git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd.exec.xml
Merge pull request #3884 from poettering/private-users
<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">

<!--
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->

<refentry id="systemd.exec">

  <refentryinfo>
    <title>systemd.exec</title>
    <productname>systemd</productname>

    <authorgroup>
      <author>
        <contrib>Developer</contrib>
        <firstname>Lennart</firstname>
        <surname>Poettering</surname>
        <email>lennart@poettering.net</email>
      </author>
    </authorgroup>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd.exec</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd.exec</refname>
    <refpurpose>Execution environment configuration</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename><replaceable>service</replaceable>.service</filename>,
    <filename><replaceable>socket</replaceable>.socket</filename>,
    <filename><replaceable>mount</replaceable>.mount</filename>,
    <filename><replaceable>swap</replaceable>.swap</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>Unit configuration files for services, sockets, mount
    points, and swap devices share a subset of configuration options
    which define the execution environment of spawned
    processes.</para>

    <para>This man page lists the configuration options shared by
    these four unit types. See
    <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
    for the common options of all unit configuration files, and
    <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
    <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
    <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
    and
    <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
    for more information on the specific unit configuration files. The
    execution-specific configuration options are configured in the
    [Service], [Socket], [Mount], or [Swap] sections, depending on the
    unit type.</para>
  </refsect1>

  <refsect1>
    <title>Automatic Dependencies</title>

    <para>A few execution parameters result in additional, automatic
    dependencies being added.</para>

    <para>Units with <varname>WorkingDirectory=</varname> or
    <varname>RootDirectory=</varname> set automatically gain
    dependencies of type <varname>Requires=</varname> and
    <varname>After=</varname> on all mount units required to access
    the specified paths. This is equivalent to having them listed
    explicitly in <varname>RequiresMountsFor=</varname>.</para>

    <para>Similarly, units with <varname>PrivateTmp=</varname> enabled
    automatically get mount unit dependencies for all mounts
    required to access <filename>/tmp</filename> and
    <filename>/var/tmp</filename>.</para>

    <para>Units whose standard output or error output is connected to <option>journal</option>, <option>syslog</option>
    or <option>kmsg</option> (or their combinations with console output, see below) automatically acquire dependencies
    of type <varname>After=</varname> on <filename>systemd-journald.socket</filename>.</para>
  </refsect1>

  <refsect1>
    <title>Options</title>

    <variablelist class='unit-directives'>

      <varlistentry>
        <term><varname>WorkingDirectory=</varname></term>

        <listitem><para>Takes a directory path relative to the service's root directory specified by
        <varname>RootDirectory=</varname>, or the special value <literal>~</literal>. Sets the working directory for
        executed processes. If set to <literal>~</literal>, the home directory of the user specified in
        <varname>User=</varname> is used. If not set, defaults to the root directory when systemd is running as a
        system instance and the respective user's home directory if run as user. If the setting is prefixed with the
        <literal>-</literal> character, a missing working directory is not considered fatal. If
        <varname>RootDirectory=</varname> is not set, then <varname>WorkingDirectory=</varname> is relative to the root
        of the system running the service manager. Note that setting this parameter might result in additional
        dependencies being added to the unit (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>RootDirectory=</varname></term>

        <listitem><para>Takes a directory path relative to the host's root directory (i.e. the root of the system
        running the service manager). Sets the root directory for executed processes, with the <citerefentry
        project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry> system
        call. If this is used, it must be ensured that the process binary and all its auxiliary files are available in
        the <function>chroot()</function> jail. Note that setting this parameter might result in additional
        dependencies being added to the unit (see above).</para>

        <para>The <varname>PrivateUsers=</varname> setting is particularly useful in conjunction with
        <varname>RootDirectory=</varname>. For details, see below.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>User=</varname></term>
        <term><varname>Group=</varname></term>

        <listitem><para>Set the UNIX user or group that the processes are executed as, respectively. Takes a single
        user or group name, or numeric ID as argument. If no group is set, the default group of the user is used. This
        setting does not affect commands whose command line is prefixed with <literal>+</literal>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>DynamicUser=</varname></term>

        <listitem><para>Takes a boolean parameter. If set, a UNIX user and group pair is allocated dynamically when the
        unit is started, and released as soon as it is stopped. The user and group will not be added to
        <filename>/etc/passwd</filename> or <filename>/etc/group</filename>, but are managed transiently during
        runtime. The <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        glibc NSS module provides integration of these dynamic users/groups into the system's user and group
        databases. The user and group name to use may be configured via <varname>User=</varname> and
        <varname>Group=</varname> (see above). If these options are not used and dynamic user/group allocation is
        enabled for a unit, the name of the dynamic user/group is implicitly derived from the unit name. If the unit
        name without the type suffix qualifies as a valid user name it is used directly, otherwise a name incorporating a
        hash of it is used. If a statically allocated user or group of the configured name already exists, it is used
        and no dynamic user/group is allocated. Dynamic users/groups are allocated from the UID/GID range
        61184…65519. It is recommended to avoid this range for regular system or login users. At any point in time,
        each UID/GID from this range is assigned to at most one dynamically allocated user/group in
        use. However, UID/GIDs are recycled after a unit is terminated. Care should be taken that any processes running
        as part of a unit for which dynamic users/groups are enabled do not leave files or directories owned by these
        users/groups around, as a different unit might get the same UID/GID assigned later on, and thus gain access to
        these files or directories. If <varname>DynamicUser=</varname> is enabled, <varname>PrivateTmp=</varname> is
        implied. This ensures that the lifetime of temporary files created by the executed processes is bound to the
        runtime of the service, and hence the lifetime of the dynamic user/group. Since <filename>/tmp</filename> and
        <filename>/var/tmp</filename> are usually the only world-writable directories on a system, this ensures that a
        unit making use of dynamic user/group allocation cannot leave files around after unit termination. Use
        <varname>RuntimeDirectory=</varname> (see below) in order to assign a writable runtime directory to a service,
        owned by the dynamic user/group and removed automatically when the unit is terminated. Defaults to
        off.</para></listitem>
      </varlistentry>
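The warning about recycled UID/GIDs above is something an operator can check for. The following audit script is an added example, not systemd's own code and not part of this man page: it walks a directory tree and reports every file or directory whose owner or group falls in the documented dynamic range 61184…65519. A hit is a candidate for review rather than proof of a leak, since the ID may belong to a unit that is currently running; the script cannot tell the two apart offline.

```python
"""Audit a directory tree for files owned by DynamicUser= UIDs/GIDs.

Added example, not part of systemd. Dynamic users/groups come from the
UID/GID range 61184..65519 and are recycled after the unit stops, so a
file still owned by such an ID after its service is gone may become
accessible to whichever unit is assigned that ID next.
"""
import os
import sys

# Range documented in the DynamicUser= entry (inclusive of 65519).
DYNAMIC_ID_RANGE = range(61184, 65519 + 1)


def owned_by_dynamic_id(uid, gid):
    """True if either the owner UID or the group GID is in the dynamic range."""
    return uid in DYNAMIC_ID_RANGE or gid in DYNAMIC_ID_RANGE


def classify_entries(entries):
    """Keep only the (path, uid, gid) triples that are owned by dynamic IDs.

    Takes any iterable of triples so the logic can be exercised on
    constructed data without needing root to create such files.
    """
    return [(path, uid, gid) for path, uid, gid in entries
            if owned_by_dynamic_id(uid, gid)]


def scan_tree(root):
    """Walk root without following symlinks and return offending entries.

    lstat() is used deliberately: a symlink is judged by its own ownership,
    not by the ownership of whatever it points at.
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the audit
            found.extend(classify_entries([(path, st.st_uid, st.st_gid)]))
    return found


if __name__ == "__main__":
    # Default to /var/tmp, one of the world-writable locations the text names.
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/tmp"
    for path, uid, gid in scan_tree(root):
        print(f"{path}: uid={uid} gid={gid}")
```

Run it against any directory that a DynamicUser= service could have written to (RuntimeDirectory= trees are removed automatically, so the interesting places are the ones it does not clean up).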

      <varlistentry>
        <term><varname>SupplementaryGroups=</varname></term>

        <listitem><para>Sets the supplementary Unix groups the
        processes are executed as. This takes a space-separated list
        of group names or IDs. This option may be specified more than
        once, in which case all listed groups are set as supplementary
        groups. When the empty string is assigned, the list of
        supplementary groups is reset, and all assignments prior to
        this one will have no effect. In any case, this option does not
        override, but extends the list of supplementary groups
        configured in the system group database for the
        user. This does not affect commands prefixed with <literal>+</literal>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Nice=</varname></term>

        <listitem><para>Sets the default nice level (scheduling
        priority) for executed processes. Takes an integer between -20
        (highest priority) and 19 (lowest priority). See
        <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>
        for details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>OOMScoreAdjust=</varname></term>

        <listitem><para>Sets the adjustment level for the
        Out-Of-Memory killer for executed processes. Takes an integer
        between -1000 (to disable OOM killing for this process) and
        1000 (to make killing of this process under memory pressure
        very likely). See <ulink
        url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink>
        for details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>IOSchedulingClass=</varname></term>

        <listitem><para>Sets the I/O scheduling class for executed
        processes. Takes an integer between 0 and 3 or one of the
        strings <option>none</option>, <option>realtime</option>,
        <option>best-effort</option> or <option>idle</option>. See
        <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
        for details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>IOSchedulingPriority=</varname></term>

        <listitem><para>Sets the I/O scheduling priority for executed
        processes. Takes an integer between 0 (highest priority) and 7
        (lowest priority). The available priorities depend on the
        selected I/O scheduling class (see above). See
        <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
        for details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>CPUSchedulingPolicy=</varname></term>

        <listitem><para>Sets the CPU scheduling policy for executed
        processes. Takes one of
        <option>other</option>,
        <option>batch</option>,
        <option>idle</option>,
        <option>fifo</option> or
        <option>rr</option>. See
        <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
        for details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>CPUSchedulingPriority=</varname></term>

        <listitem><para>Sets the CPU scheduling priority for executed
        processes. The available priority range depends on the
        selected CPU scheduling policy (see above). For real-time
        scheduling policies an integer between 1 (lowest priority) and
        99 (highest priority) can be used. See
        <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
        for details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>CPUSchedulingResetOnFork=</varname></term>

        <listitem><para>Takes a boolean argument. If true, elevated
        CPU scheduling priorities and policies will be reset when the
        executed processes fork, and can hence not leak into child
        processes. See
        <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
        for details. Defaults to false.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>CPUAffinity=</varname></term>

        <listitem><para>Controls the CPU affinity of the executed
        processes. Takes a list of CPU indices or ranges separated by
        either whitespace or commas. CPU ranges are specified by the
        lower and upper CPU indices separated by a dash.
        This option may be specified more than once, in which case the
        specified CPU affinity masks are merged. If the empty string
        is assigned, the mask is reset, and all assignments prior to this
        one will have no effect. See
        <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry>
        for details.</para></listitem>
      </varlistentry>
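The CPUAffinity= grammar above (indices or dash-separated ranges, whitespace or comma separators, repeated assignments merged, an empty assignment resetting the mask) is small enough to model completely. The parser below is an added example written for this page, not systemd's own implementation; it rejects malformed tokens and backwards ranges instead of silently producing an empty mask.

```python
"""Parse CPUAffinity= values into a set of CPU indices.

Added example following the rules stated in the CPUAffinity= entry; it is
not systemd's parser.
"""
import re

# Tokens are separated by any run of whitespace and/or commas.
_SEPARATOR = re.compile(r"[\s,]+")


def parse_cpu_list(value):
    """Return the set of CPU indices named by a single CPUAffinity= value."""
    cpus = set()
    for token in _SEPARATOR.split(value.strip()):
        if not token:
            continue  # leading/trailing separator produced an empty token
        lo, dash, hi = token.partition("-")
        if not lo.isdigit() or (dash and not hi.isdigit()):
            raise ValueError(f"bad CPU specification: {token!r}")
        start = int(lo)
        end = int(hi) if dash else start
        if start > end:
            raise ValueError(f"range runs backwards: {token!r}")
        cpus.update(range(start, end + 1))
    return cpus


def apply_cpu_affinity(assignments):
    """Fold a sequence of CPUAffinity= assignments, in unit-file order.

    Each non-empty assignment is merged into the mask; an empty string
    discards everything assigned before it, as the entry describes.
    """
    mask = set()
    for value in assignments:
        if value.strip() == "":
            mask = set()
        else:
            mask |= parse_cpu_list(value)
    return mask


if __name__ == "__main__":
    # Constructed sample: two assignments, then a reset, then a third.
    print(sorted(apply_cpu_affinity(["0-3 8", "10,11", "", "2-4"])))
```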
283
284 <varlistentry>
285 <term><varname>UMask=</varname></term>
286
287 <listitem><para>Controls the file mode creation mask. Takes an
288 access mode in octal notation. See
289 <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry>
290 for details. Defaults to 0022.</para></listitem>
291 </varlistentry>
292
293 <varlistentry>
294 <term><varname>Environment=</varname></term>
295
296 <listitem><para>Sets environment variables for executed
297 processes. Takes a space-separated list of variable
b938cb90 298 assignments. This option may be specified more than once, in
798d3a52
ZJS
299 which case all listed variables will be set. If the same
300 variable is set twice, the later setting will override the
301 earlier setting. If the empty string is assigned to this
302 option, the list of environment variables is reset, all prior
303 assignments have no effect. Variable expansion is not
304 performed inside the strings, however, specifier expansion is
305 possible. The $ character has no special meaning. If you need
306 to assign a value containing spaces to a variable, use double
307 quotes (") for the assignment.</para>
308
309 <para>Example:
310 <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting>
311 gives three variables <literal>VAR1</literal>,
312 <literal>VAR2</literal>, <literal>VAR3</literal>
313 with the values <literal>word1 word2</literal>,
314 <literal>word3</literal>, <literal>$word 5 6</literal>.
315 </para>
316
317 <para>
318 See
319 <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
320 for details about environment variables.</para></listitem>
321 </varlistentry>
322 <varlistentry>
323 <term><varname>EnvironmentFile=</varname></term>
324 <listitem><para>Similar to <varname>Environment=</varname> but
325 reads the environment variables from a text file. The text
326 file should contain new-line-separated variable assignments.
8f0d2981
RM
327 Empty lines, lines without an <literal>=</literal> separator,
328 or lines starting with ; or # will be ignored,
798d3a52
ZJS
329 which may be used for commenting. A line ending with a
330 backslash will be concatenated with the following one,
331 allowing multiline variable definitions. The parser strips
332 leading and trailing whitespace from the values of
333 assignments, unless you use double quotes (").</para>
334
335 <para>The argument passed should be an absolute filename or
336 wildcard expression, optionally prefixed with
337 <literal>-</literal>, which indicates that if the file does
338 not exist, it will not be read and no error or warning message
339 is logged. This option may be specified more than once in
340 which case all specified files are read. If the empty string
341 is assigned to this option, the list of file to read is reset,
342 all prior assignments have no effect.</para>
343
344 <para>The files listed with this directive will be read
345 shortly before the process is executed (more specifically,
346 after all processes from a previous unit state terminated.
347 This means you can generate these files in one unit state, and
f407824d
DH
348 read it with this option in the next).</para>
349
350 <para>Settings from these
798d3a52
ZJS
351 files override settings made with
352 <varname>Environment=</varname>. If the same variable is set
353 twice from these files, the files will be read in the order
354 they are specified and the later setting will override the
355 earlier setting.</para></listitem>
356 </varlistentry>
357
b4c14404
FB
358 <varlistentry>
359 <term><varname>PassEnvironment=</varname></term>
360
361 <listitem><para>Pass environment variables from the systemd system
362 manager to executed processes. Takes a space-separated list of variable
363 names. This option may be specified more than once, in which case all
364 listed variables will be set. If the empty string is assigned to this
365 option, the list of environment variables is reset, all prior
366 assignments have no effect. Variables that are not set in the system
367 manager will not be passed and will be silently ignored.</para>
368
369 <para>Variables passed from this setting are overridden by those passed
370 from <varname>Environment=</varname> or
371 <varname>EnvironmentFile=</varname>.</para>
372
373 <para>Example:
374 <programlisting>PassEnvironment=VAR1 VAR2 VAR3</programlisting>
375 passes three variables <literal>VAR1</literal>,
376 <literal>VAR2</literal>, <literal>VAR3</literal>
377 with the values set for those variables in PID1.</para>
378
379 <para>
380 See
381 <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
382 for details about environment variables.</para></listitem>
383 </varlistentry>
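The three entries above (Environment=, EnvironmentFile= and PassEnvironment=) together define what a service process ends up seeing, and the interaction matters for anything secret or security-relevant that is carried in the environment. The script below is an added example, not code from systemd: it models the documented tokenising rules of Environment=, the comment, continuation and quoting rules of EnvironmentFile= including the <literal>-</literal> optional-file prefix, and the precedence PassEnvironment= below Environment= below EnvironmentFile=. File contents are injected through a reader callback so it runs offline; wildcard expressions in EnvironmentFile= and specifier expansion are not modelled. The sample file contents and the manager environment are constructed.

```python
"""Compute a service's environment from the three [Service] sources.

Added example following the Environment=, EnvironmentFile= and
PassEnvironment= entries above. It is not systemd's implementation.
"""
import shlex


def parse_environment_value(value):
    """Split one Environment= assignment into (name, value) pairs.

    Double quotes group a value containing spaces; shlex in POSIX mode
    removes the quotes but performs no expansion, so '$' stays literal.
    """
    pairs = []
    for token in shlex.split(value):
        name, sep, val = token.partition("=")
        if sep and name:
            pairs.append((name, val))
    return pairs


def parse_environment_file(text):
    """Parse EnvironmentFile= contents per the rules in the entry above."""
    pairs = []
    pending = []  # pieces of a backslash-continued logical line
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending.append(raw[:-1])  # concatenate with the following line
            continue
        pending.append(raw)
        line = "".join(pending).strip()
        pending = []
        # Empty lines, comment lines and lines without '=' are ignored.
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        name, _, val = line.partition("=")
        name, val = name.strip(), val.strip()
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = val[1:-1]  # quotes protect inner whitespace from stripping
        pairs.append((name, val))
    return pairs


def _fold(assignments, extend):
    """Apply the shared 'empty string resets the list' rule to a setting."""
    items = []
    for value in assignments:
        items = [] if value.strip() == "" else items + extend(value)
    return items


def build_environment(manager_env, pass_environment, environment, environment_files, read_file):
    """Combine the three sources in documented precedence order.

    manager_env       environment of the service manager (PID 1), as a dict
    pass_environment  PassEnvironment= assignments, each a space-separated name list
    environment       Environment= assignments
    environment_files EnvironmentFile= assignments, each one path, optionally '-' prefixed
    read_file         callable returning a path's text or raising FileNotFoundError
    """
    env = {}
    for name in _fold(pass_environment, str.split):
        if name in manager_env:  # names unset in the manager are silently ignored
            env[name] = manager_env[name]
    env.update(_fold(environment, parse_environment_value))
    for spec in _fold(environment_files, lambda v: [v.strip()]):
        optional = spec.startswith("-")
        path = spec[1:] if optional else spec
        try:
            text = read_file(path)
        except FileNotFoundError:
            if optional:
                continue  # '-' prefix: missing file is neither read nor reported
            raise
        env.update(parse_environment_file(text))  # files override Environment=
    return env


# Constructed sample data for the demonstration; the paths are hypothetical.
SAMPLE_FILES = {
    "/etc/demo/app.conf": (
        "# constructed sample file\n"
        "TOKEN=  from-file  \n"
        'QUOTED="  keep spaces  "\n'
        "LONG=part1\\\n"
        "part2\n"
        "a line without an equals sign\n"
        ";DISABLED=1\n"
    ),
}


def read_sample_file(path):
    try:
        return SAMPLE_FILES[path]
    except KeyError:
        raise FileNotFoundError(path) from None


def demo():
    return build_environment(
        {"PATH": "/usr/bin", "HOME": "/root"},
        ["PATH HOME NOT_IN_MANAGER"],
        ['"VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"', "TOKEN=from-env PATH=/overridden"],
        ["/etc/demo/app.conf", "-/etc/demo/missing.conf"],
        read_sample_file,
    )
```

The point to take from running it: a value set through Environment= can be silently replaced by a file named in EnvironmentFile=, and a mandatory (non-<literal>-</literal>) file that is missing stops the service from starting, which is the behaviour you want for a file carrying credentials.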

      <varlistentry>
        <term><varname>StandardInput=</varname></term>
        <listitem><para>Controls where file descriptor 0 (STDIN) of
        the executed processes is connected to. Takes one of
        <option>null</option>,
        <option>tty</option>,
        <option>tty-force</option>,
        <option>tty-fail</option> or
        <option>socket</option>.</para>

        <para>If <option>null</option> is selected, standard input
        will be connected to <filename>/dev/null</filename>, i.e. all
        read attempts by the process will result in immediate
        EOF.</para>

        <para>If <option>tty</option> is selected, standard input is
        connected to a TTY (as configured by
        <varname>TTYPath=</varname>, see below) and the executed
        process becomes the controlling process of the terminal. If
        the terminal is already being controlled by another process,
        the executed process waits until the current controlling
        process releases the terminal.</para>

        <para><option>tty-force</option> is similar to
        <option>tty</option>, but the executed process is forcefully
        and immediately made the controlling process of the terminal,
        potentially removing previous controlling processes from the
        terminal.</para>

        <para><option>tty-fail</option> is similar to
        <option>tty</option>, but if the terminal already has a
        controlling process, start-up of the executed process
        fails.</para>

        <para>The <option>socket</option> option is only valid in
        socket-activated services, and only when the socket
        configuration file (see
        <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
        for details) specifies a single socket only. If this option is
        set, standard input will be connected to the socket the
        service was activated from, which is primarily useful for
        compatibility with daemons designed for use with the
        traditional
        <citerefentry project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        daemon.</para>

        <para>This setting defaults to
        <option>null</option>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>StandardOutput=</varname></term>
        <listitem><para>Controls where file descriptor 1 (STDOUT) of
        the executed processes is connected to. Takes one of
        <option>inherit</option>,
        <option>null</option>,
        <option>tty</option>,
        <option>journal</option>,
        <option>syslog</option>,
        <option>kmsg</option>,
        <option>journal+console</option>,
        <option>syslog+console</option>,
        <option>kmsg+console</option> or
        <option>socket</option>.</para>

        <para><option>inherit</option> duplicates the file descriptor
        of standard input for standard output.</para>

        <para><option>null</option> connects standard output to
        <filename>/dev/null</filename>, i.e. everything written to it
        will be lost.</para>

        <para><option>tty</option> connects standard output to a tty
        (as configured via <varname>TTYPath=</varname>, see below). If
        the TTY is used for output only, the executed process will not
        become the controlling process of the terminal, and will not
        fail or wait for other processes to release the
        terminal.</para>

        <para><option>journal</option> connects standard output with
        the journal which is accessible via
        <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
        Note that everything that is written to syslog or kmsg (see
        below) is implicitly stored in the journal as well; the
        two options listed below are hence supersets of this
        one.</para>

        <para><option>syslog</option> connects standard output to the
        <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
        system syslog service, in addition to the journal. Note that
        the journal daemon is usually configured to forward everything
        it receives to syslog anyway, in which case this option is no
        different from <option>journal</option>.</para>

        <para><option>kmsg</option> connects standard output with the
        kernel log buffer which is accessible via
        <citerefentry project='man-pages'><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
        in addition to the journal. The journal daemon might be
        configured to send all logs to kmsg anyway, in which case this
        option is no different from <option>journal</option>.</para>

        <para><option>journal+console</option>,
        <option>syslog+console</option> and
        <option>kmsg+console</option> work in a similar way as the
        three options above but copy the output to the system console
        as well.</para>

        <para><option>socket</option> connects standard output to a
        socket acquired via socket activation. The semantics are
        similar to the same option of
        <varname>StandardInput=</varname>.</para>

        <para>If the standard output (or error output, see below) of a unit is connected to the journal, syslog or the
        kernel log buffer, the unit will implicitly gain a dependency of type <varname>After=</varname> on
        <filename>systemd-journald.socket</filename> (also see the automatic dependencies section above).</para>

        <para>This setting defaults to the value set with
        <option>DefaultStandardOutput=</option> in
        <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
        which defaults to <option>journal</option>. Note that setting
        this parameter might result in additional dependencies being
        added to the unit (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>StandardError=</varname></term>
        <listitem><para>Controls where file descriptor 2 (STDERR) of
        the executed processes is connected to. The available options
        are identical to those of <varname>StandardOutput=</varname>,
        with one exception: if set to <option>inherit</option>, the
        file descriptor used for standard output is duplicated for
        standard error. This setting defaults to the value set with
        <option>DefaultStandardError=</option> in
        <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
        which defaults to <option>inherit</option>. Note that setting
        this parameter might result in additional dependencies being
        added to the unit (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>TTYPath=</varname></term>
        <listitem><para>Sets the terminal device node to use if
        standard input, output, or error are connected to a TTY (see
        above). Defaults to
        <filename>/dev/console</filename>.</para></listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>TTYReset=</varname></term>
        <listitem><para>Reset the terminal device specified with
        <varname>TTYPath=</varname> before and after execution.
        Defaults to <literal>no</literal>.</para></listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>TTYVHangup=</varname></term>
        <listitem><para>Disconnect all clients which have opened the
        terminal device specified with <varname>TTYPath=</varname>
        before and after execution. Defaults to
        <literal>no</literal>.</para></listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>TTYVTDisallocate=</varname></term>
        <listitem><para>If the terminal device specified with
        <varname>TTYPath=</varname> is a virtual console terminal, try
        to deallocate the TTY before and after execution. This ensures
        that the screen and scrollback buffer are cleared. Defaults to
        <literal>no</literal>.</para></listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>SyslogIdentifier=</varname></term>
        <listitem><para>Sets the process name used to prefix log lines sent
        to the logging system or the kernel log buffer. If not
        set, defaults to the process name of the executed process.
        This option is only useful when
        <varname>StandardOutput=</varname> or
        <varname>StandardError=</varname> are set to
        <option>syslog</option>, <option>journal</option> or
        <option>kmsg</option> (or to the same settings in combination
        with <option>+console</option>).</para></listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>SyslogFacility=</varname></term>
        <listitem><para>Sets the syslog facility to use when logging
        to syslog. One of <option>kern</option>,
        <option>user</option>, <option>mail</option>,
        <option>daemon</option>, <option>auth</option>,
        <option>syslog</option>, <option>lpr</option>,
        <option>news</option>, <option>uucp</option>,
        <option>cron</option>, <option>authpriv</option>,
        <option>ftp</option>, <option>local0</option>,
        <option>local1</option>, <option>local2</option>,
        <option>local3</option>, <option>local4</option>,
        <option>local5</option>, <option>local6</option> or
        <option>local7</option>. See
        <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
        for details. This option is only useful when
        <varname>StandardOutput=</varname> or
        <varname>StandardError=</varname> are set to
        <option>syslog</option>. Defaults to
        <option>daemon</option>.</para></listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>SyslogLevel=</varname></term>
        <listitem><para>The default syslog level to use when logging to
        syslog or the kernel log buffer. One of
        <option>emerg</option>,
        <option>alert</option>,
        <option>crit</option>,
        <option>err</option>,
        <option>warning</option>,
        <option>notice</option>,
        <option>info</option>,
        <option>debug</option>. See
        <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
        for details. This option is only useful when
        <varname>StandardOutput=</varname> or
        <varname>StandardError=</varname> are set to
        <option>syslog</option> or <option>kmsg</option>. Note that
        individual lines output by the daemon might be prefixed with a
        different log level which can be used to override the default
        log level specified here. The interpretation of these prefixes
        may be disabled with <varname>SyslogLevelPrefix=</varname>,
        see below. For details, see
        <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
        Defaults to
        <option>info</option>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>SyslogLevelPrefix=</varname></term>
        <listitem><para>Takes a boolean argument. If true and
        <varname>StandardOutput=</varname> or
        <varname>StandardError=</varname> are set to
        <option>syslog</option>, <option>kmsg</option> or
        <option>journal</option>, log lines written by the executed
        process that are prefixed with a log level will be passed on
        to syslog with this log level set but the prefix removed. If
        set to false, the interpretation of these prefixes is disabled
        and the logged lines are passed on as-is. For details about
        this prefixing see
        <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
        Defaults to true.</para></listitem>
      </varlistentry>
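The interaction of SyslogLevel= and SyslogLevelPrefix= described in the two entries above determines the priority each line of a service's output is recorded with, which is what journal and SIEM filters later key on. The script below is an added example, not systemd's code: it assigns every line the unit's default level and, when prefix interpretation is enabled, lets a leading sd-daemon(3) priority marker (a single digit 0 to 7 between a less-than and a greater-than character) override that level and strips the marker. The level names are the ones listed under SyslogLevel=, numbered in syslog(3) order; the sample lines are constructed, with the marker characters spelled as escapes.

```python
"""Apply SyslogLevel= and SyslogLevelPrefix= semantics to service output.

Added example, not code from systemd. Routes each output line to a
syslog level the way the two entries above describe.
"""
import re

# Level names from the SyslogLevel= entry, in syslog(3) numeric order 0..7.
SYSLOG_LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# \x3c and \x3e are the regex escapes for the less-than and greater-than
# characters that frame an sd-daemon(3) priority prefix, e.g. "\x3c3\x3e".
PREFIX_RE = re.compile(r"^\x3c([0-7])\x3e")


def route_line(line, default_level="info", prefix_enabled=True):
    """Return (level_name, message) for one line of service output.

    With prefix_enabled (SyslogLevelPrefix=yes) a recognised marker sets the
    level and is removed; otherwise the line is passed on as-is at the
    unit's default level (SyslogLevel=).
    """
    if default_level not in SYSLOG_LEVELS:
        raise ValueError(f"unknown SyslogLevel= value: {default_level!r}")
    if prefix_enabled:
        match = PREFIX_RE.match(line)
        if match:
            return SYSLOG_LEVELS[int(match.group(1))], line[match.end():]
    return default_level, line


def route_lines(lines, default_level="info", prefix_enabled=True):
    """Route a whole batch of lines; keeps order, one tuple per line."""
    return [route_line(line, default_level, prefix_enabled) for line in lines]


def constructed_sample():
    """Three lines as a daemon might write them (constructed, not captured)."""
    lt, gt = "\x3c", "\x3e"  # less-than / greater-than spelled as escapes
    return [
        "starting up",
        f"{lt}3{gt}database unreachable",
        f"{lt}7{gt}retrying in 5s",
    ]


if __name__ == "__main__":
    for level, message in route_lines(constructed_sample(), "info", True):
        print(f"{level:8s} {message}")
```

The second configuration worth exercising is SyslogLevelPrefix=no: the same three lines are then all recorded at the default level with the markers left in the text, so a collector that filters on priority alone would miss the err line.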

      <varlistentry>
        <term><varname>TimerSlackNSec=</varname></term>
        <listitem><para>Sets the timer slack in nanoseconds for the
        executed processes. The timer slack controls the accuracy of
        wake-ups triggered by timers. See
        <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
        for more information. Note that in contrast to most other time
        span definitions this parameter takes an integer value in
        nanoseconds if no unit is specified. The usual time units are
        understood too.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>LimitCPU=</varname></term>
        <term><varname>LimitFSIZE=</varname></term>
        <term><varname>LimitDATA=</varname></term>
        <term><varname>LimitSTACK=</varname></term>
        <term><varname>LimitCORE=</varname></term>
        <term><varname>LimitRSS=</varname></term>
        <term><varname>LimitNOFILE=</varname></term>
        <term><varname>LimitAS=</varname></term>
        <term><varname>LimitNPROC=</varname></term>
        <term><varname>LimitMEMLOCK=</varname></term>
        <term><varname>LimitLOCKS=</varname></term>
        <term><varname>LimitSIGPENDING=</varname></term>
        <term><varname>LimitMSGQUEUE=</varname></term>
        <term><varname>LimitNICE=</varname></term>
        <term><varname>LimitRTPRIO=</varname></term>
        <term><varname>LimitRTTIME=</varname></term>
        <listitem><para>Set soft and hard limits on various resources for executed processes. See
        <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> for details on
        the resource limit concept. Resource limits may be specified in two formats: either as a single value to set a
        specific soft and hard limit to the same value, or as a colon-separated pair <option>soft:hard</option> to set
        both limits individually (e.g. <literal>LimitAS=4G:16G</literal>). Use the string <varname>infinity</varname>
        to configure no limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base
        1024) may be used for resource limits measured in bytes (e.g. <literal>LimitAS=16G</literal>). For the limits referring to time
        values, the usual time units ms, s, min, h and so on may be used (see
        <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
        details). Note that if no time unit is specified for <varname>LimitCPU=</varname> the default unit of seconds
        is implied, while for <varname>LimitRTTIME=</varname> the default unit of microseconds is implied. Also, note
        that the effective granularity of the limits might influence their enforcement. For example, time limits
        specified for <varname>LimitCPU=</varname> will be rounded up implicitly to multiples of 1s. For
671 <varname>LimitNICE=</varname> the value may be specified in two syntaxes: if prefixed with <literal>+</literal>
672 or <literal>-</literal>, the value is understood as regular Linux nice value in the range -20..19. If not
673 prefixed like this the value is understood as raw resource limit parameter in the range 0..40 (with 0 being
674 equivalent to 1).</para>
a4c18002
LP
675
676 <para>Note that most process resource limits configured with
677 these options are per-process, and processes may fork in order
678 to acquire a new set of resources that are accounted
679 independently of the original process, and may thus escape
680 limits set. Also note that <varname>LimitRSS=</varname> is not
681 implemented on Linux, and setting it has no effect. Often it
682 is advisable to prefer the resource controls listed in
683 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
684 over these per-process limits, as they apply to services as a
685 whole, may be altered dynamically at runtime, and are
686 generally more expressive. For example,
687 <varname>MemoryLimit=</varname> is a more powerful (and
688 working) replacement for <varname>LimitRSS=</varname>.</para>
798d3a52
ZJS
689
690 <table>
691 <title>Limit directives and their equivalent with ulimit</title>
692
a4c18002 693 <tgroup cols='3'>
798d3a52
ZJS
694 <colspec colname='directive' />
695 <colspec colname='equivalent' />
a4c18002 696 <colspec colname='unit' />
798d3a52
ZJS
697 <thead>
698 <row>
699 <entry>Directive</entry>
700 <entry>ulimit equivalent</entry>
a4c18002 701 <entry>Unit</entry>
798d3a52
ZJS
702 </row>
703 </thead>
704 <tbody>
705 <row>
a4c18002 706 <entry>LimitCPU=</entry>
798d3a52 707 <entry>ulimit -t</entry>
a4c18002 708 <entry>Seconds</entry>
798d3a52
ZJS
709 </row>
710 <row>
a4c18002 711 <entry>LimitFSIZE=</entry>
798d3a52 712 <entry>ulimit -f</entry>
a4c18002 713 <entry>Bytes</entry>
798d3a52
ZJS
714 </row>
715 <row>
a4c18002 716 <entry>LimitDATA=</entry>
798d3a52 717 <entry>ulimit -d</entry>
a4c18002 718 <entry>Bytes</entry>
798d3a52
ZJS
719 </row>
720 <row>
a4c18002 721 <entry>LimitSTACK=</entry>
798d3a52 722 <entry>ulimit -s</entry>
a4c18002 723 <entry>Bytes</entry>
798d3a52
ZJS
724 </row>
725 <row>
a4c18002 726 <entry>LimitCORE=</entry>
798d3a52 727 <entry>ulimit -c</entry>
a4c18002 728 <entry>Bytes</entry>
798d3a52
ZJS
729 </row>
730 <row>
a4c18002 731 <entry>LimitRSS=</entry>
798d3a52 732 <entry>ulimit -m</entry>
a4c18002 733 <entry>Bytes</entry>
798d3a52
ZJS
734 </row>
735 <row>
a4c18002 736 <entry>LimitNOFILE=</entry>
798d3a52 737 <entry>ulimit -n</entry>
a4c18002 738 <entry>Number of File Descriptors</entry>
798d3a52
ZJS
739 </row>
740 <row>
a4c18002 741 <entry>LimitAS=</entry>
798d3a52 742 <entry>ulimit -v</entry>
a4c18002 743 <entry>Bytes</entry>
798d3a52
ZJS
744 </row>
745 <row>
a4c18002 746 <entry>LimitNPROC=</entry>
798d3a52 747 <entry>ulimit -u</entry>
a4c18002 748 <entry>Number of Processes</entry>
798d3a52
ZJS
749 </row>
750 <row>
a4c18002 751 <entry>LimitMEMLOCK=</entry>
798d3a52 752 <entry>ulimit -l</entry>
a4c18002 753 <entry>Bytes</entry>
798d3a52
ZJS
754 </row>
755 <row>
a4c18002 756 <entry>LimitLOCKS=</entry>
798d3a52 757 <entry>ulimit -x</entry>
a4c18002 758 <entry>Number of Locks</entry>
798d3a52
ZJS
759 </row>
760 <row>
a4c18002 761 <entry>LimitSIGPENDING=</entry>
798d3a52 762 <entry>ulimit -i</entry>
a4c18002 763 <entry>Number of Queued Signals</entry>
798d3a52
ZJS
764 </row>
765 <row>
a4c18002 766 <entry>LimitMSGQUEUE=</entry>
798d3a52 767 <entry>ulimit -q</entry>
a4c18002 768 <entry>Bytes</entry>
798d3a52
ZJS
769 </row>
770 <row>
a4c18002 771 <entry>LimitNICE=</entry>
798d3a52 772 <entry>ulimit -e</entry>
a4c18002 773 <entry>Nice Level</entry>
798d3a52
ZJS
774 </row>
775 <row>
a4c18002 776 <entry>LimitRTPRIO=</entry>
798d3a52 777 <entry>ulimit -r</entry>
a4c18002 778 <entry>Realtime Priority</entry>
798d3a52
ZJS
779 </row>
780 <row>
a4c18002 781 <entry>LimitRTTIME=</entry>
798d3a52 782 <entry>No equivalent</entry>
a4c18002 783 <entry>Microseconds</entry>
798d3a52
ZJS
784 </row>
785 </tbody>
786 </tgroup>
a4c18002 787 </table></listitem>
798d3a52
ZJS
788 </varlistentry>
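          <para>As an added illustration (not systemd's own code), the following Python parser applies the
          <varname>Limit*=</varname> value rules described above: a single value or a <literal>soft:hard</literal>
          pair, <literal>infinity</literal>, base-1024 byte suffixes, time units with the per-directive default unit
          and whole-second rounding for <varname>LimitCPU=</varname>, and the two <varname>LimitNICE=</varname>
          syntaxes. The conversion of a <literal>+</literal>/<literal>-</literal> nice value to the raw parameter as
          20 minus the nice value is the kernel's <constant>RLIMIT_NICE</constant> convention and is assumed here, as
          it is not stated on this page. A soft limit above the hard limit is rejected, as
          <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> would
          reject it.</para>

```python
"""Parser for systemd Limit*= values, modelled on the syntax described above.
Added illustration, not systemd's own parser. Results are (soft, hard) in the
resource's base unit: bytes, seconds (LimitCPU=), microseconds (LimitRTTIME=),
the raw 0..40 parameter (LimitNICE=), or a plain count. None means infinity."""
import math
import re

INFINITY = None  # "infinity": no limit on the resource (RLIM_INFINITY)

BYTE_LIMITS = {"LimitFSIZE", "LimitDATA", "LimitSTACK", "LimitCORE", "LimitRSS",
               "LimitAS", "LimitMEMLOCK", "LimitMSGQUEUE"}
BYTE_SUFFIX = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4,
               "P": 1024 ** 5, "E": 1024 ** 6}
# time units, expressed in microseconds (subset of what systemd.time(7) accepts)
TIME_UNIT_USEC = {"us": 1, "ms": 1000, "s": 10 ** 6, "min": 60 * 10 ** 6,
                  "h": 3600 * 10 ** 6, "d": 86400 * 10 ** 6}
# default unit when none is given: seconds for LimitCPU=, microseconds for LimitRTTIME=
TIME_BASE_USEC = {"LimitCPU": 10 ** 6, "LimitRTTIME": 1}
COUNT_LIMITS = {"LimitNOFILE", "LimitNPROC", "LimitLOCKS", "LimitSIGPENDING", "LimitRTPRIO"}


def _parse_bytes(text):
    m = re.fullmatch(r"(\d+)([KMGTPE]?)", text)
    if not m:
        raise ValueError(f"bad byte value: {text!r}")
    return int(m.group(1)) * BYTE_SUFFIX.get(m.group(2), 1)


def _parse_time(directive, text):
    """Return the value in the directive's base unit (s for CPU, us for RTTIME)."""
    m = re.fullmatch(r"(\d+)\s*([a-z]*)", text)
    if not m or (m.group(2) and m.group(2) not in TIME_UNIT_USEC):
        raise ValueError(f"bad time value: {text!r}")
    unit_usec = TIME_UNIT_USEC[m.group(2)] if m.group(2) else TIME_BASE_USEC[directive]
    usec = int(m.group(1)) * unit_usec
    # LimitCPU= is enforced at whole-second granularity, so 1500ms becomes 2s;
    # for LimitRTTIME= the base unit is already the microsecond.
    return math.ceil(usec / TIME_BASE_USEC[directive])


def _parse_nice(text):
    if text[0] in "+-":
        nice = int(text)  # regular Linux nice value, -20..19
        if nice not in range(-20, 20):
            raise ValueError(f"nice value out of range: {text!r}")
        return 20 - nice  # kernel RLIMIT_NICE convention (assumed): raw = 20 - nice
    raw = int(text)  # raw resource limit parameter, 0..40
    if raw not in range(41):
        raise ValueError(f"raw nice limit out of range: {text!r}")
    return max(raw, 1)  # 0 is equivalent to 1


def _parse_one(directive, text):
    if not text:
        raise ValueError("empty limit value")
    if text == "infinity":
        return INFINITY
    if directive in BYTE_LIMITS:
        return _parse_bytes(text)
    if directive in TIME_BASE_USEC:
        return _parse_time(directive, text)
    if directive == "LimitNICE":
        return _parse_nice(text)
    if directive in COUNT_LIMITS:
        return int(text)
    raise ValueError(f"unknown directive: {directive}")


def parse_limit(assignment):
    """Parse 'LimitX=value' or 'LimitX=soft:hard' into (directive, soft, hard)."""
    directive, sep, value = assignment.partition("=")
    directive, value = directive.strip(), value.strip()
    if not sep or not directive.startswith("Limit"):
        raise ValueError(f"not a Limit*= assignment: {assignment!r}")
    if ":" in value:
        soft_text, hard_text = value.split(":", 1)
    else:
        soft_text = hard_text = value  # a single value sets both limits
    soft = _parse_one(directive, soft_text)
    hard = _parse_one(directive, hard_text)
    # setrlimit(2) rejects a soft limit that exceeds the hard limit
    if hard is not INFINITY and (soft is INFINITY or soft > hard):
        raise ValueError(f"soft limit exceeds hard limit: {assignment!r}")
    return directive, soft, hard
```

          <para>Calling <literal>parse_limit("LimitAS=4G:16G")</literal> yields the byte pair
          (4294967296, 17179869184); <literal>parse_limit("LimitCPU=1500ms")</literal> yields 2 seconds for both
          limits because of the rounding noted above.</para>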

        <varlistentry>
          <term><varname>PAMName=</varname></term>
          <listitem><para>Sets the PAM service name to set up a session
          as. If set, the executed process will be registered as a PAM
          session under the specified service name. This is only useful
          in conjunction with the <varname>User=</varname> setting. If
          not set, no PAM session will be opened for the executed
          processes. See
          <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
          for details.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>CapabilityBoundingSet=</varname></term>

          <listitem><para>Controls which capabilities to include in the capability bounding set for the executed
          process. See <citerefentry
          project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
          details. Takes a whitespace-separated list of capability names as read by <citerefentry
          project='mankier'><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
          e.g. <constant>CAP_SYS_ADMIN</constant>, <constant>CAP_DAC_OVERRIDE</constant>,
          <constant>CAP_SYS_PTRACE</constant>. Capabilities listed will be included in the bounding set, all others are
          removed. If the list of capabilities is prefixed with <literal>~</literal>, all but the listed capabilities
          will be included, i.e. the effect of the assignment is inverted. Note that this option also affects the respective
          capabilities in the effective, permitted and inheritable capability sets. If this option is not used, the
          capability bounding set is not modified on process execution, hence no limits on the capabilities of the
          process are enforced. This option may appear more than once, in which case the bounding sets are merged. If the
          empty string is assigned to this option, the bounding set is reset to the empty capability set, and all prior
          settings have no effect. If set to <literal>~</literal> (without any further argument), the bounding set is
          reset to the full set of available capabilities, also undoing any previous settings. This does not affect
          commands prefixed with <literal>+</literal>.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>AmbientCapabilities=</varname></term>

          <listitem><para>Controls which capabilities to include in the
          ambient capability set for the executed process. Takes a
          whitespace-separated list of capability names as read by
          <citerefentry project='mankier'><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
          e.g. <constant>CAP_SYS_ADMIN</constant>,
          <constant>CAP_DAC_OVERRIDE</constant>,
          <constant>CAP_SYS_PTRACE</constant>. This option may appear more than
          once, in which case the ambient capability sets are merged.
          If the list of capabilities is prefixed with <literal>~</literal>, all
          but the listed capabilities will be included, i.e. the effect of the
          assignment is inverted. If the empty string is
          assigned to this option, the ambient capability set is reset to
          the empty capability set, and all prior settings have no effect.
          If set to <literal>~</literal> (without any further argument), the
          ambient capability set is reset to the full set of available
          capabilities, also undoing any previous settings. Note that adding
          capabilities to the ambient capability set also adds them to the process's
          inheritable capability set.
          </para><para>
          Ambient capability sets are useful if you want to execute a process
          as a non-privileged user but still want to give it some capabilities.
          Note that in this case the option <constant>keep-caps</constant> is
          automatically added to <varname>SecureBits=</varname> to retain the
          capabilities over the user change. <varname>AmbientCapabilities=</varname> does not affect
          commands prefixed with <literal>+</literal>.</para></listitem>
        </varlistentry>
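          <para>The list syntax and reset rules shared by <varname>CapabilityBoundingSet=</varname> and
          <varname>AmbientCapabilities=</varname> are modelled by the following Python code, added here as an
          illustration rather than taken from systemd. It folds a unit's assignments in file order into the
          resulting set, treats the empty string and a bare <literal>~</literal> as the two resets described above,
          and applies the <varname>PrivateDevices=</varname> removal of <constant>CAP_MKNOD</constant> and the
          <constant>CAP_SYS_ADMIN</constant> caveat from the <varname>ProtectSystem=</varname> and
          <varname>ProtectHome=</varname> entries further down. Two assumptions are not spelled out on this page:
          "merged" is taken to mean the union of the sets denoted by each assignment, and the capability name table
          is the one from capabilities(7) rather than a call to cap_from_name(3).</para>

```python
"""Model of how systemd combines CapabilityBoundingSet= / AmbientCapabilities=
assignments, as described above. Added illustration, not systemd's parser:
merging repeated assignments by set union is an assumption drawn from the text."""

# Capability names as listed in capabilities(7), CAP_CHOWN (0) .. CAP_AUDIT_READ (37).
ALL_CAPS = frozenset("""
CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_KILL
CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE
CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER
CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT
CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME
CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE CAP_AUDIT_WRITE CAP_AUDIT_CONTROL
CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG CAP_WAKE_ALARM
CAP_BLOCK_SUSPEND CAP_AUDIT_READ
""".split())


def parse_capability_list(value):
    """Map one assignment's right-hand side to the set it denotes:
    '' is the empty set, '~' the full set, '~A B' everything but A and B,
    and 'A B' exactly {A, B}."""
    value = value.strip()
    invert = value.startswith("~")
    names = value[1:].split() if invert else value.split()
    unknown = [n for n in names if n not in ALL_CAPS]
    if unknown:
        # cap_from_name(3) would fail on these and systemd would log a parse error
        raise ValueError(f"unknown capability name(s): {unknown}")
    listed = frozenset(names)
    return ALL_CAPS - listed if invert else listed


def merge_capability_settings(assignments):
    """Fold a unit's assignments (in file order) into the resulting set.
    Returns None when the option never appears, i.e. the set is left unmodified."""
    result = None
    for value in assignments:
        value = value.strip()
        if value in ("", "~") or result is None:
            # first assignment, or one of the two resets: prior settings no longer matter
            result = parse_capability_list(value)
        else:
            result = result | parse_capability_list(value)  # "merged": union (assumed)
    return result


def effective_bounding_set(assignments, private_devices=False):
    """Bounding set after CapabilityBoundingSet= and PrivateDevices= are applied."""
    caps = merge_capability_settings(assignments)
    if private_devices:
        # PrivateDevices=yes additionally removes CAP_MKNOD from the bounding set
        caps = (ALL_CAPS if caps is None else caps) - {"CAP_MKNOD"}
    return caps


def undermines_protect_system(bounding):
    """ProtectSystem=/ProtectHome= can be undone by a process retaining CAP_SYS_ADMIN,
    so an unrestricted (None) or CAP_SYS_ADMIN-bearing bounding set weakens them."""
    return bounding is None or "CAP_SYS_ADMIN" in bounding
```

          <para>For a typical network daemon, <literal>merge_capability_settings(["CAP_NET_BIND_SERVICE"])</literal>
          returns a one-element set for which <literal>undermines_protect_system()</literal> is false; leaving the
          option unset returns <literal>None</literal>, which the check flags because the full set is retained.</para>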
852
798d3a52
ZJS
853 <varlistentry>
854 <term><varname>SecureBits=</varname></term>
855 <listitem><para>Controls the secure bits set for the executed
856 process. Takes a space-separated combination of options from
857 the following list:
858 <option>keep-caps</option>,
859 <option>keep-caps-locked</option>,
860 <option>no-setuid-fixup</option>,
861 <option>no-setuid-fixup-locked</option>,
862 <option>noroot</option>, and
863 <option>noroot-locked</option>.
b938cb90 864 This option may appear more than once, in which case the secure
798d3a52 865 bits are ORed. If the empty string is assigned to this option,
43eb109a 866 the bits are reset to 0. This does not affect commands prefixed with <literal>+</literal>.
cf677fe6 867 See <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
798d3a52
ZJS
868 for details.</para></listitem>
869 </varlistentry>
870
798d3a52 871 <varlistentry>
2a624c36
AP
872 <term><varname>ReadWritePaths=</varname></term>
873 <term><varname>ReadOnlyPaths=</varname></term>
874 <term><varname>InaccessiblePaths=</varname></term>
798d3a52
ZJS
875
876 <listitem><para>Sets up a new file system namespace for
877 executed processes. These options may be used to limit access
878 a process might have to the main file system hierarchy. Each
c4b41707 879 setting takes a space-separated list of paths relative to
043cc715 880 the host's root directory (i.e. the system running the service manager).
c4b41707 881 Note that if entries contain symlinks, they are resolved from the host's root directory as well.
2a624c36
AP
882 Entries (files or directories) listed in
883 <varname>ReadWritePaths=</varname> are accessible from
798d3a52 884 within the namespace with the same access rights as from
c4b41707 885 outside. Entries listed in
2a624c36 886 <varname>ReadOnlyPaths=</varname> are accessible for
798d3a52 887 reading only, writing will be refused even if the usual file
c4b41707 888 access controls would permit this. Entries listed in
2a624c36 889 <varname>InaccessiblePaths=</varname> will be made
b50a16af
NBS
890 inaccessible for processes inside the namespace, and may not
891 countain any other mountpoints, including those specified by
2a624c36
AP
892 <varname>ReadWritePaths=</varname> or
893 <varname>ReadOnlyPaths=</varname>.
b50a16af 894 Note that restricting access with these options does not extend
c4b41707
AP
895 to submounts of a directory that are created later on.
896 Non-directory paths can be specified as well. These
b938cb90 897 options may be specified more than once, in which case all
c4b41707 898 paths listed will have limited access from within the
798d3a52
ZJS
899 namespace. If the empty string is assigned to this option, the
900 specific list is reset, and all prior assignments have no
901 effect.</para>
902 <para>Paths in
2a624c36 903 <varname>ReadOnlyPaths=</varname>
798d3a52 904 and
2a624c36 905 <varname>InaccessiblePaths=</varname>
798d3a52
ZJS
906 may be prefixed with
907 <literal>-</literal>, in which case
908 they will be ignored when they do not
909 exist. Note that using this
910 setting will disconnect propagation of
911 mounts from the service to the host
912 (propagation in the opposite direction
913 continues to work). This means that
914 this setting may not be used for
915 services which shall be able to
916 install mount points in the main mount
917 namespace.</para></listitem>
918 </varlistentry>
919
920 <varlistentry>
921 <term><varname>PrivateTmp=</varname></term>
922
923 <listitem><para>Takes a boolean argument. If true, sets up a
924 new file system namespace for the executed processes and
925 mounts private <filename>/tmp</filename> and
926 <filename>/var/tmp</filename> directories inside it that is
927 not shared by processes outside of the namespace. This is
928 useful to secure access to temporary files of the process, but
929 makes sharing between processes via <filename>/tmp</filename>
930 or <filename>/var/tmp</filename> impossible. If this is
931 enabled, all temporary files created by a service in these
932 directories will be removed after the service is stopped.
933 Defaults to false. It is possible to run two or more units
934 within the same private <filename>/tmp</filename> and
935 <filename>/var/tmp</filename> namespace by using the
936 <varname>JoinsNamespaceOf=</varname> directive, see
937 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
938 for details. Note that using this setting will disconnect
939 propagation of mounts from the service to the host
940 (propagation in the opposite direction continues to work).
941 This means that this setting may not be used for services
942 which shall be able to install mount points in the main mount
943 namespace.</para></listitem>
944 </varlistentry>
945
946 <varlistentry>
947 <term><varname>PrivateDevices=</varname></term>
948
949 <listitem><para>Takes a boolean argument. If true, sets up a
950 new /dev namespace for the executed processes and only adds
951 API pseudo devices such as <filename>/dev/null</filename>,
952 <filename>/dev/zero</filename> or
953 <filename>/dev/random</filename> (as well as the pseudo TTY
954 subsystem) to it, but no physical devices such as
955 <filename>/dev/sda</filename>. This is useful to securely turn
956 off physical device access by the executed process. Defaults
957 to false. Enabling this option will also remove
958 <constant>CAP_MKNOD</constant> from the capability bounding
959 set for the unit (see above), and set
960 <varname>DevicePolicy=closed</varname> (see
961 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
962 for details). Note that using this setting will disconnect
963 propagation of mounts from the service to the host
964 (propagation in the opposite direction continues to work).
965 This means that this setting may not be used for services
966 which shall be able to install mount points in the main mount
737ba3c8 967 namespace. The /dev namespace will be mounted read-only and 'noexec'.
968 The latter may break old programs which try to set up executable
969 memory by using <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry>
970 of <filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>.</para></listitem>
798d3a52
ZJS
971 </varlistentry>
972
973 <varlistentry>
974 <term><varname>PrivateNetwork=</varname></term>
975
976 <listitem><para>Takes a boolean argument. If true, sets up a
977 new network namespace for the executed processes and
978 configures only the loopback network device
979 <literal>lo</literal> inside it. No other network devices will
980 be available to the executed process. This is useful to
981 securely turn off network access by the executed process.
982 Defaults to false. It is possible to run two or more units
983 within the same private network namespace by using the
984 <varname>JoinsNamespaceOf=</varname> directive, see
985 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
986 for details. Note that this option will disconnect all socket
987 families from the host, this includes AF_NETLINK and AF_UNIX.
988 The latter has the effect that AF_UNIX sockets in the abstract
989 socket namespace will become unavailable to the processes
990 (however, those located in the file system will continue to be
991 accessible).</para></listitem>
992 </varlistentry>
993
994 <varlistentry>
d251207d
LP
995 <term><varname>PrivateUsers=</varname></term>
996
997 <listitem><para>Takes a boolean argument. If true, sets up a new user namespace for the executed processes and
998 configures a minimal user and group mapping, that maps the <literal>root</literal> user and group as well as
999 the unit's own user and group to themselves and everything else to the <literal>nobody</literal> user and
1000 group. This is useful to securely detach the user and group databases used by the unit from the rest of the
1001 system, and thus to create an effective sandbox environment. All files, directories, processes, IPC objects and
1002 other resources owned by users/groups not equalling <literal>root</literal> or the unit's own will stay visible
1003 from within the unit but appear owned by the <literal>nobody</literal> user and group. If this mode is enabled,
1004 all unit processes are run without privileges in the host user namespace (regardless if the unit's own
1005 user/group is <literal>root</literal> or not). Specifically this means that the process will have zero process
1006 capabilities on the host's user namespace, but full capabilities within the service's user namespace. Settings
1007 such as <varname>CapabilityBoundingSet=</varname> will affect only the latter, and there's no way to acquire
1008 additional capabilities in the host's user namespace. Defaults to off.</para>
1009
1010 <para>This setting is particularly useful in conjunction with <varname>RootDirectory=</varname>, as the need to
1011 synchronize the user and group databases in the root directory and on the host is reduced, as the only users
1012 and groups who need to be matched are <literal>root</literal>, <literal>nobody</literal> and the unit's own
1013 user and group.</para></listitem>
1014 </varlistentry>
1015
798d3a52
ZJS
1016 <varlistentry>
1017 <term><varname>ProtectSystem=</varname></term>
1018
1019 <listitem><para>Takes a boolean argument or
1020 <literal>full</literal>. If true, mounts the
1021 <filename>/usr</filename> and <filename>/boot</filename>
1022 directories read-only for processes invoked by this unit. If
1023 set to <literal>full</literal>, the <filename>/etc</filename>
1024 directory is mounted read-only, too. This setting ensures that
b938cb90 1025 any modification of the vendor-supplied operating system (and
798d3a52
ZJS
1026 optionally its configuration) is prohibited for the service.
1027 It is recommended to enable this setting for all long-running
1028 services, unless they are involved with system updates or need
1029 to modify the operating system in other ways. Note however
1030 that processes retaining the CAP_SYS_ADMIN capability can undo
1031 the effect of this setting. This setting is hence particularly
1032 useful for daemons which have this capability removed, for
1033 example with <varname>CapabilityBoundingSet=</varname>.
1034 Defaults to off.</para></listitem>
1035 </varlistentry>
1036
1037 <varlistentry>
1038 <term><varname>ProtectHome=</varname></term>
1039
1040 <listitem><para>Takes a boolean argument or
1041 <literal>read-only</literal>. If true, the directories
58331437
CH
1042 <filename>/home</filename>, <filename>/root</filename> and
1043 <filename>/run/user</filename>
798d3a52 1044 are made inaccessible and empty for processes invoked by this
58331437 1045 unit. If set to <literal>read-only</literal>, the three
798d3a52
ZJS
1046 directories are made read-only instead. It is recommended to
1047 enable this setting for all long-running services (in
1048 particular network-facing ones), to ensure they cannot get
1049 access to private user data, unless the services actually
1050 require access to the user's private data. Note however that
1051 processes retaining the CAP_SYS_ADMIN capability can undo the
1052 effect of this setting. This setting is hence particularly
1053 useful for daemons which have this capability removed, for
1054 example with <varname>CapabilityBoundingSet=</varname>.
1055 Defaults to off.</para></listitem>
1056 </varlistentry>
1057
1058 <varlistentry>
1059 <term><varname>MountFlags=</varname></term>
1060
1061 <listitem><para>Takes a mount propagation flag:
1062 <option>shared</option>, <option>slave</option> or
1063 <option>private</option>, which control whether mounts in the
1064 file system namespace set up for this unit's processes will
1065 receive or propagate mounts or unmounts. See
3ba3a79d 1066 <citerefentry project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>
798d3a52
ZJS
1067 for details. Defaults to <option>shared</option>. Use
1068 <option>shared</option> to ensure that mounts and unmounts are
1069 propagated from the host to the container and vice versa. Use
1070 <option>slave</option> to run processes so that none of their
1071 mounts and unmounts will propagate to the host. Use
1072 <option>private</option> to also ensure that no mounts and
1073 unmounts from the host will propagate into the unit processes'
1074 namespace. Note that <option>slave</option> means that file
1075 systems mounted on the host might stay mounted continuously in
1076 the unit's namespace, and thus keep the device busy. Note that
1077 the file system namespace related options
1078 (<varname>PrivateTmp=</varname>,
1079 <varname>PrivateDevices=</varname>,
1080 <varname>ProtectSystem=</varname>,
1081 <varname>ProtectHome=</varname>,
2a624c36
AP
1082 <varname>ReadOnlyPaths=</varname>,
1083 <varname>InaccessiblePaths=</varname> and
1084 <varname>ReadWritePaths=</varname>) require that mount
798d3a52
ZJS
1085 and unmount propagation from the unit's file system namespace
1086 is disabled, and hence downgrade <option>shared</option> to
1087 <option>slave</option>. </para></listitem>
1088 </varlistentry>
1089
1090 <varlistentry>
1091 <term><varname>UtmpIdentifier=</varname></term>
1092
1093 <listitem><para>Takes a four character identifier string for
023a4f67
LP
1094 an <citerefentry
1095 project='man-pages'><refentrytitle>utmp</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1096 and wtmp entry for this service. This should only be
1097 set for services such as <command>getty</command>
1098 implementations (such as <citerefentry
1099 project='die-net'><refentrytitle>agetty</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
798d3a52 1100 where utmp/wtmp entries must be created and cleared before and
023a4f67
LP
1101 after execution, or for services that shall be executed as if
1102 they were run by a <command>getty</command> process (see
1103 below). If the configured string is longer than four
798d3a52
ZJS
1104 characters, it is truncated and the terminal four characters
1105 are used. This setting interprets %I style string
1106 replacements. This setting is unset by default, i.e. no
1107 utmp/wtmp entries are created or cleaned up for this
1108 service.</para></listitem>
1109 </varlistentry>
1110
023a4f67
LP
1111 <varlistentry>
1112 <term><varname>UtmpMode=</varname></term>
1113
1114 <listitem><para>Takes one of <literal>init</literal>,
1115 <literal>login</literal> or <literal>user</literal>. If
1116 <varname>UtmpIdentifier=</varname> is set, controls which
1117 type of <citerefentry
1118 project='man-pages'><refentrytitle>utmp</refentrytitle><manvolnum>5</manvolnum></citerefentry>/wtmp
1119 entries for this service are generated. This setting has no
1120 effect unless <varname>UtmpIdentifier=</varname> is set
1121 too. If <literal>init</literal> is set, only an
1122 <constant>INIT_PROCESS</constant> entry is generated and the
6cd16034
LP
1123 invoked process must implement a
1124 <command>getty</command>-compatible utmp/wtmp logic. If
1125 <literal>login</literal> is set, first an
a8eaaee7 1126 <constant>INIT_PROCESS</constant> entry, followed by a
6cd16034 1127 <constant>LOGIN_PROCESS</constant> entry is generated. In
b938cb90 1128 this case, the invoked process must implement a <citerefentry
023a4f67
LP
1129 project='die-net'><refentrytitle>login</refentrytitle><manvolnum>1</manvolnum></citerefentry>-compatible
1130 utmp/wtmp logic. If <literal>user</literal> is set, first an
1131 <constant>INIT_PROCESS</constant> entry, then a
a8eaaee7 1132 <constant>LOGIN_PROCESS</constant> entry and finally a
023a4f67 1133 <constant>USER_PROCESS</constant> entry is generated. In this
b938cb90 1134 case, the invoked process may be any process that is suitable
023a4f67
LP
1135 to be run as session leader. Defaults to
1136 <literal>init</literal>.</para></listitem>
1137 </varlistentry>
1138
798d3a52
ZJS
1139 <varlistentry>
1140 <term><varname>SELinuxContext=</varname></term>
1141
1142 <listitem><para>Set the SELinux security context of the
1143 executed process. If set, this will override the automated
1144 domain transition. However, the policy still needs to
1145 authorize the transition. This directive is ignored if SELinux
1146 is disabled. If prefixed by <literal>-</literal>, all errors
43eb109a 1147 will be ignored. This does not affect commands prefixed with <literal>+</literal>.
cf677fe6 1148 See <citerefentry project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
798d3a52
ZJS
1149 for details.</para></listitem>
1150 </varlistentry>
1151
1152 <varlistentry>
1153 <term><varname>AppArmorProfile=</varname></term>
1154
1155 <listitem><para>Takes a profile name as argument. The process
1156 executed by the unit will switch to this profile when started.
1157 Profiles must already be loaded in the kernel, or the unit
1158 will fail. This result in a non operation if AppArmor is not
1159 enabled. If prefixed by <literal>-</literal>, all errors will
43eb109a 1160 be ignored. This does not affect commands prefixed with <literal>+</literal>.</para></listitem>
798d3a52
ZJS
1161 </varlistentry>
1162
1163 <varlistentry>
1164 <term><varname>SmackProcessLabel=</varname></term>
1165
1166 <listitem><para>Takes a <option>SMACK64</option> security
1167 label as argument. The process executed by the unit will be
1168 started under this label and SMACK will decide whether the
b938cb90 1169 process is allowed to run or not, based on it. The process
798d3a52
ZJS
1170 will continue to run under the label specified here unless the
1171 executable has its own <option>SMACK64EXEC</option> label, in
1172 which case the process will transition to run under that
1173 label. When not specified, the label that systemd is running
1174 under is used. This directive is ignored if SMACK is
1175 disabled.</para>
1176
1177 <para>The value may be prefixed by <literal>-</literal>, in
1178 which case all errors will be ignored. An empty value may be
cf677fe6 1179 specified to unset previous assignments. This does not affect
43eb109a 1180 commands prefixed with <literal>+</literal>.</para>
798d3a52
ZJS
1181 </listitem>
1182 </varlistentry>
1183
1184 <varlistentry>
1185 <term><varname>IgnoreSIGPIPE=</varname></term>
1186
1187 <listitem><para>Takes a boolean argument. If true, causes
1188 <constant>SIGPIPE</constant> to be ignored in the executed
1189 process. Defaults to true because <constant>SIGPIPE</constant>
1190 generally is useful only in shell pipelines.</para></listitem>
1191 </varlistentry>
1192
1193 <varlistentry>
1194 <term><varname>NoNewPrivileges=</varname></term>
1195
1196 <listitem><para>Takes a boolean argument. If true, ensures
1197 that the service process and all its children can never gain
1198 new privileges. This option is more powerful than the
1199 respective secure bits flags (see above), as it also prohibits
1200 UID changes of any kind. This is the simplest, most effective
1201 way to ensure that a process and its children can never
1202 elevate privileges again.</para></listitem>
1203 </varlistentry>
1204
1205 <varlistentry>
1206 <term><varname>SystemCallFilter=</varname></term>
1207
1208 <listitem><para>Takes a space-separated list of system call
1209 names. If this setting is used, all system calls executed by
1210 the unit processes except for the listed ones will result in
1211 immediate process termination with the
1212 <constant>SIGSYS</constant> signal (whitelisting). If the
1213 first character of the list is <literal>~</literal>, the
1214 effect is inverted: only the listed system calls will result
1215 in immediate process termination (blacklisting). If running in
19c0b0b9 1216 user mode, or in system mode, but without the
008dce38 1217 <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting
19c0b0b9 1218 <varname>User=nobody</varname>),
798d3a52
ZJS
1219 <varname>NoNewPrivileges=yes</varname> is implied. This
1220 feature makes use of the Secure Computing Mode 2 interfaces of
1221 the kernel ('seccomp filtering') and is useful for enforcing a
1222 minimal sandboxing environment. Note that the
1223 <function>execve</function>,
1224 <function>rt_sigreturn</function>,
1225 <function>sigreturn</function>,
1226 <function>exit_group</function>, <function>exit</function>
1227 system calls are implicitly whitelisted and do not need to be
b938cb90 1228 listed explicitly. This option may be specified more than once,
798d3a52
ZJS
1229 in which case the filter masks are merged. If the empty string
1230 is assigned, the filter is reset, all prior assignments will
43eb109a 1231 have no effect. This does not affect commands prefixed with <literal>+</literal>.</para>
798d3a52
ZJS
1232
1233 <para>If you specify both types of this option (i.e.
1234 whitelisting and blacklisting), the first encountered will
1235 take precedence and will dictate the default action
1236 (termination or approval of a system call). Then the next
1237 occurrences of this option will add or delete the listed
1238 system calls from the set of the filtered system calls,
1239 depending of its type and the default action. (For example, if
1240 you have started with a whitelisting of
1241 <function>read</function> and <function>write</function>, and
1242 right after it add a blacklisting of
1243 <function>write</function>, then <function>write</function>
201c1cc2
TM
1244 will be removed from the set.)</para>
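          <para>The precedence and merging rules just described are modelled by the following Python code, added
          here as an illustration and not taken from systemd's seccomp implementation. The first assignment fixes
          the default action; later assignments of the same sense add to the listed set and assignments of the
          opposite sense remove from it; the empty string resets the filter; and the five implicitly whitelisted
          calls are always allowed. The <literal>@</literal>-set expansions are a constructed, abbreviated stand-in
          that holds only the calls this page names for each set; the real sets are considerably larger.</para>

```python
"""Model of how repeated SystemCallFilter= assignments combine, following the
rules described above. Added illustration, not systemd's seccomp code; the
@-set contents are abbreviated to the calls this page names for each set."""

# calls systemd always allows so the process can still start and terminate cleanly
IMPLICIT_ALLOW = frozenset(["execve", "rt_sigreturn", "sigreturn", "exit_group", "exit"])

# constructed, abbreviated expansions of the predefined sets (the real sets are larger)
SYSCALL_SETS = {
    "@clock": frozenset(["adjtimex", "settimeofday"]),
    "@cpu-emulation": frozenset(["vm86"]),
    "@debug": frozenset(["ptrace", "perf_event_open"]),
    "@io-event": frozenset(["poll", "select", "epoll_wait", "epoll_ctl", "eventfd"]),
}


def expand(names):
    """Expand '@set' entries; plain names are taken as system call names."""
    calls = set()
    for name in names:
        if name.startswith("@"):
            if name not in SYSCALL_SETS:
                raise ValueError(f"unknown system call set: {name}")
            calls |= SYSCALL_SETS[name]
        else:
            calls.add(name)
    return calls


def build_syscall_filter(assignments):
    """Fold assignments (in unit-file order) into (mode, listed_calls).
    mode is 'whitelist' (default action: SIGSYS), 'blacklist' (default
    action: allow) or None when no filter is installed at all."""
    mode, listed = None, set()
    for value in assignments:
        value = value.strip()
        if value == "":
            mode, listed = None, set()  # empty string: the filter is reset
            continue
        invert = value.startswith("~")
        calls = expand((value[1:] if invert else value).split())
        if mode is None:
            # the first assignment encountered dictates the default action
            mode = "blacklist" if invert else "whitelist"
            listed = calls
        elif (mode == "blacklist") == invert:
            listed |= calls  # same sense as the default: add to the listed set
        else:
            listed -= calls  # opposite sense: remove from the listed set
    return mode, frozenset(listed)


def check_syscall(syscall_filter, name):
    """Outcome when a process of the unit invokes the system call `name`."""
    mode, listed = syscall_filter
    if mode is None or name in IMPLICIT_ALLOW:
        return "allow"
    if mode == "whitelist":
        return "allow" if name in listed else "SIGSYS"
    return "SIGSYS" if name in listed else "allow"
```

          <para>Running the page's own example, <literal>build_syscall_filter(["read write", "~write"])</literal>,
          yields a whitelist containing only <function>read</function>: <function>write</function> then terminates
          the process with <constant>SIGSYS</constant>, while <function>execve</function> stays allowed because it is
          implicitly whitelisted.</para>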

        <para>As the number of possible system
        calls is large, predefined sets of system calls are provided.
        A set starts with the <literal>@</literal> character, followed by
        the name of the set.

        <table>
          <title>Currently predefined system call sets</title>

          <tgroup cols='2'>
            <colspec colname='set' />
            <colspec colname='description' />
            <thead>
              <row>
                <entry>Set</entry>
                <entry>Description</entry>
              </row>
            </thead>
            <tbody>
              <row>
                <entry>@clock</entry>
                <entry>System calls for changing the system clock (<citerefentry project='man-pages'><refentrytitle>adjtimex</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>settimeofday</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
              </row>
              <row>
                <entry>@cpu-emulation</entry>
                <entry>System calls for CPU emulation functionality (<citerefentry project='man-pages'><refentrytitle>vm86</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
              </row>
              <row>
                <entry>@debug</entry>
                <entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
              </row>
              <row>
                <entry>@io-event</entry>
                <entry>Event loop system calls (<citerefentry project='man-pages'><refentrytitle>poll</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>select</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>eventfd</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
              </row>
              <row>
                <entry>@ipc</entry>
                <entry>SysV IPC, POSIX Message Queues or other IPC (<citerefentry project='man-pages'><refentrytitle>mq_overview</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>svipc</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
              </row>
              <row>
                <entry>@keyring</entry>
                <entry>Kernel keyring access (<citerefentry project='man-pages'><refentrytitle>keyctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
              </row>
              <row>
                <entry>@module</entry>
                <entry>Kernel module control (<citerefentry project='man-pages'><refentrytitle>init_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>delete_module</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
              </row>
              <row>
                <entry>@mount</entry>
                <entry>File system mounting and unmounting (<citerefentry project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
              </row>
              <row>
                <entry>@network-io</entry>
                <entry>Socket I/O (including local AF_UNIX): <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry></entry>
              </row>
              <row>
                <entry>@obsolete</entry>
                <entry>Unusual, obsolete or unimplemented (<citerefentry project='man-pages'><refentrytitle>create_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>gtty</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
              </row>
              <row>
                <entry>@privileged</entry>
                <entry>All system calls which need super-user capabilities (<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
              </row>
              <row>
                <entry>@process</entry>
                <entry>Process control, execution, namespaces (<citerefentry project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>kill</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>, …)</entry>
              </row>
              <row>
                <entry>@raw-io</entry>
                <entry>Raw I/O port access (<citerefentry project='man-pages'><refentrytitle>ioperm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>iopl</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>pciconfig_read()</function>, …)</entry>
              </row>
            </tbody>
          </tgroup>
        </table>

        Note that as new system calls are added to the kernel, additional system calls might be added to the groups
        above, so the contents of the sets may change between systemd versions.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>SystemCallErrorNumber=</varname></term>

        <listitem><para>Takes an <literal>errno</literal> error number
        name to return when the system call filter configured with
        <varname>SystemCallFilter=</varname> is triggered, instead of
        terminating the process immediately. Takes an error name such
        as <constant>EPERM</constant>, <constant>EACCES</constant> or
        <constant>EUCLEAN</constant>. When this setting is not used,
        or when the empty string is assigned, the process will be
        terminated immediately when the filter is
        triggered.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>SystemCallArchitectures=</varname></term>

        <listitem><para>Takes a space-separated list of architecture
        identifiers to include in the system call filter. The known
        architecture identifiers are <constant>x86</constant>,
        <constant>x86-64</constant>, <constant>x32</constant>,
        <constant>arm</constant> as well as the special identifier
        <constant>native</constant>. Only system calls of the
        specified architectures will be permitted to processes of this
        unit. This is an effective way to disable compatibility with
        non-native architectures for processes, for example to
        prohibit execution of 32-bit x86 binaries on 64-bit x86-64
        systems. The special <constant>native</constant> identifier
        implicitly maps to the native architecture of the system (or
        more strictly: to the architecture the system manager is
        compiled for). If running in user mode, or in system mode,
        but without the <constant>CAP_SYS_ADMIN</constant>
        capability (e.g. setting <varname>User=nobody</varname>),
        <varname>NoNewPrivileges=yes</varname> is implied. Note
        that setting this option to a non-empty list implies that
        <constant>native</constant> is included too. By default, this
        option is set to the empty list, i.e. no architecture system
        call filtering is applied.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>RestrictAddressFamilies=</varname></term>

        <listitem><para>Restricts the set of socket address families
        accessible to the processes of this unit. Takes a
        space-separated list of address family names to whitelist,
        such as
        <constant>AF_UNIX</constant>,
        <constant>AF_INET</constant> or
        <constant>AF_INET6</constant>. When
        prefixed with <constant>~</constant> the listed address
        families will be applied as a blacklist, otherwise as a whitelist.
        Note that this restricts access to the
        <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry>
        system call only. Sockets passed into the process by other
        means (for example, by using socket activation with socket
        units, see
        <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
        are unaffected. Also, sockets created with
        <function>socketpair()</function> (which creates connected
        AF_UNIX sockets only) are unaffected. Note that this option
        has no effect on 32-bit x86 and is ignored (but works
        correctly on x86-64). If running in user mode, or in system
        mode, but without the <constant>CAP_SYS_ADMIN</constant>
        capability (e.g. setting <varname>User=nobody</varname>),
        <varname>NoNewPrivileges=yes</varname> is implied. By
        default, no restriction applies and all address families are
        accessible to processes. If assigned the empty string, any
        previous list changes are undone.</para>

        <para>Use this option to limit exposure of processes to remote
        systems, in particular via exotic network protocols. Note that
        in most cases, the local <constant>AF_UNIX</constant> address
        family should be included in the configured whitelist as it is
        frequently used for local communication, including for
        <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry>
        logging. This does not affect commands prefixed with <literal>+</literal>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Personality=</varname></term>

        <listitem><para>Controls which kernel architecture <citerefentry
        project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry> shall report,
        when invoked by unit processes. Takes one of the architecture identifiers <constant>x86</constant>,
        <constant>x86-64</constant>, <constant>ppc</constant>, <constant>ppc-le</constant>, <constant>ppc64</constant>,
        <constant>ppc64-le</constant>, <constant>s390</constant> or <constant>s390x</constant>. Which personality
        architectures are supported depends on the system architecture. Usually the 64-bit versions of the various
        system architectures support their immediate 32-bit personality architecture counterpart, but no others. For
        example, <constant>x86-64</constant> systems support the <constant>x86-64</constant> and
        <constant>x86</constant> personalities but no others. The personality feature is useful when running 32-bit
        services on a 64-bit host system. If not specified, the personality is left unmodified and thus reflects the
        personality of the host system's kernel.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>RuntimeDirectory=</varname></term>
        <term><varname>RuntimeDirectoryMode=</varname></term>

        <listitem><para>Takes a list of directory names. If set, one
        or more directories by the specified names will be created
        below <filename>/run</filename> (for system services) or below
        <varname>$XDG_RUNTIME_DIR</varname> (for user services) when
        the unit is started, and removed when the unit is stopped. The
        directories will have the access mode specified in
        <varname>RuntimeDirectoryMode=</varname>, and will be owned by
        the user and group specified in <varname>User=</varname> and
        <varname>Group=</varname>. Use this to manage one or more
        runtime directories of the unit and bind their lifetime to the
        daemon runtime. The specified directory names must be
        relative, and may not include a <literal>/</literal>, i.e.
        must refer to simple directories to create or remove. This is
        particularly useful for unprivileged daemons that cannot
        create runtime directories in <filename>/run</filename> due to
        lack of privileges, and to make sure the runtime directory is
        cleaned up automatically after use. For runtime directories
        that require more complex or different configuration or
        lifetime guarantees, please consider using
        <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>MemoryDenyWriteExecute=</varname></term>

        <listitem><para>Takes a boolean argument. If set, attempts to create memory mappings that are writable and
        executable at the same time, or to change existing memory mappings to become executable are prohibited.
        Specifically, a system call filter is added that rejects
        <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry>
        system calls with both <constant>PROT_EXEC</constant> and <constant>PROT_WRITE</constant> set
        and <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry>
        system calls with <constant>PROT_EXEC</constant> set. Note that this option is incompatible with programs
        that generate program code dynamically at runtime, such as JIT execution engines, or programs compiled making
        use of the code "trampoline" feature of various C compilers. This option improves service security, as it makes
        it harder for software exploits to change running code dynamically.
        </para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>RestrictRealtime=</varname></term>

        <listitem><para>Takes a boolean argument. If set, any attempts to enable realtime scheduling in a process of
        the unit are refused. This restricts access to realtime task scheduling policies such as
        <constant>SCHED_FIFO</constant>, <constant>SCHED_RR</constant> or <constant>SCHED_DEADLINE</constant>. See
        <citerefentry><refentrytitle>sched</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details about
        these scheduling policies. Realtime scheduling policies may be used to monopolize CPU time for longer periods
        of time, and may hence be used to lock up or otherwise trigger Denial-of-Service situations on the system. It
        is hence recommended to restrict access to realtime scheduling to the few programs that actually require
        it. Defaults to off.</para></listitem>
      </varlistentry>

    </variablelist>
  </refsect1>

  <refsect1>
    <title>Environment variables in spawned processes</title>

    <para>Processes started by the system are executed in a clean
    environment in which select variables listed below are set. System
    processes started by systemd do not inherit variables from PID 1,
    but processes started by user systemd instances inherit all
    environment variables from the user systemd instance.
    </para>

    <variablelist class='environment-variables'>
      <varlistentry>
        <term><varname>$PATH</varname></term>

        <listitem><para>Colon-separated list of directories to use
        when launching executables. Systemd uses a fixed value of
        <filename>/usr/local/sbin</filename>:<filename>/usr/local/bin</filename>:<filename>/usr/sbin</filename>:<filename>/usr/bin</filename>:<filename>/sbin</filename>:<filename>/bin</filename>.
        </para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>$LANG</varname></term>

        <listitem><para>Locale. Can be set in
        <citerefentry project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
        or on the kernel command line (see
        <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        and
        <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>).
        </para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>$USER</varname></term>
        <term><varname>$LOGNAME</varname></term>
        <term><varname>$HOME</varname></term>
        <term><varname>$SHELL</varname></term>

        <listitem><para>User name (twice), home directory, and the
        login shell. The variables are set for the units that have
        <varname>User=</varname> set, which includes user
        <command>systemd</command> instances. See
        <citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
        </para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>$XDG_RUNTIME_DIR</varname></term>

        <listitem><para>The directory for volatile state. Set for the
        user <command>systemd</command> instance, and also in user
        sessions. See
        <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
        </para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>$XDG_SESSION_ID</varname></term>
        <term><varname>$XDG_SEAT</varname></term>
        <term><varname>$XDG_VTNR</varname></term>

        <listitem><para>The identifier of the session, the seat name,
        and virtual terminal of the session. Set by
        <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        for login sessions. <varname>$XDG_SEAT</varname> and
        <varname>$XDG_VTNR</varname> will only be set when attached to
        a seat and a tty.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>$MAINPID</varname></term>

        <listitem><para>The PID of the unit's main process if it is
        known. This is only set for control processes as invoked by
        <varname>ExecReload=</varname> and similar.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>$MANAGERPID</varname></term>

        <listitem><para>The PID of the user <command>systemd</command>
        instance, set for processes spawned by it.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>$LISTEN_FDS</varname></term>
        <term><varname>$LISTEN_PID</varname></term>
        <term><varname>$LISTEN_FDNAMES</varname></term>

        <listitem><para>Information about file descriptors passed to a
        service for socket activation. See
        <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
        </para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>$NOTIFY_SOCKET</varname></term>

        <listitem><para>The socket
        <function>sd_notify()</function> talks to. See
        <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
        </para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>$WATCHDOG_PID</varname></term>
        <term><varname>$WATCHDOG_USEC</varname></term>

        <listitem><para>Information about watchdog keep-alive notifications. See
        <citerefentry><refentrytitle>sd_watchdog_enabled</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
        </para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>$TERM</varname></term>

        <listitem><para>Terminal type, set only for units connected to
        a terminal (<varname>StandardInput=tty</varname>,
        <varname>StandardOutput=tty</varname>, or
        <varname>StandardError=tty</varname>). See
        <citerefentry project='man-pages'><refentrytitle>termcap</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
        </para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>$JOURNAL_STREAM</varname></term>

        <listitem><para>If the standard output or standard error output of the executed processes are connected to the
        journal (for example, by setting <varname>StandardError=journal</varname>) <varname>$JOURNAL_STREAM</varname>
        contains the device and inode numbers of the connection file descriptor, formatted in decimal, separated by a
        colon (<literal>:</literal>). This permits invoked processes to safely detect whether their standard output or
        standard error output are connected to the journal. The device and inode numbers of the file descriptors should
        be compared with the values set in the environment variable to determine whether the process output is still
        connected to the journal. Note that it is generally not sufficient to only check whether
        <varname>$JOURNAL_STREAM</varname> is set at all as services might invoke external processes replacing their
        standard output or standard error output, without unsetting the environment variable.</para>

        <para>This environment variable is primarily useful to allow services to optionally upgrade their used log
        protocol to the native journal protocol (using
        <citerefentry><refentrytitle>sd_journal_print</refentrytitle><manvolnum>3</manvolnum></citerefentry> and other
        functions) if their standard output or standard error output is connected to the journal anyway, thus enabling
        delivery of structured metadata along with logged messages.</para></listitem>
      </varlistentry>
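The device/inode comparison described above, as an added example that is not systemd's or sd-daemon's code: it parses <varname>$JOURNAL_STREAM</varname>, compares it against <function>fstat()</function> of a file descriptor rather than merely checking that the variable is set, and in <function>demo()</function> uses a constructed pipe in place of the real journal connection.

```python
"""Decide whether a file descriptor is still the journal stream.

Added example, not systemd's code.  $JOURNAL_STREAM is "<dev>:<ino>"
in decimal; a fd is the journal connection only if its fstat() device
and inode numbers match.  demo() substitutes a pipe for the journal.
"""
import os
import sys


def parse_journal_stream(value):
    """Return (device, inode) from a $JOURNAL_STREAM value, or None
    when the variable is unset, empty or malformed."""
    if not value:
        return None
    dev, sep, ino = value.partition(":")
    if sep != ":" or not dev.isdigit() or not ino.isdigit():
        return None
    return int(dev), int(ino)


def fd_is_journal_stream(fd, env_value):
    """True only if fd's device/inode equal the $JOURNAL_STREAM value.
    A set variable alone proves nothing: a parent may have redirected
    this process's output without unsetting $JOURNAL_STREAM."""
    ids = parse_journal_stream(env_value)
    if ids is None:
        return False
    try:
        st = os.fstat(fd)
    except OSError:          # closed or invalid descriptor
        return False
    return (st.st_dev, st.st_ino) == ids


def stdio_connected_to_journal(environ=None):
    """Check stdout and stderr against the (given or real) environment."""
    env = os.environ if environ is None else environ
    value = env.get("JOURNAL_STREAM")
    return {
        "stdout": fd_is_journal_stream(sys.stdout.fileno(), value),
        "stderr": fd_is_journal_stream(sys.stderr.fileno(), value),
    }


def journal_stream_value_for(fd):
    """Format a descriptor the way systemd formats $JOURNAL_STREAM."""
    st = os.fstat(fd)
    return f"{st.st_dev}:{st.st_ino}"


def demo():
    """Constructed demonstration: one pipe plays the journal stream,
    a second pipe plays a redirected output that must not match."""
    journal_r, journal_w = os.pipe()
    other_r, other_w = os.pipe()
    try:
        value = journal_stream_value_for(journal_w)
        return {
            "same_stream": fd_is_journal_stream(journal_w, value),
            "other_stream": fd_is_journal_stream(other_w, value),
            "unset": fd_is_journal_stream(journal_w, None),
        }
    finally:
        for fd in (journal_r, journal_w, other_r, other_w):
            os.close(fd)


if __name__ == "__main__":
    print(demo())
    print(stdio_connected_to_journal())
```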

      <varlistentry>
        <term><varname>$SERVICE_RESULT</varname></term>

        <listitem><para>Only defined for the service unit type, this environment variable is passed to all
        <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname> processes, and encodes the service
        "result". Currently, the following values are defined: <literal>timeout</literal> (in case of an operation
        timeout), <literal>exit-code</literal> (if a service process exited with a non-zero exit code; see
        <varname>$EXIT_STATUS</varname> below for the actual exit status returned), <literal>signal</literal> (if a
        service process was terminated abnormally by a signal; see <varname>$EXIT_STATUS</varname> below for the actual
        signal used for the termination), <literal>core-dump</literal> (if a service process terminated abnormally and
        dumped core), <literal>watchdog</literal> (if the watchdog keep-alive ping was enabled for the service but it
        missed the deadline), or <literal>resources</literal> (a catch-all condition in case a system operation
        failed).</para>

        <para>This environment variable is useful to monitor failure or successful termination of a service. Even
        though this variable is available in both <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname>, it
        is usually a better choice to place monitoring tools in the latter, as the former is only invoked for services
        that managed to start up correctly, and the latter covers both services that failed during their start-up and
        those which failed during their runtime.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>$EXIT_CODE</varname></term>
        <term><varname>$EXIT_STATUS</varname></term>

        <listitem><para>Only defined for the service unit type, these environment variables are passed to all
        <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname> processes and contain exit status/code
        information of the main process of the service. For the precise definition of the exit code and status, see
        <citerefentry><refentrytitle>wait</refentrytitle><manvolnum>2</manvolnum></citerefentry>. <varname>$EXIT_CODE</varname>
        is one of <literal>exited</literal>, <literal>killed</literal>,
        <literal>dumped</literal>. <varname>$EXIT_STATUS</varname> contains the numeric exit code formatted as a string
        if <varname>$EXIT_CODE</varname> is <literal>exited</literal>, and the signal name in all other cases. Note
        that these environment variables are only set if the service manager succeeded in starting and identifying the main
        process of the service.</para></listitem>
      </varlistentry>

    </variablelist>

    <para>Additional variables may be configured by the following
    means: for processes spawned in specific units, use the
    <varname>Environment=</varname>, <varname>EnvironmentFile=</varname>
    and <varname>PassEnvironment=</varname> options above; to specify
    variables globally, use <varname>DefaultEnvironment=</varname>
    (see
    <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
    or the kernel option <varname>systemd.setenv=</varname> (see
    <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).
    Additional variables may also be set through PAM,
    cf. <citerefentry project='man-pages'><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>