]>
Commit | Line | Data |
---|---|---|
023a4f67 | 1 | <?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*--> |
dd1eb43b | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" |
12b42c76 | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
dd1eb43b LP |
4 | |
5 | <!-- | |
572eb058 | 6 | SPDX-License-Identifier: LGPL-2.1+ |
dd1eb43b LP |
7 | --> |
8 | ||
9 | <refentry id="systemd.exec"> | |
798d3a52 ZJS |
10 | <refentryinfo> |
11 | <title>systemd.exec</title> | |
12 | <productname>systemd</productname> | |
798d3a52 ZJS |
13 | </refentryinfo> |
14 | ||
15 | <refmeta> | |
16 | <refentrytitle>systemd.exec</refentrytitle> | |
17 | <manvolnum>5</manvolnum> | |
18 | </refmeta> | |
19 | ||
20 | <refnamediv> | |
21 | <refname>systemd.exec</refname> | |
22 | <refpurpose>Execution environment configuration</refpurpose> | |
23 | </refnamediv> | |
24 | ||
25 | <refsynopsisdiv> | |
26 | <para><filename><replaceable>service</replaceable>.service</filename>, | |
27 | <filename><replaceable>socket</replaceable>.socket</filename>, | |
28 | <filename><replaceable>mount</replaceable>.mount</filename>, | |
29 | <filename><replaceable>swap</replaceable>.swap</filename></para> | |
30 | </refsynopsisdiv> | |
31 | ||
32 | <refsect1> | |
33 | <title>Description</title> | |
34 | ||
b8afec21 LP |
35 | <para>Unit configuration files for services, sockets, mount points, and swap devices share a subset of |
36 | configuration options which define the execution environment of spawned processes.</para> | |
37 | ||
38 | <para>This man page lists the configuration options shared by these four unit types. See | |
39 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for the common | |
40 | options of all unit configuration files, and | |
798d3a52 ZJS |
41 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
42 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
b8afec21 LP |
43 | <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>, and |
44 | <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more | |
45 | information on the specific unit configuration files. The execution specific configuration options are configured | |
46 | in the [Service], [Socket], [Mount], or [Swap] sections, depending on the unit type.</para> | |
74b47bbd | 47 | |
c7458f93 | 48 | <para>In addition, options which control resources through Linux Control Groups (cgroups) are listed in |
74b47bbd ZJS |
49 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>. |
50 | Those options complement options listed here.</para> | |
798d3a52 ZJS |
51 | </refsect1> |
52 | ||
c129bd5d | 53 | <refsect1> |
45f09f93 JL |
54 | <title>Implicit Dependencies</title> |
55 | ||
56 | <para>A few execution parameters result in additional, automatic dependencies to be added:</para> | |
57 | ||
58 | <itemizedlist> | |
b8afec21 LP |
59 | <listitem><para>Units with <varname>WorkingDirectory=</varname>, <varname>RootDirectory=</varname>, |
60 | <varname>RootImage=</varname>, <varname>RuntimeDirectory=</varname>, <varname>StateDirectory=</varname>, | |
61 | <varname>CacheDirectory=</varname>, <varname>LogsDirectory=</varname> or | |
62 | <varname>ConfigurationDirectory=</varname> set automatically gain dependencies of type | |
63 | <varname>Requires=</varname> and <varname>After=</varname> on all mount units required to access the specified | |
64 | paths. This is equivalent to having them listed explicitly in | |
65 | <varname>RequiresMountsFor=</varname>.</para></listitem> | |
66 | ||
67 | <listitem><para>Similar, units with <varname>PrivateTmp=</varname> enabled automatically get mount unit | |
68 | dependencies for all mounts required to access <filename>/tmp</filename> and <filename>/var/tmp</filename>. They | |
69 | will also gain an automatic <varname>After=</varname> dependency on | |
45f09f93 JL |
70 | <citerefentry><refentrytitle>systemd-tmpfiles-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para></listitem> |
71 | ||
b8afec21 LP |
72 | <listitem><para>Units whose standard output or error output is connected to <option>journal</option>, |
73 | <option>syslog</option> or <option>kmsg</option> (or their combinations with console output, see below) | |
74 | automatically acquire dependencies of type <varname>After=</varname> on | |
75 | <filename>systemd-journald.socket</filename>.</para></listitem> | |
45f09f93 | 76 | </itemizedlist> |
c129bd5d LP |
77 | </refsect1> |
78 | ||
45f09f93 JL |
79 | <!-- We don't have any default dependency here. --> |
80 | ||
798d3a52 | 81 | <refsect1> |
b8afec21 | 82 | <title>Paths</title> |
798d3a52 ZJS |
83 | |
84 | <variablelist class='unit-directives'> | |
85 | ||
86 | <varlistentry> | |
87 | <term><varname>WorkingDirectory=</varname></term> | |
88 | ||
d251207d LP |
89 | <listitem><para>Takes a directory path relative to the service's root directory specified by |
90 | <varname>RootDirectory=</varname>, or the special value <literal>~</literal>. Sets the working directory for | |
91 | executed processes. If set to <literal>~</literal>, the home directory of the user specified in | |
92 | <varname>User=</varname> is used. If not set, defaults to the root directory when systemd is running as a | |
93 | system instance and the respective user's home directory if run as user. If the setting is prefixed with the | |
94 | <literal>-</literal> character, a missing working directory is not considered fatal. If | |
915e6d16 LP |
95 | <varname>RootDirectory=</varname>/<varname>RootImage=</varname> is not set, then |
96 | <varname>WorkingDirectory=</varname> is relative to the root of the system running the service manager. Note | |
97 | that setting this parameter might result in additional dependencies to be added to the unit (see | |
98 | above).</para></listitem> | |
798d3a52 ZJS |
99 | </varlistentry> |
100 | ||
101 | <varlistentry> | |
102 | <term><varname>RootDirectory=</varname></term> | |
103 | ||
d251207d LP |
104 | <listitem><para>Takes a directory path relative to the host's root directory (i.e. the root of the system |
105 | running the service manager). Sets the root directory for executed processes, with the <citerefentry | |
106 | project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry> system | |
107 | call. If this is used, it must be ensured that the process binary and all its auxiliary files are available in | |
108 | the <function>chroot()</function> jail. Note that setting this parameter might result in additional | |
109 | dependencies to be added to the unit (see above).</para> | |
110 | ||
5d997827 LP |
111 | <para>The <varname>MountAPIVFS=</varname> and <varname>PrivateUsers=</varname> settings are particularly useful |
112 | in conjunction with <varname>RootDirectory=</varname>. For details, see below.</para></listitem> | |
113 | </varlistentry> | |
114 | ||
915e6d16 LP |
115 | <varlistentry> |
116 | <term><varname>RootImage=</varname></term> | |
b8afec21 | 117 | |
915e6d16 | 118 | <listitem><para>Takes a path to a block device node or regular file as argument. This call is similar to |
6cf5a964 | 119 | <varname>RootDirectory=</varname> however mounts a file system hierarchy from a block device node or loopback |
915e6d16 LP |
120 | file instead of a directory. The device node or file system image file needs to contain a file system without a |
121 | partition table, or a file system within an MBR/MS-DOS or GPT partition table with only a single | |
122 | Linux-compatible partition, or a set of file systems within a GPT partition table that follows the <ulink | |
28a0ad81 | 123 | url="https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable Partitions |
915e6d16 LP |
124 | Specification</ulink>.</para></listitem> |
125 | </varlistentry> | |
126 | ||
5d997827 LP |
127 | <varlistentry> |
128 | <term><varname>MountAPIVFS=</varname></term> | |
129 | ||
130 | <listitem><para>Takes a boolean argument. If on, a private mount namespace for the unit's processes is created | |
ef3116b5 ZJS |
131 | and the API file systems <filename>/proc</filename>, <filename>/sys</filename>, and <filename>/dev</filename> |
132 | are mounted inside of it, unless they are already mounted. Note that this option has no effect unless used in | |
133 | conjunction with <varname>RootDirectory=</varname>/<varname>RootImage=</varname> as these three mounts are | |
134 | generally mounted in the host anyway, and unless the root directory is changed, the private mount namespace | |
135 | will be a 1:1 copy of the host's, and include these three mounts. Note that the <filename>/dev</filename> file | |
136 | system of the host is bind mounted if this option is used without <varname>PrivateDevices=</varname>. To run | |
137 | the service with a private, minimal version of <filename>/dev/</filename>, combine this option with | |
5d997827 | 138 | <varname>PrivateDevices=</varname>.</para></listitem> |
798d3a52 ZJS |
139 | </varlistentry> |
140 | ||
b8afec21 LP |
141 | <varlistentry> |
142 | <term><varname>BindPaths=</varname></term> | |
143 | <term><varname>BindReadOnlyPaths=</varname></term> | |
144 | ||
145 | <listitem><para>Configures unit-specific bind mounts. A bind mount makes a particular file or directory | |
146 | available at an additional place in the unit's view of the file system. Any bind mounts created with this | |
147 | option are specific to the unit, and are not visible in the host's mount table. This option expects a | |
148 | whitespace separated list of bind mount definitions. Each definition consists of a colon-separated triple of | |
149 | source path, destination path and option string, where the latter two are optional. If only a source path is | |
150 | specified the source and destination is taken to be the same. The option string may be either | |
151 | <literal>rbind</literal> or <literal>norbind</literal> for configuring a recursive or non-recursive bind | |
4ca763a9 YW |
152 | mount. If the destination path is omitted, the option string must be omitted too. |
153 | Each bind mount definition may be prefixed with <literal>-</literal>, in which case it will be ignored | |
154 | when its source path does not exist.</para> | |
b8afec21 LP |
155 | |
156 | <para><varname>BindPaths=</varname> creates regular writable bind mounts (unless the source file system mount | |
157 | is already marked read-only), while <varname>BindReadOnlyPaths=</varname> creates read-only bind mounts. These | |
158 | settings may be used more than once, each usage appends to the unit's list of bind mounts. If the empty string | |
159 | is assigned to either of these two options the entire list of bind mounts defined prior to this is reset. Note | |
160 | that in this case both read-only and regular bind mounts are reset, regardless which of the two settings is | |
161 | used.</para> | |
162 | ||
163 | <para>This option is particularly useful when <varname>RootDirectory=</varname>/<varname>RootImage=</varname> | |
164 | is used. In this case the source path refers to a path on the host file system, while the destination path | |
165 | refers to a path below the root directory of the unit.</para></listitem> | |
166 | </varlistentry> | |
167 | ||
168 | </variablelist> | |
169 | </refsect1> | |
170 | ||
171 | <refsect1> | |
172 | <title>Credentials</title> | |
173 | ||
174 | <variablelist class='unit-directives'> | |
175 | ||
798d3a52 ZJS |
176 | <varlistentry> |
177 | <term><varname>User=</varname></term> | |
178 | <term><varname>Group=</varname></term> | |
179 | ||
29206d46 | 180 | <listitem><para>Set the UNIX user or group that the processes are executed as, respectively. Takes a single |
b8afec21 LP |
181 | user or group name, or a numeric ID as argument. For system services (services run by the system service |
182 | manager, i.e. managed by PID 1) and for user services of the root user (services managed by root's instance of | |
47da760e LP |
183 | <command>systemd --user</command>), the default is <literal>root</literal>, but <varname>User=</varname> may be |
184 | used to specify a different user. For user services of any other user, switching user identity is not | |
185 | permitted, hence the only valid setting is the same user the user's service manager is running as. If no group | |
186 | is set, the default group of the user is used. This setting does not affect commands whose command line is | |
565dab8e LP |
187 | prefixed with <literal>+</literal>.</para> |
188 | ||
189 | <para>Note that restrictions on the user/group name syntax are enforced: the specified name must consist only | |
190 | of the characters a-z, A-Z, 0-9, <literal>_</literal> and <literal>-</literal>, except for the first character | |
191 | which must be one of a-z, A-Z or <literal>_</literal> (i.e. numbers and <literal>-</literal> are not permitted | |
192 | as first character). The user/group name must have at least one character, and at most 31. These restrictions | |
193 | are enforced in order to avoid ambiguities and to ensure user/group names and unit files remain portable among | |
194 | Linux systems.</para> | |
195 | ||
196 | <para>When used in conjunction with <varname>DynamicUser=</varname> the user/group name specified is | |
197 | dynamically allocated at the time the service is started, and released at the time the service is stopped — | |
198 | unless it is already allocated statically (see below). If <varname>DynamicUser=</varname> is not used the | |
199 | specified user and group must have been created statically in the user database no later than the moment the | |
200 | service is started, for example using the | |
201 | <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> facility, which | |
202 | is applied at boot or package install time.</para></listitem> | |
29206d46 LP |
203 | </varlistentry> |
204 | ||
205 | <varlistentry> | |
206 | <term><varname>DynamicUser=</varname></term> | |
207 | ||
208 | <listitem><para>Takes a boolean parameter. If set, a UNIX user and group pair is allocated dynamically when the | |
209 | unit is started, and released as soon as it is stopped. The user and group will not be added to | |
210 | <filename>/etc/passwd</filename> or <filename>/etc/group</filename>, but are managed transiently during | |
211 | runtime. The <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
212 | glibc NSS module provides integration of these dynamic users/groups into the system's user and group | |
213 | databases. The user and group name to use may be configured via <varname>User=</varname> and | |
214 | <varname>Group=</varname> (see above). If these options are not used and dynamic user/group allocation is | |
215 | enabled for a unit, the name of the dynamic user/group is implicitly derived from the unit name. If the unit | |
216 | name without the type suffix qualifies as valid user name it is used directly, otherwise a name incorporating a | |
217 | hash of it is used. If a statically allocated user or group of the configured name already exists, it is used | |
3bd493dc | 218 | and no dynamic user/group is allocated. Note that if <varname>User=</varname> is specified and the static group |
b8afec21 LP |
219 | with the name exists, then it is required that the static user with the name already exists. Similarly, if |
220 | <varname>Group=</varname> is specified and the static user with the name exists, then it is required that the | |
221 | static group with the name already exists. Dynamic users/groups are allocated from the UID/GID range | |
29206d46 LP |
222 | 61184…65519. It is recommended to avoid this range for regular system or login users. At any point in time |
223 | each UID/GID from this range is only assigned to zero or one dynamically allocated users/groups in | |
224 | use. However, UID/GIDs are recycled after a unit is terminated. Care should be taken that any processes running | |
225 | as part of a unit for which dynamic users/groups are enabled do not leave files or directories owned by these | |
226 | users/groups around, as a different unit might get the same UID/GID assigned later on, and thus gain access to | |
63bb64a0 | 227 | these files or directories. If <varname>DynamicUser=</varname> is enabled, <varname>RemoveIPC=</varname>, |
00d9ef85 LP |
228 | <varname>PrivateTmp=</varname> are implied. This ensures that the lifetime of IPC objects and temporary files |
229 | created by the executed processes is bound to the runtime of the service, and hence the lifetime of the dynamic | |
230 | user/group. Since <filename>/tmp</filename> and <filename>/var/tmp</filename> are usually the only | |
231 | world-writable directories on a system this ensures that a unit making use of dynamic user/group allocation | |
63bb64a0 LP |
232 | cannot leave files around after unit termination. Moreover <varname>ProtectSystem=strict</varname> and |
233 | <varname>ProtectHome=read-only</varname> are implied, thus prohibiting the service to write to arbitrary file | |
234 | system locations. In order to allow the service to write to certain directories, they have to be whitelisted | |
4a628360 LP |
235 | using <varname>ReadWritePaths=</varname>, but care must be taken so that UID/GID recycling doesn't create |
236 | security issues involving files created by the service. Use <varname>RuntimeDirectory=</varname> (see below) in | |
237 | order to assign a writable runtime directory to a service, owned by the dynamic user/group and removed | |
238 | automatically when the unit is terminated. Use <varname>StateDirectory=</varname>, | |
239 | <varname>CacheDirectory=</varname> and <varname>LogsDirectory=</varname> in order to assign a set of writable | |
240 | directories for specific purposes to the service in a way that they are protected from vulnerabilities due to | |
241 | UID reuse (see below). Defaults to off.</para></listitem> | |
798d3a52 ZJS |
242 | </varlistentry> |
243 | ||
244 | <varlistentry> | |
245 | <term><varname>SupplementaryGroups=</varname></term> | |
246 | ||
b8afec21 LP |
247 | <listitem><para>Sets the supplementary Unix groups the processes are executed as. This takes a space-separated |
248 | list of group names or IDs. This option may be specified more than once, in which case all listed groups are | |
249 | set as supplementary groups. When the empty string is assigned, the list of supplementary groups is reset, and | |
250 | all assignments prior to this one will have no effect. In any way, this option does not override, but extends | |
251 | the list of supplementary groups configured in the system group database for the user. This does not affect | |
252 | commands prefixed with <literal>+</literal>.</para></listitem> | |
798d3a52 ZJS |
253 | </varlistentry> |
254 | ||
00d9ef85 | 255 | <varlistentry> |
b8afec21 | 256 | <term><varname>PAMName=</varname></term> |
00d9ef85 | 257 | |
b8afec21 LP |
258 | <listitem><para>Sets the PAM service name to set up a session as. If set, the executed process will be |
259 | registered as a PAM session under the specified service name. This is only useful in conjunction with the | |
260 | <varname>User=</varname> setting, and is otherwise ignored. If not set, no PAM session will be opened for the | |
261 | executed processes. See <citerefentry | |
262 | project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> for | |
263 | details.</para> | |
00d9ef85 | 264 | |
b8afec21 LP |
265 | <para>Note that for each unit making use of this option a PAM session handler process will be maintained as |
266 | part of the unit and stays around as long as the unit is active, to ensure that appropriate actions can be | |
267 | taken when the unit and hence the PAM session terminates. This process is named <literal>(sd-pam)</literal> and | |
268 | is an immediate child process of the unit's main process.</para> | |
798d3a52 | 269 | |
b8afec21 LP |
270 | <para>Note that when this option is used for a unit it is very likely (depending on PAM configuration) that the |
271 | main unit process will be migrated to its own session scope unit when it is activated. This process will hence | |
272 | be associated with two units: the unit it was originally started from (and for which | |
273 | <varname>PAMName=</varname> was configured), and the session scope unit. Any child processes of that process | |
274 | will however be associated with the session scope unit only. This has implications when used in combination | |
275 | with <varname>NotifyAccess=</varname><option>all</option>, as these child processes will not be able to affect | |
276 | changes in the original unit through notification messages. These messages will be considered belonging to the | |
277 | session scope unit and not the original unit. It is hence not recommended to use <varname>PAMName=</varname> in | |
278 | combination with <varname>NotifyAccess=</varname><option>all</option>.</para> | |
279 | </listitem> | |
798d3a52 ZJS |
280 | </varlistentry> |
281 | ||
b8afec21 LP |
282 | </variablelist> |
283 | </refsect1> | |
798d3a52 | 284 | |
b8afec21 LP |
285 | <refsect1> |
286 | <title>Capabilities</title> | |
798d3a52 | 287 | |
b8afec21 | 288 | <variablelist class='unit-directives'> |
798d3a52 ZJS |
289 | |
290 | <varlistentry> | |
b8afec21 LP |
291 | <term><varname>CapabilityBoundingSet=</varname></term> |
292 | ||
293 | <listitem><para>Controls which capabilities to include in the capability bounding set for the executed | |
294 | process. See <citerefentry | |
295 | project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
296 | details. Takes a whitespace-separated list of capability names, e.g. <constant>CAP_SYS_ADMIN</constant>, | |
297 | <constant>CAP_DAC_OVERRIDE</constant>, <constant>CAP_SYS_PTRACE</constant>. Capabilities listed will be | |
298 | included in the bounding set, all others are removed. If the list of capabilities is prefixed with | |
299 | <literal>~</literal>, all but the listed capabilities will be included, the effect of the assignment | |
300 | inverted. Note that this option also affects the respective capabilities in the effective, permitted and | |
301 | inheritable capability sets. If this option is not used, the capability bounding set is not modified on process | |
302 | execution, hence no limits on the capabilities of the process are enforced. This option may appear more than | |
b086654c | 303 | once, in which case the bounding sets are merged by <constant>OR</constant>, or by <constant>AND</constant> if |
b8afec21 LP |
304 | the lines are prefixed with <literal>~</literal> (see below). If the empty string is assigned to this option, |
305 | the bounding set is reset to the empty capability set, and all prior settings have no effect. If set to | |
306 | <literal>~</literal> (without any further argument), the bounding set is reset to the full set of available | |
307 | capabilities, also undoing any previous settings. This does not affect commands prefixed with | |
308 | <literal>+</literal>.</para> | |
798d3a52 | 309 | |
b8afec21 LP |
310 | <para>Example: if a unit has the following, |
311 | <programlisting>CapabilityBoundingSet=CAP_A CAP_B | |
312 | CapabilityBoundingSet=CAP_B CAP_C</programlisting> | |
313 | then <constant>CAP_A</constant>, <constant>CAP_B</constant>, and <constant>CAP_C</constant> are set. | |
314 | If the second line is prefixed with <literal>~</literal>, e.g., | |
315 | <programlisting>CapabilityBoundingSet=CAP_A CAP_B | |
316 | CapabilityBoundingSet=~CAP_B CAP_C</programlisting> | |
317 | then, only <constant>CAP_A</constant> is set.</para></listitem> | |
798d3a52 ZJS |
318 | </varlistentry> |
319 | ||
320 | <varlistentry> | |
b8afec21 | 321 | <term><varname>AmbientCapabilities=</varname></term> |
798d3a52 | 322 | |
b8afec21 LP |
323 | <listitem><para>Controls which capabilities to include in the ambient capability set for the executed |
324 | process. Takes a whitespace-separated list of capability names, e.g. <constant>CAP_SYS_ADMIN</constant>, | |
325 | <constant>CAP_DAC_OVERRIDE</constant>, <constant>CAP_SYS_PTRACE</constant>. This option may appear more than | |
326 | once in which case the ambient capability sets are merged (see the above examples in | |
327 | <varname>CapabilityBoundingSet=</varname>). If the list of capabilities is prefixed with <literal>~</literal>, | |
328 | all but the listed capabilities will be included, the effect of the assignment inverted. If the empty string is | |
329 | assigned to this option, the ambient capability set is reset to the empty capability set, and all prior | |
330 | settings have no effect. If set to <literal>~</literal> (without any further argument), the ambient capability | |
331 | set is reset to the full set of available capabilities, also undoing any previous settings. Note that adding | |
332 | capabilities to ambient capability set adds them to the process's inherited capability set. </para><para> | |
333 | Ambient capability sets are useful if you want to execute a process as a non-privileged user but still want to | |
334 | give it some capabilities. Note that in this case option <constant>keep-caps</constant> is automatically added | |
335 | to <varname>SecureBits=</varname> to retain the capabilities over the user | |
336 | change. <varname>AmbientCapabilities=</varname> does not affect commands prefixed with | |
337 | <literal>+</literal>.</para></listitem> | |
798d3a52 ZJS |
338 | </varlistentry> |
339 | ||
b8afec21 LP |
340 | </variablelist> |
341 | </refsect1> | |
798d3a52 | 342 | |
b8afec21 LP |
343 | <refsect1> |
344 | <title>Security</title> | |
798d3a52 | 345 | |
b8afec21 | 346 | <variablelist class='unit-directives'> |
798d3a52 ZJS |
347 | |
348 | <varlistentry> | |
b8afec21 | 349 | <term><varname>NoNewPrivileges=</varname></term> |
798d3a52 | 350 | |
b8afec21 LP |
351 | <listitem><para>Takes a boolean argument. If true, ensures that the service process and all its children can |
352 | never gain new privileges through <function>execve()</function> (e.g. via setuid or setgid bits, or filesystem | |
353 | capabilities). This is the simplest and most effective way to ensure that a process and its children can never | |
5af16443 YW |
354 | elevate privileges again. Defaults to false, but certain settings override this and ignore the value of this |
355 | setting. This is the case when <varname>SystemCallFilter=</varname>, | |
b8afec21 LP |
356 | <varname>SystemCallArchitectures=</varname>, <varname>RestrictAddressFamilies=</varname>, |
357 | <varname>RestrictNamespaces=</varname>, <varname>PrivateDevices=</varname>, | |
358 | <varname>ProtectKernelTunables=</varname>, <varname>ProtectKernelModules=</varname>, | |
69b52883 | 359 | <varname>MemoryDenyWriteExecute=</varname>, <varname>RestrictRealtime=</varname>, or |
5af16443 YW |
360 | <varname>LockPersonality=</varname> are specified. Note that even if this setting is overridden by them, |
361 | <command>systemctl show</command> shows the original value of this setting. Also see | |
b8afec21 LP |
362 | <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">No New Privileges |
363 | Flag</ulink>. </para></listitem> | |
798d3a52 ZJS |
364 | </varlistentry> |
365 | ||
366 | <varlistentry> | |
b8afec21 | 367 | <term><varname>SecureBits=</varname></term> |
798d3a52 | 368 | |
b8afec21 LP |
369 | <listitem><para>Controls the secure bits set for the executed process. Takes a space-separated combination of |
370 | options from the following list: <option>keep-caps</option>, <option>keep-caps-locked</option>, | |
371 | <option>no-setuid-fixup</option>, <option>no-setuid-fixup-locked</option>, <option>noroot</option>, and | |
372 | <option>noroot-locked</option>. This option may appear more than once, in which case the secure bits are | |
373 | ORed. If the empty string is assigned to this option, the bits are reset to 0. This does not affect commands | |
374 | prefixed with <literal>+</literal>. See <citerefentry | |
375 | project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
376 | details.</para></listitem> | |
798d3a52 ZJS |
377 | </varlistentry> |
378 | ||
b8afec21 LP |
379 | </variablelist> |
380 | </refsect1> | |
798d3a52 | 381 | |
b8afec21 LP |
382 | <refsect1> |
383 | <title>Mandatory Access Control</title> | |
384 | <variablelist> | |
798d3a52 | 385 | |
798d3a52 | 386 | <varlistentry> |
b8afec21 LP |
387 | <term><varname>SELinuxContext=</varname></term> |
388 | ||
389 | <listitem><para>Set the SELinux security context of the executed process. If set, this will override the | |
390 | automated domain transition. However, the policy still needs to authorize the transition. This directive is | |
391 | ignored if SELinux is disabled. If prefixed by <literal>-</literal>, all errors will be ignored. This does not | |
392 | affect commands prefixed with <literal>+</literal>. See <citerefentry | |
393 | project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry> for | |
394 | details.</para></listitem> | |
798d3a52 ZJS |
395 | </varlistentry> |
396 | ||
b4c14404 | 397 | <varlistentry> |
b8afec21 | 398 | <term><varname>AppArmorProfile=</varname></term> |
b4c14404 | 399 | |
b8afec21 LP |
400 | <listitem><para>Takes a profile name as argument. The process executed by the unit will switch to this profile |
401 | when started. Profiles must already be loaded in the kernel, or the unit will fail. This result in a non | |
402 | operation if AppArmor is not enabled. If prefixed by <literal>-</literal>, all errors will be ignored. This | |
403 | does not affect commands prefixed with <literal>+</literal>.</para></listitem> | |
404 | </varlistentry> | |
00819cc1 | 405 | |
b8afec21 LP |
406 | <varlistentry> |
407 | <term><varname>SmackProcessLabel=</varname></term> | |
b4c14404 | 408 | |
b8afec21 LP |
409 | <listitem><para>Takes a <option>SMACK64</option> security label as argument. The process executed by the unit |
410 | will be started under this label and SMACK will decide whether the process is allowed to run or not, based on | |
411 | it. The process will continue to run under the label specified here unless the executable has its own | |
412 | <option>SMACK64EXEC</option> label, in which case the process will transition to run under that label. When not | |
413 | specified, the label that systemd is running under is used. This directive is ignored if SMACK is | |
414 | disabled.</para> | |
b4c14404 | 415 | |
b8afec21 LP |
416 | <para>The value may be prefixed by <literal>-</literal>, in which case all errors will be ignored. An empty |
417 | value may be specified to unset previous assignments. This does not affect commands prefixed with | |
418 | <literal>+</literal>.</para></listitem> | |
b4c14404 FB |
419 | </varlistentry> |
420 | ||
b8afec21 LP |
421 | </variablelist> |
422 | </refsect1> | |
00819cc1 | 423 | |
b8afec21 LP |
424 | <refsect1> |
425 | <title>Process Properties</title> | |
00819cc1 | 426 | |
b8afec21 | 427 | <variablelist> |
00819cc1 | 428 | |
798d3a52 | 429 | <varlistentry> |
b8afec21 LP |
430 | <term><varname>LimitCPU=</varname></term> |
431 | <term><varname>LimitFSIZE=</varname></term> | |
432 | <term><varname>LimitDATA=</varname></term> | |
433 | <term><varname>LimitSTACK=</varname></term> | |
434 | <term><varname>LimitCORE=</varname></term> | |
435 | <term><varname>LimitRSS=</varname></term> | |
436 | <term><varname>LimitNOFILE=</varname></term> | |
437 | <term><varname>LimitAS=</varname></term> | |
438 | <term><varname>LimitNPROC=</varname></term> | |
439 | <term><varname>LimitMEMLOCK=</varname></term> | |
440 | <term><varname>LimitLOCKS=</varname></term> | |
441 | <term><varname>LimitSIGPENDING=</varname></term> | |
442 | <term><varname>LimitMSGQUEUE=</varname></term> | |
443 | <term><varname>LimitNICE=</varname></term> | |
444 | <term><varname>LimitRTPRIO=</varname></term> | |
445 | <term><varname>LimitRTTIME=</varname></term> | |
fc8d0381 | 446 | |
b8afec21 LP |
447 | <listitem><para>Set soft and hard limits on various resources for executed processes. See |
448 | <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> for details on | |
449 | the resource limit concept. Resource limits may be specified in two formats: either as single value to set a | |
450 | specific soft and hard limit to the same value, or as colon-separated pair <option>soft:hard</option> to set | |
451 | both limits individually (e.g. <literal>LimitAS=4G:16G</literal>). Use the string <option>infinity</option> to | |
452 | configure no limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) | |
453 | may be used for resource limits measured in bytes (e.g. LimitAS=16G). For the limits referring to time values, | |
454 | the usual time units ms, s, min, h and so on may be used (see | |
455 | <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
456 | details). Note that if no time unit is specified for <varname>LimitCPU=</varname> the default unit of seconds | |
457 | is implied, while for <varname>LimitRTTIME=</varname> the default unit of microseconds is implied. Also, note | |
458 | that the effective granularity of the limits might influence their enforcement. For example, time limits | |
459 | specified for <varname>LimitCPU=</varname> will be rounded up implicitly to multiples of 1s. For | |
460 | <varname>LimitNICE=</varname> the value may be specified in two syntaxes: if prefixed with <literal>+</literal> | |
461 | or <literal>-</literal>, the value is understood as regular Linux nice value in the range -20..19. If not | |
462 | prefixed like this the value is understood as raw resource limit parameter in the range 0..40 (with 0 being | |
463 | equivalent to 1).</para> | |
fc8d0381 | 464 | |
b8afec21 LP |
465 | <para>Note that most process resource limits configured with these options are per-process, and processes may |
466 | fork in order to acquire a new set of resources that are accounted independently of the original process, and | |
467 | may thus escape limits set. Also note that <varname>LimitRSS=</varname> is not implemented on Linux, and | |
468 | setting it has no effect. Often it is advisable to prefer the resource controls listed in | |
469 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
470 | over these per-process limits, as they apply to services as a whole, may be altered dynamically at runtime, and | |
471 | are generally more expressive. For example, <varname>MemoryLimit=</varname> is a more powerful (and working) | |
472 | replacement for <varname>LimitRSS=</varname>.</para> | |
fc8d0381 | 473 | |
b8afec21 LP |
474 | <para>For system units these resource limits may be chosen freely. For user units however (i.e. units run by a |
475 | per-user instance of | |
476 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>), these limits are | |
477 | bound by (possibly more restrictive) per-user limits enforced by the OS.</para> | |
fc8d0381 | 478 | |
b8afec21 LP |
479 | <para>Resource limits not configured explicitly for a unit default to the value configured in the various |
480 | <varname>DefaultLimitCPU=</varname>, <varname>DefaultLimitFSIZE=</varname>, … options available in | |
481 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, and – | |
482 | if not configured there – the kernel or per-user defaults, as defined by the OS (the latter only for user | |
483 | services, see above).</para> | |
fc8d0381 | 484 | |
b8afec21 LP |
485 | <table> |
486 | <title>Resource limit directives, their equivalent <command>ulimit</command> shell commands and the unit used</title> | |
798d3a52 | 487 | |
a4c18002 | 488 | <tgroup cols='3'> |
798d3a52 ZJS |
489 | <colspec colname='directive' /> |
490 | <colspec colname='equivalent' /> | |
a4c18002 | 491 | <colspec colname='unit' /> |
798d3a52 ZJS |
492 | <thead> |
493 | <row> | |
494 | <entry>Directive</entry> | |
f4c9356d | 495 | <entry><command>ulimit</command> equivalent</entry> |
a4c18002 | 496 | <entry>Unit</entry> |
798d3a52 ZJS |
497 | </row> |
498 | </thead> | |
499 | <tbody> | |
500 | <row> | |
a4c18002 | 501 | <entry>LimitCPU=</entry> |
798d3a52 | 502 | <entry>ulimit -t</entry> |
a4c18002 | 503 | <entry>Seconds</entry> |
798d3a52 ZJS |
504 | </row> |
505 | <row> | |
a4c18002 | 506 | <entry>LimitFSIZE=</entry> |
798d3a52 | 507 | <entry>ulimit -f</entry> |
a4c18002 | 508 | <entry>Bytes</entry> |
798d3a52 ZJS |
509 | </row> |
510 | <row> | |
a4c18002 | 511 | <entry>LimitDATA=</entry> |
798d3a52 | 512 | <entry>ulimit -d</entry> |
a4c18002 | 513 | <entry>Bytes</entry> |
798d3a52 ZJS |
514 | </row> |
515 | <row> | |
a4c18002 | 516 | <entry>LimitSTACK=</entry> |
798d3a52 | 517 | <entry>ulimit -s</entry> |
a4c18002 | 518 | <entry>Bytes</entry> |
798d3a52 ZJS |
519 | </row> |
520 | <row> | |
a4c18002 | 521 | <entry>LimitCORE=</entry> |
798d3a52 | 522 | <entry>ulimit -c</entry> |
a4c18002 | 523 | <entry>Bytes</entry> |
798d3a52 ZJS |
524 | </row> |
525 | <row> | |
a4c18002 | 526 | <entry>LimitRSS=</entry> |
798d3a52 | 527 | <entry>ulimit -m</entry> |
a4c18002 | 528 | <entry>Bytes</entry> |
798d3a52 ZJS |
529 | </row> |
530 | <row> | |
a4c18002 | 531 | <entry>LimitNOFILE=</entry> |
798d3a52 | 532 | <entry>ulimit -n</entry> |
a4c18002 | 533 | <entry>Number of File Descriptors</entry> |
798d3a52 ZJS |
534 | </row> |
535 | <row> | |
a4c18002 | 536 | <entry>LimitAS=</entry> |
798d3a52 | 537 | <entry>ulimit -v</entry> |
a4c18002 | 538 | <entry>Bytes</entry> |
798d3a52 ZJS |
539 | </row> |
540 | <row> | |
a4c18002 | 541 | <entry>LimitNPROC=</entry> |
798d3a52 | 542 | <entry>ulimit -u</entry> |
a4c18002 | 543 | <entry>Number of Processes</entry> |
798d3a52 ZJS |
544 | </row> |
545 | <row> | |
a4c18002 | 546 | <entry>LimitMEMLOCK=</entry> |
798d3a52 | 547 | <entry>ulimit -l</entry> |
a4c18002 | 548 | <entry>Bytes</entry> |
798d3a52 ZJS |
549 | </row> |
550 | <row> | |
a4c18002 | 551 | <entry>LimitLOCKS=</entry> |
798d3a52 | 552 | <entry>ulimit -x</entry> |
a4c18002 | 553 | <entry>Number of Locks</entry> |
798d3a52 ZJS |
554 | </row> |
555 | <row> | |
a4c18002 | 556 | <entry>LimitSIGPENDING=</entry> |
798d3a52 | 557 | <entry>ulimit -i</entry> |
a4c18002 | 558 | <entry>Number of Queued Signals</entry> |
798d3a52 ZJS |
559 | </row> |
560 | <row> | |
a4c18002 | 561 | <entry>LimitMSGQUEUE=</entry> |
798d3a52 | 562 | <entry>ulimit -q</entry> |
a4c18002 | 563 | <entry>Bytes</entry> |
798d3a52 ZJS |
564 | </row> |
565 | <row> | |
a4c18002 | 566 | <entry>LimitNICE=</entry> |
798d3a52 | 567 | <entry>ulimit -e</entry> |
a4c18002 | 568 | <entry>Nice Level</entry> |
798d3a52 ZJS |
569 | </row> |
570 | <row> | |
a4c18002 | 571 | <entry>LimitRTPRIO=</entry> |
798d3a52 | 572 | <entry>ulimit -r</entry> |
a4c18002 | 573 | <entry>Realtime Priority</entry> |
798d3a52 ZJS |
574 | </row> |
575 | <row> | |
a4c18002 | 576 | <entry>LimitRTTIME=</entry> |
798d3a52 | 577 | <entry>No equivalent</entry> |
a4c18002 | 578 | <entry>Microseconds</entry> |
798d3a52 ZJS |
579 | </row> |
580 | </tbody> | |
581 | </tgroup> | |
a4c18002 | 582 | </table></listitem> |
798d3a52 ZJS |
583 | </varlistentry> |
584 | ||
585 | <varlistentry> | |
b8afec21 | 586 | <term><varname>UMask=</varname></term> |
9eb484fa | 587 | |
b8afec21 LP |
588 | <listitem><para>Controls the file mode creation mask. Takes an access mode in octal notation. See |
589 | <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry> for details. Defaults | |
590 | to 0022.</para></listitem> | |
591 | </varlistentry> | |
592 | ||
593 | <varlistentry> | |
594 | <term><varname>KeyringMode=</varname></term> | |
595 | ||
596 | <listitem><para>Controls how the kernel session keyring is set up for the service (see <citerefentry | |
597 | project='man-pages'><refentrytitle>session-keyring</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
598 | details on the session keyring). Takes one of <option>inherit</option>, <option>private</option>, | |
599 | <option>shared</option>. If set to <option>inherit</option> no special keyring setup is done, and the kernel's | |
600 | default behaviour is applied. If <option>private</option> is used a new session keyring is allocated when a | |
601 | service process is invoked, and it is not linked up with any user keyring. This is the recommended setting for | |
602 | system services, as this ensures that multiple services running under the same system user ID (in particular | |
603 | the root user) do not share their key material among each other. If <option>shared</option> is used a new | |
604 | session keyring is allocated as for <option>private</option>, but the user keyring of the user configured with | |
605 | <varname>User=</varname> is linked into it, so that keys assigned to the user may be requested by the unit's | |
606 | processes. In this modes multiple units running processes under the same user ID may share key material. Unless | |
607 | <option>inherit</option> is selected the unique invocation ID for the unit (see below) is added as a protected | |
608 | key by the name <literal>invocation_id</literal> to the newly created session keyring. Defaults to | |
00f5ad93 LP |
609 | <option>private</option> for services of the system service manager and to <option>inherit</option> for |
610 | non-service units and for services of the user service manager.</para></listitem> | |
b8afec21 LP |
611 | </varlistentry> |
612 | ||
613 | <varlistentry> | |
614 | <term><varname>OOMScoreAdjust=</varname></term> | |
615 | ||
616 | <listitem><para>Sets the adjustment level for the Out-Of-Memory killer for executed processes. Takes an integer | |
617 | between -1000 (to disable OOM killing for this process) and 1000 (to make killing of this process under memory | |
618 | pressure very likely). See <ulink | |
619 | url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink> for | |
620 | details.</para></listitem> | |
621 | </varlistentry> | |
622 | ||
623 | <varlistentry> | |
624 | <term><varname>TimerSlackNSec=</varname></term> | |
625 | <listitem><para>Sets the timer slack in nanoseconds for the executed processes. The timer slack controls the | |
626 | accuracy of wake-ups triggered by timers. See | |
627 | <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> for more | |
628 | information. Note that in contrast to most other time span definitions this parameter takes an integer value in | |
629 | nano-seconds if no unit is specified. The usual time units are understood too.</para></listitem> | |
630 | </varlistentry> | |
631 | ||
632 | <varlistentry> | |
633 | <term><varname>Personality=</varname></term> | |
634 | ||
635 | <listitem><para>Controls which kernel architecture <citerefentry | |
636 | project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry> shall report, | |
637 | when invoked by unit processes. Takes one of the architecture identifiers <constant>x86</constant>, | |
638 | <constant>x86-64</constant>, <constant>ppc</constant>, <constant>ppc-le</constant>, <constant>ppc64</constant>, | |
639 | <constant>ppc64-le</constant>, <constant>s390</constant> or <constant>s390x</constant>. Which personality | |
640 | architectures are supported depends on the system architecture. Usually the 64bit versions of the various | |
641 | system architectures support their immediate 32bit personality architecture counterpart, but no others. For | |
642 | example, <constant>x86-64</constant> systems support the <constant>x86-64</constant> and | |
643 | <constant>x86</constant> personalities but no others. The personality feature is useful when running 32-bit | |
644 | services on a 64-bit host system. If not specified, the personality is left unmodified and thus reflects the | |
645 | personality of the host system's kernel.</para></listitem> | |
646 | </varlistentry> | |
647 | ||
648 | <varlistentry> | |
649 | <term><varname>IgnoreSIGPIPE=</varname></term> | |
650 | ||
651 | <listitem><para>Takes a boolean argument. If true, causes <constant>SIGPIPE</constant> to be ignored in the | |
652 | executed process. Defaults to true because <constant>SIGPIPE</constant> generally is useful only in shell | |
653 | pipelines.</para></listitem> | |
654 | </varlistentry> | |
655 | ||
656 | </variablelist> | |
657 | </refsect1> | |
658 | ||
659 | <refsect1> | |
660 | <title>Scheduling</title> | |
661 | ||
662 | <variablelist> | |
663 | ||
664 | <varlistentry> | |
665 | <term><varname>Nice=</varname></term> | |
666 | ||
667 | <listitem><para>Sets the default nice level (scheduling priority) for executed processes. Takes an integer | |
668 | between -20 (highest priority) and 19 (lowest priority). See | |
669 | <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry> for | |
670 | details.</para></listitem> | |
671 | </varlistentry> | |
672 | ||
673 | <varlistentry> | |
674 | <term><varname>CPUSchedulingPolicy=</varname></term> | |
675 | ||
676 | <listitem><para>Sets the CPU scheduling policy for executed processes. Takes one of <option>other</option>, | |
677 | <option>batch</option>, <option>idle</option>, <option>fifo</option> or <option>rr</option>. See | |
678 | <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> for | |
679 | details.</para></listitem> | |
680 | </varlistentry> | |
681 | ||
682 | <varlistentry> | |
683 | <term><varname>CPUSchedulingPriority=</varname></term> | |
684 | ||
685 | <listitem><para>Sets the CPU scheduling priority for executed processes. The available priority range depends | |
686 | on the selected CPU scheduling policy (see above). For real-time scheduling policies an integer between 1 | |
687 | (lowest priority) and 99 (highest priority) can be used. See | |
688 | <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> for | |
689 | details. </para></listitem> | |
690 | </varlistentry> | |
691 | ||
692 | <varlistentry> | |
693 | <term><varname>CPUSchedulingResetOnFork=</varname></term> | |
694 | ||
695 | <listitem><para>Takes a boolean argument. If true, elevated CPU scheduling priorities and policies will be | |
696 | reset when the executed processes fork, and can hence not leak into child processes. See | |
697 | <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> for | |
698 | details. Defaults to false.</para></listitem> | |
699 | </varlistentry> | |
700 | ||
701 | <varlistentry> | |
702 | <term><varname>CPUAffinity=</varname></term> | |
703 | ||
704 | <listitem><para>Controls the CPU affinity of the executed processes. Takes a list of CPU indices or ranges | |
705 | separated by either whitespace or commas. CPU ranges are specified by the lower and upper CPU indices separated | |
706 | by a dash. This option may be specified more than once, in which case the specified CPU affinity masks are | |
707 | merged. If the empty string is assigned, the mask is reset, all assignments prior to this will have no | |
708 | effect. See | |
709 | <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry> for | |
710 | details.</para></listitem> | |
711 | </varlistentry> | |
712 | ||
713 | <varlistentry> | |
714 | <term><varname>IOSchedulingClass=</varname></term> | |
715 | ||
716 | <listitem><para>Sets the I/O scheduling class for executed processes. Takes an integer between 0 and 3 or one | |
717 | of the strings <option>none</option>, <option>realtime</option>, <option>best-effort</option> or | |
617d253a YW |
718 | <option>idle</option>. If the empty string is assigned to this option, all prior assignments to both |
719 | <varname>IOSchedulingClass=</varname> and <varname>IOSchedulingPriority=</varname> have no effect. See | |
b8afec21 LP |
720 | <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> for |
721 | details.</para></listitem> | |
722 | </varlistentry> | |
723 | ||
724 | <varlistentry> | |
725 | <term><varname>IOSchedulingPriority=</varname></term> | |
726 | ||
727 | <listitem><para>Sets the I/O scheduling priority for executed processes. Takes an integer between 0 (highest | |
728 | priority) and 7 (lowest priority). The available priorities depend on the selected I/O scheduling class (see | |
617d253a YW |
729 | above). If the empty string is assigned to this option, all prior assignments to both |
730 | <varname>IOSchedulingClass=</varname> and <varname>IOSchedulingPriority=</varname> have no effect. | |
731 | See <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> for | |
b8afec21 LP |
732 | details.</para></listitem> |
733 | </varlistentry> | |
734 | ||
735 | </variablelist> | |
736 | </refsect1> | |
737 | ||
b8afec21 LP |
738 | <refsect1> |
739 | <title>Sandboxing</title> | |
740 | ||
741 | <variablelist> | |
742 | ||
743 | <varlistentry> | |
744 | <term><varname>ProtectSystem=</varname></term> | |
745 | ||
746 | <listitem><para>Takes a boolean argument or the special values <literal>full</literal> or | |
747 | <literal>strict</literal>. If true, mounts the <filename>/usr</filename> and <filename>/boot</filename> | |
748 | directories read-only for processes invoked by this unit. If set to <literal>full</literal>, the | |
749 | <filename>/etc</filename> directory is mounted read-only, too. If set to <literal>strict</literal> the entire | |
750 | file system hierarchy is mounted read-only, except for the API file system subtrees <filename>/dev</filename>, | |
751 | <filename>/proc</filename> and <filename>/sys</filename> (protect these directories using | |
752 | <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>, | |
753 | <varname>ProtectControlGroups=</varname>). This setting ensures that any modification of the vendor-supplied | |
754 | operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is | |
755 | recommended to enable this setting for all long-running services, unless they are involved with system updates | |
756 | or need to modify the operating system in other ways. If this option is used, | |
757 | <varname>ReadWritePaths=</varname> may be used to exclude specific directories from being made read-only. This | |
758 | setting is implied if <varname>DynamicUser=</varname> is set. For this setting the same restrictions regarding | |
759 | mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and related calls, see | |
760 | below. Defaults to off.</para></listitem> | |
761 | </varlistentry> | |
762 | ||
763 | <varlistentry> | |
764 | <term><varname>ProtectHome=</varname></term> | |
765 | ||
e4da7d8c YW |
766 | <listitem><para>Takes a boolean argument or the special values <literal>read-only</literal> or |
767 | <literal>tmpfs</literal>. If true, the directories <filename>/home</filename>, <filename>/root</filename> and | |
768 | <filename>/run/user</filename> are made inaccessible and empty for processes invoked by this unit. If set to | |
769 | <literal>read-only</literal>, the three directories are made read-only instead. If set to <literal>tmpfs</literal>, | |
770 | temporary file systems are mounted on the three directories in read-only mode. The value <literal>tmpfs</literal> | |
771 | is useful to hide home directories not relevant to the processes invoked by the unit, while necessary directories | |
772 | are still visible by combining with <varname>BindPaths=</varname> or <varname>BindReadOnlyPaths=</varname>.</para> | |
773 | ||
774 | <para>Setting this to <literal>yes</literal> is mostly equivalent to set the three directories in | |
1b2ad5d9 | 775 | <varname>InaccessiblePaths=</varname>. Similarly, <literal>read-only</literal> is mostly equivalent to |
e4da7d8c YW |
776 | <varname>ReadOnlyPaths=</varname>, and <literal>tmpfs</literal> is mostly equivalent to |
777 | <varname>TemporaryFileSystem=</varname>.</para> | |
778 | ||
779 | <para> It is recommended to enable this setting for all long-running services (in particular network-facing ones), | |
780 | to ensure they cannot get access to private user data, unless the services actually require access to the user's | |
781 | private data. This setting is implied if <varname>DynamicUser=</varname> is set. For this setting the same | |
782 | restrictions regarding mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and related | |
783 | calls, see below.</para></listitem> | |
b8afec21 LP |
784 | </varlistentry> |
785 | ||
786 | <varlistentry> | |
787 | <term><varname>RuntimeDirectory=</varname></term> | |
788 | <term><varname>StateDirectory=</varname></term> | |
789 | <term><varname>CacheDirectory=</varname></term> | |
790 | <term><varname>LogsDirectory=</varname></term> | |
791 | <term><varname>ConfigurationDirectory=</varname></term> | |
792 | ||
793 | <listitem><para>These options take a whitespace-separated list of directory names. The specified directory | |
d3c8afd0 | 794 | names must be relative, and may not include <literal>..</literal>. If set, one or more |
8d00da49 | 795 | directories by the specified names will be created (including their parents) below the locations |
f86fae61 | 796 | defined in the following table, when the unit is started.</para> |
8d00da49 BV |
797 | <table> |
798 | <title>Automatic directory creation</title> | |
799 | <tgroup cols='3'> | |
800 | <thead> | |
801 | <row> | |
802 | <entry>Locations</entry> | |
803 | <entry>for system</entry> | |
804 | <entry>for users</entry> | |
805 | </row> | |
806 | </thead> | |
807 | <tbody> | |
808 | <row> | |
809 | <entry><varname>RuntimeDirectory=</varname></entry> | |
810 | <entry><filename>/run</filename></entry> | |
811 | <entry><varname>$XDG_RUNTIME_DIR</varname></entry> | |
812 | </row> | |
813 | <row> | |
814 | <entry><varname>StateDirectory=</varname></entry> | |
815 | <entry><filename>/var/lib</filename></entry> | |
816 | <entry><varname>$XDG_CONFIG_HOME</varname></entry> | |
817 | </row> | |
818 | <row> | |
819 | <entry><varname>CacheDirectory=</varname></entry> | |
820 | <entry><filename>/var/cache</filename></entry> | |
821 | <entry><varname>$XDG_CACHE_HOME</varname></entry> | |
822 | </row> | |
823 | <row> | |
824 | <entry><varname>LogsDirectory=</varname></entry> | |
825 | <entry><filename>/var/log</filename></entry> | |
826 | <entry><varname>$XDG_CONFIG_HOME</varname><filename>/log</filename></entry> | |
827 | </row> | |
828 | <row> | |
829 | <entry><varname>ConfigurationDirectory=</varname></entry> | |
830 | <entry><filename>/etc</filename></entry> | |
831 | <entry><varname>$XDG_CONFIG_HOME</varname></entry> | |
832 | </row> | |
833 | </tbody> | |
834 | </tgroup> | |
835 | </table> | |
f86fae61 | 836 | |
b8afec21 LP |
837 | <para>In case of <varname>RuntimeDirectory=</varname> the lowest subdirectories are removed when the unit is |
838 | stopped. It is possible to preserve the specified directories in this case if | |
839 | <varname>RuntimeDirectoryPreserve=</varname> is configured to <option>restart</option> or <option>yes</option> | |
840 | (see below). The directories specified with <varname>StateDirectory=</varname>, | |
841 | <varname>CacheDirectory=</varname>, <varname>LogsDirectory=</varname>, | |
842 | <varname>ConfigurationDirectory=</varname> are not removed when the unit is stopped.</para> | |
843 | ||
844 | <para>Except in case of <varname>ConfigurationDirectory=</varname>, the innermost specified directories will be | |
845 | owned by the user and group specified in <varname>User=</varname> and <varname>Group=</varname>. If the | |
846 | specified directories already exist and their owning user or group do not match the configured ones, all files | |
847 | and directories below the specified directories as well as the directories themselves will have their file | |
848 | ownership recursively changed to match what is configured. As an optimization, if the specified directories are | |
849 | already owned by the right user and group, files and directories below of them are left as-is, even if they do | |
850 | not match what is requested. The innermost specified directories will have their access mode adjusted to the | |
851 | what is specified in <varname>RuntimeDirectoryMode=</varname>, <varname>StateDirectoryMode=</varname>, | |
852 | <varname>CacheDirectoryMode=</varname>, <varname>LogsDirectoryMode=</varname> and | |
853 | <varname>ConfigurationDirectoryMode=</varname>.</para> | |
5aaeeffb | 854 | |
b8afec21 LP |
855 | <para>These options imply <varname>BindPaths=</varname> for the specified paths. When combined with |
856 | <varname>RootDirectory=</varname> or <varname>RootImage=</varname> these paths always reside on the host and | |
857 | are mounted from there into the unit's file system namespace.</para> | |
798d3a52 | 858 | |
b8afec21 LP |
859 | <para>If <varname>DynamicUser=</varname> is used in conjunction with <varname>StateDirectory=</varname>, |
860 | <varname>CacheDirectory=</varname> and <varname>LogsDirectory=</varname> is slightly altered: the directories | |
861 | are created below <filename>/var/lib/private</filename>, <filename>/var/cache/private</filename> and | |
862 | <filename>/var/log/private</filename>, respectively, which are host directories made inaccessible to | |
863 | unprivileged users, which ensures that access to these directories cannot be gained through dynamic user ID | |
864 | recycling. Symbolic links are created to hide this difference in behaviour. Both from perspective of the host | |
865 | and from inside the unit, the relevant directories hence always appear directly below | |
866 | <filename>/var/lib</filename>, <filename>/var/cache</filename> and <filename>/var/log</filename>.</para> | |
798d3a52 | 867 | |
b8afec21 LP |
868 | <para>Use <varname>RuntimeDirectory=</varname> to manage one or more runtime directories for the unit and bind |
869 | their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create | |
870 | runtime directories in <filename>/run</filename> due to lack of privileges, and to make sure the runtime | |
871 | directory is cleaned up automatically after use. For runtime directories that require more complex or different | |
872 | configuration or lifetime guarantees, please consider using | |
873 | <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
de7070b4 | 874 | |
b8afec21 LP |
875 | <para>Example: if a system service unit has the following, |
876 | <programlisting>RuntimeDirectory=foo/bar baz</programlisting> | |
877 | the service manager creates <filename>/run/foo</filename> (if it does not exist), | |
878 | <filename>/run/foo/bar</filename>, and <filename>/run/baz</filename>. The directories | |
879 | <filename>/run/foo/bar</filename> and <filename>/run/baz</filename> except <filename>/run/foo</filename> are | |
880 | owned by the user and group specified in <varname>User=</varname> and <varname>Group=</varname>, and removed | |
881 | when the service is stopped.</para></listitem> | |
798d3a52 ZJS |
882 | </varlistentry> |
883 | ||
ece87975 | 884 | <varlistentry> |
b8afec21 LP |
885 | <term><varname>RuntimeDirectoryMode=</varname></term> |
886 | <term><varname>StateDirectoryMode=</varname></term> | |
887 | <term><varname>CacheDirectoryMode=</varname></term> | |
888 | <term><varname>LogsDirectoryMode=</varname></term> | |
889 | <term><varname>ConfigurationDirectoryMode=</varname></term> | |
ece87975 | 890 | |
b8afec21 LP |
891 | <listitem><para>Specifies the access mode of the directories specified in <varname>RuntimeDirectory=</varname>, |
892 | <varname>StateDirectory=</varname>, <varname>CacheDirectory=</varname>, <varname>LogsDirectory=</varname>, or | |
893 | <varname>ConfigurationDirectory=</varname>, respectively, as an octal number. Defaults to | |
894 | <constant>0755</constant>. See "Permissions" in <citerefentry | |
895 | project='man-pages'><refentrytitle>path_resolution</refentrytitle><manvolnum>7</manvolnum></citerefentry> for a | |
896 | discussion of the meaning of permission bits.</para></listitem> | |
ece87975 IP |
897 | </varlistentry> |
898 | ||
798d3a52 | 899 | <varlistentry> |
b8afec21 LP |
900 | <term><varname>RuntimeDirectoryPreserve=</varname></term> |
901 | ||
902 | <listitem><para>Takes a boolean argument or <option>restart</option>. If set to <option>no</option> (the | |
903 | default), the directories specified in <varname>RuntimeDirectory=</varname> are always removed when the service | |
904 | stops. If set to <option>restart</option> the directories are preserved when the service is both automatically | |
905 | and manually restarted. Here, the automatic restart means the operation specified in | |
906 | <varname>Restart=</varname>, and manual restart means the one triggered by <command>systemctl restart | |
907 | foo.service</command>. If set to <option>yes</option>, then the directories are not removed when the service is | |
908 | stopped. Note that since the runtime directory <filename>/run</filename> is a mount point of | |
909 | <literal>tmpfs</literal>, then for system services the directories specified in | |
910 | <varname>RuntimeDirectory=</varname> are removed when the system is rebooted.</para></listitem> | |
798d3a52 ZJS |
911 | </varlistentry> |
912 | ||
798d3a52 | 913 | <varlistentry> |
2a624c36 AP |
914 | <term><varname>ReadWritePaths=</varname></term> |
915 | <term><varname>ReadOnlyPaths=</varname></term> | |
916 | <term><varname>InaccessiblePaths=</varname></term> | |
798d3a52 | 917 | |
effbd6d2 LP |
918 | <listitem><para>Sets up a new file system namespace for executed processes. These options may be used to limit |
919 | access a process might have to the file system hierarchy. Each setting takes a space-separated list of paths | |
920 | relative to the host's root directory (i.e. the system running the service manager). Note that if paths | |
921 | contain symlinks, they are resolved relative to the root directory set with | |
915e6d16 | 922 | <varname>RootDirectory=</varname>/<varname>RootImage=</varname>.</para> |
effbd6d2 LP |
923 | |
924 | <para>Paths listed in <varname>ReadWritePaths=</varname> are accessible from within the namespace with the same | |
925 | access modes as from outside of it. Paths listed in <varname>ReadOnlyPaths=</varname> are accessible for | |
926 | reading only, writing will be refused even if the usual file access controls would permit this. Nest | |
927 | <varname>ReadWritePaths=</varname> inside of <varname>ReadOnlyPaths=</varname> in order to provide writable | |
928 | subdirectories within read-only directories. Use <varname>ReadWritePaths=</varname> in order to whitelist | |
e568a92d YW |
929 | specific paths for write access if <varname>ProtectSystem=strict</varname> is used.</para> |
930 | ||
931 | <para>Paths listed in <varname>InaccessiblePaths=</varname> will be made inaccessible for processes inside | |
932 | the namespace along with everything below them in the file system hierarchy. This may be more restrictive than | |
933 | desired, because it is not possible to nest <varname>ReadWritePaths=</varname>, <varname>ReadOnlyPaths=</varname>, | |
934 | <varname>BindPaths=</varname>, or <varname>BindReadOnlyPaths=</varname> inside it. For a more flexible option, | |
935 | see <varname>TemporaryFileSystem=</varname>.</para> | |
effbd6d2 LP |
936 | |
937 | <para>Note that restricting access with these options does not extend to submounts of a directory that are | |
938 | created later on. Non-directory paths may be specified as well. These options may be specified more than once, | |
939 | in which case all paths listed will have limited access from within the namespace. If the empty string is | |
940 | assigned to this option, the specific list is reset, and all prior assignments have no effect.</para> | |
941 | ||
e778185b | 942 | <para>Paths in <varname>ReadWritePaths=</varname>, <varname>ReadOnlyPaths=</varname> and |
5327c910 LP |
943 | <varname>InaccessiblePaths=</varname> may be prefixed with <literal>-</literal>, in which case they will be |
944 | ignored when they do not exist. If prefixed with <literal>+</literal> the paths are taken relative to the root | |
915e6d16 LP |
945 | directory of the unit, as configured with <varname>RootDirectory=</varname>/<varname>RootImage=</varname>, |
946 | instead of relative to the root directory of the host (see above). When combining <literal>-</literal> and | |
947 | <literal>+</literal> on the same path make sure to specify <literal>-</literal> first, and <literal>+</literal> | |
948 | second.</para> | |
5327c910 LP |
949 | |
950 | <para>Note that using this setting will disconnect propagation of mounts from the service to the host | |
951 | (propagation in the opposite direction continues to work). This means that this setting may not be used for | |
952 | services which shall be able to install mount points in the main mount namespace. Note that the effect of these | |
953 | settings may be undone by privileged processes. In order to set up an effective sandboxed environment for a | |
954 | unit it is thus recommended to combine these settings with either | |
955 | <varname>CapabilityBoundingSet=~CAP_SYS_ADMIN</varname> or | |
956 | <varname>SystemCallFilter=~@mount</varname>.</para></listitem> | |
798d3a52 ZJS |
957 | </varlistentry> |
958 | ||
c10b460b YW |
959 | <varlistentry> |
960 | <term><varname>TemporaryFileSystem=</varname></term> | |
961 | ||
962 | <listitem><para>Takes a space-separated list of mount points for temporary file systems (tmpfs). If set, a new file | |
963 | system namespace is set up for executed processes, and a temporary file system is mounted on each mount point. | |
964 | This option may be specified more than once, in which case temporary file systems are mounted on all listed mount | |
965 | points. If the empty string is assigned to this option, the list is reset, and all prior assignments have no effect. | |
966 | Each mount point may optionally be suffixed with a colon (<literal>:</literal>) and mount options such as | |
967 | <literal>size=10%</literal> or <literal>ro</literal>. By default, each temporary file system is mounted | |
968 | with <literal>nodev,strictatime,mode=0755</literal>. These can be disabled by explicitly specifying the corresponding | |
969 | mount options, e.g., <literal>dev</literal> or <literal>nostrictatime</literal>.</para> | |
970 | ||
971 | <para>This is useful to hide files or directories not relevant to the processes invoked by the unit, while necessary | |
972 | files or directories can be still accessed by combining with <varname>BindPaths=</varname> or | |
973 | <varname>BindReadOnlyPaths=</varname>. See the example below.</para> | |
974 | ||
975 | <para>Example: if a unit has the following, | |
976 | <programlisting>TemporaryFileSystem=/var:ro | |
977 | BindReadOnlyPaths=/var/lib/systemd</programlisting> | |
978 | then the invoked processes by the unit cannot see any files or directories under <filename>/var</filename> except for | |
979 | <filename>/var/lib/systemd</filename> or its contents.</para></listitem> | |
980 | </varlistentry> | |
981 | ||
798d3a52 ZJS |
982 | <varlistentry> |
983 | <term><varname>PrivateTmp=</varname></term> | |
984 | ||
00d9ef85 LP |
985 | <listitem><para>Takes a boolean argument. If true, sets up a new file system namespace for the executed |
986 | processes and mounts private <filename>/tmp</filename> and <filename>/var/tmp</filename> directories inside it | |
987 | that is not shared by processes outside of the namespace. This is useful to secure access to temporary files of | |
988 | the process, but makes sharing between processes via <filename>/tmp</filename> or <filename>/var/tmp</filename> | |
989 | impossible. If this is enabled, all temporary files created by a service in these directories will be removed | |
990 | after the service is stopped. Defaults to false. It is possible to run two or more units within the same | |
991 | private <filename>/tmp</filename> and <filename>/var/tmp</filename> namespace by using the | |
798d3a52 | 992 | <varname>JoinsNamespaceOf=</varname> directive, see |
00d9ef85 | 993 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for |
effbd6d2 LP |
994 | details. This setting is implied if <varname>DynamicUser=</varname> is set. For this setting the same |
995 | restrictions regarding mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and | |
d71f0505 LP |
996 | related calls, see above. Enabling this setting has the side effect of adding <varname>Requires=</varname> and |
997 | <varname>After=</varname> dependencies on all mount units necessary to access <filename>/tmp</filename> and | |
998 | <filename>/var/tmp</filename>. Moreover an implicitly <varname>After=</varname> ordering on | |
999 | <citerefentry><refentrytitle>systemd-tmpfiles-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
b0238568 ZJS |
1000 | is added.</para> |
1001 | ||
b8afec21 LP |
1002 | <para>Note that the implementation of this setting might be impossible (for example if mount namespaces are not |
1003 | available), and the unit should be written in a way that does not solely rely on this setting for | |
b0238568 | 1004 | security.</para></listitem> |
798d3a52 ZJS |
1005 | </varlistentry> |
1006 | ||
1007 | <varlistentry> | |
1008 | <term><varname>PrivateDevices=</varname></term> | |
1009 | ||
b0238568 ZJS |
1010 | <listitem><para>Takes a boolean argument. If true, sets up a new <filename>/dev</filename> mount for the |
1011 | executed processes and only adds API pseudo devices such as <filename>/dev/null</filename>, | |
b8afec21 LP |
1012 | <filename>/dev/zero</filename> or <filename>/dev/random</filename> (as well as the pseudo TTY subsystem) to it, |
1013 | but no physical devices such as <filename>/dev/sda</filename>, system memory <filename>/dev/mem</filename>, | |
1014 | system ports <filename>/dev/port</filename> and others. This is useful to securely turn off physical device | |
1015 | access by the executed process. Defaults to false. Enabling this option will install a system call filter to | |
1016 | block low-level I/O system calls that are grouped in the <varname>@raw-io</varname> set, will also remove | |
1017 | <constant>CAP_MKNOD</constant> and <constant>CAP_SYS_RAWIO</constant> from the capability bounding set for the | |
1018 | unit (see above), and set <varname>DevicePolicy=closed</varname> (see | |
798d3a52 | 1019 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
effbd6d2 LP |
1020 | for details). Note that using this setting will disconnect propagation of mounts from the service to the host |
1021 | (propagation in the opposite direction continues to work). This means that this setting may not be used for | |
b8afec21 LP |
1022 | services which shall be able to install mount points in the main mount namespace. The new |
1023 | <filename>/dev</filename> will be mounted read-only and 'noexec'. The latter may break old programs which try | |
1024 | to set up executable memory by using | |
1025 | <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> of | |
1026 | <filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>. For this setting the same | |
1027 | restrictions regarding mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and | |
1028 | related calls, see above. If turned on and if running in user mode, or in system mode, but without the | |
1029 | <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=</varname>), | |
1030 | <varname>NoNewPrivileges=yes</varname> is implied.</para> | |
b0238568 | 1031 | |
b8afec21 LP |
1032 | <para>Note that the implementation of this setting might be impossible (for example if mount namespaces are not |
1033 | available), and the unit should be written in a way that does not solely rely on this setting for | |
b0238568 | 1034 | security.</para></listitem> |
798d3a52 ZJS |
1035 | </varlistentry> |
1036 | ||
1037 | <varlistentry> | |
1038 | <term><varname>PrivateNetwork=</varname></term> | |
1039 | ||
b8afec21 LP |
1040 | <listitem><para>Takes a boolean argument. If true, sets up a new network namespace for the executed processes |
1041 | and configures only the loopback network device <literal>lo</literal> inside it. No other network devices will | |
1042 | be available to the executed process. This is useful to turn off network access by the executed process. | |
1043 | Defaults to false. It is possible to run two or more units within the same private network namespace by using | |
1044 | the <varname>JoinsNamespaceOf=</varname> directive, see | |
1045 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for | |
1046 | details. Note that this option will disconnect all socket families from the host, this includes AF_NETLINK and | |
1047 | AF_UNIX. The latter has the effect that AF_UNIX sockets in the abstract socket namespace will become | |
1048 | unavailable to the processes (however, those located in the file system will continue to be accessible).</para> | |
1049 | ||
1050 | <para>Note that the implementation of this setting might be impossible (for example if network namespaces are | |
1051 | not available), and the unit should be written in a way that does not solely rely on this setting for | |
b0238568 | 1052 | security.</para></listitem> |
798d3a52 ZJS |
1053 | </varlistentry> |
1054 | ||
1055 | <varlistentry> | |
d251207d LP |
1056 | <term><varname>PrivateUsers=</varname></term> |
1057 | ||
1058 | <listitem><para>Takes a boolean argument. If true, sets up a new user namespace for the executed processes and | |
1059 | configures a minimal user and group mapping, that maps the <literal>root</literal> user and group as well as | |
1060 | the unit's own user and group to themselves and everything else to the <literal>nobody</literal> user and | |
1061 | group. This is useful to securely detach the user and group databases used by the unit from the rest of the | |
1062 | system, and thus to create an effective sandbox environment. All files, directories, processes, IPC objects and | |
2dd67817 | 1063 | other resources owned by users/groups not equaling <literal>root</literal> or the unit's own will stay visible |
d251207d LP |
1064 | from within the unit but appear owned by the <literal>nobody</literal> user and group. If this mode is enabled, |
1065 | all unit processes are run without privileges in the host user namespace (regardless if the unit's own | |
1066 | user/group is <literal>root</literal> or not). Specifically this means that the process will have zero process | |
1067 | capabilities on the host's user namespace, but full capabilities within the service's user namespace. Settings | |
1068 | such as <varname>CapabilityBoundingSet=</varname> will affect only the latter, and there's no way to acquire | |
1069 | additional capabilities in the host's user namespace. Defaults to off.</para> | |
1070 | ||
915e6d16 LP |
1071 | <para>This setting is particularly useful in conjunction with |
1072 | <varname>RootDirectory=</varname>/<varname>RootImage=</varname>, as the need to synchronize the user and group | |
1073 | databases in the root directory and on the host is reduced, as the only users and groups who need to be matched | |
b0238568 ZJS |
1074 | are <literal>root</literal>, <literal>nobody</literal> and the unit's own user and group.</para> |
1075 | ||
b8afec21 LP |
1076 | <para>Note that the implementation of this setting might be impossible (for example if user namespaces are not |
1077 | available), and the unit should be written in a way that does not solely rely on this setting for | |
b0238568 | 1078 | security.</para></listitem> |
d251207d LP |
1079 | </varlistentry> |
1080 | ||
59eeb84b LP |
1081 | <varlistentry> |
1082 | <term><varname>ProtectKernelTunables=</varname></term> | |
1083 | ||
1084 | <listitem><para>Takes a boolean argument. If true, kernel variables accessible through | |
49accde7 DH |
1085 | <filename>/proc/sys</filename>, <filename>/sys</filename>, <filename>/proc/sysrq-trigger</filename>, |
1086 | <filename>/proc/latency_stats</filename>, <filename>/proc/acpi</filename>, | |
1087 | <filename>/proc/timer_stats</filename>, <filename>/proc/fs</filename> and <filename>/proc/irq</filename> will | |
525872bf LP |
1088 | be made read-only to all processes of the unit. Usually, tunable kernel variables should be initialized only at |
1089 | boot-time, for example with the | |
1090 | <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> mechanism. Few | |
1091 | services need to write to these at runtime; it is hence recommended to turn this on for most services. For this | |
1092 | setting the same restrictions regarding mount propagation and privileges apply as for | |
1093 | <varname>ReadOnlyPaths=</varname> and related calls, see above. Defaults to off. If turned on and if running | |
1094 | in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. services | |
1095 | for which <varname>User=</varname> is set), <varname>NoNewPrivileges=yes</varname> is implied. Note that this | |
1096 | option does not prevent indirect changes to kernel tunables effected by IPC calls to other processes. However, | |
1097 | <varname>InaccessiblePaths=</varname> may be used to make relevant IPC file system objects inaccessible. If | |
1098 | <varname>ProtectKernelTunables=</varname> is set, <varname>MountAPIVFS=yes</varname> is | |
1099 | implied.</para></listitem> | |
59eeb84b LP |
1100 | </varlistentry> |
1101 | ||
85265556 DH |
1102 | <varlistentry> |
1103 | <term><varname>ProtectKernelModules=</varname></term> | |
1104 | ||
1b2ad5d9 MB |
1105 | <listitem><para>Takes a boolean argument. If true, explicit module loading will be denied. This allows |
1106 | module load and unload operations to be turned off on modular kernels. It is recommended to turn this on for most services | |
bf2d3d7c | 1107 | that do not need special file systems or extra kernel modules to work. Defaults to off. Enabling this option |
b8afec21 LP |
1108 | removes <constant>CAP_SYS_MODULE</constant> from the capability bounding set for the unit, and installs a |
1109 | system call filter to block module system calls, also <filename>/usr/lib/modules</filename> is made | |
1110 | inaccessible. For this setting the same restrictions regarding mount propagation and privileges apply as for | |
1111 | <varname>ReadOnlyPaths=</varname> and related calls, see above. Note that limited automatic module loading due | |
1112 | to user configuration or kernel mapping tables might still happen as side effect of requested user operations, | |
85265556 DH |
1113 | both privileged and unprivileged. To disable module auto-load feature please see |
1114 | <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
1115 | <constant>kernel.modules_disabled</constant> mechanism and | |
b8afec21 LP |
1116 | <filename>/proc/sys/kernel/modules_disabled</filename> documentation. If turned on and if running in user |
1117 | mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting | |
1118 | <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied.</para></listitem> | |
85265556 DH |
1119 | </varlistentry> |
1120 | ||
59eeb84b LP |
1121 | <varlistentry> |
1122 | <term><varname>ProtectControlGroups=</varname></term> | |
1123 | ||
effbd6d2 LP |
1124 | <listitem><para>Takes a boolean argument. If true, the Linux Control Groups (<citerefentry |
1125 | project='man-pages'><refentrytitle>cgroups</refentrytitle><manvolnum>7</manvolnum></citerefentry>) hierarchies | |
1126 | accessible through <filename>/sys/fs/cgroup</filename> will be made read-only to all processes of the | |
1127 | unit. Except for container managers no services should require write access to the control groups hierarchies; | |
1128 | it is hence recommended to turn this on for most services. For this setting the same restrictions regarding | |
1129 | mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and related calls, see | |
b8afec21 LP |
1130 | above. Defaults to off. If <varname>ProtectControlGroups=</varname> is set, <varname>MountAPIVFS=yes</varname> |
1131 | is implied.</para></listitem> | |
798d3a52 ZJS |
1132 | </varlistentry> |
1133 | ||
1134 | <varlistentry> | |
b8afec21 | 1135 | <term><varname>RestrictAddressFamilies=</varname></term> |
798d3a52 | 1136 | |
b8afec21 LP |
1137 | <listitem><para>Restricts the set of socket address families accessible to the processes of this unit. Takes a |
1138 | space-separated list of address family names to whitelist, such as <constant>AF_UNIX</constant>, | |
1139 | <constant>AF_INET</constant> or <constant>AF_INET6</constant>. When prefixed with <constant>~</constant> the | |
1140 | listed address families will be applied as blacklist, otherwise as whitelist. Note that this restricts access | |
1141 | to the <citerefentry | |
1142 | project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry> system call | |
1143 | only. Sockets passed into the process by other means (for example, by using socket activation with socket | |
1144 | units, see <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>) | |
1145 | are unaffected. Also, sockets created with <function>socketpair()</function> (which creates connected AF_UNIX | |
1146 | sockets only) are unaffected. Note that this option has no effect on 32-bit x86, s390, s390x, mips, mips-le, | |
1147 | ppc, ppc-le, pcc64, ppc64-le and is ignored (but works correctly on other ABIs, including x86-64). Note that on | |
1148 | systems supporting multiple ABIs (such as x86/x86-64) it is recommended to turn off alternative ABIs for | |
1149 | services, so that they cannot be used to circumvent the restrictions of this option. Specifically, it is | |
1150 | recommended to combine this option with <varname>SystemCallArchitectures=native</varname> or similar. If | |
1151 | running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability | |
1152 | (e.g. setting <varname>User=nobody</varname>), <varname>NoNewPrivileges=yes</varname> is implied. By default, | |
1153 | no restrictions apply, all address families are accessible to processes. If assigned the empty string, any | |
1154 | previous address familiy restriction changes are undone. This setting does not affect commands prefixed with | |
1155 | <literal>+</literal>.</para> | |
1156 | ||
1157 | <para>Use this option to limit exposure of processes to remote access, in particular via exotic and sensitive | |
1158 | network protocols, such as <constant>AF_PACKET</constant>. Note that in most cases, the local | |
1159 | <constant>AF_UNIX</constant> address family should be included in the configured whitelist as it is frequently | |
1160 | used for local communication, including for | |
1161 | <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
1162 | logging.</para></listitem> | |
798d3a52 ZJS |
1163 | </varlistentry> |
1164 | ||
1165 | <varlistentry> | |
b8afec21 | 1166 | <term><varname>RestrictNamespaces=</varname></term> |
798d3a52 | 1167 | |
b8afec21 LP |
1168 | <listitem><para>Restricts access to Linux namespace functionality for the processes of this unit. For details |
1169 | about Linux namespaces, see <citerefentry | |
1170 | project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>. Either | |
1171 | takes a boolean argument, or a space-separated list of namespace type identifiers. If false (the default), no | |
1172 | restrictions on namespace creation and switching are made. If true, access to any kind of namespacing is | |
1173 | prohibited. Otherwise, a space-separated list of namespace type identifiers must be specified, consisting of | |
1174 | any combination of: <constant>cgroup</constant>, <constant>ipc</constant>, <constant>net</constant>, | |
1175 | <constant>mnt</constant>, <constant>pid</constant>, <constant>user</constant> and <constant>uts</constant>. Any | |
1176 | namespace type listed is made accessible to the unit's processes, access to namespace types not listed is | |
1177 | prohibited (whitelisting). By prepending the list with a single tilde character (<literal>~</literal>) the | |
1178 | effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are | |
1179 | permitted (blacklisting). If the empty string is assigned, the default namespace restrictions are applied, | |
53255e53 YW |
1180 | which is equivalent to false. This option may appear more than once, in which case the namespace types are |
1181 | merged by <constant>OR</constant>, or by <constant>AND</constant> if the lines are prefixed with | |
1182 | <literal>~</literal> (see examples below). Internally, this setting limits access to the | |
b8afec21 LP |
1183 | <citerefentry><refentrytitle>unshare</refentrytitle><manvolnum>2</manvolnum></citerefentry>, |
1184 | <citerefentry><refentrytitle>clone</refentrytitle><manvolnum>2</manvolnum></citerefentry> and | |
1185 | <citerefentry><refentrytitle>setns</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls, taking | |
1186 | the specified flags parameters into account. Note that — if this option is used — in addition to restricting | |
1187 | creation and switching of the specified types of namespaces (or all of them, if true) access to the | |
1188 | <function>setns()</function> system call with a zero flags parameter is prohibited. This setting is only | |
1189 | supported on x86, x86-64, mips, mips-le, mips64, mips64-le, mips64-n32, mips64-le-n32, ppc64, ppc64-le, s390 | |
1190 | and s390x, and enforces no restrictions on other architectures. If running in user mode, or in system mode, but | |
1191 | without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=</varname>), | |
53255e53 YW |
1192 | <varname>NoNewPrivileges=yes</varname> is implied.</para> |
1193 | ||
1194 | <para>Example: if a unit has the following, | |
1195 | <programlisting>RestrictNamespaces=cgroup ipc | |
1196 | RestrictNamespaces=cgroup net</programlisting> | |
1197 | then <constant>cgroup</constant>, <constant>ipc</constant>, and <constant>net</constant> are set. | |
1198 | If the second line is prefixed with <literal>~</literal>, e.g., | |
1199 | <programlisting>RestrictNamespaces=cgroup ipc | |
1200 | RestrictNamespaces=~cgroup net</programlisting> | |
1201 | then, only <constant>ipc</constant> is set.</para></listitem> | |
798d3a52 ZJS |
1202 | </varlistentry> |
1203 | ||
023a4f67 | 1204 | <varlistentry> |
b8afec21 | 1205 | <term><varname>LockPersonality=</varname></term> |
023a4f67 | 1206 | |
b8afec21 LP |
1207 | <listitem><para>Takes a boolean argument. If set, locks down the <citerefentry |
1208 | project='man-pages'><refentrytitle>personality</refentrytitle><manvolnum>2</manvolnum></citerefentry> system | |
1209 | call so that the kernel execution domain may not be changed from the default or the personality selected with | |
1210 | <varname>Personality=</varname> directive. This may be useful to improve security, because odd personality | |
1211 | emulations may be poorly tested and source of vulnerabilities. If running in user mode, or in system mode, but | |
1212 | without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=</varname>), | |
1213 | <varname>NoNewPrivileges=yes</varname> is implied.</para></listitem> | |
023a4f67 LP |
1214 | </varlistentry> |
1215 | ||
798d3a52 | 1216 | <varlistentry> |
b8afec21 | 1217 | <term><varname>MemoryDenyWriteExecute=</varname></term> |
798d3a52 | 1218 | |
b8afec21 LP |
1219 | <listitem><para>Takes a boolean argument. If set, attempts to create memory mappings that are writable and |
1220 | executable at the same time, or to change existing memory mappings to become executable, or mapping shared | |
1221 | memory segments as executable are prohibited. Specifically, a system call filter is added that rejects | |
1222 | <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with both | |
1223 | <constant>PROT_EXEC</constant> and <constant>PROT_WRITE</constant> set, | |
1224 | <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry> or | |
1225 | <citerefentry><refentrytitle>pkey_mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls | |
1226 | with <constant>PROT_EXEC</constant> set and | |
1227 | <citerefentry><refentrytitle>shmat</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with | |
1228 | <constant>SHM_EXEC</constant> set. Note that this option is incompatible with programs and libraries that | |
1229 | generate program code dynamically at runtime, including JIT execution engines, executable stacks, and code | |
1230 | "trampoline" feature of various C compilers. This option improves service security, as it makes harder for | |
1231 | software exploits to change running code dynamically. Note that this feature is fully available on x86-64, and | |
1232 | partially on x86. Specifically, the <function>shmat()</function> protection is not available on x86. Note that | |
1233 | on systems supporting multiple ABIs (such as x86/x86-64) it is recommended to turn off alternative ABIs for | |
1234 | services, so that they cannot be used to circumvent the restrictions of this option. Specifically, it is | |
1235 | recommended to combine this option with <varname>SystemCallArchitectures=native</varname> or similar. If | |
1236 | running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability | |
1237 | (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied.</para></listitem> | |
798d3a52 ZJS |
1238 | </varlistentry> |
1239 | ||
1240 | <varlistentry> | |
b8afec21 | 1241 | <term><varname>RestrictRealtime=</varname></term> |
798d3a52 | 1242 | |
b8afec21 LP |
1243 | <listitem><para>Takes a boolean argument. If set, any attempts to enable realtime scheduling in a process of |
1244 | the unit are refused. This restricts access to realtime task scheduling policies such as | |
1245 | <constant>SCHED_FIFO</constant>, <constant>SCHED_RR</constant> or <constant>SCHED_DEADLINE</constant>. See | |
1246 | <citerefentry project='man-pages'><refentrytitle>sched</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
1247 | for details about these scheduling policies. If running in user mode, or in system mode, but without the | |
1248 | <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=</varname>), | |
1249 | <varname>NoNewPrivileges=yes</varname> is implied. Realtime scheduling policies may be used to monopolize CPU | |
1250 | time for longer periods of time, and may hence be used to lock up or otherwise trigger Denial-of-Service | |
1251 | situations on the system. It is hence recommended to restrict access to realtime scheduling to the few programs | |
1252 | that actually require them. Defaults to off.</para></listitem> | |
798d3a52 ZJS |
1253 | </varlistentry> |
1254 | ||
1255 | <varlistentry> | |
b8afec21 | 1256 | <term><varname>RemoveIPC=</varname></term> |
798d3a52 | 1257 | |
b8afec21 LP |
1258 | <listitem><para>Takes a boolean parameter. If set, all System V and POSIX IPC objects owned by the user and |
1259 | group the processes of this unit are run as are removed when the unit is stopped. This setting only has an | |
1260 | effect if at least one of <varname>User=</varname>, <varname>Group=</varname> and | |
1261 | <varname>DynamicUser=</varname> are used. It has no effect on IPC objects owned by the root user. Specifically, | |
1262 | this removes System V semaphores, as well as System V and POSIX shared memory segments and message queues. If | |
1263 | multiple units use the same user or group the IPC objects are removed when the last of these units is | |
1264 | stopped. This setting is implied if <varname>DynamicUser=</varname> is set.</para></listitem> | |
798d3a52 ZJS |
1265 | </varlistentry> |
1266 | ||
2f2e14b2 LP |
1267 | <varlistentry> |
1268 | <term><varname>PrivateMounts=</varname></term> | |
1269 | ||
1270 | <listitem><para>Takes a boolean parameter. If set, the processes of this unit will be run in their own private | |
1271 | file system (mount) namespace with all mount propagation from the processes towards the host's main file system | |
1272 | namespace turned off. This means any file system mount points established or removed by the unit's processes | |
1273 | will be private to them and not be visible to the host. However, file system mount points established or | |
1274 | removed on the host will be propagated to the unit's processes. See <citerefentry | |
1275 | project='man-pages'><refentrytitle>mount_namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
1276 | details on file system namespaces. Defaults to off.</para> | |
1277 | ||
1278 | <para>When turned on, this executes three operations for each invoked process: a new | |
1279 | <constant>CLONE_NEWNS</constant> namespace is created, after which all existing mounts are remounted to | |
1280 | <constant>MS_SLAVE</constant> to disable propagation from the unit's processes to the host (but leaving | |
1281 | propagation in the opposite direction in effect). Finally, the mounts are remounted again to the propagation | |
1282 | mode configured with <varname>MountFlags=</varname>, see below.</para> | |
1283 | ||
1284 | <para>File system namespaces are set up individually for each process forked off by the service manager. Mounts | |
1285 | established in the namespace of the process created by <varname>ExecStartPre=</varname> will hence be cleaned | |
1286 | up automatically as soon as that process exits and will not be available to subsequent processes forked off for | |
1287 | <varname>ExecStart=</varname> (and similar applies to the various other commands configured for | |
1288 | units). Similarly, <varname>JoinsNamespaceOf=</varname> does not permit sharing kernel mount namespaces between | |
1289 | units, it only enables sharing of the <filename>/tmp/</filename> and <filename>/var/tmp/</filename> | |
1290 | directories.</para> | |
1291 | ||
1292 | <para>Other file system namespace unit settings — <varname>PrivateMounts=</varname>, | |
1293 | <varname>PrivateTmp=</varname>, <varname>PrivateDevices=</varname>, <varname>ProtectSystem=</varname>, | |
1294 | <varname>ProtectHome=</varname>, <varname>ReadOnlyPaths=</varname>, <varname>InaccessiblePaths=</varname>, | |
1295 | <varname>ReadWritePaths=</varname>, … — also enable file system namespacing in a fashion equivalent to this | |
1296 | option. Hence it is primarily useful to explicitly request this behaviour if none of the other settings are | |
1297 | used.</para></listitem> | |
1298 | </varlistentry> | |
1299 | ||
798d3a52 | 1300 | <varlistentry> |
b8afec21 | 1301 | <term><varname>MountFlags=</varname></term> |
798d3a52 | 1302 | |
2f2e14b2 LP |
1303 | <listitem><para>Takes a mount propagation setting: <option>shared</option>, <option>slave</option> or |
1304 | <option>private</option>, which controls whether file system mount points in the file system namespaces set up | |
1305 | for this unit's processes will receive or propagate mounts and unmounts from other file system namespaces. See | |
1306 | <citerefentry project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
1307 | for details on mount propagation, and the three propagation flags in particular.</para> | |
1308 | ||
1309 | <para>This setting only controls the <emphasis>final</emphasis> propagation setting in effect on all mount | |
1310 | points of the file system namespace created for each process of this unit. Other file system namespacing unit | |
1311 | settings (see the discussion in <varname>PrivateMounts=</varname> above) will implicitly disable mount and | |
1312 | unmount propagation from the unit's processes towards the host by changing the propagation setting of all mount | |
1313 | points in the unit's file system namepace to <option>slave</option> first. Setting this option to | |
1314 | <option>shared</option> does not reestablish propagation in that case. Conversely, if this option is set, but | |
1315 | no other file system namespace setting is used, then new file system namespaces will be created for the unit's | |
1316 | processes and this propagation flag will be applied right away to all mounts within it, without the | |
1317 | intermediary application of <option>slave</option>.</para> | |
1318 | ||
1319 | <para>If not set – but file system namespaces are enabled through another file system namespace unit setting – | |
1320 | <option>shared</option> mount propagation is used, but — as mentioned — as <option>slave</option> is applied | |
1321 | first, propagation from the unit's processes to the host is still turned off.</para> | |
1322 | ||
1323 | <para>It is not recommended to to use <option>private</option> mount propagation for units, as this means | |
1324 | temporary mounts (such as removable media) of the host will stay mounted and thus indefinitely busy in forked | |
1325 | off processes, as unmount propagation events won't be received by the file system namespace of the unit.</para> | |
1326 | ||
1327 | <para>Usually, it is best to leave this setting unmodified, and use higher level file system namespacing | |
1328 | options instead, in particular <varname>PrivateMounts=</varname>, see above.</para> | |
1329 | </listitem> | |
798d3a52 ZJS |
1330 | </varlistentry> |
1331 | ||
b8afec21 LP |
1332 | </variablelist> |
1333 | </refsect1> | |
a6fabe38 | 1334 | |
b8afec21 LP |
1335 | <refsect1> |
1336 | <title>System Call Filtering</title> | |
1337 | <variablelist> | |
798d3a52 ZJS |
1338 | |
1339 | <varlistentry> | |
1340 | <term><varname>SystemCallFilter=</varname></term> | |
1341 | ||
c79aff9a LP |
1342 | <listitem><para>Takes a space-separated list of system call names. If this setting is used, all system calls |
1343 | executed by the unit processes except for the listed ones will result in immediate process termination with the | |
1344 | <constant>SIGSYS</constant> signal (whitelisting). If the first character of the list is <literal>~</literal>, | |
1345 | the effect is inverted: only the listed system calls will result in immediate process termination | |
8cfa775f YW |
1346 | (blacklisting). Blacklisted system calls and system call groups may optionally be suffixed with a colon |
1347 | (<literal>:</literal>) and <literal>errno</literal> error number (between 0 and 4095) or errno name such as | |
1348 | <constant>EPERM</constant>, <constant>EACCES</constant> or <constant>EUCLEAN</constant>. This value will be | |
b8afec21 LP |
1349 | returned when a blacklisted system call is triggered, instead of terminating the processes immediately. This |
1350 | value takes precedence over the one given in <varname>SystemCallErrorNumber=</varname>. If running in user | |
1351 | mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting | |
1352 | <varname>User=nobody</varname>), <varname>NoNewPrivileges=yes</varname> is implied. This feature makes use of | |
1353 | the Secure Computing Mode 2 interfaces of the kernel ('seccomp filtering') and is useful for enforcing a | |
1354 | minimal sandboxing environment. Note that the <function>execve</function>, <function>exit</function>, | |
1355 | <function>exit_group</function>, <function>getrlimit</function>, <function>rt_sigreturn</function>, | |
1356 | <function>sigreturn</function> system calls and the system calls for querying time and sleeping are implicitly | |
1357 | whitelisted and do not need to be listed explicitly. This option may be specified more than once, in which case | |
1358 | the filter masks are merged. If the empty string is assigned, the filter is reset, all prior assignments will | |
1359 | have no effect. This does not affect commands prefixed with <literal>+</literal>.</para> | |
798d3a52 | 1360 | |
0b8fab97 LP |
1361 | <para>Note that on systems supporting multiple ABIs (such as x86/x86-64) it is recommended to turn off |
1362 | alternative ABIs for services, so that they cannot be used to circumvent the restrictions of this | |
1363 | option. Specifically, it is recommended to combine this option with | |
1364 | <varname>SystemCallArchitectures=native</varname> or similar.</para> | |
1365 | ||
2ca8dc15 LP |
1366 | <para>Note that strict system call filters may impact execution and error handling code paths of the service |
1367 | invocation. Specifically, access to the <function>execve</function> system call is required for the execution | |
1368 | of the service binary — if it is blocked service invocation will necessarily fail. Also, if execution of the | |
1369 | service binary fails for some reason (for example: missing service executable), the error handling logic might | |
1370 | require access to an additional set of system calls in order to process and log this failure correctly. It | |
1371 | might be necessary to temporarily disable system call filters in order to simplify debugging of such | |
1372 | failures.</para> | |
1373 | ||
b8afec21 LP |
1374 | <para>If you specify both types of this option (i.e. whitelisting and blacklisting), the first encountered |
1375 | will take precedence and will dictate the default action (termination or approval of a system call). Then the | |
1376 | next occurrences of this option will add or delete the listed system calls from the set of the filtered system | |
1377 | calls, depending of its type and the default action. (For example, if you have started with a whitelisting of | |
1378 | <function>read</function> and <function>write</function>, and right after it add a blacklisting of | |
1379 | <function>write</function>, then <function>write</function> will be removed from the set.)</para> | |
1380 | ||
1381 | <para>As the number of possible system calls is large, predefined sets of system calls are provided. A set | |
1382 | starts with <literal>@</literal> character, followed by name of the set. | |
201c1cc2 TM |
1383 | |
1384 | <table> | |
1385 | <title>Currently predefined system call sets</title> | |
1386 | ||
1387 | <tgroup cols='2'> | |
1388 | <colspec colname='set' /> | |
1389 | <colspec colname='description' /> | |
1390 | <thead> | |
1391 | <row> | |
1392 | <entry>Set</entry> | |
1393 | <entry>Description</entry> | |
1394 | </row> | |
1395 | </thead> | |
1396 | <tbody> | |
44898c53 LP |
1397 | <row> |
1398 | <entry>@aio</entry> | |
1399 | <entry>Asynchronous I/O (<citerefentry project='man-pages'><refentrytitle>io_setup</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>io_submit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry> | |
1400 | </row> | |
133ddbbe LP |
1401 | <row> |
1402 | <entry>@basic-io</entry> | |
1403 | <entry>System calls for basic I/O: reading, writing, seeking, file descriptor duplication and closing (<citerefentry project='man-pages'><refentrytitle>read</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>write</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry> | |
1404 | </row> | |
44898c53 LP |
1405 | <row> |
1406 | <entry>@chown</entry> | |
1407 | <entry>Changing file ownership (<citerefentry project='man-pages'><refentrytitle>chown</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>fchownat</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry> | |
1408 | </row> | |
201c1cc2 TM |
1409 | <row> |
1410 | <entry>@clock</entry> | |
1f9ac68b LP |
1411 | <entry>System calls for changing the system clock (<citerefentry project='man-pages'><refentrytitle>adjtimex</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>settimeofday</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry> |
1412 | </row> | |
1413 | <row> | |
1414 | <entry>@cpu-emulation</entry> | |
1415 | <entry>System calls for CPU emulation functionality (<citerefentry project='man-pages'><refentrytitle>vm86</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry> | |
1416 | </row> | |
1417 | <row> | |
1418 | <entry>@debug</entry> | |
1419 | <entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry> | |
201c1cc2 | 1420 | </row> |
1a1b13c9 LP |
1421 | <row> |
1422 | <entry>@file-system</entry> | |
1423 | <entry>File system operations: opening, creating files and directories for read and write, renaming and removing them, reading file properties, or creating hard and symbolic links.</entry> | |
1424 | </row> | |
201c1cc2 TM |
1425 | <row> |
1426 | <entry>@io-event</entry> | |
1f9ac68b | 1427 | <entry>Event loop system calls (<citerefentry project='man-pages'><refentrytitle>poll</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>select</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>eventfd</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry> |
201c1cc2 TM |
1428 | </row> |
1429 | <row> | |
1430 | <entry>@ipc</entry> | |
cd5bfd7e | 1431 | <entry>Pipes, SysV IPC, POSIX Message Queues and other IPC (<citerefentry project='man-pages'><refentrytitle>mq_overview</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>svipc</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry> |
1f9ac68b LP |
1432 | </row> |
1433 | <row> | |
1434 | <entry>@keyring</entry> | |
1435 | <entry>Kernel keyring access (<citerefentry project='man-pages'><refentrytitle>keyctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry> | |
201c1cc2 | 1436 | </row> |
cd0ddf6f LP |
1437 | <row> |
1438 | <entry>@memlock</entry> | |
1439 | <entry>Locking of memory into RAM (<citerefentry project='man-pages'><refentrytitle>mlock</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>mlockall</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry> | |
1440 | </row> | |
201c1cc2 TM |
1441 | <row> |
1442 | <entry>@module</entry> | |
d5efc18b | 1443 | <entry>Loading and unloading of kernel modules (<citerefentry project='man-pages'><refentrytitle>init_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>delete_module</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry> |
201c1cc2 TM |
1444 | </row> |
1445 | <row> | |
1446 | <entry>@mount</entry> | |
d5efc18b | 1447 | <entry>Mounting and unmounting of file systems (<citerefentry project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry> |
201c1cc2 TM |
1448 | </row> |
1449 | <row> | |
1450 | <entry>@network-io</entry> | |
1f9ac68b | 1451 | <entry>Socket I/O (including local AF_UNIX): <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry></entry> |
201c1cc2 TM |
1452 | </row> |
1453 | <row> | |
1454 | <entry>@obsolete</entry> | |
1f9ac68b | 1455 | <entry>Unusual, obsolete or unimplemented (<citerefentry project='man-pages'><refentrytitle>create_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>gtty</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry> |
201c1cc2 TM |
1456 | </row> |
1457 | <row> | |
1458 | <entry>@privileged</entry> | |
1f9ac68b | 1459 | <entry>All system calls which need super-user capabilities (<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry> |
201c1cc2 TM |
1460 | </row> |
1461 | <row> | |
1462 | <entry>@process</entry> | |
d5efc18b | 1463 | <entry>Process control, execution, namespaceing operations (<citerefentry project='man-pages'><refentrytitle>clone</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>kill</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>, …</entry> |
201c1cc2 TM |
1464 | </row> |
1465 | <row> | |
1466 | <entry>@raw-io</entry> | |
aa6b9cec | 1467 | <entry>Raw I/O port access (<citerefentry project='man-pages'><refentrytitle>ioperm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>iopl</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>pciconfig_read()</function>, …)</entry> |
201c1cc2 | 1468 | </row> |
bd2ab3f4 LP |
1469 | <row> |
1470 | <entry>@reboot</entry> | |
1471 | <entry>System calls for rebooting and reboot preparation (<citerefentry project='man-pages'><refentrytitle>reboot</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>kexec()</function>, …)</entry> | |
1472 | </row> | |
133ddbbe LP |
1473 | <row> |
1474 | <entry>@resources</entry> | |
1475 | <entry>System calls for changing resource limits, memory and scheduling parameters (<citerefentry project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry> | |
1476 | </row> | |
6eaaeee9 LP |
1477 | <row> |
1478 | <entry>@setuid</entry> | |
1479 | <entry>System calls for changing user ID and group ID credentials, (<citerefentry project='man-pages'><refentrytitle>setuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setgid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setresuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry> | |
1480 | </row> | |
cd0ddf6f LP |
1481 | <row> |
1482 | <entry>@signal</entry> | |
1483 | <entry>System calls for manipulating and handling process signals (<citerefentry project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>sigprocmask</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry> | |
1484 | </row> | |
bd2ab3f4 LP |
1485 | <row> |
1486 | <entry>@swap</entry> | |
1487 | <entry>System calls for enabling/disabling swap devices (<citerefentry project='man-pages'><refentrytitle>swapon</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>swapoff</refentrytitle><manvolnum>2</manvolnum></citerefentry>)</entry> | |
1488 | </row> | |
44898c53 LP |
1489 | <row> |
1490 | <entry>@sync</entry> | |
1491 | <entry>Synchronizing files and memory to disk: (<citerefentry project='man-pages'><refentrytitle>fsync</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>msync</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry> | |
1492 | </row> | |
cd0ddf6f LP |
1493 | <row> |
1494 | <entry>@timer</entry> | |
1495 | <entry>System calls for scheduling operations by time (<citerefentry project='man-pages'><refentrytitle>alarm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>timer_create</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry> | |
1496 | </row> | |
201c1cc2 TM |
1497 | </tbody> |
1498 | </tgroup> | |
1499 | </table> | |
1500 | ||
b8afec21 LP |
1501 | Note, that as new system calls are added to the kernel, additional system calls might be added to the groups |
1502 | above. Contents of the sets may also change between systemd versions. In addition, the list of system calls | |
1503 | depends on the kernel version and architecture for which systemd was compiled. Use | |
1504 | <command>systemd-analyze syscall-filter</command> to list the actual list of system calls in each | |
1505 | filter.</para> | |
effbd6d2 LP |
1506 | |
1507 | <para>It is recommended to combine the file system namespacing related options with | |
1508 | <varname>SystemCallFilter=~@mount</varname>, in order to prohibit the unit's processes to undo the | |
1509 | mappings. Specifically these are the options <varname>PrivateTmp=</varname>, | |
1510 | <varname>PrivateDevices=</varname>, <varname>ProtectSystem=</varname>, <varname>ProtectHome=</varname>, | |
1511 | <varname>ProtectKernelTunables=</varname>, <varname>ProtectControlGroups=</varname>, | |
1512 | <varname>ReadOnlyPaths=</varname>, <varname>InaccessiblePaths=</varname> and | |
1513 | <varname>ReadWritePaths=</varname>.</para></listitem> | |
798d3a52 ZJS |
1514 | </varlistentry> |
1515 | ||
1516 | <varlistentry> | |
1517 | <term><varname>SystemCallErrorNumber=</varname></term> | |
1518 | ||
3df90f24 YW |
1519 | <listitem><para>Takes an <literal>errno</literal> error number (between 1 and 4095) or errno name such as |
1520 | <constant>EPERM</constant>, <constant>EACCES</constant> or <constant>EUCLEAN</constant>, to return when the | |
1521 | system call filter configured with <varname>SystemCallFilter=</varname> is triggered, instead of terminating | |
b8afec21 LP |
1522 | the process immediately. When this setting is not used, or when the empty string is assigned, the process will |
1523 | be terminated immediately when the filter is triggered.</para></listitem> | |
798d3a52 ZJS |
1524 | </varlistentry> |
1525 | ||
1526 | <varlistentry> | |
1527 | <term><varname>SystemCallArchitectures=</varname></term> | |
1528 | ||
0b8fab97 LP |
1529 | <listitem><para>Takes a space-separated list of architecture identifiers to include in the system call |
1530 | filter. The known architecture identifiers are the same as for <varname>ConditionArchitecture=</varname> | |
1531 | described in <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
1532 | as well as <constant>x32</constant>, <constant>mips64-n32</constant>, <constant>mips64-le-n32</constant>, and | |
2428aaf8 | 1533 | the special identifier <constant>native</constant>. The special identifier <constant>native</constant> |
62a0680b AJ |
1534 | implicitly maps to the native architecture of the system (or more precisely: to the architecture the system |
1535 | manager is compiled for). If running in user mode, or in system mode, but without the | |
1536 | <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=nobody</varname>), | |
1537 | <varname>NoNewPrivileges=yes</varname> is implied. By default, this option is set to the empty list, i.e. no | |
1538 | system call architecture filtering is applied.</para> | |
0b8fab97 | 1539 | |
2428aaf8 AJ |
1540 | <para>If this setting is used, processes of this unit will only be permitted to call native system calls, and |
1541 | system calls of the specified architectures. For the purposes of this option, the x32 architecture is treated | |
1542 | as including x86-64 system calls. However, this setting still fulfills its purpose, as explained below, on | |
1543 | x32.</para> | |
1544 | ||
1545 | <para>System call filtering is not equally effective on all architectures. For example, on x86 | |
0b8fab97 LP |
1546 | filtering of network socket-related calls is not possible, due to ABI limitations — a limitation that x86-64 |
1547 | does not have, however. On systems supporting multiple ABIs at the same time — such as x86/x86-64 — it is hence | |
1548 | recommended to limit the set of permitted system call architectures so that secondary ABIs may not be used to | |
1549 | circumvent the restrictions applied to the native ABI of the system. In particular, setting | |
c29ebc1a | 1550 | <varname>SystemCallArchitectures=native</varname> is a good choice for disabling non-native ABIs.</para> |
0b8fab97 | 1551 | |
b8afec21 LP |
1552 | <para>System call architectures may also be restricted system-wide via the |
1553 | <varname>SystemCallArchitectures=</varname> option in the global configuration. See | |
1554 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> for | |
1555 | details.</para></listitem> | |
1556 | </varlistentry> | |
1557 | ||
1558 | </variablelist> | |
1559 | </refsect1> | |
1560 | ||
1561 | <refsect1> | |
1562 | <title>Environment</title> | |
1563 | ||
1564 | <variablelist> | |
1565 | ||
1566 | <varlistentry> | |
1567 | <term><varname>Environment=</varname></term> | |
1568 | ||
1569 | <listitem><para>Sets environment variables for executed processes. Takes a space-separated list of variable | |
1570 | assignments. This option may be specified more than once, in which case all listed variables will be set. If | |
1571 | the same variable is set twice, the later setting will override the earlier setting. If the empty string is | |
1572 | assigned to this option, the list of environment variables is reset, all prior assignments have no | |
1573 | effect. Variable expansion is not performed inside the strings, however, specifier expansion is possible. The $ | |
1574 | character has no special meaning. If you need to assign a value containing spaces or the equals sign to a | |
1575 | variable, use double quotes (") for the assignment.</para> | |
1576 | ||
1577 | <para>Example: | |
1578 | <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting> | |
1579 | gives three variables <literal>VAR1</literal>, | |
1580 | <literal>VAR2</literal>, <literal>VAR3</literal> | |
1581 | with the values <literal>word1 word2</literal>, | |
1582 | <literal>word3</literal>, <literal>$word 5 6</literal>. | |
1583 | </para> | |
1584 | ||
1585 | <para> | |
1586 | See <citerefentry | |
1587 | project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details | |
1588 | about environment variables.</para></listitem> | |
1589 | </varlistentry> | |
1590 | ||
1591 | <varlistentry> | |
1592 | <term><varname>EnvironmentFile=</varname></term> | |
1593 | ||
1594 | <listitem><para>Similar to <varname>Environment=</varname> but reads the environment variables from a text | |
1595 | file. The text file should contain new-line-separated variable assignments. Empty lines, lines without an | |
1596 | <literal>=</literal> separator, or lines starting with ; or # will be ignored, which may be used for | |
1597 | commenting. A line ending with a backslash will be concatenated with the following one, allowing multiline | |
1598 | variable definitions. The parser strips leading and trailing whitespace from the values of assignments, unless | |
1599 | you use double quotes (").</para> | |
1600 | ||
1601 | <para>The argument passed should be an absolute filename or wildcard expression, optionally prefixed with | |
1602 | <literal>-</literal>, which indicates that if the file does not exist, it will not be read and no error or | |
1603 | warning message is logged. This option may be specified more than once in which case all specified files are | |
1604 | read. If the empty string is assigned to this option, the list of file to read is reset, all prior assignments | |
1605 | have no effect.</para> | |
1606 | ||
1607 | <para>The files listed with this directive will be read shortly before the process is executed (more | |
1608 | specifically, after all processes from a previous unit state terminated. This means you can generate these | |
1609 | files in one unit state, and read it with this option in the next).</para> | |
1610 | ||
1611 | <para>Settings from these files override settings made with <varname>Environment=</varname>. If the same | |
1612 | variable is set twice from these files, the files will be read in the order they are specified and the later | |
1613 | setting will override the earlier setting.</para></listitem> | |
1614 | </varlistentry> | |
1615 | ||
1616 | <varlistentry> | |
1617 | <term><varname>PassEnvironment=</varname></term> | |
1618 | ||
1619 | <listitem><para>Pass environment variables set for the system service manager to executed processes. Takes a | |
1620 | space-separated list of variable names. This option may be specified more than once, in which case all listed | |
1621 | variables will be passed. If the empty string is assigned to this option, the list of environment variables to | |
1622 | pass is reset, all prior assignments have no effect. Variables specified that are not set for the system | |
1623 | manager will not be passed and will be silently ignored. Note that this option is only relevant for the system | |
1624 | service manager, as system services by default do not automatically inherit any environment variables set for | |
1625 | the service manager itself. However, in case of the user service manager all environment variables are passed | |
1626 | to the executed processes anyway, hence this option is without effect for the user service manager.</para> | |
1627 | ||
1628 | <para>Variables set for invoked processes due to this setting are subject to being overridden by those | |
1629 | configured with <varname>Environment=</varname> or <varname>EnvironmentFile=</varname>.</para> | |
1630 | ||
1631 | <para>Example: | |
1632 | <programlisting>PassEnvironment=VAR1 VAR2 VAR3</programlisting> | |
1633 | passes three variables <literal>VAR1</literal>, | |
1634 | <literal>VAR2</literal>, <literal>VAR3</literal> | |
1635 | with the values set for those variables in PID1.</para> | |
1636 | ||
1637 | <para> | |
1638 | See <citerefentry | |
1639 | project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details | |
1640 | about environment variables.</para></listitem> | |
1641 | </varlistentry> | |
1642 | ||
1643 | <varlistentry> | |
1644 | <term><varname>UnsetEnvironment=</varname></term> | |
1645 | ||
1646 | <listitem><para>Explicitly unset environment variable assignments that would normally be passed from the | |
1647 | service manager to invoked processes of this unit. Takes a space-separated list of variable names or variable | |
1648 | assignments. This option may be specified more than once, in which case all listed variables/assignments will | |
1649 | be unset. If the empty string is assigned to this option, the list of environment variables/assignments to | |
1650 | unset is reset. If a variable assignment is specified (that is: a variable name, followed by | |
1651 | <literal>=</literal>, followed by its value), then any environment variable matching this precise assignment is | |
1652 | removed. If a variable name is specified (that is a variable name without any following <literal>=</literal> or | |
1653 | value), then any assignment matching the variable name, regardless of its value is removed. Note that the | |
1654 | effect of <varname>UnsetEnvironment=</varname> is applied as final step when the environment list passed to | |
1655 | executed processes is compiled. That means it may undo assignments from any configuration source, including | |
1656 | assignments made through <varname>Environment=</varname> or <varname>EnvironmentFile=</varname>, inherited from | |
1657 | the system manager's global set of environment variables, inherited via <varname>PassEnvironment=</varname>, | |
1658 | set by the service manager itself (such as <varname>$NOTIFY_SOCKET</varname> and such), or set by a PAM module | |
1659 | (in case <varname>PAMName=</varname> is used).</para> | |
1660 | ||
1661 | <para> | |
1662 | See <citerefentry | |
1663 | project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details | |
1664 | about environment variables.</para></listitem> | |
1665 | </varlistentry> | |
1666 | ||
1667 | </variablelist> | |
1668 | </refsect1> | |
1669 | ||
1670 | <refsect1> | |
1671 | <title>Logging and Standard Input/Output</title> | |
1672 | ||
1673 | <variablelist> | |
1674 | <varlistentry> | |
1675 | ||
1676 | <term><varname>StandardInput=</varname></term> | |
1677 | ||
1678 | <listitem><para>Controls where file descriptor 0 (STDIN) of the executed processes is connected to. Takes one | |
1679 | of <option>null</option>, <option>tty</option>, <option>tty-force</option>, <option>tty-fail</option>, | |
1680 | <option>data</option>, <option>file:<replaceable>path</replaceable></option>, <option>socket</option> or | |
1681 | <option>fd:<replaceable>name</replaceable></option>.</para> | |
1682 | ||
1683 | <para>If <option>null</option> is selected, standard input will be connected to <filename>/dev/null</filename>, | |
1684 | i.e. all read attempts by the process will result in immediate EOF.</para> | |
1685 | ||
1686 | <para>If <option>tty</option> is selected, standard input is connected to a TTY (as configured by | |
1687 | <varname>TTYPath=</varname>, see below) and the executed process becomes the controlling process of the | |
1688 | terminal. If the terminal is already being controlled by another process, the executed process waits until the | |
1689 | current controlling process releases the terminal.</para> | |
1690 | ||
1691 | <para><option>tty-force</option> is similar to <option>tty</option>, but the executed process is forcefully and | |
1692 | immediately made the controlling process of the terminal, potentially removing previous controlling processes | |
1693 | from the terminal.</para> | |
1694 | ||
1695 | <para><option>tty-fail</option> is similar to <option>tty</option>, but if the terminal already has a | |
1696 | controlling process start-up of the executed process fails.</para> | |
1697 | ||
1698 | <para>The <option>data</option> option may be used to configure arbitrary textual or binary data to pass via | |
1699 | standard input to the executed process. The data to pass is configured via | |
1700 | <varname>StandardInputText=</varname>/<varname>StandardInputData=</varname> (see below). Note that the actual | |
1701 | file descriptor type passed (memory file, regular file, UNIX pipe, …) might depend on the kernel and available | |
1702 | privileges. In any case, the file descriptor is read-only, and when read returns the specified data followed by | |
1703 | EOF.</para> | |
1704 | ||
1705 | <para>The <option>file:<replaceable>path</replaceable></option> option may be used to connect a specific file | |
1706 | system object to standard input. An absolute path following the <literal>:</literal> character is expected, | |
1707 | which may refer to a regular file, a FIFO or special file. If an <constant>AF_UNIX</constant> socket in the | |
1708 | file system is specified, a stream socket is connected to it. The latter is useful for connecting standard | |
1709 | input of processes to arbitrary system services.</para> | |
1710 | ||
1711 | <para>The <option>socket</option> option is valid in socket-activated services only, and requires the relevant | |
1712 | socket unit file (see | |
1713 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry> for details) | |
1714 | to have <varname>Accept=yes</varname> set, or to specify a single socket only. If this option is set, standard | |
1715 | input will be connected to the socket the service was activated from, which is primarily useful for | |
1716 | compatibility with daemons designed for use with the traditional <citerefentry | |
1717 | project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry> socket activation | |
1718 | daemon.</para> | |
1719 | ||
1720 | <para>The <option>fd:<replaceable>name</replaceable></option> option connects standard input to a specific, | |
1721 | named file descriptor provided by a socket unit. The name may be specified as part of this option, following a | |
1722 | <literal>:</literal> character (e.g. <literal>fd:foobar</literal>). If no name is specified, the name | |
1723 | <literal>stdin</literal> is implied (i.e. <literal>fd</literal> is equivalent to <literal>fd:stdin</literal>). | |
1724 | At least one socket unit defining the specified name must be provided via the <varname>Sockets=</varname> | |
1725 | option, and the file descriptor name may differ from the name of its containing socket unit. If multiple | |
1726 | matches are found, the first one will be used. See <varname>FileDescriptorName=</varname> in | |
1727 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more | |
1728 | details about named file descriptors and their ordering.</para> | |
1729 | ||
1730 | <para>This setting defaults to <option>null</option>.</para></listitem> | |
1731 | </varlistentry> | |
1732 | ||
1733 | <varlistentry> | |
1734 | <term><varname>StandardOutput=</varname></term> | |
1735 | ||
1736 | <listitem><para>Controls where file descriptor 1 (STDOUT) of the executed processes is connected to. Takes one | |
1737 | of <option>inherit</option>, <option>null</option>, <option>tty</option>, <option>journal</option>, | |
1738 | <option>syslog</option>, <option>kmsg</option>, <option>journal+console</option>, | |
1739 | <option>syslog+console</option>, <option>kmsg+console</option>, | |
1740 | <option>file:<replaceable>path</replaceable></option>, <option>socket</option> or | |
1741 | <option>fd:<replaceable>name</replaceable></option>.</para> | |
1742 | ||
1743 | <para><option>inherit</option> duplicates the file descriptor of standard input for standard output.</para> | |
1744 | ||
1745 | <para><option>null</option> connects standard output to <filename>/dev/null</filename>, i.e. everything written | |
1746 | to it will be lost.</para> | |
1747 | ||
1748 | <para><option>tty</option> connects standard output to a tty (as configured via <varname>TTYPath=</varname>, | |
1749 | see below). If the TTY is used for output only, the executed process will not become the controlling process of | |
1750 | the terminal, and will not fail or wait for other processes to release the terminal.</para> | |
1751 | ||
1752 | <para><option>journal</option> connects standard output with the journal which is accessible via | |
1753 | <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>. Note that | |
1754 | everything that is written to syslog or kmsg (see below) is implicitly stored in the journal as well, the | |
1755 | specific two options listed below are hence supersets of this one.</para> | |
1756 | ||
1757 | <para><option>syslog</option> connects standard output to the <citerefentry | |
1758 | project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> system syslog | |
1759 | service, in addition to the journal. Note that the journal daemon is usually configured to forward everything | |
1760 | it receives to syslog anyway, in which case this option is no different from <option>journal</option>.</para> | |
1761 | ||
1762 | <para><option>kmsg</option> connects standard output with the kernel log buffer which is accessible via | |
1763 | <citerefentry project='man-pages'><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
1764 | in addition to the journal. The journal daemon might be configured to send all logs to kmsg anyway, in which | |
1765 | case this option is no different from <option>journal</option>.</para> | |
1766 | ||
1767 | <para><option>journal+console</option>, <option>syslog+console</option> and <option>kmsg+console</option> work | |
1768 | in a similar way as the three options above but copy the output to the system console as well.</para> | |
1769 | ||
1770 | <para>The <option>file:<replaceable>path</replaceable></option> option may be used to connect a specific file | |
1771 | system object to standard output. The semantics are similar to the same option of | |
8d29bef6 LW |
1772 | <varname>StandardInput=</varname>, see above. If standard input and output are directed to the same file path, |
1773 | it is opened only once, for reading as well as writing and duplicated. This is particular useful when the | |
b8afec21 LP |
1774 | specified path refers to an <constant>AF_UNIX</constant> socket in the file system, as in that case only a |
1775 | single stream connection is created for both input and output.</para> | |
1776 | ||
1777 | <para><option>socket</option> connects standard output to a socket acquired via socket activation. The | |
1778 | semantics are similar to the same option of <varname>StandardInput=</varname>, see above.</para> | |
1779 | ||
1780 | <para>The <option>fd:<replaceable>name</replaceable></option> option connects standard output to a specific, | |
1781 | named file descriptor provided by a socket unit. A name may be specified as part of this option, following a | |
1782 | <literal>:</literal> character (e.g. <literal>fd:foobar</literal>). If no name is specified, the name | |
1783 | <literal>stdout</literal> is implied (i.e. <literal>fd</literal> is equivalent to | |
1784 | <literal>fd:stdout</literal>). At least one socket unit defining the specified name must be provided via the | |
1785 | <varname>Sockets=</varname> option, and the file descriptor name may differ from the name of its containing | |
1786 | socket unit. If multiple matches are found, the first one will be used. See | |
1787 | <varname>FileDescriptorName=</varname> in | |
1788 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more | |
1789 | details about named descriptors and their ordering.</para> | |
1790 | ||
1791 | <para>If the standard output (or error output, see below) of a unit is connected to the journal, syslog or the | |
1792 | kernel log buffer, the unit will implicitly gain a dependency of type <varname>After=</varname> on | |
1793 | <filename>systemd-journald.socket</filename> (also see the "Implicit Dependencies" section above). Also note | |
1794 | that in this case stdout (or stderr, see below) will be an <constant>AF_UNIX</constant> stream socket, and not | |
1795 | a pipe or FIFO that can be re-opened. This means when executing shell scripts the construct <command>echo | |
1796 | "hello" > /dev/stderr</command> for writing text to stderr will not work. To mitigate this use the construct | |
1797 | <command>echo "hello" >&2</command> instead, which is mostly equivalent and avoids this pitfall.</para> | |
1798 | ||
1799 | <para>This setting defaults to the value set with <varname>DefaultStandardOutput=</varname> in | |
1800 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, which | |
1801 | defaults to <option>journal</option>. Note that setting this parameter might result in additional dependencies | |
1802 | to be added to the unit (see above).</para></listitem> | |
1803 | </varlistentry> | |
1804 | ||
1805 | <varlistentry> | |
1806 | <term><varname>StandardError=</varname></term> | |
1807 | ||
1808 | <listitem><para>Controls where file descriptor 2 (STDERR) of the executed processes is connected to. The | |
1809 | available options are identical to those of <varname>StandardOutput=</varname>, with some exceptions: if set to | |
1810 | <option>inherit</option> the file descriptor used for standard output is duplicated for standard error, while | |
1811 | <option>fd:<replaceable>name</replaceable></option> will use a default file descriptor name of | |
1812 | <literal>stderr</literal>.</para> | |
1813 | ||
1814 | <para>This setting defaults to the value set with <varname>DefaultStandardError=</varname> in | |
1815 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, which | |
1816 | defaults to <option>inherit</option>. Note that setting this parameter might result in additional dependencies | |
1817 | to be added to the unit (see above).</para></listitem> | |
1818 | </varlistentry> | |
1819 | ||
1820 | <varlistentry> | |
1821 | <term><varname>StandardInputText=</varname></term> | |
1822 | <term><varname>StandardInputData=</varname></term> | |
1823 | ||
1824 | <listitem><para>Configures arbitrary textual or binary data to pass via file descriptor 0 (STDIN) to the | |
1825 | executed processes. These settings have no effect unless <varname>StandardInput=</varname> is set to | |
1826 | <option>data</option>. Use this option to embed process input data directly in the unit file.</para> | |
1827 | ||
1828 | <para><varname>StandardInputText=</varname> accepts arbitrary textual data. C-style escapes for special | |
1829 | characters as well as the usual <literal>%</literal>-specifiers are resolved. Each time this setting is used | |
1b2ad5d9 | 1830 | the specified text is appended to the per-unit data buffer, followed by a newline character (thus every use |
b8afec21 LP |
1831 | appends a new line to the end of the buffer). Note that leading and trailing whitespace of lines configured |
1832 | with this option is removed. If an empty line is specified the buffer is cleared (hence, in order to insert an | |
1833 | empty line, add an additional <literal>\n</literal> to the end or beginning of a line).</para> | |
1834 | ||
1835 | <para><varname>StandardInputData=</varname> accepts arbitrary binary data, encoded in <ulink | |
1836 | url="https://tools.ietf.org/html/rfc2045#section-6.8">Base64</ulink>. No escape sequences or specifiers are | |
1837 | resolved. Any whitespace in the encoded version is ignored during decoding.</para> | |
1838 | ||
1839 | <para>Note that <varname>StandardInputText=</varname> and <varname>StandardInputData=</varname> operate on the | |
1840 | same data buffer, and may be mixed in order to configure both binary and textual data for the same input | |
1841 | stream. The textual or binary data is joined strictly in the order the settings appear in the unit | |
1842 | file. Assigning an empty string to either will reset the data buffer.</para> | |
1843 | ||
1844 | <para>Please keep in mind that in order to maintain readability long unit file settings may be split into | |
1845 | multiple lines, by suffixing each line (except for the last) with a <literal>\</literal> character (see | |
1846 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for | |
1847 | details). This is particularly useful for large data configured with these two options. Example:</para> | |
1848 | ||
1849 | <programlisting>… | |
1850 | StandardInput=data | |
1851 | StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy4KSWNrIGtpZWtl \ | |
1852 | LCBzdGF1bmUsIHd1bmRyZSBtaXIsCnVmZiBlZW1hbCBqZWh0IHNlIHVmZiBkaWUgVMO8ci4KTmFu \ | |
1853 | dSwgZGVuayBpY2ssIGljayBkZW5rIG5hbnUhCkpldHogaXNzZSB1ZmYsIGVyc2NodCB3YXIgc2Ug \ | |
1854 | enUhCkljayBqZWhlIHJhdXMgdW5kIGJsaWNrZSDigJQKdW5kIHdlciBzdGVodCBkcmF1w59lbj8g \ | |
1855 | SWNrZSEK | |
1856 | …</programlisting></listitem> | |
798d3a52 ZJS |
1857 | </varlistentry> |
1858 | ||
1859 | <varlistentry> | |
b8afec21 | 1860 | <term><varname>LogLevelMax=</varname></term> |
142bd808 | 1861 | |
b8afec21 LP |
1862 | <listitem><para>Configures filtering by log level of log messages generated by this unit. Takes a |
1863 | <command>syslog</command> log level, one of <option>emerg</option> (lowest log level, only highest priority | |
1864 | messages), <option>alert</option>, <option>crit</option>, <option>err</option>, <option>warning</option>, | |
1865 | <option>notice</option>, <option>info</option>, <option>debug</option> (highest log level, also lowest priority | |
1866 | messages). See <citerefentry | |
1867 | project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> for | |
1868 | details. By default no filtering is applied (i.e. the default maximum log level is <option>debug</option>). Use | |
1869 | this option to configure the logging system to drop log messages of a specific service above the specified | |
1870 | level. For example, set <varname>LogLevelMax=</varname><option>info</option> in order to turn off debug logging | |
1b2ad5d9 | 1871 | of a particularly chatty unit. Note that the configured level is applied to any log messages written by any |
b8afec21 LP |
1872 | of the processes belonging to this unit, sent via any supported logging protocol. The filtering is applied |
1873 | early in the logging pipeline, before any kind of further processing is done. Moreover, messages which pass | |
1874 | through this filter successfully might still be dropped by filters applied at a later stage in the logging | |
1875 | subsystem. For example, <varname>MaxLevelStore=</varname> configured in | |
1876 | <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> might | |
1877 | prohibit messages of higher log levels to be stored on disk, even though the per-unit | |
1878 | <varname>LogLevelMax=</varname> permitted it to be processed.</para></listitem> | |
798d3a52 ZJS |
1879 | </varlistentry> |
1880 | ||
add00535 | 1881 | <varlistentry> |
b8afec21 | 1882 | <term><varname>LogExtraFields=</varname></term> |
add00535 | 1883 | |
b8afec21 LP |
1884 | <listitem><para>Configures additional log metadata fields to include in all log records generated by processes |
1885 | associated with this unit. This setting takes one or more journal field assignments in the format | |
1886 | <literal>FIELD=VALUE</literal> separated by whitespace. See | |
1887 | <citerefentry><refentrytitle>systemd.journal-fields</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
1888 | details on the journal field concept. Even though the underlying journal implementation permits binary field | |
1889 | values, this setting accepts only valid UTF-8 values. To include space characters in a journal field value, | |
1890 | enclose the assignment in double quotes ("). The usual specifiers are expanded in all assignments (see | |
1891 | below). Note that this setting is not only useful for attaching additional metadata to log records of a unit, | |
1892 | but given that all fields and values are indexed may also be used to implement cross-unit log record | |
1893 | matching. Assign an empty string to reset the list.</para></listitem> | |
add00535 LP |
1894 | </varlistentry> |
1895 | ||
798d3a52 | 1896 | <varlistentry> |
b8afec21 | 1897 | <term><varname>SyslogIdentifier=</varname></term> |
798d3a52 | 1898 | |
b8afec21 LP |
1899 | <listitem><para>Sets the process name ("<command>syslog</command> tag") to prefix log lines sent to the logging |
1900 | system or the kernel log buffer with. If not set, defaults to the process name of the executed process. This | |
1901 | option is only useful when <varname>StandardOutput=</varname> or <varname>StandardError=</varname> are set to | |
1902 | <option>journal</option>, <option>syslog</option> or <option>kmsg</option> (or to the same settings in | |
1903 | combination with <option>+console</option>) and only applies to log messages written to stdout or | |
1904 | stderr.</para></listitem> | |
798d3a52 ZJS |
1905 | </varlistentry> |
1906 | ||
1907 | <varlistentry> | |
b8afec21 | 1908 | <term><varname>SyslogFacility=</varname></term> |
78e864e5 | 1909 | |
b8afec21 LP |
1910 | <listitem><para>Sets the <command>syslog</command> facility identifier to use when logging. One of |
1911 | <option>kern</option>, <option>user</option>, <option>mail</option>, <option>daemon</option>, | |
1912 | <option>auth</option>, <option>syslog</option>, <option>lpr</option>, <option>news</option>, | |
1913 | <option>uucp</option>, <option>cron</option>, <option>authpriv</option>, <option>ftp</option>, | |
1914 | <option>local0</option>, <option>local1</option>, <option>local2</option>, <option>local3</option>, | |
1915 | <option>local4</option>, <option>local5</option>, <option>local6</option> or <option>local7</option>. See | |
1916 | <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
1917 | for details. This option is only useful when <varname>StandardOutput=</varname> or | |
1918 | <varname>StandardError=</varname> are set to <option>journal</option>, <option>syslog</option> or | |
1919 | <option>kmsg</option> (or to the same settings in combination with <option>+console</option>), and only applies | |
1920 | to log messages written to stdout or stderr. Defaults to <option>daemon</option>.</para></listitem> | |
78e864e5 TM |
1921 | </varlistentry> |
1922 | ||
b1edf445 | 1923 | <varlistentry> |
b8afec21 | 1924 | <term><varname>SyslogLevel=</varname></term> |
b1edf445 | 1925 | |
b8afec21 LP |
1926 | <listitem><para>The default <command>syslog</command> log level to use when logging to the logging system or |
1927 | the kernel log buffer. One of <option>emerg</option>, <option>alert</option>, <option>crit</option>, | |
1928 | <option>err</option>, <option>warning</option>, <option>notice</option>, <option>info</option>, | |
1929 | <option>debug</option>. See <citerefentry | |
1930 | project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> for | |
1931 | details. This option is only useful when <varname>StandardOutput=</varname> or | |
1932 | <varname>StandardError=</varname> are set to <option>journal</option>, <option>syslog</option> or | |
1933 | <option>kmsg</option> (or to the same settings in combination with <option>+console</option>), and only applies | |
1934 | to log messages written to stdout or stderr. Note that individual lines output by executed processes may be | |
1935 | prefixed with a different log level which can be used to override the default log level specified here. The | |
1936 | interpretation of these prefixes may be disabled with <varname>SyslogLevelPrefix=</varname>, see below. For | |
1937 | details, see <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
1938 | Defaults to <option>info</option>.</para></listitem> | |
78e864e5 TM |
1939 | </varlistentry> |
1940 | ||
1941 | <varlistentry> | |
b8afec21 | 1942 | <term><varname>SyslogLevelPrefix=</varname></term> |
4a628360 | 1943 | |
b8afec21 LP |
1944 | <listitem><para>Takes a boolean argument. If true and <varname>StandardOutput=</varname> or |
1945 | <varname>StandardError=</varname> are set to <option>journal</option>, <option>syslog</option> or | |
1946 | <option>kmsg</option> (or to the same settings in combination with <option>+console</option>), log lines | |
1947 | written by the executed process that are prefixed with a log level will be processed with this log level set | |
1948 | but the prefix removed. If set to false, the interpretation of these prefixes is disabled and the logged lines | |
1949 | are passed on as-is. This only applies to log messages written to stdout or stderr. For details about this | |
1950 | prefixing see <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
1951 | Defaults to true.</para></listitem> | |
1952 | </varlistentry> | |
fdfcb946 | 1953 | |
b8afec21 LP |
1954 | <varlistentry> |
1955 | <term><varname>TTYPath=</varname></term> | |
4a628360 | 1956 | |
b8afec21 LP |
1957 | <listitem><para>Sets the terminal device node to use if standard input, output, or error are connected to a TTY |
1958 | (see above). Defaults to <filename>/dev/console</filename>.</para></listitem> | |
1959 | </varlistentry> | |
23a7448e | 1960 | |
b8afec21 LP |
1961 | <varlistentry> |
1962 | <term><varname>TTYReset=</varname></term> | |
3536f49e | 1963 | |
b8afec21 LP |
1964 | <listitem><para>Reset the terminal device specified with <varname>TTYPath=</varname> before and after |
1965 | execution. Defaults to <literal>no</literal>.</para></listitem> | |
3536f49e YW |
1966 | </varlistentry> |
1967 | ||
189cd8c2 | 1968 | <varlistentry> |
b8afec21 | 1969 | <term><varname>TTYVHangup=</varname></term> |
189cd8c2 | 1970 | |
b8afec21 LP |
1971 | <listitem><para>Disconnect all clients which have opened the terminal device specified with |
1972 | <varname>TTYPath=</varname> before and after execution. Defaults to <literal>no</literal>.</para></listitem> | |
189cd8c2 ZJS |
1973 | </varlistentry> |
1974 | ||
53f47dfc | 1975 | <varlistentry> |
b8afec21 | 1976 | <term><varname>TTYVTDisallocate=</varname></term> |
53f47dfc | 1977 | |
b8afec21 LP |
1978 | <listitem><para>If the terminal device specified with <varname>TTYPath=</varname> is a virtual console |
1979 | terminal, try to deallocate the TTY before and after execution. This ensures that the screen and scrollback | |
1980 | buffer is cleared. Defaults to <literal>no</literal>.</para></listitem> | |
189cd8c2 | 1981 | </varlistentry> |
b8afec21 LP |
1982 | </variablelist> |
1983 | </refsect1> | |
1984 | ||
1985 | <refsect1> | |
1986 | <title>System V Compatibility</title> | |
1987 | <variablelist> | |
189cd8c2 | 1988 | |
f3e43635 | 1989 | <varlistentry> |
b8afec21 | 1990 | <term><varname>UtmpIdentifier=</varname></term> |
f3e43635 | 1991 | |
b8afec21 LP |
1992 | <listitem><para>Takes a four character identifier string for an <citerefentry |
1993 | project='man-pages'><refentrytitle>utmp</refentrytitle><manvolnum>5</manvolnum></citerefentry> and wtmp entry | |
1994 | for this service. This should only be set for services such as <command>getty</command> implementations (such | |
1995 | as <citerefentry | |
1996 | project='die-net'><refentrytitle>agetty</refentrytitle><manvolnum>8</manvolnum></citerefentry>) where utmp/wtmp | |
1997 | entries must be created and cleared before and after execution, or for services that shall be executed as if | |
1998 | they were run by a <command>getty</command> process (see below). If the configured string is longer than four | |
1999 | characters, it is truncated and the terminal four characters are used. This setting interprets %I style string | |
2000 | replacements. This setting is unset by default, i.e. no utmp/wtmp entries are created or cleaned up for this | |
2001 | service.</para></listitem> | |
f3e43635 TM |
2002 | </varlistentry> |
2003 | ||
f4170c67 | 2004 | <varlistentry> |
b8afec21 | 2005 | <term><varname>UtmpMode=</varname></term> |
f4170c67 | 2006 | |
b8afec21 LP |
2007 | <listitem><para>Takes one of <literal>init</literal>, <literal>login</literal> or <literal>user</literal>. If |
2008 | <varname>UtmpIdentifier=</varname> is set, controls which type of <citerefentry | |
2009 | project='man-pages'><refentrytitle>utmp</refentrytitle><manvolnum>5</manvolnum></citerefentry>/wtmp entries | |
2010 | for this service are generated. This setting has no effect unless <varname>UtmpIdentifier=</varname> is set | |
2011 | too. If <literal>init</literal> is set, only an <constant>INIT_PROCESS</constant> entry is generated and the | |
2012 | invoked process must implement a <command>getty</command>-compatible utmp/wtmp logic. If | |
2013 | <literal>login</literal> is set, first an <constant>INIT_PROCESS</constant> entry, followed by a | |
2014 | <constant>LOGIN_PROCESS</constant> entry is generated. In this case, the invoked process must implement a | |
2015 | <citerefentry | |
2016 | project='die-net'><refentrytitle>login</refentrytitle><manvolnum>1</manvolnum></citerefentry>-compatible | |
2017 | utmp/wtmp logic. If <literal>user</literal> is set, first an <constant>INIT_PROCESS</constant> entry, then a | |
2018 | <constant>LOGIN_PROCESS</constant> entry and finally a <constant>USER_PROCESS</constant> entry is | |
2019 | generated. In this case, the invoked process may be any process that is suitable to be run as session | |
2020 | leader. Defaults to <literal>init</literal>.</para></listitem> | |
f4170c67 LP |
2021 | </varlistentry> |
2022 | ||
798d3a52 ZJS |
2023 | </variablelist> |
2024 | </refsect1> | |
2025 | ||
2026 | <refsect1> | |
2027 | <title>Environment variables in spawned processes</title> | |
2028 | ||
00819cc1 LP |
2029 | <para>Processes started by the service manager are executed with an environment variable block assembled from |
2030 | multiple sources. Processes started by the system service manager generally do not inherit environment variables | |
2031 | set for the service manager itself (but this may be altered via <varname>PassEnvironment=</varname>), but processes | |
2032 | started by the user service manager instances generally do inherit all environment variables set for the service | |
2033 | manager itself.</para> | |
2034 | ||
2035 | <para>For each invoked process the list of environment variables set is compiled from the following sources:</para> | |
2036 | ||
2037 | <itemizedlist> | |
2038 | <listitem><para>Variables globally configured for the service manager, using the | |
2039 | <varname>DefaultEnvironment=</varname> setting in | |
2040 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, the kernel command line option <varname>systemd.setenv=</varname> (see | |
2041 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>) or via | |
2042 | <command>systemctl set-environment</command> (see <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>).</para></listitem> | |
2043 | ||
2044 | <listitem><para>Variables defined by the service manager itself (see the list below)</para></listitem> | |
2045 | ||
2046 | <listitem><para>Variables set in the service manager's own environment variable block (subject to <varname>PassEnvironment=</varname> for the system service manager)</para></listitem> | |
2047 | ||
2048 | <listitem><para>Variables set via <varname>Environment=</varname> in the unit file</para></listitem> | |
2049 | ||
606df9a5 | 2050 | <listitem><para>Variables read from files specified via <varname>EnvironmentFile=</varname> in the unit file</para></listitem> |
00819cc1 | 2051 | |
46b07329 LP |
2052 | <listitem><para>Variables set by any PAM modules in case <varname>PAMName=</varname> is in effect, |
2053 | cf. <citerefentry | |
2054 | project='man-pages'><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry></para></listitem> | |
00819cc1 LP |
2055 | </itemizedlist> |
2056 | ||
2057 | <para>If the same environment variables are set by multiple of these sources, the later source — according to the | |
2058 | order of the list above — wins. Note that as final step all variables listed in | |
2059 | <varname>UnsetEnvironment=</varname> are removed again from the compiled environment variable list, immediately | |
2060 | before it is passed to the executed process.</para> | |
2061 | ||
46b07329 LP |
2062 | <para>The following select environment variables are set or propagated by the service manager for each invoked |
2063 | process:</para> | |
798d3a52 ZJS |
2064 | |
2065 | <variablelist class='environment-variables'> | |
2066 | <varlistentry> | |
2067 | <term><varname>$PATH</varname></term> | |
2068 | ||
2069 | <listitem><para>Colon-separated list of directories to use | |
f95b0be7 | 2070 | when launching executables. systemd uses a fixed value of |
798d3a52 ZJS |
2071 | <filename>/usr/local/sbin</filename>:<filename>/usr/local/bin</filename>:<filename>/usr/sbin</filename>:<filename>/usr/bin</filename>:<filename>/sbin</filename>:<filename>/bin</filename>. |
2072 | </para></listitem> | |
2073 | </varlistentry> | |
2074 | ||
2075 | <varlistentry> | |
2076 | <term><varname>$LANG</varname></term> | |
2077 | ||
2078 | <listitem><para>Locale. Can be set in | |
3ba3a79d | 2079 | <citerefentry project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
798d3a52 ZJS |
2080 | or on the kernel command line (see |
2081 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
2082 | and | |
2083 | <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>). | |
2084 | </para></listitem> | |
2085 | </varlistentry> | |
2086 | ||
2087 | <varlistentry> | |
2088 | <term><varname>$USER</varname></term> | |
2089 | <term><varname>$LOGNAME</varname></term> | |
2090 | <term><varname>$HOME</varname></term> | |
2091 | <term><varname>$SHELL</varname></term> | |
2092 | ||
2093 | <listitem><para>User name (twice), home directory, and the | |
23deef88 LP |
2094 | login shell. The variables are set for the units that have |
2095 | <varname>User=</varname> set, which includes user | |
2096 | <command>systemd</command> instances. See | |
3ba3a79d | 2097 | <citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>. |
798d3a52 ZJS |
2098 | </para></listitem> |
2099 | </varlistentry> | |
2100 | ||
4b58153d LP |
2101 | <varlistentry> |
2102 | <term><varname>$INVOCATION_ID</varname></term> | |
2103 | ||
2104 | <listitem><para>Contains a randomized, unique 128bit ID identifying each runtime cycle of the unit, formatted | |
2105 | as 32 character hexadecimal string. A new ID is assigned each time the unit changes from an inactive state into | |
2106 | an activating or active state, and may be used to identify this specific runtime cycle, in particular in data | |
2107 | stored offline, such as the journal. The same ID is passed to all processes run as part of the | |
2108 | unit.</para></listitem> | |
2109 | </varlistentry> | |
2110 | ||
798d3a52 ZJS |
2111 | <varlistentry> |
2112 | <term><varname>$XDG_RUNTIME_DIR</varname></term> | |
2113 | ||
46b07329 LP |
2114 | <listitem><para>The directory to use for runtime objects (such as IPC objects) and volatile state. Set for all |
2115 | services run by the user <command>systemd</command> instance, as well as any system services that use | |
2116 | <varname>PAMName=</varname> with a PAM stack that includes <command>pam_systemd</command>. See below and | |
2117 | <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry> for more | |
2118 | information.</para></listitem> | |
798d3a52 ZJS |
2119 | </varlistentry> |
2120 | ||
2121 | <varlistentry> | |
2122 | <term><varname>$MAINPID</varname></term> | |
2123 | ||
2dd67817 | 2124 | <listitem><para>The PID of the unit's main process if it is |
798d3a52 ZJS |
2125 | known. This is only set for control processes as invoked by |
2126 | <varname>ExecReload=</varname> and similar. </para></listitem> | |
2127 | </varlistentry> | |
2128 | ||
2129 | <varlistentry> | |
2130 | <term><varname>$MANAGERPID</varname></term> | |
2131 | ||
2132 | <listitem><para>The PID of the user <command>systemd</command> | |
2133 | instance, set for processes spawned by it. </para></listitem> | |
2134 | </varlistentry> | |
2135 | ||
2136 | <varlistentry> | |
2137 | <term><varname>$LISTEN_FDS</varname></term> | |
2138 | <term><varname>$LISTEN_PID</varname></term> | |
5c019cf2 | 2139 | <term><varname>$LISTEN_FDNAMES</varname></term> |
798d3a52 ZJS |
2140 | |
2141 | <listitem><para>Information about file descriptors passed to a | |
2142 | service for socket activation. See | |
2143 | <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
2144 | </para></listitem> | |
2145 | </varlistentry> | |
2146 | ||
5c019cf2 EV |
2147 | <varlistentry> |
2148 | <term><varname>$NOTIFY_SOCKET</varname></term> | |
2149 | ||
2150 | <listitem><para>The socket | |
2151 | <function>sd_notify()</function> talks to. See | |
2152 | <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
2153 | </para></listitem> | |
2154 | </varlistentry> | |
2155 | ||
2156 | <varlistentry> | |
2157 | <term><varname>$WATCHDOG_PID</varname></term> | |
2158 | <term><varname>$WATCHDOG_USEC</varname></term> | |
2159 | ||
2160 | <listitem><para>Information about watchdog keep-alive notifications. See | |
2161 | <citerefentry><refentrytitle>sd_watchdog_enabled</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
2162 | </para></listitem> | |
2163 | </varlistentry> | |
2164 | ||
798d3a52 ZJS |
2165 | <varlistentry> |
2166 | <term><varname>$TERM</varname></term> | |
2167 | ||
2168 | <listitem><para>Terminal type, set only for units connected to | |
2169 | a terminal (<varname>StandardInput=tty</varname>, | |
2170 | <varname>StandardOutput=tty</varname>, or | |
2171 | <varname>StandardError=tty</varname>). See | |
2172 | <citerefentry project='man-pages'><refentrytitle>termcap</refentrytitle><manvolnum>5</manvolnum></citerefentry>. | |
2173 | </para></listitem> | |
2174 | </varlistentry> | |
7bce046b LP |
2175 | |
2176 | <varlistentry> | |
2177 | <term><varname>$JOURNAL_STREAM</varname></term> | |
2178 | ||
2179 | <listitem><para>If the standard output or standard error output of the executed processes are connected to the | |
2180 | journal (for example, by setting <varname>StandardError=journal</varname>) <varname>$JOURNAL_STREAM</varname> | |
2181 | contains the device and inode numbers of the connection file descriptor, formatted in decimal, separated by a | |
2182 | colon (<literal>:</literal>). This permits invoked processes to safely detect whether their standard output or | |
2183 | standard error output are connected to the journal. The device and inode numbers of the file descriptors should | |
2184 | be compared with the values set in the environment variable to determine whether the process output is still | |
2185 | connected to the journal. Note that it is generally not sufficient to only check whether | |
2186 | <varname>$JOURNAL_STREAM</varname> is set at all as services might invoke external processes replacing their | |
2187 | standard output or standard error output, without unsetting the environment variable.</para> | |
2188 | ||
ab2116b1 LP |
2189 | <para>If both standard output and standard error of the executed processes are connected to the journal via a |
2190 | stream socket, this environment variable will contain information about the standard error stream, as that's | |
2191 | usually the preferred destination for log data. (Note that typically the same stream is used for both standard | |
2192 | output and standard error, hence very likely the environment variable contains device and inode information | |
2193 | matching both stream file descriptors.)</para> | |
2194 | ||
7bce046b LP |
2195 | <para>This environment variable is primarily useful to allow services to optionally upgrade their used log |
2196 | protocol to the native journal protocol (using | |
2197 | <citerefentry><refentrytitle>sd_journal_print</refentrytitle><manvolnum>3</manvolnum></citerefentry> and other | |
2198 | functions) if their standard output or standard error output is connected to the journal anyway, thus enabling | |
2199 | delivery of structured metadata along with logged messages.</para></listitem> | |
2200 | </varlistentry> | |
136dc4c4 LP |
2201 | |
2202 | <varlistentry> | |
2203 | <term><varname>$SERVICE_RESULT</varname></term> | |
2204 | ||
2205 | <listitem><para>Only defined for the service unit type, this environment variable is passed to all | |
2206 | <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname> processes, and encodes the service | |
38a7c3c0 LP |
2207 | "result". Currently, the following values are defined:</para> |
2208 | ||
2209 | <table> | |
2210 | <title>Defined <varname>$SERVICE_RESULT</varname> values</title> | |
2211 | <tgroup cols='2'> | |
2212 | <colspec colname='result'/> | |
2213 | <colspec colname='meaning'/> | |
2214 | <thead> | |
2215 | <row> | |
2216 | <entry>Value</entry> | |
2217 | <entry>Meaning</entry> | |
2218 | </row> | |
2219 | </thead> | |
2220 | ||
2221 | <tbody> | |
2222 | <row> | |
2223 | <entry><literal>success</literal></entry> | |
e124ccdf | 2224 | <entry>The service ran successfully and exited cleanly.</entry> |
38a7c3c0 LP |
2225 | </row> |
2226 | <row> | |
2227 | <entry><literal>protocol</literal></entry> | |
e124ccdf | 2228 | <entry>A protocol violation occurred: the service did not take the steps required by its unit configuration (specifically what is configured in its <varname>Type=</varname> setting).</entry> |
38a7c3c0 LP |
2229 | </row> |
2230 | <row> | |
2231 | <entry><literal>timeout</literal></entry> | |
e124ccdf | 2232 | <entry>One of the steps timed out.</entry> |
38a7c3c0 LP |
2233 | </row> |
2234 | <row> | |
2235 | <entry><literal>exit-code</literal></entry> | |
e124ccdf | 2236 | <entry>Service process exited with a non-zero exit code; see <varname>$EXIT_CODE</varname> below for the actual exit code returned.</entry> |
38a7c3c0 LP |
2237 | </row> |
2238 | <row> | |
2239 | <entry><literal>signal</literal></entry> | |
e124ccdf | 2240 | <entry>A service process was terminated abnormally by a signal, without dumping core. See <varname>$EXIT_CODE</varname> below for the actual signal causing the termination.</entry> |
38a7c3c0 LP |
2241 | </row> |
2242 | <row> | |
2243 | <entry><literal>core-dump</literal></entry> | |
e124ccdf | 2244 | <entry>A service process terminated abnormally with a signal and dumped core. See <varname>$EXIT_CODE</varname> below for the signal causing the termination.</entry> |
38a7c3c0 LP |
2245 | </row> |
2246 | <row> | |
2247 | <entry><literal>watchdog</literal></entry> | |
e124ccdf | 2248 | <entry>Watchdog keep-alive ping was enabled for the service, but the deadline was missed.</entry> |
38a7c3c0 LP |
2249 | </row> |
2250 | <row> | |
2251 | <entry><literal>start-limit-hit</literal></entry> | |
e124ccdf | 2252 | <entry>A start limit was defined for the unit and it was hit, causing the unit to fail to start. See <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>'s <varname>StartLimitIntervalSec=</varname> and <varname>StartLimitBurst=</varname> for details.</entry> |
38a7c3c0 LP |
2253 | </row> |
2254 | <row> | |
2255 | <entry><literal>resources</literal></entry> | |
2256 | <entry>A catch-all condition in case a system operation failed.</entry> | |
2257 | </row> | |
2258 | </tbody> | |
2259 | </tgroup> | |
2260 | </table> | |
136dc4c4 LP |
2261 | |
2262 | <para>This environment variable is useful to monitor failure or successful termination of a service. Even | |
2263 | though this variable is available in both <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname>, it | |
2264 | is usually a better choice to place monitoring tools in the latter, as the former is only invoked for services | |
2265 | that managed to start up correctly, and the latter covers both services that failed during their start-up and | |
2266 | those which failed during their runtime.</para></listitem> | |
2267 | </varlistentry> | |
2268 | ||
2269 | <varlistentry> | |
2270 | <term><varname>$EXIT_CODE</varname></term> | |
2271 | <term><varname>$EXIT_STATUS</varname></term> | |
2272 | ||
2273 | <listitem><para>Only defined for the service unit type, these environment variables are passed to all | |
2274 | <varname>ExecStop=</varname>, <varname>ExecStopPost=</varname> processes and contain exit status/code | |
2275 | information of the main process of the service. For the precise definition of the exit code and status, see | |
2276 | <citerefentry><refentrytitle>wait</refentrytitle><manvolnum>2</manvolnum></citerefentry>. <varname>$EXIT_CODE</varname> | |
2277 | is one of <literal>exited</literal>, <literal>killed</literal>, | |
2278 | <literal>dumped</literal>. <varname>$EXIT_STATUS</varname> contains the numeric exit code formatted as string | |
2279 | if <varname>$EXIT_CODE</varname> is <literal>exited</literal>, and the signal name in all other cases. Note | |
2280 | that these environment variables are only set if the service manager succeeded to start and identify the main | |
e64e1bfd ZJS |
2281 | process of the service.</para> |
2282 | ||
2283 | <table> | |
2284 | <title>Summary of possible service result variable values</title> | |
2285 | <tgroup cols='3'> | |
2286 | <colspec colname='result' /> | |
e64e1bfd | 2287 | <colspec colname='code' /> |
a4e26faf | 2288 | <colspec colname='status' /> |
e64e1bfd ZJS |
2289 | <thead> |
2290 | <row> | |
2291 | <entry><varname>$SERVICE_RESULT</varname></entry> | |
e64e1bfd | 2292 | <entry><varname>$EXIT_CODE</varname></entry> |
a4e26faf | 2293 | <entry><varname>$EXIT_STATUS</varname></entry> |
e64e1bfd ZJS |
2294 | </row> |
2295 | </thead> | |
2296 | ||
2297 | <tbody> | |
38a7c3c0 LP |
2298 | <row> |
2299 | <entry valign="top"><literal>success</literal></entry> | |
2300 | <entry valign="top"><literal>exited</literal></entry> | |
2301 | <entry><literal>0</literal></entry> | |
2302 | </row> | |
a4e26faf JW |
2303 | <row> |
2304 | <entry morerows="1" valign="top"><literal>protocol</literal></entry> | |
2305 | <entry valign="top">not set</entry> | |
2306 | <entry>not set</entry> | |
2307 | </row> | |
2308 | <row> | |
2309 | <entry><literal>exited</literal></entry> | |
2310 | <entry><literal>0</literal></entry> | |
2311 | </row> | |
29df65f9 ZJS |
2312 | <row> |
2313 | <entry morerows="1" valign="top"><literal>timeout</literal></entry> | |
2314 | <entry valign="top"><literal>killed</literal></entry> | |
6757c06a | 2315 | <entry><literal>TERM</literal>, <literal>KILL</literal></entry> |
29df65f9 | 2316 | </row> |
29df65f9 ZJS |
2317 | <row> |
2318 | <entry valign="top"><literal>exited</literal></entry> | |
6757c06a LP |
2319 | <entry><literal>0</literal>, <literal>1</literal>, <literal>2</literal>, <literal |
2320 | >3</literal>, …, <literal>255</literal></entry> | |
29df65f9 | 2321 | </row> |
e64e1bfd ZJS |
2322 | <row> |
2323 | <entry valign="top"><literal>exit-code</literal></entry> | |
2324 | <entry valign="top"><literal>exited</literal></entry> | |
38a7c3c0 | 2325 | <entry><literal>1</literal>, <literal>2</literal>, <literal |
6757c06a | 2326 | >3</literal>, …, <literal>255</literal></entry> |
e64e1bfd | 2327 | </row> |
e64e1bfd ZJS |
2328 | <row> |
2329 | <entry valign="top"><literal>signal</literal></entry> | |
2330 | <entry valign="top"><literal>killed</literal></entry> | |
6757c06a | 2331 | <entry><literal>HUP</literal>, <literal>INT</literal>, <literal>KILL</literal>, …</entry> |
e64e1bfd | 2332 | </row> |
e64e1bfd ZJS |
2333 | <row> |
2334 | <entry valign="top"><literal>core-dump</literal></entry> | |
2335 | <entry valign="top"><literal>dumped</literal></entry> | |
6757c06a | 2336 | <entry><literal>ABRT</literal>, <literal>SEGV</literal>, <literal>QUIT</literal>, …</entry> |
e64e1bfd | 2337 | </row> |
e64e1bfd ZJS |
2338 | <row> |
2339 | <entry morerows="2" valign="top"><literal>watchdog</literal></entry> | |
2340 | <entry><literal>dumped</literal></entry> | |
2341 | <entry><literal>ABRT</literal></entry> | |
2342 | </row> | |
2343 | <row> | |
2344 | <entry><literal>killed</literal></entry> | |
6757c06a | 2345 | <entry><literal>TERM</literal>, <literal>KILL</literal></entry> |
e64e1bfd ZJS |
2346 | </row> |
2347 | <row> | |
2348 | <entry><literal>exited</literal></entry> | |
6757c06a LP |
2349 | <entry><literal>0</literal>, <literal>1</literal>, <literal>2</literal>, <literal |
2350 | >3</literal>, …, <literal>255</literal></entry> | |
e64e1bfd | 2351 | </row> |
38a7c3c0 LP |
2352 | <row> |
2353 | <entry><literal>start-limit-hit</literal></entry> | |
2354 | <entry>not set</entry> | |
2355 | <entry>not set</entry> | |
2356 | </row> | |
e64e1bfd ZJS |
2357 | <row> |
2358 | <entry><literal>resources</literal></entry> | |
2359 | <entry>any of the above</entry> | |
2360 | <entry>any of the above</entry> | |
2361 | </row> | |
29df65f9 | 2362 | <row> |
38a7c3c0 | 2363 | <entry namest="results" nameend="status">Note: the process may be also terminated by a signal not sent by systemd. In particular the process may send an arbitrary signal to itself in a handler for any of the non-maskable signals. Nevertheless, in the <literal>timeout</literal> and <literal>watchdog</literal> rows above only the signals that systemd sends have been included. Moreover, using <varname>SuccessExitStatus=</varname> additional exit statuses may be declared to indicate clean termination, which is not reflected by this table.</entry> |
29df65f9 | 2364 | </row> |
e64e1bfd ZJS |
2365 | </tbody> |
2366 | </tgroup> | |
2367 | </table> | |
2368 | ||
2369 | </listitem> | |
2370 | </varlistentry> | |
798d3a52 | 2371 | </variablelist> |
46b07329 LP |
2372 | |
2373 | <para>For system services, when <varname>PAMName=</varname> is enabled and <command>pam_systemd</command> is part | |
2374 | of the selected PAM stack, additional environment variables defined by systemd may be set for | |
2375 | services. Specifically, these are <varname>$XDG_SEAT</varname>, <varname>$XDG_VTNR</varname>, see | |
2376 | <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.</para> | |
798d3a52 ZJS |
2377 | </refsect1> |
2378 | ||
91a8f867 JS |
2379 | <refsect1> |
2380 | <title>Process exit codes</title> | |
2381 | ||
2382 | <para>When invoking a unit process the service manager possibly fails to apply the execution parameters configured | |
2383 | with the settings above. In that case the already created service process will exit with a non-zero exit code | |
2384 | before the configured command line is executed. (Or in other words, the child process possibly exits with these | |
2385 | error codes, after having been created by the <citerefentry | |
2386 | project='man-pages'><refentrytitle>fork</refentrytitle><manvolnum>2</manvolnum></citerefentry> system call, but | |
2387 | before the matching <citerefentry | |
2388 | project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry> system call is | |
2389 | called.) Specifically, exit codes defined by the C library, by the LSB specification and by the systemd service | |
2390 | manager itself are used.</para> | |
2391 | ||
2392 | <para>The following basic service exit codes are defined by the C library.</para> | |
2393 | ||
2394 | <table> | |
2395 | <title>Basic C library exit codes</title> | |
2396 | <tgroup cols='3'> | |
2397 | <thead> | |
2398 | <row> | |
2399 | <entry>Exit Code</entry> | |
2400 | <entry>Symbolic Name</entry> | |
2401 | <entry>Description</entry> | |
2402 | </row> | |
2403 | </thead> | |
2404 | <tbody> | |
2405 | <row> | |
2406 | <entry>0</entry> | |
2407 | <entry><constant>EXIT_SUCCESS</constant></entry> | |
2408 | <entry>Generic success code.</entry> | |
2409 | </row> | |
2410 | <row> | |
2411 | <entry>1</entry> | |
2412 | <entry><constant>EXIT_FAILURE</constant></entry> | |
2413 | <entry>Generic failure or unspecified error.</entry> | |
2414 | </row> | |
2415 | </tbody> | |
2416 | </tgroup> | |
2417 | </table> | |
2418 | ||
2419 | <para>The following service exit codes are defined by the <ulink | |
2420 | url="https://refspecs.linuxbase.org/LSB_5.0.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html">LSB specification | |
2421 | </ulink>. | |
2422 | </para> | |
2423 | ||
2424 | <table> | |
2425 | <title>LSB service exit codes</title> | |
2426 | <tgroup cols='3'> | |
2427 | <thead> | |
2428 | <row> | |
2429 | <entry>Exit Code</entry> | |
2430 | <entry>Symbolic Name</entry> | |
2431 | <entry>Description</entry> | |
2432 | </row> | |
2433 | </thead> | |
2434 | <tbody> | |
2435 | <row> | |
2436 | <entry>2</entry> | |
2437 | <entry><constant>EXIT_INVALIDARGUMENT</constant></entry> | |
2438 | <entry>Invalid or excess arguments.</entry> | |
2439 | </row> | |
2440 | <row> | |
2441 | <entry>3</entry> | |
2442 | <entry><constant>EXIT_NOTIMPLEMENTED</constant></entry> | |
2443 | <entry>Unimplemented feature.</entry> | |
2444 | </row> | |
2445 | <row> | |
2446 | <entry>4</entry> | |
2447 | <entry><constant>EXIT_NOPERMISSION</constant></entry> | |
2448 | <entry>The user has insufficient privileges.</entry> | |
2449 | </row> | |
2450 | <row> | |
2451 | <entry>5</entry> | |
2452 | <entry><constant>EXIT_NOTINSTALLED</constant></entry> | |
2453 | <entry>The program is not installed.</entry> | |
2454 | </row> | |
2455 | <row> | |
2456 | <entry>6</entry> | |
2457 | <entry><constant>EXIT_NOTCONFIGURED</constant></entry> | |
2458 | <entry>The program is not configured.</entry> | |
2459 | </row> | |
2460 | <row> | |
2461 | <entry>7</entry> | |
2462 | <entry><constant>EXIT_NOTRUNNING</constant></entry> | |
2463 | <entry>The program is not running.</entry> | |
2464 | </row> | |
2465 | </tbody> | |
2466 | </tgroup> | |
2467 | </table> | |
2468 | ||
2469 | <para> | |
2470 | The LSB specification suggests that error codes 200 and above are reserved for implementations. Some of them are | |
2471 | used by the service manager to indicate problems during process invocation: | |
2472 | </para> | |
2473 | <table> | |
2474 | <title>systemd-specific exit codes</title> | |
2475 | <tgroup cols='3'> | |
2476 | <thead> | |
2477 | <row> | |
2478 | <entry>Exit Code</entry> | |
2479 | <entry>Symbolic Name</entry> | |
2480 | <entry>Description</entry> | |
2481 | </row> | |
2482 | </thead> | |
2483 | <tbody> | |
2484 | <row> | |
2485 | <entry>200</entry> | |
2486 | <entry><constant>EXIT_CHDIR</constant></entry> | |
2487 | <entry>Changing to the requested working directory failed. See <varname>WorkingDirectory=</varname> above.</entry> | |
2488 | </row> | |
2489 | <row> | |
2490 | <entry>201</entry> | |
2491 | <entry><constant>EXIT_NICE</constant></entry> | |
2492 | <entry>Failed to set up process scheduling priority (nice level). See <varname>Nice=</varname> above.</entry> | |
2493 | </row> | |
2494 | <row> | |
2495 | <entry>202</entry> | |
2496 | <entry><constant>EXIT_FDS</constant></entry> | |
2497 | <entry>Failed to close unwanted file descriptors, or to adjust passed file descriptors.</entry> | |
2498 | </row> | |
2499 | <row> | |
2500 | <entry>203</entry> | |
2501 | <entry><constant>EXIT_EXEC</constant></entry> | |
2502 | <entry>The actual process execution failed (specifically, the <citerefentry project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry> system call). Most likely this is caused by a missing or non-accessible executable file.</entry> | |
2503 | </row> | |
2504 | <row> | |
2505 | <entry>204</entry> | |
2506 | <entry><constant>EXIT_MEMORY</constant></entry> | |
2507 | <entry>Failed to perform an action due to memory shortage.</entry> | |
2508 | </row> | |
2509 | <row> | |
2510 | <entry>205</entry> | |
2511 | <entry><constant>EXIT_LIMITS</constant></entry> | |
dcfaecc7 | 2512 | <entry>Failed to adjust resource limits. See <varname>LimitCPU=</varname> and related settings above.</entry> |
91a8f867 JS |
2513 | </row> |
2514 | <row> | |
2515 | <entry>206</entry> | |
2516 | <entry><constant>EXIT_OOM_ADJUST</constant></entry> | |
2517 | <entry>Failed to adjust the OOM setting. See <varname>OOMScoreAdjust=</varname> above.</entry> | |
2518 | </row> | |
2519 | <row> | |
2520 | <entry>207</entry> | |
2521 | <entry><constant>EXIT_SIGNAL_MASK</constant></entry> | |
2522 | <entry>Failed to set process signal mask.</entry> | |
2523 | </row> | |
2524 | <row> | |
2525 | <entry>208</entry> | |
2526 | <entry><constant>EXIT_STDIN</constant></entry> | |
2527 | <entry>Failed to set up standard input. See <varname>StandardInput=</varname> above.</entry> | |
2528 | </row> | |
2529 | <row> | |
2530 | <entry>209</entry> | |
2531 | <entry><constant>EXIT_STDOUT</constant></entry> | |
2532 | <entry>Failed to set up standard output. See <varname>StandardOutput=</varname> above.</entry> | |
2533 | </row> | |
2534 | <row> | |
2535 | <entry>210</entry> | |
2536 | <entry><constant>EXIT_CHROOT</constant></entry> | |
2537 | <entry>Failed to change root directory (<citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>). See <varname>RootDirectory=</varname>/<varname>RootImage=</varname> above.</entry> | |
2538 | </row> | |
2539 | <row> | |
2540 | <entry>211</entry> | |
2541 | <entry><constant>EXIT_IOPRIO</constant></entry> | |
2542 | <entry>Failed to set up IO scheduling priority. See <varname>IOSchedulingClass=</varname>/<varname>IOSchedulingPriority=</varname> above.</entry> | |
2543 | </row> | |
2544 | <row> | |
2545 | <entry>212</entry> | |
2546 | <entry><constant>EXIT_TIMERSLACK</constant></entry> | |
2547 | <entry>Failed to set up timer slack. See <varname>TimerSlackNSec=</varname> above.</entry> | |
2548 | </row> | |
2549 | <row> | |
2550 | <entry>213</entry> | |
2551 | <entry><constant>EXIT_SECUREBITS</constant></entry> | |
2552 | <entry>Failed to set process secure bits. See <varname>SecureBits=</varname> above.</entry> | |
2553 | </row> | |
2554 | <row> | |
2555 | <entry>214</entry> | |
2556 | <entry><constant>EXIT_SETSCHEDULER</constant></entry> | |
2557 | <entry>Failed to set up CPU scheduling. See <varname>CPUSchedulingPolicy=</varname>/<varname>CPUSchedulingPriority=</varname> above.</entry> | |
2558 | </row> | |
2559 | <row> | |
2560 | <entry>215</entry> | |
2561 | <entry><constant>EXIT_CPUAFFINITY</constant></entry> | |
2562 | <entry>Failed to set up CPU affinity. See <varname>CPUAffinity=</varname> above.</entry> | |
2563 | </row> | |
2564 | <row> | |
2565 | <entry>216</entry> | |
2566 | <entry><constant>EXIT_GROUP</constant></entry> | |
2567 | <entry>Failed to determine or change group credentials. See <varname>Group=</varname>/<varname>SupplementaryGroups=</varname> above.</entry> | |
2568 | </row> | |
2569 | <row> | |
2570 | <entry>217</entry> | |
2571 | <entry><constant>EXIT_USER</constant></entry> | |
2572 | <entry>Failed to determine or change user credentials, or to set up user namespacing. See <varname>User=</varname>/<varname>PrivateUsers=</varname> above.</entry> | |
2573 | </row> | |
2574 | <row> | |
2575 | <entry>218</entry> | |
2576 | <entry><constant>EXIT_CAPABILITIES</constant></entry> | |
2577 | <entry>Failed to drop capabilities, or apply ambient capabilities. See <varname>CapabilityBoundingSet=</varname>/<varname>AmbientCapabilities=</varname> above.</entry> | |
2578 | </row> | |
2579 | <row> | |
2580 | <entry>219</entry> | |
2581 | <entry><constant>EXIT_CGROUP</constant></entry> | |
2582 | <entry>Setting up the service control group failed.</entry> | |
2583 | </row> | |
2584 | <row> | |
2585 | <entry>220</entry> | |
2586 | <entry><constant>EXIT_SETSID</constant></entry> | |
2587 | <entry>Failed to create new process session.</entry> | |
2588 | </row> | |
2589 | <row> | |
2590 | <entry>221</entry> | |
2591 | <entry><constant>EXIT_CONFIRM</constant></entry> | |
2592 | <entry>Execution has been cancelled by the user. See the <varname>systemd.confirm_spawn=</varname> kernel command line setting on <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details.</entry> | |
2593 | </row> | |
2594 | <row> | |
2595 | <entry>222</entry> | |
2596 | <entry><constant>EXIT_STDERR</constant></entry> | |
2597 | <entry>Failed to set up standard error output. See <varname>StandardError=</varname> above.</entry> | |
2598 | </row> | |
2599 | <row> | |
2600 | <entry>224</entry> | |
2601 | <entry><constant>EXIT_PAM</constant></entry> | |
2602 | <entry>Failed to set up PAM session. See <varname>PAMName=</varname> above.</entry> | |
2603 | </row> | |
2604 | <row> | |
2605 | <entry>225</entry> | |
2606 | <entry><constant>EXIT_NETWORK</constant></entry> | |
2607 | <entry>Failed to set up network namespacing. See <varname>PrivateNetwork=</varname> above.</entry> | |
2608 | </row> | |
2609 | <row> | |
2610 | <entry>226</entry> | |
2611 | <entry><constant>EXIT_NAMESPACE</constant></entry> | |
2612 | <entry>Failed to set up mount namespacing. See <varname>ReadOnlyPaths=</varname> and related settings above.</entry> | |
2613 | </row> | |
2614 | <row> | |
2615 | <entry>227</entry> | |
2616 | <entry><constant>EXIT_NO_NEW_PRIVILEGES</constant></entry> | |
dcfaecc7 | 2617 | <entry>Failed to disable new privileges. See <varname>NoNewPrivileges=yes</varname> above.</entry> |
91a8f867 JS |
2618 | </row> |
2619 | <row> | |
2620 | <entry>228</entry> | |
2621 | <entry><constant>EXIT_SECCOMP</constant></entry> | |
2622 | <entry>Failed to apply system call filters. See <varname>SystemCallFilter=</varname> and related settings above.</entry> | |
2623 | </row> | |
2624 | <row> | |
2625 | <entry>229</entry> | |
2626 | <entry><constant>EXIT_SELINUX_CONTEXT</constant></entry> | |
2627 | <entry>Determining or changing SELinux context failed. See <varname>SELinuxContext=</varname> above.</entry> | |
2628 | </row> | |
2629 | <row> | |
2630 | <entry>230</entry> | |
2631 | <entry><constant>EXIT_PERSONALITY</constant></entry> | |
dcfaecc7 | 2632 | <entry>Failed to set up an execution domain (personality). See <varname>Personality=</varname> above.</entry> |
91a8f867 JS |
2633 | </row> |
2634 | <row> | |
2635 | <entry>231</entry> | |
2636 | <entry><constant>EXIT_APPARMOR_PROFILE</constant></entry> | |
2637 | <entry>Failed to prepare changing AppArmor profile. See <varname>AppArmorProfile=</varname> above.</entry> | |
2638 | </row> | |
2639 | <row> | |
2640 | <entry>232</entry> | |
2641 | <entry><constant>EXIT_ADDRESS_FAMILIES</constant></entry> | |
2642 | <entry>Failed to restrict address families. See <varname>RestrictAddressFamilies=</varname> above.</entry> | |
2643 | </row> | |
2644 | <row> | |
2645 | <entry>233</entry> | |
2646 | <entry><constant>EXIT_RUNTIME_DIRECTORY</constant></entry> | |
2647 | <entry>Setting up runtime directory failed. See <varname>RuntimeDirectory=</varname> and related settings above.</entry> | |
2648 | </row> | |
2649 | <row> | |
2650 | <entry>235</entry> | |
2651 | <entry><constant>EXIT_CHOWN</constant></entry> | |
2652 | <entry>Failed to adjust socket ownership. Used for socket units only.</entry> | |
2653 | </row> | |
2654 | <row> | |
2655 | <entry>236</entry> | |
2656 | <entry><constant>EXIT_SMACK_PROCESS_LABEL</constant></entry> | |
2657 | <entry>Failed to set SMACK label. See <varname>SmackProcessLabel=</varname> above.</entry> | |
2658 | </row> | |
2659 | <row> | |
2660 | <entry>237</entry> | |
2661 | <entry><constant>EXIT_KEYRING</constant></entry> | |
2662 | <entry>Failed to set up kernel keyring.</entry> | |
2663 | </row> | |
2664 | <row> | |
2665 | <entry>238</entry> | |
2666 | <entry><constant>EXIT_STATE_DIRECTORY</constant></entry> | |
dcfaecc7 | 2667 | <entry>Failed to set up unit's state directory. See <varname>StateDirectory=</varname> above.</entry> |
91a8f867 JS |
2668 | </row> |
2669 | <row> | |
2670 | <entry>239</entry> | |
2671 | <entry><constant>EXIT_CACHE_DIRECTORY</constant></entry> | |
dcfaecc7 | 2672 | <entry>Failed to set up unit's cache directory. See <varname>CacheDirectory=</varname> above.</entry> |
91a8f867 JS |
2673 | </row> |
2674 | <row> | |
2675 | <entry>240</entry> | |
2676 | <entry><constant>EXIT_LOGS_DIRECTORY</constant></entry> | |
dcfaecc7 | 2677 | <entry>Failed to set up unit's logging directory. See <varname>LogsDirectory=</varname> above.</entry> |
91a8f867 JS |
2678 | </row> |
2679 | <row> | |
2680 | <entry>241</entry> | |
2681 | <entry><constant>EXIT_CONFIGURATION_DIRECTORY</constant></entry> | |
dcfaecc7 | 2682 | <entry>Failed to set up unit's configuration directory. See <varname>ConfigurationDirectory=</varname> above.</entry> |
91a8f867 JS |
2683 | </row> |
2684 | </tbody> | |
2685 | </tgroup> | |
2686 | </table> | |
3e0bff7d LP |
2687 | |
2688 | <para>Finally, the BSD operating systems define a set of exit codes, typically defined on Linux systems too:</para> | |
2689 | ||
2690 | <table> | |
2691 | <title>BSD exit codes</title> | |
2692 | <tgroup cols='3'> | |
2693 | <thead> | |
2694 | <row> | |
2695 | <entry>Exit Code</entry> | |
2696 | <entry>Symbolic Name</entry> | |
2697 | <entry>Description</entry> | |
2698 | </row> | |
2699 | </thead> | |
2700 | <tbody> | |
2701 | <row> | |
2702 | <entry>64</entry> | |
2703 | <entry><constant>EX_USAGE</constant></entry> | |
2704 | <entry>Command line usage error</entry> | |
2705 | </row> | |
2706 | <row> | |
2707 | <entry>65</entry> | |
2708 | <entry><constant>EX_DATAERR</constant></entry> | |
2709 | <entry>Data format error</entry> | |
2710 | </row> | |
2711 | <row> | |
2712 | <entry>66</entry> | |
2713 | <entry><constant>EX_NOINPUT</constant></entry> | |
2714 | <entry>Cannot open input</entry> | |
2715 | </row> | |
2716 | <row> | |
2717 | <entry>67</entry> | |
2718 | <entry><constant>EX_NOUSER</constant></entry> | |
2719 | <entry>Addressee unknown</entry> | |
2720 | </row> | |
2721 | <row> | |
2722 | <entry>68</entry> | |
2723 | <entry><constant>EX_NOHOST</constant></entry> | |
2724 | <entry>Host name unknown</entry> | |
2725 | </row> | |
2726 | <row> | |
2727 | <entry>69</entry> | |
2728 | <entry><constant>EX_UNAVAILABLE</constant></entry> | |
2729 | <entry>Service unavailable</entry> | |
2730 | </row> | |
2731 | <row> | |
2732 | <entry>70</entry> | |
2733 | <entry><constant>EX_SOFTWARE</constant></entry> | |
2734 | <entry>internal software error</entry> | |
2735 | </row> | |
2736 | <row> | |
2737 | <entry>71</entry> | |
2738 | <entry><constant>EX_OSERR</constant></entry> | |
2739 | <entry>System error (e.g., can't fork)</entry> | |
2740 | </row> | |
2741 | <row> | |
2742 | <entry>72</entry> | |
2743 | <entry><constant>EX_OSFILE</constant></entry> | |
2744 | <entry>Critical OS file missing</entry> | |
2745 | </row> | |
2746 | <row> | |
2747 | <entry>73</entry> | |
2748 | <entry><constant>EX_CANTCREAT</constant></entry> | |
2749 | <entry>Can't create (user) output file</entry> | |
2750 | </row> | |
2751 | <row> | |
2752 | <entry>74</entry> | |
2753 | <entry><constant>EX_IOERR</constant></entry> | |
2754 | <entry>Input/output error</entry> | |
2755 | </row> | |
2756 | <row> | |
2757 | <entry>75</entry> | |
2758 | <entry><constant>EX_TEMPFAIL</constant></entry> | |
2759 | <entry>Temporary failure; user is invited to retry</entry> | |
2760 | </row> | |
2761 | <row> | |
2762 | <entry>76</entry> | |
2763 | <entry><constant>EX_PROTOCOL</constant></entry> | |
2764 | <entry>Remote error in protocol</entry> | |
2765 | </row> | |
2766 | <row> | |
2767 | <entry>77</entry> | |
2768 | <entry><constant>EX_NOPERM</constant></entry> | |
2769 | <entry>Permission denied</entry> | |
2770 | </row> | |
2771 | <row> | |
2772 | <entry>78</entry> | |
2773 | <entry><constant>EX_CONFIG</constant></entry> | |
2774 | <entry>Configuration error</entry> | |
2775 | </row> | |
2776 | </tbody> | |
2777 | </tgroup> | |
2778 | </table> | |
91a8f867 JS |
2779 | </refsect1> |
2780 | ||
798d3a52 ZJS |
2781 | <refsect1> |
2782 | <title>See Also</title> | |
2783 | <para> | |
2784 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
2785 | <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
869feb33 | 2786 | <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
798d3a52 ZJS |
2787 | <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
2788 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
2789 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
2790 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
2791 | <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
2792 | <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
2793 | <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
2794 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
a4c18002 | 2795 | <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>, |
798d3a52 ZJS |
2796 | <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>, |
2797 | <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
2798 | <citerefentry project='man-pages'><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
2799 | </para> | |
2800 | </refsect1> | |
dd1eb43b LP |
2801 | |
2802 | </refentry> |