man: slightly reword LogFilterPatterns= description
index 203e5ab4f555153ac08b15dfd2622ed34d0c2dfa..64b7b07fc7fa666c3f7ba72f7b81131c9d7890cc 100644 (file)
@@ -1,6 +1,6 @@
 <?xml version='1.0'?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
-  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
 <!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
 
 <refentry id="systemd.exec" xmlns:xi="http://www.w3.org/2001/XInclude">
           <programlisting>BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout</programlisting>
         </example>
 
+        <xi:include href="vpick.xml" xpointer="directory"/>
+
         <xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem>
       </varlistentry>
 
         <citerefentry><refentrytitle>systemd-soft-reboot.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
         in case the service is configured to survive it.</para>
 
+        <xi:include href="vpick.xml" xpointer="image"/>
+
         <xi:include href="system-only.xml" xpointer="singular"/>
 
         <xi:include href="version-info.xml" xpointer="v233"/></listitem>
         <para>To make sure making ephemeral copies can be made efficiently, the root directory or root image
         should be located on the same filesystem as <filename>/var/lib/systemd/ephemeral-trees/</filename>.
         When using <varname>RootEphemeral=</varname> with root directories,
-        <citerefentry project='url'><refentrytitle url='https://btrfs.wiki.kernel.org/index.php/Manpage/btrfs(5)'>btrfs</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+        <citerefentry project='url'><refentrytitle url='https://btrfs.readthedocs.io/en/latest/btrfs-man5.html'>btrfs</refentrytitle><manvolnum>5</manvolnum></citerefentry>
         should be used as the filesystem and the root directory should ideally be a subvolume which
         <command>systemd</command> can snapshot to make the ephemeral copy. For root images, a filesystem
         with support for reflinks should be used to ensure an efficient ephemeral copy.</para>
         <varname>PrivateDevices=</varname> below, as it may change the setting of
         <varname>DevicePolicy=</varname>.</para>
 
+        <xi:include href="vpick.xml" xpointer="image"/>
+
         <xi:include href="system-only.xml" xpointer="singular"/>
 
         <xi:include href="version-info.xml" xpointer="v248"/></listitem>
         <para>Note that usage from user units requires overlayfs support in unprivileged user namespaces,
         which was first introduced in kernel v5.11.</para>
 
+        <xi:include href="vpick.xml" xpointer="directory"/>
+
         <xi:include href="system-or-user-ns.xml" xpointer="singular"/>
 
         <xi:include href="version-info.xml" xpointer="v251"/></listitem>
       <varlistentry>
         <term><varname>SetLoginEnvironment=</varname></term>
 
-        <listitem><para>Takes a boolean parameter that controls whether to set <varname>$HOME</varname>,
-        <varname>$LOGNAME</varname>, and <varname>$SHELL</varname> environment variables. If unset, this is
-        controlled by whether <varname>User=</varname> is set. If true, they will always be set for system services,
-        i.e. even when the default user <literal>root</literal> is used. If false, the mentioned variables are not set
-        by systemd, no matter whether <varname>User=</varname> is used or not. This option normally has no effect
-        on user services, since these variables are typically inherited from user manager's own environment anyway.</para>
+        <listitem><para>Takes a boolean parameter that controls whether to set the <varname>$HOME</varname>,
+        <varname>$LOGNAME</varname>, and <varname>$SHELL</varname> environment variables. If not set, this
+        defaults to true if <varname>User=</varname>, <varname>DynamicUser=</varname> or
+        <varname>PAMName=</varname> are set, false otherwise. If set to true, the variables will always be
+        set for system services, i.e. even when the default user <literal>root</literal> is used. If set to
+        false, the mentioned variables are not set by the service manager, no matter whether
+        <varname>User=</varname>, <varname>DynamicUser=</varname>, or <varname>PAMName=</varname> are used or
+        not. This option normally has no effect on services of the per-user service manager, since in that
+        case these variables are typically inherited from user manager's own environment anyway.</para>
 
         <xi:include href="version-info.xml" xpointer="v255"/></listitem>
       </varlistentry>
@@ -1226,9 +1237,9 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
       <varlistentry>
         <term><varname>IgnoreSIGPIPE=</varname></term>
 
-        <listitem><para>Takes a boolean argument. If true, causes <constant>SIGPIPE</constant> to be ignored in the
-        executed process. Defaults to true because <constant>SIGPIPE</constant> generally is useful only in shell
-        pipelines.</para></listitem>
+        <listitem><para>Takes a boolean argument. If true, <constant>SIGPIPE</constant> is ignored in the
+        executed process. Defaults to true since <constant>SIGPIPE</constant> is generally only useful in
+        shell pipelines.</para></listitem>
       </varlistentry>
 
     </variablelist>
@@ -1631,7 +1642,12 @@ StateDirectory=aaa/bbb ccc</programlisting>
         permit this. Nest <varname>ReadWritePaths=</varname> inside of <varname>ReadOnlyPaths=</varname> in
         order to provide writable subdirectories within read-only directories. Use
         <varname>ReadWritePaths=</varname> in order to allow-list specific paths for write access if
-        <varname>ProtectSystem=strict</varname> is used.</para>
+        <varname>ProtectSystem=strict</varname> is used. Note that <varname>ReadWritePaths=</varname> cannot
+        be used to gain write access to a file system whose superblock is mounted read-only. On Linux, for
+        each mount point write access is granted only if the mount point itself <emphasis>and</emphasis> the
+        file system superblock backing it are not marked read-only. <varname>ReadWritePaths=</varname> only
+        controls the former, not the latter, hence a read-only file system superblock remains
+        protected.</para>
 
         <para>Paths listed in <varname>InaccessiblePaths=</varname> will be made inaccessible for processes inside
         the namespace along with everything below them in the file system hierarchy. This may be more restrictive than
@@ -2353,12 +2369,12 @@ RestrictNamespaces=~cgroup net</programlisting>
         units, it only enables sharing of the <filename>/tmp/</filename> and <filename>/var/tmp/</filename>
         directories.</para>
 
-        <para>Other file system namespace unit settings — <varname>PrivateMounts=</varname>,
-        <varname>PrivateTmp=</varname>, <varname>PrivateDevices=</varname>, <varname>ProtectSystem=</varname>,
-        <varname>ProtectHome=</varname>, <varname>ReadOnlyPaths=</varname>, <varname>InaccessiblePaths=</varname>,
-        <varname>ReadWritePaths=</varname>, … — also enable file system namespacing in a fashion equivalent to this
-        option. Hence it is primarily useful to explicitly request this behaviour if none of the other settings are
-        used.</para>
+        <para>Other file system namespace unit settings — <varname>PrivateTmp=</varname>,
+        <varname>PrivateDevices=</varname>, <varname>ProtectSystem=</varname>,
+        <varname>ProtectHome=</varname>, <varname>ReadOnlyPaths=</varname>,
+        <varname>InaccessiblePaths=</varname>, <varname>ReadWritePaths=</varname>, … — also enable file
+        system namespacing in a fashion equivalent to this option. Hence it is primarily useful to explicitly
+        request this behaviour if none of the other settings are used.</para>
 
         <xi:include href="system-or-user-ns.xml" xpointer="singular"/>
 
@@ -3001,7 +3017,7 @@ SystemCallErrorNumber=EPERM</programlisting>
         the kernel log buffer, the unit will implicitly gain a dependency of type <varname>After=</varname>
         on <filename>systemd-journald.socket</filename> (also see the "Implicit Dependencies" section
         above). Also note that in this case stdout (or stderr, see below) will be an
-        <constant>AF_UNIX</constant> stream socket, and not a pipe or FIFO that can be re-opened. This means
+        <constant>AF_UNIX</constant> stream socket, and not a pipe or FIFO that can be reopened. This means
         when executing shell scripts the construct <command>echo "hello" &gt; /dev/stderr</command> for
         writing text to stderr will not work. To mitigate this use the construct <command>echo "hello"
         >&amp;2</command> instead, which is mostly equivalent and avoids this pitfall.</para>
@@ -3159,8 +3175,8 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
         <literal>\x7efoobar</literal> would add a pattern matching <literal>~foobar</literal> to the allow list.</para>
 
         <para>Log messages are tested against denied patterns (if any), then against allowed patterns
-        (if any). If a log message matches any of the denied patterns, it will be discarded, whatever the
-        allowed patterns. Then, remaining log messages are tested against allowed patterns. Messages matching
+        (if any). If a log message matches any of the denied patterns, it is discarded immediately without considering
+        allowed patterns. Remaining log messages are tested against allowed patterns. Messages matching
         against none of the allowed pattern are discarded. If no allowed patterns are defined, then all
         messages are processed directly after going through denied filters.</para>
 
@@ -3380,6 +3396,12 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
         <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
         for the details about <varname>DevicePolicy=</varname> or <varname>DeviceAllow=</varname>.</para>
 
+        <para>Note that encrypted credentials targeted for services of the per-user service manager must be
+        encrypted with <command>systemd-creds encrypt --user</command>, and those for the system service
+        manager without the <option>--user</option> switch. Encrypted credentials are always targeted to a
+        specific user or the system as a whole, and it is ensured that per-user service managers cannot
+        decrypt secrets intended for the system or for other users.</para>
+
         <para>The credential files/IPC sockets must be accessible to the service manager, but don't have to
         be directly accessible to the unit's processes: the credential data is read and copied into separate,
         read-only copies for the unit that are accessible to appropriately privileged processes. This is
@@ -4605,25 +4627,25 @@ MONITOR_UNIT=mysuccess.service
 
   <refsect1>
       <title>See Also</title>
-      <para>
-        <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
-        <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
-        <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
-        <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
-        <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
-        <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
-        <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
-        <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
-        <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
-        <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
-        <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
-        <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
-        <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
-        <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
-        <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
-        <citerefentry project='man-pages'><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
-        <citerefentry project='man-pages'><refentrytitle>fork</refentrytitle><manvolnum>2</manvolnum></citerefentry>
-      </para>
+      <para><simplelist type="inline">
+        <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+        <member><citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+        <member><citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+        <member><citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+        <member><citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+        <member><citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+        <member><citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+        <member><citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+        <member><citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+        <member><citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+        <member><citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+        <member><citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+        <member><citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
+        <member><citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
+        <member><citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+        <member><citerefentry project='man-pages'><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry></member>
+        <member><citerefentry project='man-pages'><refentrytitle>fork</refentrytitle><manvolnum>2</manvolnum></citerefentry></member>
+      </simplelist></para>
   </refsect1>
 
 </refentry>