mounted on the host might stay - mounted continuously in the unit's - namespace, and thus keep the device - busy. Note that the file system - namespace related options - (PrivateTmp=, - PrivateDevices=, - ProtectSystem=, - ProtectHome=, - ReadOnlyDirectories=, - InaccessibleDirectories= - and - ReadWriteDirectories=) - require that mount and unmount - propagation from the unit's file - system namespace is disabled, and - hence downgrade - to - . - - - - - UtmpIdentifier= - - Takes a four - character identifier string for an - utmp/wtmp entry for this service. This - should only be set for services such - as getty - implementations where utmp/wtmp - entries must be created and cleared - before and after execution. If the - configured string is longer than four - characters, it is truncated and the - terminal four characters are - used. This setting interprets %I style - string replacements. This setting is - unset by default, i.e. no utmp/wtmp - entries are created or cleaned up for - this service. - - - - SELinuxContext= - - Set the SELinux - security context of the executed - process. If set, this will override - the automated domain - transition. However, the policy still - needs to autorize the transition. This - directive is ignored if SELinux is - disabled. If prefixed by - -, all errors will - be ignored. See - setexeccon3 - for details. - - - - AppArmorProfile= - - Takes a profile name as argument. - The process executed by the unit will switch to - this profile when started. Profiles must already - be loaded in the kernel, or the unit will fail. - This result in a non operation if AppArmor is not - enabled. If prefixed by -, all errors - will be ignored. - - - - - SmackProcessLabel= - - Takes a - security - label as argument. The process - executed by the unit will be started - under this label and SMACK will decide - whether the processes is allowed to - run or not based on it. The process - will continue to run under the label - specified here unless the executable - has its own - label, in - which case the process will transition - to run under that label. When not - specified, the label that systemd is - running under is used. This directive - is ignored if SMACK is - disabled. - - The value may be prefixed by - -, in which case - all errors will be ignored. An empty - value may be specified to unset - previous assignments. - - - - - IgnoreSIGPIPE= - - Takes a boolean - argument. If true, causes SIGPIPE to be - ignored in the executed - process. Defaults to true because - SIGPIPE generally is useful only in - shell pipelines. - - - - NoNewPrivileges= - - Takes a boolean - argument. If true, ensures that the - service process and all its children - can never gain new privileges. This - option is more powerful than the respective - secure bits flags (see above), as it - also prohibits UID changes of any - kind. This is the simplest, most - effective way to ensure that a process - and its children can never elevate - privileges again. - - - - SystemCallFilter= - - Takes a - space-separated list of system call - names. If this setting is used, all - system calls executed by the unit - processes except for the listed ones - will result in immediate process - termination with the - SIGSYS signal - (whitelisting). If the first character - of the list is ~, - the effect is inverted: only the - listed system calls will result in - immediate process termination - (blacklisting). If running in user - mode and this option is used, - NoNewPrivileges=yes - is implied. This feature makes use of the - Secure Computing Mode 2 interfaces of - the kernel ('seccomp filtering') and - is useful for enforcing a minimal - sandboxing environment. Note that the - execve, - rt_sigreturn, - sigreturn, - exit_group, - exit system calls - are implicitly whitelisted and do not - need to be listed explicitly. This - option may be specified more than once - in which case the filter masks are - merged. If the empty string is - assigned, the filter is reset, all - prior assignments will have no - effect. - - If you specify both types of - this option (i.e. whitelisting and - blacklisting), the first encountered - will take precedence and will dictate - the default action (termination or - approval of a system call). Then the - next occurrences of this option will - add or delete the listed system calls - from the set of the filtered system - calls, depending of its type and the - default action. (For example, if you have started - with a whitelisting of - read and - write, and right - after it add a blacklisting of - write, then - write will be - removed from the set.) - - - - - SystemCallErrorNumber= - - Takes an - errno error number - name to return when the system call - filter configured with - SystemCallFilter= - is triggered, instead of terminating - the process immediately. Takes an - error name such as - EPERM, - EACCES or - EUCLEAN. When this - setting is not used, or when the empty - string is assigned, the process will be - terminated immediately when the filter - is triggered. - - - - SystemCallArchitectures= - - Takes a space - separated list of architecture - identifiers to include in the system - call filter. The known architecture - identifiers are - x86, - x86-64, - x32, - arm as well as - the special identifier - native. Only - system calls of the specified - architectures will be permitted to - processes of this unit. This is an - effective way to disable compatibility - with non-native architectures for - processes, for example to prohibit - execution of 32-bit x86 binaries on - 64-bit x86-64 systems. The special - native identifier - implicitly maps to the native - architecture of the system (or more - strictly: to the architecture the - system manager is compiled for). If - running in user mode and this option - is used, - NoNewPrivileges=yes - is implied. Note that setting this - option to a non-empty list implies - that native is - included too. By default, this option - is set to the empty list, i.e. no - architecture system call filtering is - applied. - - - - RestrictAddressFamilies= - - Restricts the set of - socket address families accessible to - the processes of this unit. Takes a - space-separated list of address family - names to whitelist, such as - AF_UNIX, - AF_INET or - AF_INET6. When - prefixed with ~ - the listed address families will be - applied as blacklist, otherwise as - whitelist. Note that this restricts - access to the - socket2 - system call only. Sockets passed into - the process by other means (for - example, by using socket activation - with socket units, see - systemd.socket5) - are unaffected. Also, sockets created - with socketpair() - (which creates connected AF_UNIX - sockets only) are unaffected. Note - that this option has no effect on - 32-bit x86 and is ignored (but works - correctly on x86-64). If running in user - mode and this option is used, - NoNewPrivileges=yes - is implied. By default, no - restriction applies, all address - families are accessible to - processes. If assigned the empty - string, any previous list changes are - undone. - - Use this option to limit - exposure of processes to remote - systems, in particular via exotic - network protocols. Note that in most - cases, the local - AF_UNIX address - family should be included in the - configured whitelist as it is - frequently used for local - communication, including for - syslog2 - logging. - - - - Personality= - - Controls which - kernel architecture - uname2 - shall report, when invoked by unit - processes. Takes one of - x86 and - x86-64. This is - useful when running 32-bit services on - a 64-bit host system. If not specified, - the personality is left unmodified and - thus reflects the personality of the - host system's - kernel. - - - - RuntimeDirectory= - RuntimeDirectoryMode= - - Takes a list of - directory names. If set, one or more - directories by the specified names - will be created below - /run (for system - services) or below - $XDG_RUNTIME_DIR - (for user services) when the unit is - started, and removed when the unit is - stopped. The directories will have the - access mode specified in - RuntimeDirectoryMode=, - and will be owned by the user and - group specified in - User= and - Group=. Use this to - manage one or more runtime directories - of the unit and bind their lifetime to - the daemon runtime. The specified - directory names must be relative, and - may not include a - /, i.e. must refer - to simple directories to create or - remove. This is particularly useful - for unprivileged daemons that cannot - create runtime directories in - /run due to lack - of privileges, and to make sure the - runtime directory is cleaned up - automatically after use. For runtime - directories that require more complex - or different configuration or lifetime - guarantees, please consider using - tmpfiles.d5. - - - - - - - Environment variables in spawned processes - - Processes started by the system are executed in - a clean environment in which select variables - listed below are set. System processes started by systemd - do not inherit variables from PID 1, but processes - started by user systemd instances inherit all - environment variables from the user systemd instance. - - - - - $PATH - - Colon-separated list - of directiories to use when launching - executables. Systemd uses a fixed - value of - /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin. - - - - - $LANG - - Locale. Can be set in - locale.conf5 - or on the kernel command line (see - systemd1 - and - kernel-command-line7). - - - - - $USER - $LOGNAME - $HOME - $SHELL - - User name (twice), home - directory, and the login shell. - The variables are set for the units that - have User= set, - which includes user - systemd instances. - See - passwd5. - - - - - $XDG_RUNTIME_DIR - - The directory for volatile - state. Set for the user systemd - instance, and also in user sessions. - See - pam_systemd8. - - - - - $XDG_SESSION_ID - $XDG_SEAT - $XDG_VTNR - - The identifier of the - session, the seat name, and - virtual terminal of the session. Set - by - pam_systemd8 - for login sessions. - $XDG_SEAT and - $XDG_VTNR will - only be set when attached to a seat and a - tty. - - - - $MAINPID - - The PID of the units - main process if it is known. This is - only set for control processes as - invoked by - ExecReload= and - similar. - - - - $MANAGERPID - - The PID of the user - systemd instance, - set for processes spawned by it. - - - - - $LISTEN_FDS - $LISTEN_PID - - Information about file - descriptors passed to a service for - socket activation. See - sd_listen_fds3. - - - - - $TERM - - Terminal type, set - only for units connected to a terminal - (StandardInput=tty, - StandardOutput=tty, - or - StandardError=tty). - See - termcap5. - - - - - Additional variables may be configured by the - following means: for processes spawned in specific - units, use the Environment= and - EnvironmentFile= options above; to - specify variables globally, use - DefaultEnvironment= (see - systemd-system.conf5) - or the kernel option - systemd.setenv= (see - systemd1). Additional - variables may also be set through PAM, - cf. pam_env8. - - - - See Also - - systemd1, - systemctl1, - journalctl8, - systemd.unit5, - systemd.service5, - systemd.socket5, - systemd.swap5, - systemd.mount5, - systemd.kill5, - systemd.resource-control5, - systemd.directives7, - tmpfiles.d5, - exec3 - - + + systemd.exec + systemd + + + + Developer + Lennart + Poettering + lennart@poettering.net + + + + + + systemd.exec + 5 + + + + systemd.exec + Execution environment configuration + + + + service.service, + socket.socket, + mount.mount, + swap.swap + + + + Description + + Unit configuration files for services, sockets, mount + points, and swap devices share a subset of configuration options + which define the execution environment of spawned + processes. + + This man page lists the configuration options shared by + these four unit types. See + systemd.unit5 + for the common options of all unit configuration files, and + systemd.service5, + systemd.socket5, + systemd.swap5, + and + systemd.mount5 + for more information on the specific unit configuration files. The + execution specific configuration options are configured in the + [Service], [Socket], [Mount], or [Swap] sections, depending on the + unit type. + + + + Options + + + + + WorkingDirectory= + + Takes an absolute directory path. Sets the + working directory for executed processes. If not set, defaults + to the root directory when systemd is running as a system + instance and the respective user's home directory if run as + user. + + + + RootDirectory= + + Takes an absolute directory path. Sets the + root directory for executed processes, with the + chroot2 + system call. If this is used, it must be ensured that the + process and all its auxiliary files are available in the + chroot() jail. + + + + User= + Group= + + Sets the Unix user or group that the processes + are executed as, respectively. Takes a single user or group + name or ID as argument. If no group is set, the default group + of the user is chosen. + + + + SupplementaryGroups= + + Sets the supplementary Unix groups the + processes are executed as. This takes a space-separated list + of group names or IDs. This option may be specified more than + once in which case all listed groups are set as supplementary + groups. When the empty string is assigned the list of + supplementary groups is reset, and all assignments prior to + this one will have no effect. In any way, this option does not + override, but extends the list of supplementary groups + configured in the system group database for the + user. + + + + Nice= + + Sets the default nice level (scheduling + priority) for executed processes. Takes an integer between -20 + (highest priority) and 19 (lowest priority). See + setpriority2 + for details. + + + + OOMScoreAdjust= + + Sets the adjustment level for the + Out-Of-Memory killer for executed processes. Takes an integer + between -1000 (to disable OOM killing for this process) and + 1000 (to make killing of this process under memory pressure + very likely). See proc.txt + for details. + + + + IOSchedulingClass= + + Sets the IO scheduling class for executed + processes. Takes an integer between 0 and 3 or one of the + strings , , + or . See + ioprio_set2 + for details. + + + + IOSchedulingPriority= + + Sets the IO scheduling priority for executed + processes. Takes an integer between 0 (highest priority) and 7 + (lowest priority). The available priorities depend on the + selected IO scheduling class (see above). See + ioprio_set2 + for details. + + + + CPUSchedulingPolicy= + + Sets the CPU scheduling policy for executed + processes. Takes one of + , + , + , + or + . See + sched_setscheduler2 + for details. + + + + CPUSchedulingPriority= + + Sets the CPU scheduling priority for executed + processes. The available priority range depends on the + selected CPU scheduling policy (see above). For real-time + scheduling policies an integer between 1 (lowest priority) and + 99 (highest priority) can be used. See + sched_setscheduler2 + for details. + + + + CPUSchedulingResetOnFork= + + Takes a boolean argument. If true, elevated + CPU scheduling priorities and policies will be reset when the + executed processes fork, and can hence not leak into child + processes. See + sched_setscheduler2 + for details. Defaults to false. + + + + CPUAffinity= + + Controls the CPU affinity of the executed + processes. Takes a space-separated list of CPU indices. This + option may be specified more than once in which case the + specified CPU affinity masks are merged. If the empty string + is assigned, the mask is reset, all assignments prior to this + will have no effect. See + sched_setaffinity2 + for details. + + + + UMask= + + Controls the file mode creation mask. Takes an + access mode in octal notation. See + umask2 + for details. Defaults to 0022. + + + + Environment= + + Sets environment variables for executed + processes. Takes a space-separated list of variable + assignments. This option may be specified more than once in + which case all listed variables will be set. If the same + variable is set twice, the later setting will override the + earlier setting. If the empty string is assigned to this + option, the list of environment variables is reset, all prior + assignments have no effect. Variable expansion is not + performed inside the strings, however, specifier expansion is + possible. The $ character has no special meaning. If you need + to assign a value containing spaces to a variable, use double + quotes (") for the assignment. + + Example: + Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6" + gives three variables VAR1, + VAR2, VAR3 + with the values word1 word2, + word3, $word 5 6. + + + + See + environ7 + for details about environment variables. + + + EnvironmentFile= + Similar to Environment= but + reads the environment variables from a text file. The text + file should contain new-line-separated variable assignments. + Empty lines and lines starting with ; or # will be ignored, + which may be used for commenting. A line ending with a + backslash will be concatenated with the following one, + allowing multiline variable definitions. The parser strips + leading and trailing whitespace from the values of + assignments, unless you use double quotes ("). + + The argument passed should be an absolute filename or + wildcard expression, optionally prefixed with + -, which indicates that if the file does + not exist, it will not be read and no error or warning message + is logged. This option may be specified more than once in + which case all specified files are read. If the empty string + is assigned to this option, the list of file to read is reset, + all prior assignments have no effect. + + The files listed with this directive will be read + shortly before the process is executed (more specifically, + after all processes from a previous unit state terminated. + This means you can generate these files in one unit state, and + read it with this option in the next). Settings from these + files override settings made with + Environment=. If the same variable is set + twice from these files, the files will be read in the order + they are specified and the later setting will override the + earlier setting. + + + + StandardInput= + Controls where file descriptor 0 (STDIN) of + the executed processes is connected to. Takes one of + , + , + , + or + . + + If is selected, standard input + will be connected to /dev/null, i.e. all + read attempts by the process will result in immediate + EOF. + + If is selected, standard input is + connected to a TTY (as configured by + TTYPath=, see below) and the executed + process becomes the controlling process of the terminal. If + the terminal is already being controlled by another process, + the executed process waits until the current controlling + process releases the terminal. + + is similar to + , but the executed process is forcefully + and immediately made the controlling process of the terminal, + potentially removing previous controlling processes from the + terminal. + + is similar to + but if the terminal already has a + controlling process start-up of the executed process + fails. + + The option is only valid in + socket-activated services, and only when the socket + configuration file (see + systemd.socket5 + for details) specifies a single socket only. If this option is + set, standard input will be connected to the socket the + service was activated from, which is primarily useful for + compatibility with daemons designed for use with the + traditional + inetd8 + daemon. + + This setting defaults to + . + + + StandardOutput= + Controls where file descriptor 1 (STDOUT) of + the executed processes is connected to. Takes one of + , + , + , + , + , + , + , + , + or + . + + duplicates the file descriptor + of standard input for standard output. + + connects standard output to + /dev/null, i.e. everything written to it + will be lost. + + connects standard output to a tty + (as configured via TTYPath=, see below). If + the TTY is used for output only, the executed process will not + become the controlling process of the terminal, and will not + fail or wait for other processes to release the + terminal. + + connects standard output with + the journal which is accessible via + journalctl1. + Note that everything that is written to syslog or kmsg (see + below) is implicitly stored in the journal as well, the + specific two options listed below are hence supersets of this + one. + + connects standard output to the + syslog3 + system syslog service, in addition to the journal. Note that + the journal daemon is usually configured to forward everything + it receives to syslog anyway, in which case this option is no + different from . + + connects standard output with the + kernel log buffer which is accessible via + dmesg1, + in addition to the journal. The journal daemon might be + configured to send all logs to kmsg anyway, in which case this + option is no different from . + + , + and + work in a similar way as the + three options above but copy the output to the system console + as well. + + connects standard output to a + socket acquired via socket activation. The semantics are + similar to the same option of + StandardInput=. + + This setting defaults to the value set with + in + systemd-system.conf5, + which defaults to . + + + StandardError= + Controls where file descriptor 2 (STDERR) of + the executed processes is connected to. The available options + are identical to those of StandardOutput=, + with one exception: if set to the + file descriptor used for standard output is duplicated for + standard error. This setting defaults to the value set with + in + systemd-system.conf5, + which defaults to . + + + TTYPath= + Sets the terminal device node to use if + standard input, output, or error are connected to a TTY (see + above). Defaults to + /dev/console. + + + TTYReset= + Reset the terminal device specified with + TTYPath= before and after execution. + Defaults to no. + + + TTYVHangup= + Disconnect all clients which have opened the + terminal device specified with TTYPath= + before and after execution. Defaults to + no. + + + TTYVTDisallocate= + If the terminal device specified with + TTYPath= is a virtual console terminal, try + to deallocate the TTY before and after execution. This ensures + that the screen and scrollback buffer is cleared. Defaults to + no. + + + SyslogIdentifier= + Sets the process name to prefix log lines sent + to the logging system or the kernel log buffer with. If not + set, defaults to the process name of the executed process. + This option is only useful when + StandardOutput= or + StandardError= are set to + , or + (or to the same settings in combination + with ). + + + SyslogFacility= + Sets the syslog facility to use when logging + to syslog. One of , + , , + , , + , , + , , + , , + , , + , , + , , + , or + . See + syslog3 + for details. This option is only useful when + StandardOutput= or + StandardError= are set to + . Defaults to + . + + + SyslogLevel= + Default syslog level to use when logging to + syslog or the kernel log buffer. One of + , + , + , + , + , + , + , + . See + syslog3 + for details. This option is only useful when + StandardOutput= or + StandardError= are set to + or . Note that + individual lines output by the daemon might be prefixed with a + different log level which can be used to override the default + log level specified here. The interpretation of these prefixes + may be disabled with SyslogLevelPrefix=, + see below. For details see + sd-daemon3. + + Defaults to + . + + + + SyslogLevelPrefix= + Takes a boolean argument. If true and + StandardOutput= or + StandardError= are set to + , or + , log lines written by the executed + process that are prefixed with a log level will be passed on + to syslog with this log level set but the prefix removed. If + set to false, the interpretation of these prefixes is disabled + and the logged lines are passed on as-is. For details about + this prefixing see + sd-daemon3. + Defaults to true. + + + + TimerSlackNSec= + Sets the timer slack in nanoseconds for the + executed processes. The timer slack controls the accuracy of + wake-ups triggered by timers. See + prctl2 + for more information. Note that in contrast to most other time + span definitions this parameter takes an integer value in + nano-seconds if no unit is specified. The usual time units are + understood too. + + + + LimitCPU= + LimitFSIZE= + LimitDATA= + LimitSTACK= + LimitCORE= + LimitRSS= + LimitNOFILE= + LimitAS= + LimitNPROC= + LimitMEMLOCK= + LimitLOCKS= + LimitSIGPENDING= + LimitMSGQUEUE= + LimitNICE= + LimitRTPRIO= + LimitRTTIME= + These settings set both soft and hard limits + of various resources for executed processes. See + setrlimit2 + for details. Use the string infinity to + configure no limit on a specific resource. + + + Limit directives and their equivalent with ulimit + + + + + + + Directive + ulimit equivalent + + + + + LimitCPU + ulimit -t + + + LimitFSIZE + ulimit -f + + + LimitDATA + ulimit -d + + + LimitSTACK + ulimit -s + + + LimitCORE + ulimit -c + + + LimitRSS + ulimit -m + + + LimitNOFILE + ulimit -n + + + LimitAS + ulimit -v + + + LimitNPROC + ulimit -u + + + LimitMEMLOCK + ulimit -l + + + LimitLOCKS + ulimit -x + + + LimitSIGPENDING + ulimit -i + + + LimitMSGQUEUE + ulimit -q + + + LimitNICE + ulimit -e + + + LimitRTPRIO + ulimit -r + + + LimitRTTIME + No equivalent + + + +
+ + + + PAMName= + Sets the PAM service name to set up a session + as. If set, the executed process will be registered as a PAM + session under the specified service name. This is only useful + in conjunction with the User= setting. If + not set, no PAM session will be opened for the executed + processes. See + pam8 + for details. + + + + CapabilityBoundingSet= + + Controls which capabilities to include in the + capability bounding set for the executed process. See + capabilities7 + for details. Takes a whitespace-separated list of capability + names as read by + cap_from_name3, + e.g. CAP_SYS_ADMIN, + CAP_DAC_OVERRIDE, + CAP_SYS_PTRACE. Capabilities listed will + be included in the bounding set, all others are removed. If + the list of capabilities is prefixed with + ~, all but the listed capabilities will be + included, the effect of the assignment inverted. Note that + this option also affects the respective capabilities in the + effective, permitted and inheritable capability sets, on top + of what Capabilities= does. If this option + is not used, the capability bounding set is not modified on + process execution, hence no limits on the capabilities of the + process are enforced. This option may appear more than once in + which case the bounding sets are merged. If the empty string + is assigned to this option, the bounding set is reset to the + empty capability set, and all prior settings have no effect. + If set to ~ (without any further argument), + the bounding set is reset to the full set of available + capabilities, also undoing any previous + settings. + + + + SecureBits= + Controls the secure bits set for the executed + process. Takes a space-separated combination of options from + the following list: + , + , + , + , + , and + . + This option may appear more than once in which case the secure + bits are ORed. If the empty string is assigned to this option, + the bits are reset to 0. See + capabilities7 + for details. + + + + Capabilities= + Controls the + capabilities7 + set for the executed process. Take a capability string + describing the effective, permitted and inherited capability + sets as documented in + cap_from_text3. + Note that these capability sets are usually influenced (and + filtered) by the capabilities attached to the executed file. + Due to that CapabilityBoundingSet= is + probably a much more useful setting. + + + + ReadWriteDirectories= + ReadOnlyDirectories= + InaccessibleDirectories= + + Sets up a new file system namespace for + executed processes. These options may be used to limit access + a process might have to the main file system hierarchy. Each + setting takes a space-separated list of absolute directory + paths. Directories listed in + ReadWriteDirectories= are accessible from + within the namespace with the same access rights as from + outside. Directories listed in + ReadOnlyDirectories= are accessible for + reading only, writing will be refused even if the usual file + access controls would permit this. Directories listed in + InaccessibleDirectories= will be made + inaccessible for processes inside the namespace. Note that + restricting access with these options does not extend to + submounts of a directory that are created later on. These + options may be specified more than once in which case all + directories listed will have limited access from within the + namespace. If the empty string is assigned to this option, the + specific list is reset, and all prior assignments have no + effect. + Paths in + ReadOnlyDirectories= + and + InaccessibleDirectories= + may be prefixed with + -, in which case + they will be ignored when they do not + exist. Note that using this + setting will disconnect propagation of + mounts from the service to the host + (propagation in the opposite direction + continues to work). This means that + this setting may not be used for + services which shall be able to + install mount points in the main mount + namespace. + + + + PrivateTmp= + + Takes a boolean argument. If true, sets up a + new file system namespace for the executed processes and + mounts private /tmp and + /var/tmp directories inside it that is + not shared by processes outside of the namespace. This is + useful to secure access to temporary files of the process, but + makes sharing between processes via /tmp + or /var/tmp impossible. If this is + enabled, all temporary files created by a service in these + directories will be removed after the service is stopped. + Defaults to false. It is possible to run two or more units + within the same private /tmp and + /var/tmp namespace by using the + JoinsNamespaceOf= directive, see + systemd.unit5 + for details. Note that using this setting will disconnect + propagation of mounts from the service to the host + (propagation in the opposite direction continues to work). + This means that this setting may not be used for services + which shall be able to install mount points in the main mount + namespace. + + + + PrivateDevices= + + Takes a boolean argument. If true, sets up a + new /dev namespace for the executed processes and only adds + API pseudo devices such as /dev/null, + /dev/zero or + /dev/random (as well as the pseudo TTY + subsystem) to it, but no physical devices such as + /dev/sda. This is useful to securely turn + off physical device access by the executed process. Defaults + to false. Enabling this option will also remove + CAP_MKNOD from the capability bounding + set for the unit (see above), and set + DevicePolicy=closed (see + systemd.resource-control5 + for details). Note that using this setting will disconnect + propagation of mounts from the service to the host + (propagation in the opposite direction continues to work). + This means that this setting may not be used for services + which shall be able to install mount points in the main mount + namespace. + + + + PrivateNetwork= + + Takes a boolean argument. If true, sets up a + new network namespace for the executed processes and + configures only the loopback network device + lo inside it. No other network devices will + be available to the executed process. This is useful to + securely turn off network access by the executed process. + Defaults to false. It is possible to run two or more units + within the same private network namespace by using the + JoinsNamespaceOf= directive, see + systemd.unit5 + for details. Note that this option will disconnect all socket + families from the host, this includes AF_NETLINK and AF_UNIX. + The latter has the effect that AF_UNIX sockets in the abstract + socket namespace will become unavailable to the processes + (however, those located in the file system will continue to be + accessible). + + + + ProtectSystem= + + Takes a boolean argument or + full. If true, mounts the + /usr and /boot + directories read-only for processes invoked by this unit. If + set to full, the /etc + directory is mounted read-only, too. This setting ensures that + any modification of the vendor supplied operating system (and + optionally its configuration) is prohibited for the service. + It is recommended to enable this setting for all long-running + services, unless they are involved with system updates or need + to modify the operating system in other ways. Note however + that processes retaining the CAP_SYS_ADMIN capability can undo + the effect of this setting. This setting is hence particularly + useful for daemons which have this capability removed, for + example with CapabilityBoundingSet=. + Defaults to off. + + + + ProtectHome= + + Takes a boolean argument or + read-only. If true, the directories + /home and /run/user + are made inaccessible and empty for processes invoked by this + unit. If set to read-only, the two + directories are made read-only instead. It is recommended to + enable this setting for all long-running services (in + particular network-facing ones), to ensure they cannot get + access to private user data, unless the services actually + require access to the user's private data. Note however that + processes retaining the CAP_SYS_ADMIN capability can undo the + effect of this setting. This setting is hence particularly + useful for daemons which have this capability removed, for + example with CapabilityBoundingSet=. + Defaults to off. + + + + MountFlags= + + Takes a mount propagation flag: + , or + , which control whether mounts in the + file system namespace set up for this unit's processes will + receive or propagate mounts or unmounts. See + mount2 + for details. Defaults to . Use + to ensure that mounts and unmounts are + propagated from the host to the container and vice versa. Use + to run processes so that none of their + mounts and unmounts will propagate to the host. Use + to also ensure that no mounts and + unmounts from the host will propagate into the unit processes' + namespace. Note that means that file + systems mounted on the host might stay mounted continuously in + the unit's namespace, and thus keep the device busy. Note that + the file system namespace related options + (PrivateTmp=, + PrivateDevices=, + ProtectSystem=, + ProtectHome=, + ReadOnlyDirectories=, + InaccessibleDirectories= and + ReadWriteDirectories=) require that mount + and unmount propagation from the unit's file system namespace + is disabled, and hence downgrade to + . + + + + UtmpIdentifier= + + Takes a four character identifier string for + an utmp/wtmp entry for this service. This should only be set + for services such as getty implementations + where utmp/wtmp entries must be created and cleared before and + after execution. If the configured string is longer than four + characters, it is truncated and the terminal four characters + are used. This setting interprets %I style string + replacements. This setting is unset by default, i.e. no + utmp/wtmp entries are created or cleaned up for this + service. + + + + SELinuxContext= + + Set the SELinux security context of the + executed process. If set, this will override the automated + domain transition. However, the policy still needs to + authorize the transition. This directive is ignored if SELinux + is disabled. If prefixed by -, all errors + will be ignored. See + setexeccon3 + for details. + + + + AppArmorProfile= + + Takes a profile name as argument. The process + executed by the unit will switch to this profile when started. + Profiles must already be loaded in the kernel, or the unit + will fail. This result in a non operation if AppArmor is not + enabled. If prefixed by -, all errors will + be ignored. + + + + SmackProcessLabel= + + Takes a security + label as argument. The process executed by the unit will be + started under this label and SMACK will decide whether the + processes is allowed to run or not based on it. The process + will continue to run under the label specified here unless the + executable has its own label, in + which case the process will transition to run under that + label. When not specified, the label that systemd is running + under is used. This directive is ignored if SMACK is + disabled. + + The value may be prefixed by -, in + which case all errors will be ignored. An empty value may be + specified to unset previous assignments. + + + + + IgnoreSIGPIPE= + + Takes a boolean argument. If true, causes + SIGPIPE to be ignored in the executed + process. Defaults to true because SIGPIPE + generally is useful only in shell pipelines. + + + + NoNewPrivileges= + + Takes a boolean argument. If true, ensures + that the service process and all its children can never gain + new privileges. This option is more powerful than the + respective secure bits flags (see above), as it also prohibits + UID changes of any kind. This is the simplest, most effective + way to ensure that a process and its children can never + elevate privileges again. + + + + SystemCallFilter= + + Takes a space-separated list of system call + names. If this setting is used, all system calls executed by + the unit processes except for the listed ones will result in + immediate process termination with the + SIGSYS signal (whitelisting). If the + first character of the list is ~, the + effect is inverted: only the listed system calls will result + in immediate process termination (blacklisting). If running in + user mode and this option is used, + NoNewPrivileges=yes is implied. This + feature makes use of the Secure Computing Mode 2 interfaces of + the kernel ('seccomp filtering') and is useful for enforcing a + minimal sandboxing environment. Note that the + execve, + rt_sigreturn, + sigreturn, + exit_group, exit + system calls are implicitly whitelisted and do not need to be + listed explicitly. This option may be specified more than once + in which case the filter masks are merged. If the empty string + is assigned, the filter is reset, all prior assignments will + have no effect. + + If you specify both types of this option (i.e. + whitelisting and blacklisting), the first encountered will + take precedence and will dictate the default action + (termination or approval of a system call). Then the next + occurrences of this option will add or delete the listed + system calls from the set of the filtered system calls, + depending of its type and the default action. (For example, if + you have started with a whitelisting of + read and write, and + right after it add a blacklisting of + write, then write + will be removed from the set.) + + + + SystemCallErrorNumber= + + Takes an errno error number + name to return when the system call filter configured with + SystemCallFilter= is triggered, instead of + terminating the process immediately. Takes an error name such + as EPERM, EACCES or + EUCLEAN. When this setting is not used, + or when the empty string is assigned, the process will be + terminated immediately when the filter is + triggered. + + + + SystemCallArchitectures= + + Takes a space separated list of architecture + identifiers to include in the system call filter. The known + architecture identifiers are x86, + x86-64, x32, + arm as well as the special identifier + native. Only system calls of the + specified architectures will be permitted to processes of this + unit. This is an effective way to disable compatibility with + non-native architectures for processes, for example to + prohibit execution of 32-bit x86 binaries on 64-bit x86-64 + systems. The special native identifier + implicitly maps to the native architecture of the system (or + more strictly: to the architecture the system manager is + compiled for). If running in user mode and this option is + used, NoNewPrivileges=yes is implied. Note + that setting this option to a non-empty list implies that + native is included too. By default, this + option is set to the empty list, i.e. no architecture system + call filtering is applied. + + + + RestrictAddressFamilies= + + Restricts the set of socket address families + accessible to the processes of this unit. Takes a + space-separated list of address family names to whitelist, + such as + AF_UNIX, + AF_INET or + AF_INET6. When + prefixed with ~ the listed address + families will be applied as blacklist, otherwise as whitelist. + Note that this restricts access to the + socket2 + system call only. Sockets passed into the process by other + means (for example, by using socket activation with socket + units, see + systemd.socket5) + are unaffected. Also, sockets created with + socketpair() (which creates connected + AF_UNIX sockets only) are unaffected. Note that this option + has no effect on 32-bit x86 and is ignored (but works + correctly on x86-64). If running in user mode and this option + is used, NoNewPrivileges=yes is implied. By + default, no restriction applies, all address families are + accessible to processes. If assigned the empty string, any + previous list changes are undone. + + Use this option to limit exposure of processes to remote + systems, in particular via exotic network protocols. Note that + in most cases, the local AF_UNIX address + family should be included in the configured whitelist as it is + frequently used for local communication, including for + syslog2 + logging. + + + + Personality= + + Controls which kernel architecture + uname2 + shall report, when invoked by unit processes. Takes one of + x86 and x86-64. This + is useful when running 32-bit services on a 64-bit host + system. If not specified, the personality is left unmodified + and thus reflects the personality of the host system's + kernel. + + + + RuntimeDirectory= + RuntimeDirectoryMode= + + Takes a list of directory names. If set, one + or more directories by the specified names will be created + below /run (for system services) or below + $XDG_RUNTIME_DIR (for user services) when + the unit is started, and removed when the unit is stopped. The + directories will have the access mode specified in + RuntimeDirectoryMode=, and will be owned by + the user and group specified in User= and + Group=. Use this to manage one or more + runtime directories of the unit and bind their lifetime to the + daemon runtime. The specified directory names must be + relative, and may not include a /, i.e. + must refer to simple directories to create or remove. This is + particularly useful for unprivileged daemons that cannot + create runtime directories in /run due to + lack of privileges, and to make sure the runtime directory is + cleaned up automatically after use. For runtime directories + that require more complex or different configuration or + lifetime guarantees, please consider using + tmpfiles.d5. + + + + + + + Environment variables in spawned processes + + Processes started by the system are executed in a clean + environment in which select variables listed below are set. System + processes started by systemd do not inherit variables from PID 1, + but processes started by user systemd instances inherit all + environment variables from the user systemd instance. + + + + + $PATH + + Colon-separated list of directories to use + when launching executables. Systemd uses a fixed value of + /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin. + + + + + $LANG + + Locale. Can be set in + locale.conf5 + or on the kernel command line (see + systemd1 + and + kernel-command-line7). + + + + + $USER + $LOGNAME + $HOME + $SHELL + + User name (twice), home directory, and the + login shell. The variables are set for the units that have + User= set, which includes user + systemd instances. See + passwd5. + + + + + $XDG_RUNTIME_DIR + + The directory for volatile state. Set for the + user systemd instance, and also in user + sessions. See + pam_systemd8. + + + + + $XDG_SESSION_ID + $XDG_SEAT + $XDG_VTNR + + The identifier of the session, the seat name, + and virtual terminal of the session. Set by + pam_systemd8 + for login sessions. $XDG_SEAT and + $XDG_VTNR will only be set when attached to + a seat and a tty. + + + + $MAINPID + + The PID of the units main process if it is + known. This is only set for control processes as invoked by + ExecReload= and similar. + + + + $MANAGERPID + + The PID of the user systemd + instance, set for processes spawned by it. + + + + $LISTEN_FDS + $LISTEN_PID + + Information about file descriptors passed to a + service for socket activation. See + sd_listen_fds3. + + + + + $TERM + + Terminal type, set only for units connected to + a terminal (StandardInput=tty, + StandardOutput=tty, or + StandardError=tty). See + termcap5. + + + + + Additional variables may be configured by the following + means: for processes spawned in specific units, use the + Environment= and + EnvironmentFile= options above; to specify + variables globally, use DefaultEnvironment= + (see + systemd-system.conf5) + or the kernel option systemd.setenv= (see + systemd1). + Additional variables may also be set through PAM, + cf. pam_env8. + + + + See Also + + systemd1, + systemctl1, + journalctl8, + systemd.unit5, + systemd.service5, + systemd.socket5, + systemd.swap5, + systemd.mount5, + systemd.kill5, + systemd.resource-control5, + systemd.directives7, + tmpfiles.d5, + exec3 + +