Commit | Line | Data |
---|---|---|
dd1eb43b LP | 1 | <?xml version='1.0'?> <!--*-nxml-*--> |
2 | <?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?> | |
3 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" | |
4 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> | |
5 | ||
6 | <!-- | |
7 | This file is part of systemd. | |
8 | ||
9 | Copyright 2010 Lennart Poettering | |
10 | ||
11 | systemd is free software; you can redistribute it and/or modify it | |
12 | under the terms of the GNU General Public License as published by | |
13 | the Free Software Foundation; either version 2 of the License, or | |
14 | (at your option) any later version. | |
15 | ||
16 | systemd is distributed in the hope that it will be useful, but | |
17 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
18 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
19 | General Public License for more details. | |
20 | ||
21 | You should have received a copy of the GNU General Public License | |
22 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
23 | --> | |
24 | ||
25 | <refentry id="systemd.exec"> | |
26 | <refentryinfo> | |
27 | <title>systemd.exec</title> | |
28 | <productname>systemd</productname> | |
29 | ||
30 | <authorgroup> | |
31 | <author> | |
32 | <contrib>Developer</contrib> | |
33 | <firstname>Lennart</firstname> | |
34 | <surname>Poettering</surname> | |
35 | <email>lennart@poettering.net</email> | |
36 | </author> | |
37 | </authorgroup> | |
38 | </refentryinfo> | |
39 | ||
40 | <refmeta> | |
41 | <refentrytitle>systemd.exec</refentrytitle> | |
42 | <manvolnum>5</manvolnum> | |
43 | </refmeta> | |
44 | ||
45 | <refnamediv> | |
46 | <refname>systemd.exec</refname> | |
47 | <refpurpose>systemd execution environment configuration</refpurpose> | |
48 | </refnamediv> | |
49 | ||
50 | <refsynopsisdiv> | |
51 | <para><filename>systemd.service</filename>, | |
52 | <filename>systemd.socket</filename>, | |
53 | <filename>systemd.mount</filename></para> | |
54 | </refsynopsisdiv> | |
55 | ||
56 | <refsect1> | |
57 | <title>Description</title> | |
58 | ||
59 | <para>Unit configuration files for services, sockets | |
60 | and mount points share a subset of configuration | |
61 | options which define the execution environment of | |
62 | spawned processes.</para> | |
63 | ||
64 | <para>This man page lists the configuration options | |
65 | shared by these three unit types. See | |
66 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
67 | for the common options of all unit configuration | |
68 | files, and | |
69 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
70 | and | |
71 | <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
72 | for more information on the specific unit | |
73 | configuration files. The execution specific | |
74 | configuration options are configured in the [Service], | |
75 | [Socket] or [Mount] section, depending on the unit |
76 | type.</para> | |
77 | </refsect1> | |
78 | ||
79 | <refsect1> | |
80 | <title>Options</title> | |
81 | ||
82 | <variablelist> | |
83 | ||
84 | <varlistentry> | |
85 | <term><varname>WorkingDirectory=</varname></term> | |
86 | ||
87 | <listitem><para>Takes an absolute | |
88 | directory path. Sets the working | |
89 | directory for executed | |
90 | processes.</para></listitem> | |
91 | </varlistentry> | |
92 | ||
93 | <varlistentry> | |
94 | <term><varname>RootDirectory=</varname></term> | |
95 | ||
96 | <listitem><para>Takes an absolute | |
97 | directory path. Sets the root | |
98 | directory for executed processes, with | |
99 | the | |
100 | <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
101 | system call. If this is used, it must |
102 | be ensured that the process and all | |
103 | its auxiliary files are available in | |
104 | the <function>chroot()</function> | |
105 | jail.</para></listitem> | |
106 | </varlistentry> | |
107 | ||
108 | <varlistentry> | |
109 | <term><varname>User=</varname></term> | |
110 | <term><varname>Group=</varname></term> | |
111 | ||
112 | <listitem><para>Sets the Unix user |
113 | or group the processes are executed |
114 | as. Takes a single user or group |
115 | name or ID as argument. If no group is |
116 | set, the default group of the user is |
117 | chosen.</para></listitem> |
118 | </varlistentry> | |
119 | ||
120 | <varlistentry> | |
121 | <term><varname>SupplementaryGroups=</varname></term> | |
122 | ||
123 | <listitem><para>Sets the supplementary | |
124 | Unix groups the processes are executed | |
96d4ce01 | 125 | as. This takes a space separated list |
dd1eb43b LP | 126 | of group names or IDs. This option may |
127 | be specified more than once in which | |
128 | case all listed groups are set as | |
129 | supplementary groups. This option does | |
f8553ccb | 130 | not override but extends the list of |
dd1eb43b LP | 131 | supplementary groups configured in the |
132 | system group database for the | |
133 | user.</para></listitem> | |
134 | </varlistentry> | |
135 | ||
136 | <varlistentry> | |
137 | <term><varname>Nice=</varname></term> | |
138 | ||
139 | <listitem><para>Sets the default nice | |
140 | level (scheduling priority) for | |
141 | executed processes. Takes an integer | |
142 | between -20 (highest priority) and 19 | |
143 | (lowest priority). See | |
144 | <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
145 | for details.</para></listitem> | |
146 | </varlistentry> | |
147 | ||
148 | <varlistentry> | |
dd6c17b1 | 149 | <term><varname>OOMScoreAdjust=</varname></term> |
dd1eb43b LP | 150 | |
151 | <listitem><para>Sets the adjustment | |
152 | level for the Out-Of-Memory killer for | |
153 | executed processes. Takes an integer | |
dd6c17b1 LP | 154 | between -1000 (to disable OOM killing |
155 | for this process) and 1000 (to make | |
dd1eb43b LP | 156 | killing of this process under memory |
157 | pressure very likely). See <ulink | |
158 | url="http://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink> | |
159 | for details.</para></listitem> | |
160 | </varlistentry> | |
161 | ||
162 | <varlistentry> | |
163 | <term><varname>IOSchedulingClass=</varname></term> | |
164 | ||
165 | <listitem><para>Sets the IO scheduling | |
166 | class for executed processes. Takes an | |
167 | integer between 0 and 3 or one of the | |
168 | strings <option>none</option>, | |
169 | <option>realtime</option>, | |
170 | <option>best-effort</option> or | |
171 | <option>idle</option>. See | |
172 | <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
173 | for details.</para></listitem> | |
174 | </varlistentry> | |
175 | ||
176 | <varlistentry> | |
177 | <term><varname>IOSchedulingPriority=</varname></term> | |
178 | ||
179 | <listitem><para>Sets the IO scheduling | |
180 | priority for executed processes. Takes | |
181 | an integer between 0 (highest | |
182 | priority) and 7 (lowest priority). The | |
183 | available priorities depend on the | |
184 | selected IO scheduling class (see | |
185 | above). See | |
186 | <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
187 | for details.</para></listitem> | |
188 | </varlistentry> | |
189 | ||
190 | <varlistentry> | |
191 | <term><varname>CPUSchedulingPolicy=</varname></term> | |
192 | ||
193 | <listitem><para>Sets the CPU | |
194 | scheduling policy for executed | |
195 | processes. Takes one of | |
196 | <option>other</option>, | |
197 | <option>batch</option>, | |
198 | <option>idle</option>, | |
199 | <option>fifo</option> or | |
200 | <option>rr</option>. See | |
201 | <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
202 | for details.</para></listitem> | |
203 | </varlistentry> | |
204 | ||
205 | <varlistentry> | |
206 | <term><varname>CPUSchedulingPriority=</varname></term> | |
207 | ||
208 | <listitem><para>Sets the CPU | |
209 | scheduling priority for executed | |
210 | processes. Takes an integer between 1 | |
211 | (lowest priority) and 99 (highest | |
212 | priority). The available priority | |
213 | range depends on the selected CPU | |
214 | scheduling policy (see above). See | |
215 | <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
216 | for details.</para></listitem> | |
217 | </varlistentry> | |
218 | ||
219 | <varlistentry> | |
220 | <term><varname>CPUSchedulingResetOnFork=</varname></term> | |
221 | ||
222 | <listitem><para>Takes a boolean | |
223 | argument. If true, elevated CPU |
224 | scheduling priorities and policies | |
225 | will be reset when the executed | |
226 | processes fork, and can hence not leak | |
227 | into child processes. See | |
228 | <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
229 | for details. Defaults to false.</para></listitem> | |
230 | </varlistentry> | |
231 | ||
232 | <varlistentry> | |
233 | <term><varname>CPUAffinity=</varname></term> | |
234 | ||
235 | <listitem><para>Controls the CPU | |
236 | affinity of the executed | |
96d4ce01 | 237 | processes. Takes a space-separated |
dd1eb43b LP | 238 | list of CPU indexes. See |
239 | <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
240 | for details.</para></listitem> | |
241 | </varlistentry> | |
242 | ||
243 | <varlistentry> | |
244 | <term><varname>UMask=</varname></term> | |
245 | ||
246 | <listitem><para>Controls the file mode | |
247 | creation mask. Takes an access mode in | |
248 | octal notation. See | |
249 | <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
250 | for details. Defaults to | |
251 | 0002.</para></listitem> | |
252 | </varlistentry> | |
253 | ||
254 | <varlistentry> | |
255 | <term><varname>Environment=</varname></term> | |
256 | ||
257 | <listitem><para>Sets environment | |
258 | variables for executed | |
96d4ce01 | 259 | processes. Takes a space-separated |
dd1eb43b LP | 260 | list of variable assignments. This |
261 | option may be specified more than once | |
262 | in which case all listed variables | |
263 | will be set. If the same variable is | |
264 | set twice the later setting will | |
265 | override the earlier setting. See | |
266 | <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
267 | for details.</para></listitem> | |
268 | </varlistentry> | |
269 | <varlistentry> | |
270 | <term><varname>EnvironmentFile=</varname></term> | |
271 | <listitem><para>Similar to | |
272 | <varname>Environment=</varname> but | |
273 | reads the environment variables from a | |
274 | text file. The text file should | |
96d4ce01 | 275 | contain new-line separated variable |
dd1eb43b LP | 276 | assignments. Empty lines and lines |
277 | starting with ; or # will be ignored, | |
278 | which may be used for | |
279 | commenting.</para></listitem> | |
280 | </varlistentry> | |
281 | ||
282 | <varlistentry> | |
283 | <term><varname>StandardInput=</varname></term> | |
284 | <listitem><para>Controls where file | |
285 | descriptor 0 (STDIN) of the executed | |
286 | processes is connected to. Takes one | |
287 | of <option>null</option>, | |
288 | <option>tty</option>, | |
289 | <option>tty-force</option>, | |
290 | <option>tty-fail</option> or | |
291 | <option>socket</option>. If | |
292 | <option>null</option> is selected | |
293 | standard input will be connected to | |
294 | <filename>/dev/null</filename>, | |
295 | i.e. all read attempts by the process | |
296 | will result in immediate EOF. If | |
297 | <option>tty</option> is selected | |
298 | standard input is connected to a TTY | |
299 | (as configured by | |
300 | <varname>TTYPath=</varname>, see | |
301 | below) and the executed process | |
302 | becomes the controlling process of the | |
303 | terminal. If the terminal is already | |
f8553ccb AE | 304 | being controlled by another process, the |
305 | executed process waits until the current | |
306 | controlling process releases the | |
307 | terminal. | |
308 | <option>tty-force</option> | |
dd1eb43b LP | 309 | is similar to <option>tty</option>, |
310 | but the executed process is forcefully | |
311 | and immediately made the controlling | |
312 | process of the terminal, potentially | |
313 | removing previous controlling | |
314 | processes from the | |
315 | terminal. <option>tty-fail</option> is | |
316 | similar to <option>tty</option> but if | |
317 | the terminal already has a controlling | |
318 | process start-up of the executed | |
319 | process fails. The | |
320 | <option>socket</option> option is only | |
321 | valid in socket-activated services, | |
322 | and only when the socket configuration | |
323 | file (see | |
324 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
325 | for details) specifies a single socket | |
326 | only. If this option is set standard | |
327 | input will be connected to the socket | |
328 | the service was activated from, which | |
329 | is primarily useful for compatibility | |
330 | with daemons designed for use with the | |
331 | traditional | |
332 | <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
333 | daemon. This setting defaults to | |
334 | <option>null</option>.</para></listitem> | |
335 | </varlistentry> | |
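Added example, not part of the systemd documentation or source tree: a hypothetical socket unit and service template that run an inetd-style daemon under socket activation using the <option>socket</option> setting described above. The unit names, the /usr/sbin/in.fingerd binary, the finger user and group and the tcpwrap service name are assumptions for the illustration; Accept= is documented in systemd.socket(5) and ExecStart= in systemd.service(5).

```ini
# ---- finger.socket (hypothetical example unit, not shipped by systemd) ----
[Unit]
Description=Finger socket (inetd-style, one service instance per connection)

[Socket]
# Exactly one stream socket: StandardInput=socket requires that the socket
# unit defines a single socket.
ListenStream=79
# Spawn one instance of finger@.service per accepted connection, as inetd
# does; the instance is handed the accepted connection, not the listener.
Accept=yes

[Install]
WantedBy=sockets.target

# ---- finger@.service (hypothetical example unit, instantiated per connection) ----
[Unit]
Description=Finger daemon, connection %I

[Service]
ExecStart=/usr/sbin/in.fingerd
# The daemon speaks the protocol on stdin/stdout, so connect both to the
# accepted connection.
StandardInput=socket
StandardOutput=socket
# stderr defaults to inherit, which here would be the client's socket: send
# diagnostics to syslog instead so they cannot leak to the remote peer.
StandardError=syslog
SyslogIdentifier=in.fingerd
# Consult /etc/hosts.allow and /etc/hosts.deny for the "fingerd" service
# before exec; a denied connection is closed and the instance fails to start.
TCPWrapName=fingerd
# Nothing here needs root: drop to a dedicated account before exec.
User=finger
Group=finger
```

The StandardError= line is the part that is easy to forget: with the documented default of <option>inherit</option>, anything the daemon prints to stderr would travel down the same TCP connection as the protocol data, which both corrupts the stream and exposes internal error text to an unauthenticated peer.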
336 | <varlistentry> | |
337 | <term><varname>StandardOutput=</varname></term> | |
338 | <listitem><para>Controls where file | |
339 | descriptor 1 (STDOUT) of the executed | |
340 | processes is connected to. Takes one | |
341 | of <option>inherit</option>, | |
342 | <option>null</option>, | |
343 | <option>tty</option>, | |
344 | <option>syslog</option>, | |
345 | <option>kmsg</option> or | |
346 | <option>socket</option>. If set to | |
347 | <option>inherit</option> the file | |
348 | descriptor of standard input is | |
349 | duplicated for standard output. If set | |
350 | to <option>null</option> standard | |
351 | output will be connected to | |
352 | <filename>/dev/null</filename>, | |
353 | i.e. everything written to it will be | |
354 | lost. If set to <option>tty</option> | |
355 | standard output will be connected to a | |
356 | tty (as configured via | |
357 | <varname>TTYPath=</varname>, see | |
358 | below). If the TTY is used for output | |
359 | only, the executed process will not |
360 | become the controlling process of the | |
361 | terminal, and will not fail or wait | |
362 | for other processes to release the | |
363 | terminal. <option>syslog</option> | |
364 | connects standard output to the | |
365 | <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
366 | system logger. <option>kmsg</option> | |
367 | connects it with the kernel log buffer | |
368 | which is accessible via | |
369 | <citerefentry><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <option>socket</option> | |
370 | connects standard output to a socket | |
371 | from socket activation, semantics are | |
372 | similar to the respective option of | |
373 | <varname>StandardInput=</varname>. | |
374 | This setting defaults to | |
375 | <option>inherit</option>.</para></listitem> | |
376 | </varlistentry> | |
377 | <varlistentry> | |
ad678a06 | 378 | <term><varname>StandardError=</varname></term> |
dd1eb43b LP | 379 | <listitem><para>Controls where file |
380 | descriptor 2 (STDERR) of the executed | |
381 | processes is connected to. The | |
382 | available options are identical to | |
383 | those of | |
ad678a06 | 384 | <varname>StandardOutput=</varname>, |
dd1eb43b LP | 385 | with one exception: if set to |
386 | <option>inherit</option> the file | |
387 | descriptor used for standard output is | |
388 | duplicated for standard error. This | |
389 | setting defaults to | |
390 | <option>inherit</option>.</para></listitem> | |
391 | </varlistentry> | |
392 | <varlistentry> | |
393 | <term><varname>TTYPath=</varname></term> | |
394 | <listitem><para>Sets the terminal | |
395 | device node to use if standard input, | |
396 | output or stderr are connected to a | |
397 | TTY (see above). Defaults to | |
398 | <filename>/dev/console</filename>.</para></listitem> | |
399 | </varlistentry> | |
400 | <varlistentry> | |
401 | <term><varname>SyslogIdentifier=</varname></term> |
402 | <listitem><para>Sets the process name | |
403 | to prefix log lines sent to syslog or | |
404 | the kernel log buffer with. If not set | |
405 | defaults to the process name of the | |
406 | executed process. This option is only | |
407 | useful when | |
408 | <varname>StandardOutput=</varname> or | |
409 | <varname>StandardError=</varname> are | |
410 | set to <option>syslog</option> or | |
411 | <option>kmsg</option>.</para></listitem> | |
412 | </varlistentry> | |
413 | <varlistentry> | |
414 | <term><varname>SyslogFacility=</varname></term> | |
415 | <listitem><para>Sets the syslog | |
416 | facility to use when logging to | |
417 | syslog. One of <option>kern</option>, | |
418 | <option>user</option>, | |
419 | <option>mail</option>, | |
420 | <option>daemon</option>, | |
421 | <option>auth</option>, | |
422 | <option>syslog</option>, | |
423 | <option>lpr</option>, | |
424 | <option>news</option>, | |
425 | <option>uucp</option>, | |
426 | <option>cron</option>, | |
427 | <option>authpriv</option>, | |
428 | <option>ftp</option>, | |
429 | <option>local0</option>, | |
430 | <option>local1</option>, | |
431 | <option>local2</option>, | |
432 | <option>local3</option>, | |
433 | <option>local4</option>, | |
434 | <option>local5</option>, | |
435 | <option>local6</option> or | |
436 | <option>local7</option>. See | |
437 | <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
438 | for details. This option is only | |
439 | useful when | |
440 | <varname>StandardOutput=</varname> or | |
441 | <varname>StandardError=</varname> are | |
442 | set to <option>syslog</option>. | |
443 | Defaults to | |
444 | <option>daemon</option>.</para></listitem> | |
445 | </varlistentry> | |
446 | <varlistentry> | |
447 | <term><varname>SyslogLevel=</varname></term> | |
448 | <listitem><para>Default syslog level | |
449 | to use when logging to syslog or the | |
450 | kernel log buffer. One of | |
451 | <option>emerg</option>, | |
452 | <option>alert</option>, | |
453 | <option>crit</option>, | |
454 | <option>err</option>, | |
455 | <option>warning</option>, | |
456 | <option>notice</option>, | |
457 | <option>info</option>, | |
458 | <option>debug</option>. See | |
459 | <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
460 | for details. This option is only | |
461 | useful when | |
462 | <varname>StandardOutput=</varname> or | |
463 | <varname>StandardError=</varname> are | |
464 | set to <option>syslog</option> or | |
465 | <option>kmsg</option>. Note that | |
466 | individual lines output by the daemon | |
467 | might be prefixed with a different log | |
468 | level which can be used to override | |
469 | the default log level specified | |
470 | here. The interpretation of these | |
471 | prefixes may be disabled with | |
74922904 | 472 | <varname>SyslogLevelPrefix=</varname>, |
dd1eb43b LP | 473 | see below. For details see |
474 | <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>7</manvolnum></citerefentry>. | |
475 | ||
476 | Defaults to | |
477 | <option>info</option>.</para></listitem> | |
478 | </varlistentry> | |
479 | ||
480 | <varlistentry> | |
74922904 | 481 | <term><varname>SyslogLevelPrefix=</varname></term> |
dd1eb43b | 482 | <listitem><para>Takes a boolean |
74922904 | 483 | argument. If true and |
dd1eb43b LP | 484 | <varname>StandardOutput=</varname> or |
485 | <varname>StandardError=</varname> are | |
486 | set to <option>syslog</option> or | |
487 | <option>kmsg</option> log lines | |
488 | written by the executed process that | |
489 | are prefixed with a log level will be | |
490 | passed on to syslog with this log | |
491 | level set but the prefix removed. If | |
74922904 | 492 | set to false, the interpretation of |
dd1eb43b LP | 493 | these prefixes is disabled and the |
494 | logged lines are passed on as-is. For | |
495 | details about this prefixing see | |
496 | <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>7</manvolnum></citerefentry>. | |
74922904 | 497 | Defaults to true.</para></listitem> |
dd1eb43b LP | 498 | </varlistentry> |
499 | ||
500 | <varlistentry> | |
03fae018 | 501 | <term><varname>TimerSlackNSec=</varname></term> |
dd1eb43b LP | 502 | <listitem><para>Sets the timer slack |
503 | in nanoseconds for the executed | |
f8553ccb | 504 | processes. The timer slack controls the |
03fae018 LP | 505 | accuracy of wake-ups triggered by |
506 | timers. See | |
dd1eb43b | 507 | <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> |
03fae018 LP | 508 | for more information. Note that in |
509 | contrast to most other time span | |
f8553ccb AE | 510 | definitions this parameter takes an |
511 | integer value in nano-seconds and does | |
512 | not understand any other | |
03fae018 | 513 | units.</para></listitem> |
dd1eb43b LP | 514 | </varlistentry> |
515 | ||
516 | <varlistentry> | |
517 | <term><varname>LimitCPU=</varname></term> | |
518 | <term><varname>LimitFSIZE=</varname></term> | |
519 | <term><varname>LimitDATA=</varname></term> | |
520 | <term><varname>LimitSTACK=</varname></term> | |
521 | <term><varname>LimitCORE=</varname></term> | |
522 | <term><varname>LimitRSS=</varname></term> | |
523 | <term><varname>LimitNOFILE=</varname></term> | |
524 | <term><varname>LimitAS=</varname></term> | |
525 | <term><varname>LimitNPROC=</varname></term> | |
526 | <term><varname>LimitMEMLOCK=</varname></term> | |
527 | <term><varname>LimitLOCKS=</varname></term> | |
528 | <term><varname>LimitSIGPENDING=</varname></term> | |
529 | <term><varname>LimitMSGQUEUE=</varname></term> | |
530 | <term><varname>LimitNICE=</varname></term> | |
531 | <term><varname>LimitRTPRIO=</varname></term> | |
532 | <term><varname>LimitRTTIME=</varname></term> | |
533 | <listitem><para>These settings control | |
534 | various resource limits for executed | |
535 | processes. See | |
536 | <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
537 | for details.</para></listitem> | |
538 | </varlistentry> | |
539 | ||
540 | <varlistentry> | |
541 | <term><varname>PAMName=</varname></term> | |
542 | <listitem><para>Sets the PAM service | |
543 | name to set up a session as. If set | |
544 | the executed process will be | |
545 | registered as a PAM session under the | |
546 | specified service name. This is only | |
547 | useful in conjunction with the | |
548 | <varname>User=</varname> setting. If | |
549 | not set no PAM session will be opened | |
550 | for the executed processes. See | |
551 | <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
552 | for details.</para></listitem> | |
553 | </varlistentry> | |
554 | ||
555 | <varlistentry> | |
556 | <term><varname>TCPWrapName=</varname></term> | |
557 | <listitem><para>If this is a | |
558 | socket-activated service this sets the | |
559 | tcpwrap service name to check the | |
560 | permission for the current connection | |
561 | with. This is only useful in | |
562 | conjunction with socket-activated | |
563 | services, and stream sockets (TCP) in | |
564 | particular. It has no effect on other | |
565 | socket types (e.g. datagram/UDP) and on processes | |
566 | unrelated to socket-based | |
567 | activation. If the tcpwrap | |
568 | verification fails daemon start-up | |
569 | will fail and the connection is | |
570 | terminated. See | |
571 | <citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
572 | for details.</para></listitem> | |
573 | </varlistentry> | |
574 | ||
575 | <varlistentry> | |
576 | <term><varname>Capabilities=</varname></term> | |
577 | <listitem><para>Controls the | |
578 | <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
579 | set for the executed process. Takes a |
580 | capability string as described in |
581 | <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>. |
582 | Note that the capability set is |
583 | recomputed by execve() and hence also |
584 | depends on the capabilities attached |
585 | to the executed file.</para></listitem> |
586 | </varlistentry> | |
587 | ||
588 | <varlistentry> | |
589 | <term><varname>SecureBits=</varname></term> | |
590 | <listitem><para>Controls the secure | |
591 | bits set for the executed process. See | |
592 | <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
593 | for details. Takes a list of strings: | |
594 | <option>keep-caps</option>, | |
595 | <option>keep-caps-locked</option>, | |
596 | <option>no-setuid-fixup</option>, | |
597 | <option>no-setuid-fixup-locked</option>, | |
598 | <option>no-setuid-noroot</option> and/or | |
599 | <option>no-setuid-noroot-locked</option>. | |
600 | </para></listitem> | |
601 | </varlistentry> | |
602 | ||
603 | <varlistentry> | |
604 | <term><varname>CapabilityBoundingSetDrop=</varname></term> | |
605 | ||
606 | <listitem><para>Controls which |
607 | capabilities are dropped from the bounding set of |
608 | the executed process. See |
609 | <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
610 | for details. Takes a list of | |
611 | capability names as read by | |
612 | <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
613 | </para></listitem> | |
614 | </varlistentry> | |
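Added example, not systemd's own (the unit name, the binary and the exact capability list are assumptions): a hypothetical service that has to start as root, say to read a private key and bind a privileged port, but should keep as little of root's power as possible. It combines the UMask=, Limit*= and CapabilityBoundingSetDrop= options described above. The bounding set, rather than Capabilities=, is used to take capabilities away because the kernel recomputes the capability sets at execve() (a non-root process whose binary carries no file capabilities ends up with none), whereas the bounding set is inherited across execve() and also caps whatever file capabilities or a setuid helper could grant later.

```ini
# keyserver.service (hypothetical example unit, not shipped by systemd)
[Unit]
Description=Example root daemon with a reduced capability bounding set

[Service]
ExecStart=/usr/sbin/keyserver --foreground
# Default UMask=0002 makes every file the daemon creates group-writable;
# 0077 keeps sockets, state and log files private to the owner.
UMask=0077
# A process holding key material must never leave a core file on disk.
LimitCORE=0
# Bound descriptors and processes. RLIMIT_NPROC is counted per UID: for a
# root daemon this only bites its own children, but for a dedicated user it
# caps the whole account, so size it for the expected load.
LimitNOFILE=1024
LimitNPROC=64
# Stay root, but remove what root never needs here. Everything not listed
# (for example CAP_NET_BIND_SERVICE and CAP_DAC_READ_SEARCH) stays available.
CapabilityBoundingSetDrop=CAP_SYS_ADMIN CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_PTRACE CAP_SYS_BOOT CAP_SYS_TIME CAP_MKNOD CAP_NET_ADMIN CAP_AUDIT_WRITE CAP_AUDIT_CONTROL
```

The effect can be checked on the running service by reading the CapBnd line of /proc/&lt;pid&gt;/status for its main process; every dropped capability is a cleared bit in that mask. If the daemon can do its job without any privilege at all, User= and Group= remain the simpler and stronger choice.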
615 | ||
616 | <varlistentry> | |
617 | <term><varname>ControlGroup=</varname></term> | |
618 | ||
619 | <listitem><para>Controls the control | |
620 | groups the executed processes shall be | |
ad678a06 | 621 | made members of. Takes a |
96d4ce01 | 622 | space-separated list of cgroup |
dd1eb43b LP | 623 | identifiers. A cgroup identifier has a |
624 | format like | |
625 | <filename>cpu:/foo/bar</filename>, | |
626 | where "cpu" identifies the kernel | |
627 | control group controller used, and | |
628 | <filename>/foo/bar</filename> is the | |
629 | control group path. The controller name | |
630 | and ":" may be omitted in which case | |
631 | the named systemd control group | |
632 | hierarchy is implied. Alternatively, | |
633 | the path and ":" may be omitted, in | |
634 | which case the default control group | |
635 | path for this unit is implied. This | |
636 | option may be used to place executed | |
637 | processes in arbitrary groups in | |
638 | arbitrary hierarchies -- which can be |
639 | configured externally with additional execution limits. By default | |
640 | systemd will place all executed | |
96d4ce01 | 641 | processes in separate per-unit control |
dd1eb43b LP | 642 | groups (named after the unit) in the |
643 | systemd named hierarchy. Since every | |
644 | process can be in one group per | |
645 | hierarchy only, overriding the control group |
646 | path in the named systemd hierarchy | |
647 | will disable automatic placement in | |
648 | the default group. For details about control | |
649 | groups see <ulink | |
650 | url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>.</para></listitem> | |
651 | </varlistentry> | |
652 | ||
653 | <varlistentry> | |
654 | <term><varname>ReadWriteDirectories=</varname></term> | |
655 | <term><varname>ReadOnlyDirectories=</varname></term> | |
656 | <term><varname>InaccessibleDirectories=</varname></term> | |
657 | ||
658 | <listitem><para>Sets up a new | |
659 | file system namespace for executed |
660 | processes. These options may be used | |
661 | to limit access a process might have | |
662 | to the main file-system | |
663 | hierarchy. Each setting takes a | |
96d4ce01 | 664 | space-separated list of absolute |
dd1eb43b LP | 665 | directory paths. Directories listed in |
666 | <varname>ReadWriteDirectories=</varname> | |
667 | are accessible from within the | |
668 | namespace with the same access rights | |
669 | as from outside. Directories listed in | |
670 | <varname>ReadOnlyDirectories=</varname> | |
671 | are accessible for reading only, | |
672 | writing will be refused even if the | |
673 | usual file access controls would | |
674 | permit this. Directories listed in | |
675 | <varname>InaccessibleDirectories=</varname> | |
676 | will be made inaccessible for processes |
677 | inside the namespace. Note that | |
678 | restricting access with these options | |
679 | does not extend to submounts of a | |
680 | directory. You must list submounts | |
96d4ce01 | 681 | separately in these settings to |
dd1eb43b LP | 682 | ensure the same limited access. These |
683 | options may be specified more than | |
684 | once in which case all directories | |
685 | listed will have limited access from | |
686 | within the | |
687 | namespace.</para></listitem> | |
688 | </varlistentry> | |
689 | ||
690 | <varlistentry> | |
691 | <term><varname>PrivateTmp=</varname></term> | |
692 | ||
693 | <listitem><para>Takes a boolean | |
694 | argument. If true, sets up a new |
695 | namespace for the executed processes | |
696 | and mounts a private | |
697 | <filename>/tmp</filename> directory | |
698 | inside it, that is not shared by | |
699 | processes outside of the | |
700 | namespace. This is useful to secure | |
701 | access to temporary files of the | |
702 | process, but makes sharing between | |
703 | processes via | |
704 | <filename>/tmp</filename> | |
705 | impossible. Defaults to false.</para></listitem> | |
706 | </varlistentry> | |
707 | ||
708 | <varlistentry> | |
709 | <term><varname>MountFlags=</varname></term> | |
710 | ||
711 | <listitem><para>Takes a mount | |
712 | propagation flag: | |
713 | <option>shared</option>, | |
714 | <option>slave</option> or | |
715 | <option>private</option>, which | |
716 | control whether namespaces set up with | |
717 | <varname>ReadWriteDirectories=</varname>, | |
718 | <varname>ReadOnlyDirectories=</varname> | |
719 | and | |
720 | <varname>InaccessibleDirectories=</varname> | |
721 | receive or propagate new mounts | |
722 | from/to the main namespace. See | |
723 | <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
724 | for details. Defaults to | |
725 | <option>shared</option>, i.e. the new | |
726 | namespace will both receive new mount | |
727 | points from the main namespace as well | |
728 | as propagate new mounts to | |
729 | it.</para></listitem> | |
730 | </varlistentry> | |
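Added example, not systemd's own (unit, user, binary and the assumed mount layout are illustrative): a hypothetical service confined with the ReadWriteDirectories=, ReadOnlyDirectories=, InaccessibleDirectories=, PrivateTmp= and MountFlags= options above. The host is assumed to have /usr/local on a separate mount, which is exactly the case the submount caveat above warns about.

```ini
# archiver.service (hypothetical example unit, not shipped by systemd)
[Unit]
Description=Example daemon confined to a private file system view

[Service]
ExecStart=/usr/sbin/archiver --foreground
User=archiver
Group=archiver
# Programs, libraries and configuration stay readable but cannot be modified
# from inside the namespace, whatever the file permissions would allow.
ReadOnlyDirectories=/usr /etc /boot
# Assumed layout: /usr/local is its own mount. The /usr entry does not cover
# submounts, so it has to be listed separately or it remains writable.
ReadOnlyDirectories=/usr/local
# Other users' data is not needed at all: hide it instead of relying on
# discretionary permissions.
InaccessibleDirectories=/home /root /srv
# All of /var read-only (so no pid file under /var/run either) except the
# single directory the daemon owns and writes its state to.
ReadOnlyDirectories=/var
ReadWriteDirectories=/var/lib/archiver
# A private /tmp removes symlink races and data leaks through the shared,
# world-writable /tmp. Anything that expects to exchange files with this
# service via /tmp will break, which is the point.
PrivateTmp=yes
# Receive mounts made later in the main namespace (a newly mounted volume)
# but never propagate the service's own mounts back to the host.
MountFlags=slave
```

Two things to verify on the target system rather than assume: the page does not state how a read-write entry nested below a read-only one is treated, so inspect /proc/&lt;pid&gt;/mounts of the running service before relying on the /var/lib/archiver line; and run findmnt or mount once on the host to enumerate every submount below the restricted directories, since each one needs its own entry.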
731 | ||
169c1bda LP | 732 | <varlistentry> |
733 | <term><varname>UtmpIdentifier=</varname></term> | |
734 | ||
735 | <listitem><para>Takes a four |
736 | character identifier string for a |
737 | utmp/wtmp entry for this service. This |
738 | should only be set for services such | |
739 | as <command>getty</command> | |
740 | implementations where utmp/wtmp | |
741 | entries must be created and cleared | |
742 | before and after execution. If the | |
743 | configured string is longer than four | |
744 | characters it is truncated and the | |
745 | terminal four characters are | |
746 | used. This setting interprets %I style | |
747 | string replacements. This setting is | |
748 | unset by default, i.e. no utmp/wtmp | |
749 | entries are created or cleaned up for | |
750 | this service.</para></listitem> | |
751 | </varlistentry> | |
752 | ||
dd1eb43b LP | 753 | </variablelist> |
754 | </refsect1> | |
755 | ||
756 | <refsect1> | |
757 | <title>See Also</title> | |
758 | <para> | |
f3e219a2 | 759 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
dd1eb43b LP | 760 | <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
761 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
762 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
763 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
764 | <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
765 | </para> | |
766 | </refsect1> | |
767 | ||
768 | </refentry> |