X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=b9a37da38e061c3874caf61f287e1ac17fbea2d0;hp=f96d181a9e83ad82358dfe510f8a5955df70b674;hb=0843f2d65ea978b09f12da9ba61ee157d39ee237;hpb=f1779fd27b49d7ac9e04e0e83daf5f5f3efd9d8a diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index f96d181a9..b9a37da38 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -57,13 +57,13 @@ Description - Unit configuration files for services, sockets + Unit configuration files for services, sockets, mount points and swap devices share a subset of configuration options which define the execution environment of spawned processes. This man page lists the configuration options - shared by these three unit types. See + shared by these four unit types. See systemd.unit5 for the common options of all unit configuration files, and @@ -421,6 +421,36 @@ TTY (see above). Defaults to /dev/console. + + TTYReset= + Reset the terminal + device specified with + TTYPath= before and + after execution. Defaults to + no. + + + TTYVHangup= + Disconnect all clients + which have opened the terminal device + specified with + TTYPath= + before and after execution. Defaults + to + no. + + + TTYVTDisallocate= + If the the terminal + device specified with + TTYPath= is a + virtual console terminal try to + deallocate the TTY before and after + execution. This ensures that the + screen and scrollback buffer is + cleared. Defaults to + no. + SyslogIdentifier= Sets the process name @@ -558,7 +588,10 @@ various resource limits for executed processes. See setrlimit2 - for details. + for details. Use the string + infinity to + configure no limit on a specific + resource. @@ -597,16 +630,46 @@ - Capabilities= - Controls the + ControlGroupModify= + Takes a boolean + argument. If true, the control groups + created for this unit will be owned by + ther user specified with + User= (and the + configured group), and he can create + subgroups as well as add processes to + the group. + + + + CapabilityBoundingSet= + + Controls which + capabilities to include in the + capability bounding set for the + executed process. See capabilities7 - set for the executed process. Take a - capability string as described in - cap_from_text3. - Note that this capability set is - usually influenced by the capabilities - attached to the executed - file. + for details. Takes a whitespace + separated list of capability names as + read by + cap_from_name3. + Capabilities listed will be included + in the bounding set, all others are + removed. If the list of capabilities + is prefixed with ~ all but the listed + capabilities will be included, the + effect of the assignment + inverted. Note that this option does + not actually set or unset any + capabilities in the effective, + permitted or inherited capability + sets. That's what + Capabilities= is + for. If this option is not used the + capability bounding set is not + modified on process execution, hence + no limits on the capabilities of the + process are enforced. @@ -625,16 +688,21 @@ - CapabilityBoundingSetDrop= - + Capabilities= Controls the - capability bounding set drop set for - the executed process. See capabilities7 - for details. Takes a list of - capability names as read by - cap_from_name3. - + set for the executed process. Take a + capability string describing the + effective, permitted and inherited + capability sets as documented in + cap_from_text3. + Note that these capability sets are + usually influenced by the capabilities + attached to the executed file. Due to + that + CapabilityBoundingSet= + is probably the much more useful + setting. @@ -659,7 +727,7 @@ path for this unit is implied. This option may be used to place executed processes in arbitrary groups in - arbitrary hierachies -- which can be + arbitrary hierarchies -- which can be configured externally with additional execution limits. By default systemd will place all executed processes in separate per-unit control @@ -697,7 +765,7 @@ usual file access controls would permit this. Directories listed in InaccessibleDirectories= - will be made inaccesible for processes + will be made inaccessible for processes inside the namespace. Note that restricting access with these options does not extend to submounts of a