X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=2f75915c2076d6aa4c31bb65d2020422c99b448e;hp=d206d4f64564210aa0cedf913f263a5da0bc1caf;hb=bf3f1271e2cc0c22b11c8a805a997578dabe9191;hpb=70a44afee385c4afadaab9a002b3f9dd44aedf4a
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index d206d4f64..2f75915c2 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -103,7 +103,7 @@
directory path. Sets the root
directory for executed processes, with
the
- chroot2
+ chroot2
system call. If this is used, it must
be ensured that the process and all
its auxiliary files are available in
@@ -304,7 +304,7 @@
See
- environ7
+ environ7
for details about environment variables.
@@ -341,7 +341,7 @@
The files listed with this
directive will be read shortly before
the process is executed (more
- specifically, this means after all
+ specifically, after all
processes from a previous unit state
terminated. This means you can
generate these files in one unit
@@ -443,12 +443,12 @@
for other processes to release the
terminal.
connects standard output to the
- syslog3
+ syslog3
system syslog
service.
connects it with the kernel log buffer
which is accessible via
- dmesg1.
+ dmesg1.
connects it with the journal which is
accessible via
journalctl1
@@ -568,7 +568,7 @@
,
or
. See
- syslog3
+ syslog3
for details. This option is only
useful when
StandardOutput= or
@@ -590,7 +590,7 @@
,
,
. See
- syslog3
+ syslog3
for details. This option is only
useful when
StandardOutput= or
@@ -687,7 +687,7 @@
User= setting. If
not set, no PAM session will be opened
for the executed processes. See
- pam8
+ pam8
for details.
@@ -698,7 +698,7 @@
capabilities to include in the
capability bounding set for the
executed process. See
- capabilities7
+ capabilities7
for details. Takes a whitespace-separated
list of capability names as read by
cap_from_name3,
@@ -739,7 +739,7 @@
SecureBits=Controls the secure
bits set for the executed process. See
- capabilities7
+ capabilities7
for details. Takes a list of strings:
,
,
@@ -757,14 +757,14 @@
Capabilities=Controls the
- capabilities7
+ capabilities7
set for the executed process. Take a
capability string describing the
effective, permitted and inherited
capability sets as documented in
cap_from_text3.
Note that these capability sets are
- usually influenced by the capabilities
+ usually influenced (and filtered) by the capabilities
attached to the executed file. Due to
that
CapabilityBoundingSet=
@@ -777,8 +777,8 @@
ReadOnlyDirectories=InaccessibleDirectories=
- Sets up a new
- file system namespace for executed
+ Sets up a new file
+ system namespace for executed
processes. These options may be used
to limit access a process might have
to the main file system
@@ -799,16 +799,14 @@
processes inside the namespace. Note
that restricting access with these
options does not extend to submounts
- of a directory. You must list
- submounts separately in these settings
- to ensure the same limited
- access. These options may be specified
+ of a directory that are created later
+ on. These options may be specified
more than once in which case all
directories listed will have limited
access from within the namespace. If
the empty string is assigned to this
- option, the specific list is reset, and
- all prior assignments have no
+ option, the specific list is reset,
+ and all prior assignments have no
effect.Paths in
ReadOnlyDirectories=
@@ -845,7 +843,7 @@
processes via
/tmp or
/var/tmp
- impossible. If this is enabled all
+ impossible. If this is enabled, all
temporary files created by a service
in these directories will be removed
after the service is stopped. Defaults
@@ -934,6 +932,67 @@
accessible).
+
+ ProtectSystem=
+
+ Takes a boolean
+ argument or
+ full. If true,
+ mounts the /usr
+ directory read-only for processes
+ invoked by this unit. If set to
+ full, the
+ /etc directory is mounted
+ read-only, too. This setting ensures
+ that any modification of the vendor
+ supplied operating system (and
+ optionally its configuration) is
+ prohibited for the service. It is
+ recommended to enable this setting for
+ all long-running services, unless they
+ are involved with system updates or
+ need to modify the operating system in
+ other ways. Note however that
+ processes retaining the CAP_SYS_ADMIN
+ capability can undo the effect of this
+ setting. This setting is hence
+ particularly useful for daemons which
+ have this capability removed, for
+ example with
+ CapabilityBoundingSet=. Defaults
+ to off.
+
+
+
+ ProtectHome=
+
+ Takes a boolean
+ argument or
+ read-only. If true,
+ the directories
+ /home and
+ /run/user are
+ made inaccessible and empty for
+ processes invoked by this unit. If set
+ to read-only, the
+ two directores are made read-only
+ instead. It is recommended to enable
+ this setting for all long-running
+ services (in particular network-facing
+ ones), to ensure they cannot get access
+ to private user data, unless the
+ services actually require access to
+ the user's private data. Note however
+ that processes retaining the
+ CAP_SYS_ADMIN capability can undo the
+ effect of this setting. This setting
+ is hence particularly useful for
+ daemons which have this capability
+ removed, for example with
+ CapabilityBoundingSet=. Defaults
+ to off.
+
+
MountFlags=
@@ -968,6 +1027,8 @@
namespace related options
(PrivateTmp=,
PrivateDevices=,
+ ReadOnlySystem=,
+ ProtectedHome=,
ReadOnlyDirectories=,
InaccessibleDirectories=
and
@@ -1022,7 +1083,7 @@
AppArmorProfile=
- Take a profile name as argument.
+ Takes a profile name as argument.
The process executed by the unit will switch to
this profile when started. Profiles must already
be loaded in the kernel, or the unit will fail.
@@ -1208,18 +1269,18 @@
correctly on x86-64). If running in user
mode and this option is used,
NoNewPrivileges=yes
- is implied. By default no
+ is implied. By default, no
restriction applies, all address
families are accessible to
processes. If assigned the empty
- string any previous list changes are
+ string, any previous list changes are
undone.Use this option to limit
exposure of processes to remote
systems, in particular via exotic
network protocols. Note that in most
- cases the local
+ cases, the local
AF_UNIX address
family should be included in the
configured whitelist as it is
@@ -1240,7 +1301,7 @@
x86 and
x86-64. This is
useful when running 32-bit services on
- a 64-bit host system. If not specified
+ a 64-bit host system. If not specified,
the personality is left unmodified and
thus reflects the personality of the
host system's
@@ -1252,14 +1313,14 @@
RuntimeDirectoryMode=Takes a list of
- directory names. If set one or more
+ directory names. If set, one or more
directories by the specified names
will be created below
/run (for system
services) or below
$XDG_RUNTIME_DIR
(for user services) when the unit is
- started and removed when the unit is
+ started, and removed when the unit is
stopped. The directories will have the
access mode specified in
RuntimeDirectoryMode=,
@@ -1275,7 +1336,7 @@
/, i.e. must refer
to simple directories to create or
remove. This is particularly useful
- for unpriviliges daemons that cannot
+ for unprivileged daemons that cannot
create runtime directories in
/run due to lack
of privileges, and to make sure the
@@ -1411,7 +1472,7 @@
or
StandardError=tty).
See
- termcap5.
+ termcap5.
@@ -1427,7 +1488,7 @@
systemd.setenv= (see
systemd1). Additional
variables may also be set through PAM,
- c.f. pam_env8.
+ cf. pam_env8.
@@ -1445,7 +1506,7 @@
systemd.resource-control5,
systemd.directives7,
tmpfiles.d5,
- exec3
+ exec3