"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
+ SPDX-License-Identifier: LGPL-2.1+
+
This file is part of systemd.
Copyright 2010 Lennart Poettering
enabled for a unit, the name of the dynamic user/group is implicitly derived from the unit name. If the unit
name without the type suffix qualifies as valid user name it is used directly, otherwise a name incorporating a
hash of it is used. If a statically allocated user or group of the configured name already exists, it is used
- and no dynamic user/group is allocated. Dynamic users/groups are allocated from the UID/GID range
+ and no dynamic user/group is allocated. Note that if <varname>User=</varname> is specified and the static group
+ with the name exists, then it is required that the static user with the name already exists. Similarly,
+ if <varname>Group=</varname> is specified and the static user with the name exists, then it is required that
+ the static group with the name already exists. Dynamic users/groups are allocated from the UID/GID range
61184…65519. It is recommended to avoid this range for regular system or login users. At any point in time
each UID/GID from this range is only assigned to zero or one dynamically allocated users/groups in
use. However, UID/GIDs are recycled after a unit is terminated. Care should be taken that any processes running
cannot leave files around after unit termination. Moreover <varname>ProtectSystem=strict</varname> and
<varname>ProtectHome=read-only</varname> are implied, thus prohibiting the service to write to arbitrary file
system locations. In order to allow the service to write to certain directories, they have to be whitelisted
- using <varname>ReadWritePaths=</varname>, but care must be taken so that UID/GID recycling doesn't
- create security issues involving files created by the service. Use <varname>RuntimeDirectory=</varname> (see
- below) in order to assign a writable runtime directory to a service, owned by the dynamic user/group and
- removed automatically when the unit is terminated. Defaults to off.</para></listitem>
+ using <varname>ReadWritePaths=</varname>, but care must be taken so that UID/GID recycling doesn't create
+ security issues involving files created by the service. Use <varname>RuntimeDirectory=</varname> (see below) in
+ order to assign a writable runtime directory to a service, owned by the dynamic user/group and removed
+ automatically when the unit is terminated. Use <varname>StateDirectory=</varname>,
+ <varname>CacheDirectory=</varname> and <varname>LogsDirectory=</varname> in order to assign a set of writable
+ directories for specific purposes to the service in a way that they are protected from vulnerabilities due to
+ UID reuse (see below). Defaults to off.</para></listitem>
</varlistentry>
<varlistentry>
<para>If the standard output (or error output, see below) of a unit is connected to the journal, syslog or the
kernel log buffer, the unit will implicitly gain a dependency of type <varname>After=</varname> on
- <filename>systemd-journald.socket</filename> (also see the "Implicit Dependencies" section above).</para>
+ <filename>systemd-journald.socket</filename> (also see the "Implicit Dependencies" section above). Also note
+ that in this case stdout (or stderr, see below) will be an <constant>AF_UNIX</constant> stream socket, and not
+ a pipe or FIFO that can be re-opened. This means when executing shell scripts the construct <command>echo
+ "hello" > /dev/stderr</command> for writing text to stderr will not work. To mitigate this use the construct
+ <command>echo "hello" >&2</command> instead, which is mostly equivalent and avoids this pitfall.</para>
<para>This setting defaults to the value set with
- <option>DefaultStandardOutput=</option> in
+ <varname>DefaultStandardOutput=</varname> in
<citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
which defaults to <option>journal</option>. Note that setting
this parameter might result in additional dependencies to be
- added to the unit (see above).</para></listitem>
+ added to the unit (see above).</para>
+ </listitem>
</varlistentry>
<varlistentry>
<literal>stderr</literal>.</para>
<para>This setting defaults to the value set with
- <option>DefaultStandardError=</option> in
+ <varname>DefaultStandardError=</varname> in
<citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
which defaults to <option>inherit</option>. Note that setting
this parameter might result in additional dependencies to be
that the screen and scrollback buffer is cleared. Defaults to
<literal>no</literal>.</para></listitem>
</varlistentry>
+
<varlistentry>
<term><varname>SyslogIdentifier=</varname></term>
- <listitem><para>Sets the process name to prefix log lines sent
- to the logging system or the kernel log buffer with. If not
- set, defaults to the process name of the executed process.
- This option is only useful when
- <varname>StandardOutput=</varname> or
- <varname>StandardError=</varname> are set to
- <option>syslog</option>, <option>journal</option> or
- <option>kmsg</option> (or to the same settings in combination
- with <option>+console</option>).</para></listitem>
+ <listitem><para>Sets the process name ("<command>syslog</command> tag") to prefix log lines sent to the logging
+ system or the kernel log buffer with. If not set, defaults to the process name of the executed process. This
+ option is only useful when <varname>StandardOutput=</varname> or <varname>StandardError=</varname> are set to
+ <option>journal</option>, <option>syslog</option> or <option>kmsg</option> (or to the same settings in
+ combination with <option>+console</option>) and only applies to log messages written to stdout or
+ stderr.</para></listitem>
</varlistentry>
+
<varlistentry>
<term><varname>SyslogFacility=</varname></term>
- <listitem><para>Sets the syslog facility to use when logging
- to syslog. One of <option>kern</option>,
- <option>user</option>, <option>mail</option>,
- <option>daemon</option>, <option>auth</option>,
- <option>syslog</option>, <option>lpr</option>,
- <option>news</option>, <option>uucp</option>,
- <option>cron</option>, <option>authpriv</option>,
- <option>ftp</option>, <option>local0</option>,
- <option>local1</option>, <option>local2</option>,
- <option>local3</option>, <option>local4</option>,
- <option>local5</option>, <option>local6</option> or
- <option>local7</option>. See
+ <listitem><para>Sets the <command>syslog</command> facility identifier to use when logging. One of
+ <option>kern</option>, <option>user</option>, <option>mail</option>, <option>daemon</option>,
+ <option>auth</option>, <option>syslog</option>, <option>lpr</option>, <option>news</option>,
+ <option>uucp</option>, <option>cron</option>, <option>authpriv</option>, <option>ftp</option>,
+ <option>local0</option>, <option>local1</option>, <option>local2</option>, <option>local3</option>,
+ <option>local4</option>, <option>local5</option>, <option>local6</option> or <option>local7</option>. See
<citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
- for details. This option is only useful when
- <varname>StandardOutput=</varname> or
- <varname>StandardError=</varname> are set to
- <option>syslog</option>. Defaults to
- <option>daemon</option>.</para></listitem>
+ for details. This option is only useful when <varname>StandardOutput=</varname> or
+ <varname>StandardError=</varname> are set to <option>journal</option>, <option>syslog</option> or
+ <option>kmsg</option> (or to the same settings in combination with <option>+console</option>), and only applies
+ to log messages written to stdout or stderr. Defaults to <option>daemon</option>.</para></listitem>
</varlistentry>
+
<varlistentry>
<term><varname>SyslogLevel=</varname></term>
- <listitem><para>The default syslog level to use when logging to
- syslog or the kernel log buffer. One of
- <option>emerg</option>,
- <option>alert</option>,
- <option>crit</option>,
- <option>err</option>,
- <option>warning</option>,
- <option>notice</option>,
- <option>info</option>,
- <option>debug</option>. See
- <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
- for details. This option is only useful when
- <varname>StandardOutput=</varname> or
- <varname>StandardError=</varname> are set to
- <option>syslog</option> or <option>kmsg</option>. Note that
- individual lines output by the daemon might be prefixed with a
- different log level which can be used to override the default
- log level specified here. The interpretation of these prefixes
- may be disabled with <varname>SyslogLevelPrefix=</varname>,
- see below. For details, see
- <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ <listitem><para>The default <command>syslog</command> log level to use when logging to the logging system or
+ the kernel log buffer. One of <option>emerg</option>, <option>alert</option>, <option>crit</option>,
+ <option>err</option>, <option>warning</option>, <option>notice</option>, <option>info</option>,
+ <option>debug</option>. See <citerefentry
+ project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
+ details. This option is only useful when <varname>StandardOutput=</varname> or
+ <varname>StandardError=</varname> are set to <option>journal</option>, <option>syslog</option> or
+ <option>kmsg</option> (or to the same settings in combination with <option>+console</option>), and only applies
+ to log messages written to stdout or stderr. Note that individual lines output by executed processes may be
+ prefixed with a different log level which can be used to override the default log level specified here. The
+ interpretation of these prefixes may be disabled with <varname>SyslogLevelPrefix=</varname>, see below. For
+ details, see <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
- Defaults to
- <option>info</option>.</para></listitem>
+ Defaults to <option>info</option>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>SyslogLevelPrefix=</varname></term>
- <listitem><para>Takes a boolean argument. If true and
- <varname>StandardOutput=</varname> or
- <varname>StandardError=</varname> are set to
- <option>syslog</option>, <option>kmsg</option> or
- <option>journal</option>, log lines written by the executed
- process that are prefixed with a log level will be passed on
- to syslog with this log level set but the prefix removed. If
- set to false, the interpretation of these prefixes is disabled
- and the logged lines are passed on as-is. For details about
- this prefixing see
- <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
- Defaults to true.</para></listitem>
+ <listitem><para>Takes a boolean argument. If true and <varname>StandardOutput=</varname> or
+ <varname>StandardError=</varname> are set to <option>journal</option>, <option>syslog</option> or
+ <option>kmsg</option> (or to the same settings in combination with <option>+console</option>), log lines
+ written by the executed process that are prefixed with a log level will be processed with this log level set
+ but the prefix removed. If set to false, the interpretation of these prefixes is disabled and the logged lines
+ are passed on as-is. This only applies to log messages written to stdout or stderr. For details
+ about this prefixing see
+ <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>. Defaults to
+ true.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>LogLevelMax=</varname></term>
+ <listitem><para>Configures filtering by log level of log messages generated by this unit. Takes a
+ <command>syslog</command> log level, one of <option>emerg</option> (lowest log level, only highest priority
+ messages), <option>alert</option>, <option>crit</option>, <option>err</option>, <option>warning</option>,
+ <option>notice</option>, <option>info</option>, <option>debug</option> (highest log level, also lowest priority
+ messages). See <citerefentry
+ project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
+ details. By default no filtering is applied (i.e. the default maximum log level is <option>debug</option>). Use
+ this option to configure the logging system to drop log messages of a specific service above the specified
+ level. For example, set <varname>LogLevelMax=</varname><option>info</option> in order to turn off debug logging
+ of a particularly chatty unit. Note that the the configured level is applied to any log messages written by any
+ of the processes belonging to this unit, sent via any supported logging protocol. The filtering is applied
+ early in the logging pipeline, before any kind of further processing is done. Moreover, messages which pass
+ through this filter successfully might still be dropped by filters applied at a later stage in the logging
+ subsystem. For example, <varname>MaxLevelStore=</varname> configured in
+ <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> might
+ prohibit messages of higher log levels to be stored on disk, even though the per-unit
+ <varname>LogLevelMax=</varname> permitted it to be processed.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>LogExtraFields=</varname></term>
+ <listitem><para>Configures additional log metadata fields to include in all log records generated by processes
+ associated with this unit. This setting takes one or more journal field assignments in the format
+ <literal>FIELD=VALUE</literal> separated by whitespace. See
+ <citerefentry><refentrytitle>systemd.journal-fields</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
+ details on the journal field concept. Even though the underlying journal implementation permits binary field
+ values, this setting accepts only valid UTF-8 values. To include space characters in a journal field value,
+ enclose the assignment in double quotes ("). The usual specifiers are expanded in all assignments (see
+ below). Note that this setting is not only useful for attaching additional metadata to log records of a unit,
+ but given that all fields and values are indexed may also be used to implement cross-unit log record
+ matching. Assign an empty string to reset the list.</para></listitem>
</varlistentry>
<varlistentry>
<citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> for details on
the resource limit concept. Resource limits may be specified in two formats: either as single value to set a
specific soft and hard limit to the same value, or as colon-separated pair <option>soft:hard</option> to set
- both limits individually (e.g. <literal>LimitAS=4G:16G</literal>). Use the string <varname>infinity</varname>
+ both limits individually (e.g. <literal>LimitAS=4G:16G</literal>). Use the string <option>infinity</option>
to configure no limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base
1024) may be used for resource limits measured in bytes (e.g. LimitAS=16G). For the limits referring to time
values, the usual time units ms, s, min, h and so on may be used (see
<varname>RestrictAddressFamilies=</varname>, <varname>RestrictNamespaces=</varname>,
<varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>,
<varname>ProtectKernelModules=</varname>, <varname>MemoryDenyWriteExecute=</varname>, or
- <varname>RestrictRealtime=</varname> are specified.</para></listitem>
+ <varname>RestrictRealtime=</varname> are specified.</para>
+
+ <para>Also see
+ <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">No New Privileges Flag</ulink>.
+ </para></listitem>
</varlistentry>
<varlistentry>
executed by the unit processes except for the listed ones will result in immediate process termination with the
<constant>SIGSYS</constant> signal (whitelisting). If the first character of the list is <literal>~</literal>,
the effect is inverted: only the listed system calls will result in immediate process termination
- (blacklisting). If running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant>
+ (blacklisting). Blacklisted system calls and system call groups may optionally be suffixed with a colon
+ (<literal>:</literal>) and <literal>errno</literal> error number (between 0 and 4095) or errno name such as
+ <constant>EPERM</constant>, <constant>EACCES</constant> or <constant>EUCLEAN</constant>. This value will be
+ returned when a blacklisted system call is triggered, instead of terminating the processes immediately.
+ This value takes precedence over the one given in <varname>SystemCallErrorNumber=</varname>.
+ If running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant>
capability (e.g. setting <varname>User=nobody</varname>), <varname>NoNewPrivileges=yes</varname> is
implied. This feature makes use of the Secure Computing Mode 2 interfaces of the kernel ('seccomp filtering')
and is useful for enforcing a minimal sandboxing environment. Note that the <function>execve</function>,
</row>
</thead>
<tbody>
+ <row>
+ <entry>@aio</entry>
+ <entry>Asynchronous I/O (<citerefentry project='man-pages'><refentrytitle>io_setup</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>io_submit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
+ </row>
<row>
<entry>@basic-io</entry>
<entry>System calls for basic I/O: reading, writing, seeking, file descriptor duplication and closing (<citerefentry project='man-pages'><refentrytitle>read</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>write</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
</row>
+ <row>
+ <entry>@chown</entry>
+ <entry>Changing file ownership (<citerefentry project='man-pages'><refentrytitle>chown</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>fchownat</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
+ </row>
<row>
<entry>@clock</entry>
<entry>System calls for changing the system clock (<citerefentry project='man-pages'><refentrytitle>adjtimex</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>settimeofday</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
<entry>@cpu-emulation</entry>
<entry>System calls for CPU emulation functionality (<citerefentry project='man-pages'><refentrytitle>vm86</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
</row>
- <row>
- <entry>@credentials</entry>
- <entry>System calls for querying process credentials (<citerefentry project='man-pages'><refentrytitle>getuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>capget</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
- </row>
<row>
<entry>@debug</entry>
<entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
<entry>@swap</entry>
<entry>System calls for enabling/disabling swap devices (<citerefentry project='man-pages'><refentrytitle>swapon</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>swapoff</refentrytitle><manvolnum>2</manvolnum></citerefentry>)</entry>
</row>
+ <row>
+ <entry>@sync</entry>
+ <entry>Synchronizing files and memory to disk: (<citerefentry project='man-pages'><refentrytitle>fsync</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>msync</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
+ </row>
<row>
<entry>@timer</entry>
<entry>System calls for scheduling operations by time (<citerefentry project='man-pages'><refentrytitle>alarm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>timer_create</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
<varlistentry>
<term><varname>SystemCallErrorNumber=</varname></term>
- <listitem><para>Takes an <literal>errno</literal> error number
- name to return when the system call filter configured with
- <varname>SystemCallFilter=</varname> is triggered, instead of
- terminating the process immediately. Takes an error name such
- as <constant>EPERM</constant>, <constant>EACCES</constant> or
- <constant>EUCLEAN</constant>. When this setting is not used,
- or when the empty string is assigned, the process will be
- terminated immediately when the filter is
- triggered.</para></listitem>
+ <listitem><para>Takes an <literal>errno</literal> error number (between 1 and 4095) or errno name such as
+ <constant>EPERM</constant>, <constant>EACCES</constant> or <constant>EUCLEAN</constant>, to return when the
+ system call filter configured with <varname>SystemCallFilter=</varname> is triggered, instead of terminating
+ the process immediately. When this setting is not used, or when the empty string is assigned, the process
+ will be terminated immediately when the filter is triggered.</para></listitem>
</varlistentry>
<varlistentry>
<varlistentry>
<term><varname>RuntimeDirectory=</varname></term>
+ <term><varname>StateDirectory=</varname></term>
+ <term><varname>CacheDirectory=</varname></term>
+ <term><varname>LogsDirectory=</varname></term>
+ <term><varname>ConfigurationDirectory=</varname></term>
- <listitem><para>Takes a whitespace-separated list of directory names. The specified directory names must be
- relative, and may not include <literal>.</literal> or <literal>..</literal>. If set, one or more directories
- including their parents by the specified names will be created below <filename>/run</filename> (for system
- services) or below <varname>$XDG_RUNTIME_DIR</varname> (for user services) when the unit is started. The
- lowest subdirectories are removed when the unit is stopped. It is possible to preserve the directories if
- <varname>RuntimeDirectoryPreserve=</varname> is configured to <option>restart</option> or <option>yes</option>.
- The lowest subdirectories will have the access mode specified in <varname>RuntimeDirectoryMode=</varname>,
- and be owned by the user and group specified in <varname>User=</varname> and <varname>Group=</varname>.
- This implies <varname>ReadWritePaths=</varname>, that is, the directories specified
- in this option are accessible with the access mode specified in <varname>RuntimeDirectoryMode=</varname>
- even if <varname>ProtectSystem=</varname> is set to <option>strict</option>.
- Use this to manage one or more runtime directories of the unit and bind their
- lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create
+ <listitem><para>These options take a whitespace-separated list of directory names. The specified directory
+ names must be relative, and may not include <literal>.</literal> or <literal>..</literal>. If set, one or more
+ directories by the specified names will be created (including their parents) below <filename>/run</filename>
+ (or <varname>$XDG_RUNTIME_DIR</varname> for user services), <filename>/var/lib</filename> (or
+ <varname>$XDG_CONFIG_HOME</varname> for user services), <filename>/var/cache</filename> (or
+ <varname>$XDG_CACHE_HOME</varname> for user services), <filename>/var/log</filename> (or
+ <varname>$XDG_CONFIG_HOME</varname><filename>/log</filename> for user services), or <filename>/etc</filename>
+ (or <varname>$XDG_CONFIG_HOME</varname> for user services), respectively, when the unit is started.</para>
+
+ <para>In case of <varname>RuntimeDirectory=</varname> the lowest subdirectories are removed when the unit is
+ stopped. It is possible to preserve the specified directories in this case if
+ <varname>RuntimeDirectoryPreserve=</varname> is configured to <option>restart</option> or <option>yes</option>
+ (see below). The directories specified with <varname>StateDirectory=</varname>,
+ <varname>CacheDirectory=</varname>, <varname>LogsDirectory=</varname>,
+ <varname>ConfigurationDirectory=</varname> are not removed when the unit is stopped.</para>
+
+ <para>Except in case of <varname>ConfigurationDirectory=</varname>, the innermost specified directories will be
+ owned by the user and group specified in <varname>User=</varname> and <varname>Group=</varname>. If the
+ specified directories already exist and their owning user or group do not match the configured ones, all files
+ and directories below the specified directories as well as the directories themselves will have their file
+ ownership recursively changed to match what is configured. As an optimization, if the specified directories are
+ already owned by the right user and group, files and directories below of them are left as-is, even if they do
+ not match what is requested. The innermost specified directories will have their access mode adjusted to the
+ what is specified in <varname>RuntimeDirectoryMode=</varname>, <varname>StateDirectoryMode=</varname>,
+ <varname>CacheDirectoryMode=</varname>, <varname>LogsDirectoryMode=</varname> and
+ <varname>ConfigurationDirectoryMode=</varname>.</para>
+
+ <para>These options imply <varname>BindPaths=</varname> for the specified paths. When combined with
+ <varname>RootDirectory=</varname> or <varname>RootImage=</varname> these paths always reside on the host and
+ are mounted from there into the unit's file system namespace.</para>
+
+ <para>If <varname>DynamicUser=</varname> is used in conjunction with <varname>StateDirectory=</varname>,
+ <varname>CacheDirectory=</varname> and <varname>LogsDirectory=</varname> is slightly altered: the directories
+ are created below <filename>/var/lib/private</filename>, <filename>/var/cache/private</filename> and
+ <filename>/var/log/private</filename>, respectively, which are host directories made inaccessible to
+ unprivileged users, which ensures that access to these directories cannot be gained through dynamic user ID
+ recycling. Symbolic links are created to hide this difference in behaviour. Both from perspective of the host
+ and from inside the unit, the relevant directories hence always appear directly below
+ <filename>/var/lib</filename>, <filename>/var/cache</filename> and <filename>/var/log</filename>.</para>
+
+ <para>Use <varname>RuntimeDirectory=</varname> to manage one or more runtime directories for the unit and bind
+ their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create
runtime directories in <filename>/run</filename> due to lack of privileges, and to make sure the runtime
- directory is cleaned up automatically after use. For runtime directories that require more complex or
- different configuration or lifetime guarantees, please consider using
+ directory is cleaned up automatically after use. For runtime directories that require more complex or different
+ configuration or lifetime guarantees, please consider using
<citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
<para>Example: if a system service unit has the following,
except <filename>/run/foo</filename> are owned by the user and group specified in <varname>User=</varname> and
<varname>Group=</varname>, and removed when the service is stopped.
</para></listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>StateDirectory=</varname></term>
- <term><varname>CacheDirectory=</varname></term>
- <term><varname>LogsDirectory=</varname></term>
- <term><varname>ConfigurationDirectory=</varname></term>
-
- <listitem><para>Takes a whitespace-separated list of directory names. If set, as similar to
- <varname>RuntimeDirectory=</varname>, one or more directories including their parents by the specified names
- will be created below <filename>/var/lib</filename>, <filename>/var/cache</filename>, <filename>/var/log</filename>,
- or <filename>/etc</filename>, respectively, when the unit is started.
- Unlike <varname>RuntimeDirectory=</varname>, the directories are not removed when the unit is stopped.
- The lowest subdirectories will be owned by the user and group specified in <varname>User=</varname>
- and <varname>Group=</varname>. The options imply <varname>ReadWritePaths=</varname>.
- </para></listitem>
</varlistentry>
<varlistentry>
memory segments as executable are prohibited. Specifically, a system call filter is added that rejects
<citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with both
<constant>PROT_EXEC</constant> and <constant>PROT_WRITE</constant> set,
- <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with
- <constant>PROT_EXEC</constant> set and
+ <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ or <citerefentry><refentrytitle>pkey_mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ system calls with <constant>PROT_EXEC</constant> set and
<citerefentry><refentrytitle>shmat</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with
<constant>SHM_EXEC</constant> set. Note that this option is incompatible with programs and libraries that
generate program code dynamically at runtime, including JIT execution engines, executable stacks, and code
<row>
<entry>205</entry>
<entry><constant>EXIT_LIMITS</constant></entry>
- <entry>Failed to adjust resoure limits. See <varname>LimitCPU=</varname> and related settings above.</entry>
+ <entry>Failed to adjust resource limits. See <varname>LimitCPU=</varname> and related settings above.</entry>
</row>
<row>
<entry>206</entry>
<row>
<entry>227</entry>
<entry><constant>EXIT_NO_NEW_PRIVILEGES</constant></entry>
- <entry>Failed to disable new priviliges. See <varname>NoNewPrivileges=yes</varname> above.</entry>
+ <entry>Failed to disable new privileges. See <varname>NoNewPrivileges=yes</varname> above.</entry>
</row>
<row>
<entry>228</entry>
<row>
<entry>230</entry>
<entry><constant>EXIT_PERSONALITY</constant></entry>
- <entry>Failed to set up a execution domain (personality). See <varname>Personality=</varname> above.</entry>
+ <entry>Failed to set up an execution domain (personality). See <varname>Personality=</varname> above.</entry>
</row>
<row>
<entry>231</entry>
<row>
<entry>238</entry>
<entry><constant>EXIT_STATE_DIRECTORY</constant></entry>
- <entry>Failed to set up a the unit's state directory. See <varname>StateDirectory=</varname> above.</entry>
+ <entry>Failed to set up unit's state directory. See <varname>StateDirectory=</varname> above.</entry>
</row>
<row>
<entry>239</entry>
<entry><constant>EXIT_CACHE_DIRECTORY</constant></entry>
- <entry>Failed to set up a the unit's cache directory. See <varname>CacheDirectory=</varname> above.</entry>
+ <entry>Failed to set up unit's cache directory. See <varname>CacheDirectory=</varname> above.</entry>
</row>
<row>
<entry>240</entry>
<entry><constant>EXIT_LOGS_DIRECTORY</constant></entry>
- <entry>Failed to set up a the unit's logging directory. See <varname>LogsDirectory=</varname> above.</entry>
+ <entry>Failed to set up unit's logging directory. See <varname>LogsDirectory=</varname> above.</entry>
</row>
<row>
<entry>241</entry>
<entry><constant>EXIT_CONFIGURATION_DIRECTORY</constant></entry>
- <entry>Failed to set up a the unit's configuration directory. See <varname>ConfigurationDirectory=</varname> above.</entry>
+ <entry>Failed to set up unit's configuration directory. See <varname>ConfigurationDirectory=</varname> above.</entry>
</row>
</tbody>
</tgroup>