]>
Commit | Line | Data |
---|---|---|
dd1eb43b LP |
1 | <?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?> |
2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" | |
3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> | |
4 | ||
5 | <!-- | |
6 | This file is part of systemd. | |
7 | ||
8 | Copyright 2010 Lennart Poettering | |
9 | ||
10 | systemd is free software; you can redistribute it and/or modify it | |
5430f7f2 LP |
11 | under the terms of the GNU Lesser General Public License as published by |
12 | the Free Software Foundation; either version 2.1 of the License, or | |
dd1eb43b LP |
13 | (at your option) any later version. |
14 | ||
15 | systemd is distributed in the hope that it will be useful, but | |
16 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
5430f7f2 | 18 | Lesser General Public License for more details. |
dd1eb43b | 19 | |
5430f7f2 | 20 | You should have received a copy of the GNU Lesser General Public License |
dd1eb43b LP |
21 | along with systemd; If not, see <http://www.gnu.org/licenses/>. |
22 | --> | |
23 | ||
24 | <refentry id="systemd.exec"> | |
25 | <refentryinfo> | |
26 | <title>systemd.exec</title> | |
27 | <productname>systemd</productname> | |
28 | ||
29 | <authorgroup> | |
30 | <author> | |
31 | <contrib>Developer</contrib> | |
32 | <firstname>Lennart</firstname> | |
33 | <surname>Poettering</surname> | |
34 | <email>lennart@poettering.net</email> | |
35 | </author> | |
36 | </authorgroup> | |
37 | </refentryinfo> | |
38 | ||
39 | <refmeta> | |
40 | <refentrytitle>systemd.exec</refentrytitle> | |
41 | <manvolnum>5</manvolnum> | |
42 | </refmeta> | |
43 | ||
44 | <refnamediv> | |
45 | <refname>systemd.exec</refname> | |
34511ca7 | 46 | <refpurpose>Execution environment configuration</refpurpose> |
dd1eb43b LP |
47 | </refnamediv> |
48 | ||
49 | <refsynopsisdiv> | |
e670b166 ZJS |
50 | <para><filename><replaceable>service</replaceable>.service</filename>, |
51 | <filename><replaceable>socket</replaceable>.socket</filename>, | |
52 | <filename><replaceable>mount</replaceable>.mount</filename>, | |
53 | <filename><replaceable>swap</replaceable>.swap</filename></para> | |
dd1eb43b LP |
54 | </refsynopsisdiv> |
55 | ||
56 | <refsect1> | |
57 | <title>Description</title> | |
58 | ||
9a666408 | 59 | <para>Unit configuration files for services, sockets, |
43638332 | 60 | mount points, and swap devices share a subset of |
2292707d LP |
61 | configuration options which define the execution |
62 | environment of spawned processes.</para> | |
dd1eb43b LP |
63 | |
64 | <para>This man page lists the configuration options | |
9a666408 | 65 | shared by these four unit types. See |
dd1eb43b LP |
66 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
67 | for the common options of all unit configuration | |
68 | files, and | |
2292707d LP |
69 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
70 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
d868475a | 71 | <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
dd1eb43b LP |
72 | and |
73 | <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
74 | for more information on the specific unit | |
75 | configuration files. The execution specific | |
76 | configuration options are configured in the [Service], | |
16dad32e | 77 | [Socket], [Mount], or [Swap] sections, depending on the unit |
dd1eb43b LP |
78 | type.</para> |
79 | </refsect1> | |
80 | ||
81 | <refsect1> | |
82 | <title>Options</title> | |
83 | ||
ccc9a4f9 | 84 | <variablelist class='unit-directives'> |
dd1eb43b LP |
85 | |
86 | <varlistentry> | |
87 | <term><varname>WorkingDirectory=</varname></term> | |
88 | ||
89 | <listitem><para>Takes an absolute | |
90 | directory path. Sets the working | |
e06c73cc | 91 | directory for executed processes. If |
79640424 | 92 | not set, defaults to the root directory |
e06c73cc LP |
93 | when systemd is running as a system |
94 | instance and the respective user's | |
95 | home directory if run as | |
96 | user.</para></listitem> | |
dd1eb43b LP |
97 | </varlistentry> |
98 | ||
99 | <varlistentry> | |
100 | <term><varname>RootDirectory=</varname></term> | |
101 | ||
102 | <listitem><para>Takes an absolute | |
103 | directory path. Sets the root | |
104 | directory for executed processes, with | |
105 | the | |
106 | <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
79640424 | 107 | system call. If this is used, it must |
dd1eb43b LP |
108 | be ensured that the process and all |
109 | its auxiliary files are available in | |
110 | the <function>chroot()</function> | |
111 | jail.</para></listitem> | |
112 | </varlistentry> | |
113 | ||
114 | <varlistentry> | |
115 | <term><varname>User=</varname></term> | |
116 | <term><varname>Group=</varname></term> | |
117 | ||
118 | <listitem><para>Sets the Unix user | |
16dad32e AE |
119 | or group that the processes are executed |
120 | as, respectively. Takes a single user or group | |
dd1eb43b | 121 | name or ID as argument. If no group is |
16dad32e | 122 | set, the default group of the user is |
dd1eb43b LP |
123 | chosen.</para></listitem> |
124 | </varlistentry> | |
125 | ||
126 | <varlistentry> | |
127 | <term><varname>SupplementaryGroups=</varname></term> | |
128 | ||
129 | <listitem><para>Sets the supplementary | |
130 | Unix groups the processes are executed | |
e9dd9f95 | 131 | as. This takes a space-separated list |
dd1eb43b LP |
132 | of group names or IDs. This option may |
133 | be specified more than once in which | |
134 | case all listed groups are set as | |
74051b9b LP |
135 | supplementary groups. When the empty |
136 | string is assigned the list of | |
137 | supplementary groups is reset, and all | |
138 | assignments prior to this one will | |
139 | have no effect. In any way, this | |
140 | option does not override, but extends | |
141 | the list of supplementary groups | |
142 | configured in the system group | |
143 | database for the | |
dd1eb43b LP |
144 | user.</para></listitem> |
145 | </varlistentry> | |
146 | ||
147 | <varlistentry> | |
148 | <term><varname>Nice=</varname></term> | |
149 | ||
150 | <listitem><para>Sets the default nice | |
151 | level (scheduling priority) for | |
152 | executed processes. Takes an integer | |
153 | between -20 (highest priority) and 19 | |
154 | (lowest priority). See | |
155 | <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
156 | for details.</para></listitem> | |
157 | </varlistentry> | |
158 | ||
159 | <varlistentry> | |
dd6c17b1 | 160 | <term><varname>OOMScoreAdjust=</varname></term> |
dd1eb43b LP |
161 | |
162 | <listitem><para>Sets the adjustment | |
163 | level for the Out-Of-Memory killer for | |
164 | executed processes. Takes an integer | |
dd6c17b1 LP |
165 | between -1000 (to disable OOM killing |
166 | for this process) and 1000 (to make | |
dd1eb43b LP |
167 | killing of this process under memory |
168 | pressure very likely). See <ulink | |
6ed80a4e | 169 | url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink> |
dd1eb43b LP |
170 | for details.</para></listitem> |
171 | </varlistentry> | |
172 | ||
173 | <varlistentry> | |
174 | <term><varname>IOSchedulingClass=</varname></term> | |
175 | ||
176 | <listitem><para>Sets the IO scheduling | |
177 | class for executed processes. Takes an | |
178 | integer between 0 and 3 or one of the | |
179 | strings <option>none</option>, | |
180 | <option>realtime</option>, | |
181 | <option>best-effort</option> or | |
182 | <option>idle</option>. See | |
183 | <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
184 | for details.</para></listitem> | |
185 | </varlistentry> | |
186 | ||
187 | <varlistentry> | |
188 | <term><varname>IOSchedulingPriority=</varname></term> | |
189 | ||
190 | <listitem><para>Sets the IO scheduling | |
191 | priority for executed processes. Takes | |
192 | an integer between 0 (highest | |
193 | priority) and 7 (lowest priority). The | |
194 | available priorities depend on the | |
195 | selected IO scheduling class (see | |
196 | above). See | |
197 | <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
198 | for details.</para></listitem> | |
199 | </varlistentry> | |
200 | ||
201 | <varlistentry> | |
202 | <term><varname>CPUSchedulingPolicy=</varname></term> | |
203 | ||
204 | <listitem><para>Sets the CPU | |
205 | scheduling policy for executed | |
206 | processes. Takes one of | |
207 | <option>other</option>, | |
208 | <option>batch</option>, | |
209 | <option>idle</option>, | |
210 | <option>fifo</option> or | |
211 | <option>rr</option>. See | |
212 | <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
213 | for details.</para></listitem> | |
214 | </varlistentry> | |
215 | ||
216 | <varlistentry> | |
217 | <term><varname>CPUSchedulingPriority=</varname></term> | |
218 | ||
219 | <listitem><para>Sets the CPU | |
220 | scheduling priority for executed | |
bb112710 | 221 | processes. The available priority |
dd1eb43b | 222 | range depends on the selected CPU |
bb112710 HHPF |
223 | scheduling policy (see above). For |
224 | real-time scheduling policies an | |
225 | integer between 1 (lowest priority) | |
226 | and 99 (highest priority) can be used. | |
227 | See <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
228 | for details. | |
229 | </para></listitem> | |
dd1eb43b LP |
230 | </varlistentry> |
231 | ||
232 | <varlistentry> | |
233 | <term><varname>CPUSchedulingResetOnFork=</varname></term> | |
234 | ||
235 | <listitem><para>Takes a boolean | |
79640424 | 236 | argument. If true, elevated CPU |
dd1eb43b LP |
237 | scheduling priorities and policies |
238 | will be reset when the executed | |
239 | processes fork, and can hence not leak | |
240 | into child processes. See | |
241 | <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
242 | for details. Defaults to false.</para></listitem> | |
243 | </varlistentry> | |
244 | ||
245 | <varlistentry> | |
246 | <term><varname>CPUAffinity=</varname></term> | |
247 | ||
248 | <listitem><para>Controls the CPU | |
249 | affinity of the executed | |
96d4ce01 | 250 | processes. Takes a space-separated |
74051b9b LP |
251 | list of CPU indexes. This option may |
252 | be specified more than once in which | |
253 | case the specificed CPU affinity masks | |
254 | are merged. If the empty string is | |
79640424 | 255 | assigned, the mask is reset, all |
74051b9b LP |
256 | assignments prior to this will have no |
257 | effect. See | |
dd1eb43b LP |
258 | <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry> |
259 | for details.</para></listitem> | |
260 | </varlistentry> | |
261 | ||
262 | <varlistentry> | |
263 | <term><varname>UMask=</varname></term> | |
264 | ||
265 | <listitem><para>Controls the file mode | |
266 | creation mask. Takes an access mode in | |
267 | octal notation. See | |
268 | <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
269 | for details. Defaults to | |
260d3708 | 270 | 0022.</para></listitem> |
dd1eb43b LP |
271 | </varlistentry> |
272 | ||
273 | <varlistentry> | |
274 | <term><varname>Environment=</varname></term> | |
275 | ||
276 | <listitem><para>Sets environment | |
277 | variables for executed | |
96d4ce01 | 278 | processes. Takes a space-separated |
dd1eb43b LP |
279 | list of variable assignments. This |
280 | option may be specified more than once | |
281 | in which case all listed variables | |
282 | will be set. If the same variable is | |
79640424 | 283 | set twice, the later setting will |
74051b9b LP |
284 | override the earlier setting. If the |
285 | empty string is assigned to this | |
79640424 | 286 | option, the list of environment |
74051b9b | 287 | variables is reset, all prior |
0ae9c92a FC |
288 | assignments have no effect. |
289 | Variable expansion is not performed | |
97d0e5f8 | 290 | inside the strings, however, specifier |
79640424 | 291 | expansion is possible. The $ character has |
97d0e5f8 | 292 | no special meaning. |
0ae9c92a FC |
293 | If you need to assign a value containing spaces |
294 | to a variable, use double quotes (") | |
295 | for the assignment.</para> | |
296 | ||
297 | <para>Example: | |
298 | <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"</programlisting> | |
299 | gives three variables <literal>VAR1</literal>, | |
300 | <literal>VAR2</literal>, <literal>VAR3</literal>. | |
301 | </para> | |
302 | ||
303 | <para> | |
304 | See | |
dd1eb43b | 305 | <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
0ae9c92a | 306 | for details about environment variables.</para></listitem> |
dd1eb43b LP |
307 | </varlistentry> |
308 | <varlistentry> | |
309 | <term><varname>EnvironmentFile=</varname></term> | |
310 | <listitem><para>Similar to | |
311 | <varname>Environment=</varname> but | |
312 | reads the environment variables from a | |
313 | text file. The text file should | |
e9dd9f95 | 314 | contain new-line-separated variable |
dd1eb43b LP |
315 | assignments. Empty lines and lines |
316 | starting with ; or # will be ignored, | |
565d91fd MV |
317 | which may be used for commenting. A line |
318 | ending with a backslash will be concatenated | |
319 | with the following one, allowing multiline variable | |
320 | definitions. The parser strips leading | |
321 | and trailing whitespace from the values | |
7734f773 | 322 | of assignments, unless you use |
74051b9b LP |
323 | double quotes (").</para> |
324 | ||
325 | <para>The argument passed should be an | |
e9dd9f95 | 326 | absolute filename or wildcard |
74051b9b | 327 | expression, optionally prefixed with |
05cc7267 | 328 | <literal>-</literal>, which indicates |
6b4991cf JE |
329 | that if the file does not exist, it |
330 | will not be read and no error or warning | |
05cc7267 ZJS |
331 | message is logged. This option may be |
332 | specified more than once in which case | |
333 | all specified files are read. If the | |
334 | empty string is assigned to this | |
79640424 | 335 | option, the list of file to read is |
05cc7267 ZJS |
336 | reset, all prior assignments have no |
337 | effect.</para> | |
74051b9b LP |
338 | |
339 | <para>The files listed with this | |
f1779fd2 LP |
340 | directive will be read shortly before |
341 | the process is executed. Settings from | |
342 | these files override settings made | |
343 | with | |
344 | <varname>Environment=</varname>. If | |
345 | the same variable is set twice from | |
79640424 | 346 | these files, the files will be read in |
f1779fd2 LP |
347 | the order they are specified and the |
348 | later setting will override the | |
74051b9b | 349 | earlier setting.</para></listitem> |
dd1eb43b LP |
350 | </varlistentry> |
351 | ||
352 | <varlistentry> | |
353 | <term><varname>StandardInput=</varname></term> | |
354 | <listitem><para>Controls where file | |
355 | descriptor 0 (STDIN) of the executed | |
356 | processes is connected to. Takes one | |
357 | of <option>null</option>, | |
358 | <option>tty</option>, | |
359 | <option>tty-force</option>, | |
360 | <option>tty-fail</option> or | |
361 | <option>socket</option>. If | |
79640424 | 362 | <option>null</option> is selected, |
dd1eb43b LP |
363 | standard input will be connected to |
364 | <filename>/dev/null</filename>, | |
365 | i.e. all read attempts by the process | |
366 | will result in immediate EOF. If | |
79640424 | 367 | <option>tty</option> is selected, |
dd1eb43b LP |
368 | standard input is connected to a TTY |
369 | (as configured by | |
370 | <varname>TTYPath=</varname>, see | |
371 | below) and the executed process | |
372 | becomes the controlling process of the | |
373 | terminal. If the terminal is already | |
79640424 | 374 | being controlled by another process, the |
f8553ccb AE |
375 | executed process waits until the current |
376 | controlling process releases the | |
377 | terminal. | |
378 | <option>tty-force</option> | |
dd1eb43b LP |
379 | is similar to <option>tty</option>, |
380 | but the executed process is forcefully | |
381 | and immediately made the controlling | |
382 | process of the terminal, potentially | |
383 | removing previous controlling | |
384 | processes from the | |
385 | terminal. <option>tty-fail</option> is | |
386 | similar to <option>tty</option> but if | |
387 | the terminal already has a controlling | |
388 | process start-up of the executed | |
389 | process fails. The | |
390 | <option>socket</option> option is only | |
391 | valid in socket-activated services, | |
392 | and only when the socket configuration | |
393 | file (see | |
394 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
395 | for details) specifies a single socket | |
79640424 | 396 | only. If this option is set, standard |
dd1eb43b LP |
397 | input will be connected to the socket |
398 | the service was activated from, which | |
399 | is primarily useful for compatibility | |
400 | with daemons designed for use with the | |
401 | traditional | |
402 | <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
403 | daemon. This setting defaults to | |
404 | <option>null</option>.</para></listitem> | |
405 | </varlistentry> | |
406 | <varlistentry> | |
407 | <term><varname>StandardOutput=</varname></term> | |
408 | <listitem><para>Controls where file | |
409 | descriptor 1 (STDOUT) of the executed | |
410 | processes is connected to. Takes one | |
411 | of <option>inherit</option>, | |
412 | <option>null</option>, | |
413 | <option>tty</option>, | |
414 | <option>syslog</option>, | |
28dbc1e8 | 415 | <option>kmsg</option>, |
706343f4 LP |
416 | <option>journal</option>, |
417 | <option>syslog+console</option>, | |
28dbc1e8 | 418 | <option>kmsg+console</option>, |
706343f4 | 419 | <option>journal+console</option> or |
dd1eb43b | 420 | <option>socket</option>. If set to |
79640424 | 421 | <option>inherit</option>, the file |
dd1eb43b LP |
422 | descriptor of standard input is |
423 | duplicated for standard output. If set | |
79640424 | 424 | to <option>null</option>, standard |
dd1eb43b LP |
425 | output will be connected to |
426 | <filename>/dev/null</filename>, | |
427 | i.e. everything written to it will be | |
79640424 | 428 | lost. If set to <option>tty</option>, |
dd1eb43b LP |
429 | standard output will be connected to a |
430 | tty (as configured via | |
431 | <varname>TTYPath=</varname>, see | |
432 | below). If the TTY is used for output | |
79640424 | 433 | only, the executed process will not |
dd1eb43b LP |
434 | become the controlling process of the |
435 | terminal, and will not fail or wait | |
436 | for other processes to release the | |
437 | terminal. <option>syslog</option> | |
438 | connects standard output to the | |
439 | <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
346bce1f LP |
440 | system syslog |
441 | service. <option>kmsg</option> | |
dd1eb43b LP |
442 | connects it with the kernel log buffer |
443 | which is accessible via | |
706343f4 LP |
444 | <citerefentry><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <option>journal</option> |
445 | connects it with the journal which is | |
446 | accessible via | |
169c4f65 | 447 | <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> |
706343f4 LP |
448 | (Note that everything that is written |
449 | to syslog or kmsg is implicitly stored | |
450 | in the journal as well, those options | |
451 | are hence supersets of this | |
452 | one). <option>syslog+console</option>, | |
453 | <option>journal+console</option> and | |
454 | <option>kmsg+console</option> work | |
28dbc1e8 LP |
455 | similarly but copy the output to the |
456 | system console as | |
457 | well. <option>socket</option> connects | |
458 | standard output to a socket from | |
459 | socket activation, semantics are | |
dd1eb43b LP |
460 | similar to the respective option of |
461 | <varname>StandardInput=</varname>. | |
de6c78f8 LP |
462 | This setting defaults to the value set |
463 | with | |
464 | <option>DefaultStandardOutput=</option> | |
465 | in | |
5f9cfd4c | 466 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
de6c78f8 | 467 | which defaults to |
706343f4 | 468 | <option>journal</option>.</para></listitem> |
dd1eb43b LP |
469 | </varlistentry> |
470 | <varlistentry> | |
ad678a06 | 471 | <term><varname>StandardError=</varname></term> |
dd1eb43b LP |
472 | <listitem><para>Controls where file |
473 | descriptor 2 (STDERR) of the executed | |
474 | processes is connected to. The | |
475 | available options are identical to | |
476 | those of | |
ad678a06 | 477 | <varname>StandardOutput=</varname>, |
5471472d | 478 | with one exception: if set to |
dd1eb43b LP |
479 | <option>inherit</option> the file |
480 | descriptor used for standard output is | |
481 | duplicated for standard error. This | |
de6c78f8 LP |
482 | setting defaults to the value set with |
483 | <option>DefaultStandardError=</option> | |
484 | in | |
5f9cfd4c | 485 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
de6c78f8 | 486 | which defaults to |
dd1eb43b LP |
487 | <option>inherit</option>.</para></listitem> |
488 | </varlistentry> | |
489 | <varlistentry> | |
490 | <term><varname>TTYPath=</varname></term> | |
491 | <listitem><para>Sets the terminal | |
492 | device node to use if standard input, | |
493 | output or stderr are connected to a | |
494 | TTY (see above). Defaults to | |
495 | <filename>/dev/console</filename>.</para></listitem> | |
496 | </varlistentry> | |
6ea832a2 LP |
497 | <varlistentry> |
498 | <term><varname>TTYReset=</varname></term> | |
499 | <listitem><para>Reset the terminal | |
500 | device specified with | |
501 | <varname>TTYPath=</varname> before and | |
502 | after execution. Defaults to | |
503 | <literal>no</literal>.</para></listitem> | |
504 | </varlistentry> | |
505 | <varlistentry> | |
506 | <term><varname>TTYVHangup=</varname></term> | |
507 | <listitem><para>Disconnect all clients | |
508 | which have opened the terminal device | |
509 | specified with | |
510 | <varname>TTYPath=</varname> | |
511 | before and after execution. Defaults | |
512 | to | |
513 | <literal>no</literal>.</para></listitem> | |
514 | </varlistentry> | |
515 | <varlistentry> | |
516 | <term><varname>TTYVTDisallocate=</varname></term> | |
c5315881 | 517 | <listitem><para>If the terminal |
6ea832a2 LP |
518 | device specified with |
519 | <varname>TTYPath=</varname> is a | |
79640424 | 520 | virtual console terminal, try to |
6ea832a2 LP |
521 | deallocate the TTY before and after |
522 | execution. This ensures that the | |
523 | screen and scrollback buffer is | |
524 | cleared. Defaults to | |
525 | <literal>no</literal>.</para></listitem> | |
526 | </varlistentry> | |
dd1eb43b | 527 | <varlistentry> |
48c4fad9 | 528 | <term><varname>SyslogIdentifier=</varname></term> |
dd1eb43b LP |
529 | <listitem><para>Sets the process name |
530 | to prefix log lines sent to syslog or | |
79640424 | 531 | the kernel log buffer with. If not set, |
dd1eb43b LP |
532 | defaults to the process name of the |
533 | executed process. This option is only | |
534 | useful when | |
535 | <varname>StandardOutput=</varname> or | |
536 | <varname>StandardError=</varname> are | |
537 | set to <option>syslog</option> or | |
538 | <option>kmsg</option>.</para></listitem> | |
539 | </varlistentry> | |
540 | <varlistentry> | |
541 | <term><varname>SyslogFacility=</varname></term> | |
542 | <listitem><para>Sets the syslog | |
543 | facility to use when logging to | |
544 | syslog. One of <option>kern</option>, | |
545 | <option>user</option>, | |
546 | <option>mail</option>, | |
547 | <option>daemon</option>, | |
548 | <option>auth</option>, | |
549 | <option>syslog</option>, | |
550 | <option>lpr</option>, | |
551 | <option>news</option>, | |
552 | <option>uucp</option>, | |
553 | <option>cron</option>, | |
554 | <option>authpriv</option>, | |
555 | <option>ftp</option>, | |
556 | <option>local0</option>, | |
557 | <option>local1</option>, | |
558 | <option>local2</option>, | |
559 | <option>local3</option>, | |
560 | <option>local4</option>, | |
561 | <option>local5</option>, | |
562 | <option>local6</option> or | |
563 | <option>local7</option>. See | |
564 | <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
565 | for details. This option is only | |
566 | useful when | |
567 | <varname>StandardOutput=</varname> or | |
568 | <varname>StandardError=</varname> are | |
569 | set to <option>syslog</option>. | |
570 | Defaults to | |
571 | <option>daemon</option>.</para></listitem> | |
572 | </varlistentry> | |
573 | <varlistentry> | |
574 | <term><varname>SyslogLevel=</varname></term> | |
575 | <listitem><para>Default syslog level | |
576 | to use when logging to syslog or the | |
577 | kernel log buffer. One of | |
578 | <option>emerg</option>, | |
579 | <option>alert</option>, | |
580 | <option>crit</option>, | |
581 | <option>err</option>, | |
582 | <option>warning</option>, | |
583 | <option>notice</option>, | |
584 | <option>info</option>, | |
585 | <option>debug</option>. See | |
586 | <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
587 | for details. This option is only | |
588 | useful when | |
589 | <varname>StandardOutput=</varname> or | |
590 | <varname>StandardError=</varname> are | |
591 | set to <option>syslog</option> or | |
592 | <option>kmsg</option>. Note that | |
593 | individual lines output by the daemon | |
594 | might be prefixed with a different log | |
595 | level which can be used to override | |
596 | the default log level specified | |
597 | here. The interpretation of these | |
598 | prefixes may be disabled with | |
74922904 | 599 | <varname>SyslogLevelPrefix=</varname>, |
dd1eb43b | 600 | see below. For details see |
cb07866b | 601 | <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>. |
dd1eb43b LP |
602 | |
603 | Defaults to | |
604 | <option>info</option>.</para></listitem> | |
605 | </varlistentry> | |
606 | ||
607 | <varlistentry> | |
74922904 | 608 | <term><varname>SyslogLevelPrefix=</varname></term> |
dd1eb43b | 609 | <listitem><para>Takes a boolean |
74922904 | 610 | argument. If true and |
dd1eb43b LP |
611 | <varname>StandardOutput=</varname> or |
612 | <varname>StandardError=</varname> are | |
df688b23 LP |
613 | set to <option>syslog</option>, |
614 | <option>kmsg</option> or | |
615 | <option>journal</option>, log lines | |
dd1eb43b LP |
616 | written by the executed process that |
617 | are prefixed with a log level will be | |
618 | passed on to syslog with this log | |
619 | level set but the prefix removed. If | |
74922904 | 620 | set to false, the interpretation of |
dd1eb43b LP |
621 | these prefixes is disabled and the |
622 | logged lines are passed on as-is. For | |
623 | details about this prefixing see | |
cb07866b | 624 | <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>. |
74922904 | 625 | Defaults to true.</para></listitem> |
dd1eb43b LP |
626 | </varlistentry> |
627 | ||
628 | <varlistentry> | |
03fae018 | 629 | <term><varname>TimerSlackNSec=</varname></term> |
dd1eb43b LP |
630 | <listitem><para>Sets the timer slack |
631 | in nanoseconds for the executed | |
d88a251b LP |
632 | processes. The timer slack controls |
633 | the accuracy of wake-ups triggered by | |
03fae018 | 634 | timers. See |
dd1eb43b | 635 | <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> |
03fae018 LP |
636 | for more information. Note that in |
637 | contrast to most other time span | |
f8553ccb | 638 | definitions this parameter takes an |
d88a251b LP |
639 | integer value in nano-seconds if no |
640 | unit is specified. The usual time | |
641 | units are understood | |
642 | too.</para></listitem> | |
dd1eb43b LP |
643 | </varlistentry> |
644 | ||
645 | <varlistentry> | |
646 | <term><varname>LimitCPU=</varname></term> | |
647 | <term><varname>LimitFSIZE=</varname></term> | |
648 | <term><varname>LimitDATA=</varname></term> | |
649 | <term><varname>LimitSTACK=</varname></term> | |
650 | <term><varname>LimitCORE=</varname></term> | |
651 | <term><varname>LimitRSS=</varname></term> | |
652 | <term><varname>LimitNOFILE=</varname></term> | |
653 | <term><varname>LimitAS=</varname></term> | |
654 | <term><varname>LimitNPROC=</varname></term> | |
655 | <term><varname>LimitMEMLOCK=</varname></term> | |
656 | <term><varname>LimitLOCKS=</varname></term> | |
657 | <term><varname>LimitSIGPENDING=</varname></term> | |
658 | <term><varname>LimitMSGQUEUE=</varname></term> | |
659 | <term><varname>LimitNICE=</varname></term> | |
660 | <term><varname>LimitRTPRIO=</varname></term> | |
661 | <term><varname>LimitRTTIME=</varname></term> | |
662 | <listitem><para>These settings control | |
663 | various resource limits for executed | |
664 | processes. See | |
665 | <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
3d57c6ab LP |
666 | for details. Use the string |
667 | <varname>infinity</varname> to | |
668 | configure no limit on a specific | |
669 | resource.</para></listitem> | |
dd1eb43b LP |
670 | </varlistentry> |
671 | ||
672 | <varlistentry> | |
673 | <term><varname>PAMName=</varname></term> | |
674 | <listitem><para>Sets the PAM service | |
79640424 | 675 | name to set up a session as. If set, |
dd1eb43b LP |
676 | the executed process will be |
677 | registered as a PAM session under the | |
678 | specified service name. This is only | |
679 | useful in conjunction with the | |
680 | <varname>User=</varname> setting. If | |
79640424 | 681 | not set, no PAM session will be opened |
dd1eb43b LP |
682 | for the executed processes. See |
683 | <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
684 | for details.</para></listitem> | |
685 | </varlistentry> | |
686 | ||
687 | <varlistentry> | |
688 | <term><varname>TCPWrapName=</varname></term> | |
689 | <listitem><para>If this is a | |
79640424 | 690 | socket-activated service, this sets the |
dd1eb43b LP |
691 | tcpwrap service name to check the |
692 | permission for the current connection | |
693 | with. This is only useful in | |
694 | conjunction with socket-activated | |
695 | services, and stream sockets (TCP) in | |
696 | particular. It has no effect on other | |
9f056f40 LP |
697 | socket types (e.g. datagram/UDP) and |
698 | on processes unrelated to socket-based | |
dd1eb43b | 699 | activation. If the tcpwrap |
79640424 | 700 | verification fails, daemon start-up |
dd1eb43b LP |
701 | will fail and the connection is |
702 | terminated. See | |
703 | <citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
9f056f40 LP |
704 | for details. Note that this option may |
705 | be used to do access control checks | |
706 | only. Shell commands and commands | |
707 | described in | |
708 | <citerefentry><refentrytitle>hosts_options</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
709 | are not supported.</para></listitem> | |
dd1eb43b LP |
710 | </varlistentry> |
711 | ||
712 | <varlistentry> | |
260abb78 LP |
713 | <term><varname>CapabilityBoundingSet=</varname></term> |
714 | ||
715 | <listitem><para>Controls which | |
716 | capabilities to include in the | |
717 | capability bounding set for the | |
718 | executed process. See | |
dd1eb43b | 719 | <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
e9dd9f95 JSJ |
720 | for details. Takes a whitespace-separated |
721 | list of capability names as read by | |
d91c34f2 | 722 | <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>, |
74d00578 ZJS |
723 | e.g. <constant>CAP_SYS_ADMIN</constant>, |
724 | <constant>CAP_DAC_OVERRIDE</constant>, | |
725 | <constant>CAP_SYS_PTRACE</constant>. | |
260abb78 LP |
726 | Capabilities listed will be included |
727 | in the bounding set, all others are | |
728 | removed. If the list of capabilities | |
79640424 | 729 | is prefixed with <literal>~</literal>, |
d91c34f2 LP |
730 | all but the listed capabilities will |
731 | be included, the effect of the | |
732 | assignment inverted. Note that this | |
733 | option also affects the respective | |
734 | capabilities in the effective, | |
735 | permitted and inheritable capability | |
736 | sets, on top of what | |
737 | <varname>Capabilities=</varname> | |
79640424 | 738 | does. If this option is not used, the |
260abb78 LP |
739 | capability bounding set is not |
740 | modified on process execution, hence | |
741 | no limits on the capabilities of the | |
74051b9b LP |
742 | process are enforced. This option may |
743 | appear more than once in which case | |
d91c34f2 LP |
744 | the bounding sets are merged. If the |
745 | empty string is assigned to this | |
79640424 | 746 | option, the bounding set is reset to |
d91c34f2 LP |
747 | the empty capability set, and all |
748 | prior settings have no effect. If set | |
749 | to <literal>~</literal> (without any | |
79640424 | 750 | further argument), the bounding set is |
d91c34f2 LP |
751 | reset to the full set of available |
752 | capabilities, also undoing any | |
753 | previous settings.</para></listitem> | |
dd1eb43b LP |
754 | </varlistentry> |
755 | ||
756 | <varlistentry> | |
757 | <term><varname>SecureBits=</varname></term> | |
758 | <listitem><para>Controls the secure | |
759 | bits set for the executed process. See | |
760 | <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
761 | for details. Takes a list of strings: | |
762 | <option>keep-caps</option>, | |
763 | <option>keep-caps-locked</option>, | |
764 | <option>no-setuid-fixup</option>, | |
765 | <option>no-setuid-fixup-locked</option>, | |
3377af3e | 766 | <option>noroot</option> and/or |
74051b9b LP |
767 | <option>noroot-locked</option>. This |
768 | option may appear more than once in | |
769 | which case the secure bits are | |
770 | ORed. If the empty string is assigned | |
79640424 | 771 | to this option, the bits are reset to |
74051b9b | 772 | 0.</para></listitem> |
dd1eb43b LP |
773 | </varlistentry> |
774 | ||
775 | <varlistentry> | |
260abb78 | 776 | <term><varname>Capabilities=</varname></term> |
dd1eb43b | 777 | <listitem><para>Controls the |
dd1eb43b | 778 | <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
260abb78 LP |
779 | set for the executed process. Take a |
780 | capability string describing the | |
781 | effective, permitted and inherited | |
782 | capability sets as documented in | |
783 | <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
784 | Note that these capability sets are | |
785 | usually influenced by the capabilities | |
786 | attached to the executed file. Due to | |
787 | that | |
788 | <varname>CapabilityBoundingSet=</varname> | |
789 | is probably the much more useful | |
790 | setting.</para></listitem> | |
dd1eb43b LP |
791 | </varlistentry> |
792 | ||
dd1eb43b LP |
793 | <varlistentry> |
794 | <term><varname>ReadWriteDirectories=</varname></term> | |
795 | <term><varname>ReadOnlyDirectories=</varname></term> | |
796 | <term><varname>InaccessibleDirectories=</varname></term> | |
797 | ||
798 | <listitem><para>Sets up a new | |
12f25b6e | 799 | file system namespace for executed |
dd1eb43b LP |
800 | processes. These options may be used |
801 | to limit access a process might have | |
12f25b6e | 802 | to the main file system |
dd1eb43b | 803 | hierarchy. Each setting takes a |
96d4ce01 | 804 | space-separated list of absolute |
dd1eb43b LP |
805 | directory paths. Directories listed in |
806 | <varname>ReadWriteDirectories=</varname> | |
807 | are accessible from within the | |
808 | namespace with the same access rights | |
809 | as from outside. Directories listed in | |
810 | <varname>ReadOnlyDirectories=</varname> | |
811 | are accessible for reading only, | |
812 | writing will be refused even if the | |
813 | usual file access controls would | |
814 | permit this. Directories listed in | |
815 | <varname>InaccessibleDirectories=</varname> | |
74051b9b LP |
816 | will be made inaccessible for |
817 | processes inside the namespace. Note | |
818 | that restricting access with these | |
819 | options does not extend to submounts | |
820 | of a directory. You must list | |
821 | submounts separately in these settings | |
822 | to ensure the same limited | |
823 | access. These options may be specified | |
824 | more than once in which case all | |
825 | directories listed will have limited | |
826 | access from within the namespace. If | |
827 | the empty string is assigned to this | |
79640424 | 828 | option, the specific list is reset, and |
74051b9b | 829 | all prior assignments have no |
ea92ae33 MW |
830 | effect.</para> |
831 | <para>Paths in | |
832 | <varname>ReadOnlyDirectories=</varname> | |
833 | and | |
834 | <varname>InaccessibleDirectories=</varname> | |
835 | may be prefixed with | |
836 | <literal>-</literal>, in which case | |
6b4991cf | 837 | they will be ignored when they do not |
ea92ae33 | 838 | exist.</para></listitem> |
dd1eb43b LP |
839 | </varlistentry> |
840 | ||
841 | <varlistentry> | |
842 | <term><varname>PrivateTmp=</varname></term> | |
843 | ||
844 | <listitem><para>Takes a boolean | |
79640424 | 845 | argument. If true, sets up a new file |
ff01d048 | 846 | system namespace for the executed |
652d0dd7 ZJS |
847 | processes and mounts private |
848 | <filename>/tmp</filename> and | |
613b411c | 849 | <filename>/var/tmp</filename> |
e0e009c0 | 850 | directories inside it that is not |
613b411c | 851 | shared by processes outside of the |
dd1eb43b LP |
852 | namespace. This is useful to secure |
853 | access to temporary files of the | |
854 | process, but makes sharing between | |
855 | processes via | |
652d0dd7 ZJS |
856 | <filename>/tmp</filename> or |
857 | <filename>/var/tmp</filename> | |
c17ec25e | 858 | impossible. All temporary data created |
613b411c | 859 | by service will be removed after |
e0e009c0 | 860 | the service is stopped. Defaults to |
613b411c LP |
861 | false. Note that it is possible to run |
862 | two or more units within the same | |
863 | private <filename>/tmp</filename> and | |
864 | <filename>/var/tmp</filename> | |
865 | namespace by using the | |
866 | <varname>JoinsNamespaceOf=</varname> | |
867 | directive, see | |
868 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
869 | for details.</para></listitem> | |
ff01d048 LP |
870 | </varlistentry> |
871 | ||
872 | <varlistentry> | |
873 | <term><varname>PrivateNetwork=</varname></term> | |
874 | ||
875 | <listitem><para>Takes a boolean | |
79640424 | 876 | argument. If true, sets up a new |
ff01d048 LP |
877 | network namespace for the executed |
878 | processes and configures only the | |
879 | loopback network device | |
880 | <literal>lo</literal> inside it. No | |
881 | other network devices will be | |
882 | available to the executed process. | |
883 | This is useful to securely turn off | |
884 | network access by the executed | |
613b411c LP |
885 | process. Defaults to false. Note that |
886 | it is possible to run two or more | |
887 | units within the same private network | |
888 | namespace by using the | |
889 | <varname>JoinsNamespaceOf=</varname> | |
890 | directive, see | |
891 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
892 | for details.</para></listitem> | |
dd1eb43b LP |
893 | </varlistentry> |
894 | ||
895 | <varlistentry> | |
896 | <term><varname>MountFlags=</varname></term> | |
897 | ||
898 | <listitem><para>Takes a mount | |
899 | propagation flag: | |
900 | <option>shared</option>, | |
901 | <option>slave</option> or | |
902 | <option>private</option>, which | |
ac0930c8 LP |
903 | control whether the file system |
904 | namespace set up for this unit's | |
905 | processes will receive or propagate | |
906 | new mounts. See | |
8050c221 | 907 | <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry> |
ac0930c8 LP |
908 | for details. Default to |
909 | <option>shared</option>.</para></listitem> | |
dd1eb43b LP |
910 | </varlistentry> |
911 | ||
169c1bda LP |
912 | <varlistentry> |
913 | <term><varname>UtmpIdentifier=</varname></term> | |
914 | ||
c5315881 | 915 | <listitem><para>Takes a four |
169c1bda LP |
916 | character identifier string for an |
917 | utmp/wtmp entry for this service. This | |
918 | should only be set for services such | |
919 | as <command>getty</command> | |
920 | implementations where utmp/wtmp | |
921 | entries must be created and cleared | |
922 | before and after execution. If the | |
923 | configured string is longer than four | |
79640424 | 924 | characters, it is truncated and the |
169c1bda LP |
925 | terminal four characters are |
926 | used. This setting interprets %I style | |
927 | string replacements. This setting is | |
928 | unset by default, i.e. no utmp/wtmp | |
929 | entries are created or cleaned up for | |
930 | this service.</para></listitem> | |
931 | </varlistentry> | |
932 | ||
353e12c2 LP |
933 | <varlistentry> |
934 | <term><varname>IgnoreSIGPIPE=</varname></term> | |
935 | ||
936 | <listitem><para>Takes a boolean | |
05cc7267 | 937 | argument. If true, causes <constant>SIGPIPE</constant> to be |
353e12c2 | 938 | ignored in the executed |
e9dd9f95 | 939 | process. Defaults to true because |
05cc7267 | 940 | <constant>SIGPIPE</constant> generally is useful only in |
353e12c2 LP |
941 | shell pipelines.</para></listitem> |
942 | </varlistentry> | |
943 | ||
8351ceae LP |
944 | <varlistentry> |
945 | <term><varname>NoNewPrivileges=</varname></term> | |
946 | ||
947 | <listitem><para>Takes a boolean | |
e9dd9f95 | 948 | argument. If true, ensures that the |
8351ceae LP |
949 | service process and all its children |
950 | can never gain new privileges. This | |
951 | option is more powerful than the respective | |
952 | secure bits flags (see above), as it | |
953 | also prohibits UID changes of any | |
954 | kind. This is the simplest, most | |
955 | effective way to ensure that a process | |
956 | and its children can never elevate | |
957 | privileges again.</para></listitem> | |
958 | </varlistentry> | |
959 | ||
960 | <varlistentry> | |
961 | <term><varname>SystemCallFilter=</varname></term> | |
962 | ||
e9dd9f95 JSJ |
963 | <listitem><para>Takes a space-separated |
964 | list of system call | |
965 | names. If this setting is used, all | |
8351ceae LP |
966 | system calls executed by the unit |
967 | process except for the listed ones | |
968 | will result in immediate process | |
74d00578 ZJS |
969 | termination with the |
970 | <constant>SIGSYS</constant> signal | |
8351ceae | 971 | (whitelisting). If the first character |
79640424 | 972 | of the list is <literal>~</literal>, |
8351ceae LP |
973 | the effect is inverted: only the |
974 | listed system calls will result in | |
975 | immediate process termination | |
79640424 | 976 | (blacklisting). If this option is used, |
8351ceae LP |
977 | <varname>NoNewPrivileges=yes</varname> |
978 | is implied. This feature makes use of | |
979 | the Secure Computing Mode 2 interfaces | |
980 | of the kernel ('seccomp filtering') | |
981 | and is useful for enforcing a minimal | |
982 | sandboxing environment. Note that the | |
983 | <function>execve</function>, | |
984 | <function>rt_sigreturn</function>, | |
985 | <function>sigreturn</function>, | |
986 | <function>exit_group</function>, | |
987 | <function>exit</function> system calls | |
6b4991cf | 988 | are implicitly whitelisted and do not |
74051b9b LP |
989 | need to be listed explicitly. This |
990 | option may be specified more than once | |
991 | in which case the filter masks are | |
992 | merged. If the empty string is | |
79640424 | 993 | assigned, the filter is reset, all |
74051b9b LP |
994 | prior assignments will have no |
995 | effect.</para></listitem> | |
8351ceae LP |
996 | </varlistentry> |
997 | ||
dd1eb43b LP |
998 | </variablelist> |
999 | </refsect1> | |
1000 | ||
43638332 ZJS |
1001 | <refsect1> |
1002 | <title>Environment variables in spawned processes</title> | |
1003 | ||
1004 | <para>Processes started by the system are executed in | |
1005 | a clean environment in which select variables | |
1006 | listed below are set. System processes started by systemd | |
1007 | do not inherit variables from PID 1, but processes | |
1008 | started by user systemd instances inherit all | |
1009 | environment variables from the user systemd instance. | |
1010 | </para> | |
1011 | ||
1012 | <variablelist class='environment-variables'> | |
1013 | <varlistentry> | |
1014 | <term><varname>$PATH</varname></term> | |
1015 | ||
1016 | <listitem><para>Colon-separated list | |
1017 | of directiories to use when launching | |
1018 | executables. Systemd uses a fixed | |
1019 | value of | |
1020 | <filename>/usr/local/sbin</filename>:<filename>/usr/local/bin</filename>:<filename>/usr/sbin</filename>:<filename>/usr/bin</filename>:<filename>/sbin</filename>:<filename>/bin</filename>. | |
1021 | </para></listitem> | |
1022 | </varlistentry> | |
1023 | ||
1024 | <varlistentry> | |
1025 | <term><varname>$LANG</varname></term> | |
1026 | ||
1027 | <listitem><para>Locale. Can be set in | |
1028 | <citerefentry><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
1029 | or on the kernel command line (see | |
1030 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
1031 | and | |
1032 | <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>). | |
1033 | </para></listitem> | |
1034 | </varlistentry> | |
1035 | ||
1036 | <varlistentry> | |
1037 | <term><varname>$USER</varname></term> | |
59fccd82 | 1038 | <term><varname>$LOGNAME</varname></term> |
43638332 | 1039 | <term><varname>$HOME</varname></term> |
59fccd82 | 1040 | <term><varname>$SHELL</varname></term> |
43638332 | 1041 | |
59fccd82 ZJS |
1042 | <listitem><para>User name (twice), home |
1043 | directory, and the login shell. | |
72f4d966 | 1044 | The variables are set for the units that |
43638332 ZJS |
1045 | have <varname>User=</varname> set, |
1046 | which includes user | |
1047 | <command>systemd</command> instances. | |
1048 | See | |
1049 | <citerefentry><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>. | |
1050 | </para></listitem> | |
1051 | </varlistentry> | |
1052 | ||
1053 | <varlistentry> | |
1054 | <term><varname>$XDG_RUNTIME_DIR</varname></term> | |
1055 | ||
1056 | <listitem><para>The directory for volatile | |
1057 | state. Set for the user <command>systemd</command> | |
1058 | instance, and also in user sessions. | |
1059 | See | |
1060 | <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>. | |
1061 | </para></listitem> | |
1062 | </varlistentry> | |
1063 | ||
1064 | <varlistentry> | |
1065 | <term><varname>$XDG_SESSION_ID</varname></term> | |
1066 | <term><varname>$XDG_SEAT</varname></term> | |
1067 | <term><varname>$XDG_VTNR</varname></term> | |
1068 | ||
1069 | <listitem><para>The identifier of the | |
72f4d966 | 1070 | session, the seat name, and |
43638332 ZJS |
1071 | virtual terminal of the session. Set |
1072 | by | |
1073 | <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
1074 | for login sessions. | |
1075 | <varname>$XDG_SEAT</varname> and | |
72f4d966 JE |
1076 | <varname>$XDG_VTNR</varname> will |
1077 | only be set when attached to a seat and a | |
43638332 ZJS |
1078 | tty.</para></listitem> |
1079 | </varlistentry> | |
1080 | ||
1081 | <varlistentry> | |
1082 | <term><varname>$MANAGERPID</varname></term> | |
1083 | ||
1084 | <listitem><para>The PID of the user | |
1085 | <command>systemd</command> instance, | |
1086 | set for processes spawned by it. | |
1087 | </para></listitem> | |
1088 | </varlistentry> | |
1089 | ||
1090 | <varlistentry> | |
1091 | <term><varname>$LISTEN_FDS</varname></term> | |
1092 | <term><varname>$LISTEN_PID</varname></term> | |
1093 | ||
1094 | <listitem><para>Information about file | |
1095 | descriptors passed to a service for | |
1096 | socket activation. See | |
1097 | <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
1098 | </para></listitem> | |
1099 | </varlistentry> | |
59fccd82 ZJS |
1100 | |
1101 | <varlistentry> | |
1102 | <term><varname>$TERM</varname></term> | |
1103 | ||
1104 | <listitem><para>Terminal type, set | |
1105 | only for units connected to a terminal | |
1106 | (<varname>StandardInput=tty</varname>, | |
1107 | <varname>StandardOutput=tty</varname>, | |
1108 | or | |
1109 | <varname>StandardError=tty</varname>). | |
1110 | See | |
1111 | <citerefentry><refentrytitle>termcap</refentrytitle><manvolnum>5</manvolnum></citerefentry>. | |
1112 | </para></listitem> | |
1113 | </varlistentry> | |
43638332 ZJS |
1114 | </variablelist> |
1115 | ||
1116 | <para>Additional variables may be configured by the | |
1117 | following means: for processes spawned in specific | |
1118 | units, use the <varname>Environment=</varname> and | |
1119 | <varname>EnvironmentFile=</varname> options above; to | |
1120 | specify variables globally, use | |
1121 | <varname>DefaultEnvironment=</varname> (see | |
1122 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>) | |
1123 | or the kernel option | |
1124 | <varname>systemd.setenv=</varname> (see | |
1125 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Additional | |
1126 | variables may also be set through PAM, | |
1127 | c.f. <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> | |
1128 | </refsect1> | |
1129 | ||
dd1eb43b LP |
1130 | <refsect1> |
1131 | <title>See Also</title> | |
1132 | <para> | |
f3e219a2 | 1133 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
dd1eb43b | 1134 | <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
169c4f65 | 1135 | <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
dd1eb43b LP |
1136 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
1137 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
1138 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
2292707d | 1139 | <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
4819ff03 | 1140 | <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
9cc2c8b7 | 1141 | <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
3fde5f30 | 1142 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
43638332 ZJS |
1143 | <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>, |
1144 | <citerefentry><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
dd1eb43b LP |
1145 | </para> |
1146 | </refsect1> | |
1147 | ||
1148 | </refentry> |