]> git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd.exec.xml
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
execute: properly enforce group
[thirdparty/systemd.git] / man / systemd.exec.xml
CommitLineData
dd1eb43b
LP		 1<?xml version='1.0'?> <!--*-nxml-*-->
2<?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?>
3<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
4 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
5
6<!--
7 This file is part of systemd.
8
9 Copyright 2010 Lennart Poettering
10
11 systemd is free software; you can redistribute it and/or modify it
12 under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
15
16 systemd is distributed in the hope that it will be useful, but
17 WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19 General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with systemd; If not, see <http://www.gnu.org/licenses/>.
23-->
24
25<refentry id="systemd.exec">
26 <refentryinfo>
27 <title>systemd.exec</title>
28 <productname>systemd</productname>
29
30 <authorgroup>
31 <author>
32 <contrib>Developer</contrib>
33 <firstname>Lennart</firstname>
34 <surname>Poettering</surname>
35 <email>lennart@poettering.net</email>
36 </author>
37 </authorgroup>
38 </refentryinfo>
39
40 <refmeta>
41 <refentrytitle>systemd.exec</refentrytitle>
42 <manvolnum>5</manvolnum>
43 </refmeta>
44
45 <refnamediv>
46 <refname>systemd.exec</refname>
47 <refpurpose>systemd execution environment configuration</refpurpose>
48 </refnamediv>
49
50 <refsynopsisdiv>
51 <para><filename>systemd.service</filename>,
52 <filename>systemd.socket</filename>,
2292707d
LP		 53 <filename>systemd.mount</filename>,
54 <filename>systemd.swap</filename></para>
dd1eb43b
LP		 55 </refsynopsisdiv>
56
57 <refsect1>
58 <title>Description</title>
59
9a666408 60 <para>Unit configuration files for services, sockets,
2292707d
LP		 61 mount points and swap devices share a subset of
62 configuration options which define the execution
63 environment of spawned processes.</para>
dd1eb43b
LP		 64
65 <para>This man page lists the configuration options
9a666408 66 shared by these four unit types. See
dd1eb43b
LP		 67 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
68 for the common options of all unit configuration
69 files, and
2292707d
LP		 70 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
71 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
72 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>
dd1eb43b
LP		 73 and
74 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
75 for more information on the specific unit
76 configuration files. The execution specific
77 configuration options are configured in the [Service],
2292707d 78 [Socket], [Mount] resp. [Swap] section, depending on the unit
dd1eb43b
LP		 79 type.</para>
80 </refsect1>
81
82 <refsect1>
83 <title>Options</title>
84
85 <variablelist>
86
87 <varlistentry>
88 <term><varname>WorkingDirectory=</varname></term>
89
90 <listitem><para>Takes an absolute
91 directory path. Sets the working
92 directory for executed
93 processes.</para></listitem>
94 </varlistentry>
95
96 <varlistentry>
97 <term><varname>RootDirectory=</varname></term>
98
99 <listitem><para>Takes an absolute
100 directory path. Sets the root
101 directory for executed processes, with
102 the
103 <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>
104 system call. If this is used it must
105 be ensured that the process and all
106 its auxiliary files are available in
107 the <function>chroot()</function>
108 jail.</para></listitem>
109 </varlistentry>
110
111 <varlistentry>
112 <term><varname>User=</varname></term>
113 <term><varname>Group=</varname></term>
114
115 <listitem><para>Sets the Unix user
116 resp. group the processes are executed
117 as. Takes a single user resp. group
118 name or ID as argument. If no group is
119 set the default group of the user is
120 chosen.</para></listitem>
121 </varlistentry>
122
123 <varlistentry>
124 <term><varname>SupplementaryGroups=</varname></term>
125
126 <listitem><para>Sets the supplementary
127 Unix groups the processes are executed
96d4ce01 128 as. This takes a space separated list
dd1eb43b
LP		 129 of group names or IDs. This option may
130 be specified more than once in which
131 case all listed groups are set as
132 supplementary groups. This option does
f8553ccb 133 not override but extends the list of
dd1eb43b
LP		 134 supplementary groups configured in the
135 system group database for the
136 user.</para></listitem>
137 </varlistentry>
138
139 <varlistentry>
140 <term><varname>Nice=</varname></term>
141
142 <listitem><para>Sets the default nice
143 level (scheduling priority) for
144 executed processes. Takes an integer
145 between -20 (highest priority) and 19
146 (lowest priority). See
147 <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>
148 for details.</para></listitem>
149 </varlistentry>
150
151 <varlistentry>
dd6c17b1 152 <term><varname>OOMScoreAdjust=</varname></term>
dd1eb43b
LP		 153
154 <listitem><para>Sets the adjustment
155 level for the Out-Of-Memory killer for
156 executed processes. Takes an integer
dd6c17b1
LP		 157 between -1000 (to disable OOM killing
158 for this process) and 1000 (to make
dd1eb43b
LP		 159 killing of this process under memory
160 pressure very likely). See <ulink
161 url="http://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink>
162 for details.</para></listitem>
163 </varlistentry>
164
165 <varlistentry>
166 <term><varname>IOSchedulingClass=</varname></term>
167
168 <listitem><para>Sets the IO scheduling
169 class for executed processes. Takes an
170 integer between 0 and 3 or one of the
171 strings <option>none</option>,
172 <option>realtime</option>,
173 <option>best-effort</option> or
174 <option>idle</option>. See
175 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
176 for details.</para></listitem>
177 </varlistentry>
178
179 <varlistentry>
180 <term><varname>IOSchedulingPriority=</varname></term>
181
182 <listitem><para>Sets the IO scheduling
183 priority for executed processes. Takes
184 an integer between 0 (highest
185 priority) and 7 (lowest priority). The
186 available priorities depend on the
187 selected IO scheduling class (see
188 above). See
189 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
190 for details.</para></listitem>
191 </varlistentry>
192
193 <varlistentry>
194 <term><varname>CPUSchedulingPolicy=</varname></term>
195
196 <listitem><para>Sets the CPU
197 scheduling policy for executed
198 processes. Takes one of
199 <option>other</option>,
200 <option>batch</option>,
201 <option>idle</option>,
202 <option>fifo</option> or
203 <option>rr</option>. See
204 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
205 for details.</para></listitem>
206 </varlistentry>
207
208 <varlistentry>
209 <term><varname>CPUSchedulingPriority=</varname></term>
210
211 <listitem><para>Sets the CPU
212 scheduling priority for executed
213 processes. Takes an integer between 1
214 (lowest priority) and 99 (highest
215 priority). The available priority
216 range depends on the selected CPU
217 scheduling policy (see above). See
218 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
219 for details.</para></listitem>
220 </varlistentry>
221
222 <varlistentry>
223 <term><varname>CPUSchedulingResetOnFork=</varname></term>
224
225 <listitem><para>Takes a boolean
226 argument. If true elevated CPU
227 scheduling priorities and policies
228 will be reset when the executed
229 processes fork, and can hence not leak
230 into child processes. See
231 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
232 for details. Defaults to false.</para></listitem>
233 </varlistentry>
234
235 <varlistentry>
236 <term><varname>CPUAffinity=</varname></term>
237
238 <listitem><para>Controls the CPU
239 affinity of the executed
96d4ce01 240 processes. Takes a space-separated
dd1eb43b
LP		 241 list of CPU indexes. See
242 <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry>
243 for details.</para></listitem>
244 </varlistentry>
245
246 <varlistentry>
247 <term><varname>UMask=</varname></term>
248
249 <listitem><para>Controls the file mode
250 creation mask. Takes an access mode in
251 octal notation. See
252 <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry>
253 for details. Defaults to
254 0002.</para></listitem>
255 </varlistentry>
256
257 <varlistentry>
258 <term><varname>Environment=</varname></term>
259
260 <listitem><para>Sets environment
261 variables for executed
96d4ce01 262 processes. Takes a space-separated
dd1eb43b
LP		 263 list of variable assignments. This
264 option may be specified more than once
265 in which case all listed variables
266 will be set. If the same variable is
267 set twice the later setting will
268 override the earlier setting. See
269 <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
270 for details.</para></listitem>
271 </varlistentry>
272 <varlistentry>
273 <term><varname>EnvironmentFile=</varname></term>
274 <listitem><para>Similar to
275 <varname>Environment=</varname> but
276 reads the environment variables from a
277 text file. The text file should
96d4ce01 278 contain new-line separated variable
dd1eb43b
LP		 279 assignments. Empty lines and lines
280 starting with ; or # will be ignored,
afe4bfe2
LP		 281 which may be used for commenting. The
282 argument passed should be an absolute
283 file name, optionally prefixed with
284 "-", which indicates that if the file
285 does not exist it won't be read and no
286 error or warning message is
f1779fd2
LP		 287 logged. The files listed with this
288 directive will be read shortly before
289 the process is executed. Settings from
290 these files override settings made
291 with
292 <varname>Environment=</varname>. If
293 the same variable is set twice from
294 these files the files will be read in
295 the order they are specified and the
296 later setting will override the
297 earlier setting. </para></listitem>
dd1eb43b
LP		 298 </varlistentry>
299
300 <varlistentry>
301 <term><varname>StandardInput=</varname></term>
302 <listitem><para>Controls where file
303 descriptor 0 (STDIN) of the executed
304 processes is connected to. Takes one
305 of <option>null</option>,
306 <option>tty</option>,
307 <option>tty-force</option>,
308 <option>tty-fail</option> or
309 <option>socket</option>. If
310 <option>null</option> is selected
311 standard input will be connected to
312 <filename>/dev/null</filename>,
313 i.e. all read attempts by the process
314 will result in immediate EOF. If
315 <option>tty</option> is selected
316 standard input is connected to a TTY
317 (as configured by
318 <varname>TTYPath=</varname>, see
319 below) and the executed process
320 becomes the controlling process of the
321 terminal. If the terminal is already
f8553ccb
AE		 322 being controlled by another process the
323 executed process waits until the current
324 controlling process releases the
325 terminal.
326 <option>tty-force</option>
dd1eb43b
LP		 327 is similar to <option>tty</option>,
328 but the executed process is forcefully
329 and immediately made the controlling
330 process of the terminal, potentially
331 removing previous controlling
332 processes from the
333 terminal. <option>tty-fail</option> is
334 similar to <option>tty</option> but if
335 the terminal already has a controlling
336 process start-up of the executed
337 process fails. The
338 <option>socket</option> option is only
339 valid in socket-activated services,
340 and only when the socket configuration
341 file (see
342 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
343 for details) specifies a single socket
344 only. If this option is set standard
345 input will be connected to the socket
346 the service was activated from, which
347 is primarily useful for compatibility
348 with daemons designed for use with the
349 traditional
350 <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
351 daemon. This setting defaults to
352 <option>null</option>.</para></listitem>
353 </varlistentry>
354 <varlistentry>
355 <term><varname>StandardOutput=</varname></term>
356 <listitem><para>Controls where file
357 descriptor 1 (STDOUT) of the executed
358 processes is connected to. Takes one
359 of <option>inherit</option>,
360 <option>null</option>,
361 <option>tty</option>,
362 <option>syslog</option>,
28dbc1e8
LP		 363 <option>kmsg</option>,
364 <option>kmsg+console</option>,
365 <option>syslog+console</option> or
dd1eb43b
LP		 366 <option>socket</option>. If set to
367 <option>inherit</option> the file
368 descriptor of standard input is
369 duplicated for standard output. If set
370 to <option>null</option> standard
371 output will be connected to
372 <filename>/dev/null</filename>,
373 i.e. everything written to it will be
374 lost. If set to <option>tty</option>
375 standard output will be connected to a
376 tty (as configured via
377 <varname>TTYPath=</varname>, see
378 below). If the TTY is used for output
379 only the executed process will not
380 become the controlling process of the
381 terminal, and will not fail or wait
382 for other processes to release the
383 terminal. <option>syslog</option>
384 connects standard output to the
385 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
386 system logger. <option>kmsg</option>
387 connects it with the kernel log buffer
388 which is accessible via
28dbc1e8
LP		 389 <citerefentry><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <option>syslog+console</option>
390 and <option>kmsg+console</option> work
391 similarly but copy the output to the
392 system console as
393 well. <option>socket</option> connects
394 standard output to a socket from
395 socket activation, semantics are
dd1eb43b
LP		 396 similar to the respective option of
397 <varname>StandardInput=</varname>.
398 This setting defaults to
399 <option>inherit</option>.</para></listitem>
400 </varlistentry>
401 <varlistentry>
ad678a06 402 <term><varname>StandardError=</varname></term>
dd1eb43b
LP		 403 <listitem><para>Controls where file
404 descriptor 2 (STDERR) of the executed
405 processes is connected to. The
406 available options are identical to
407 those of
ad678a06 408 <varname>StandardOutput=</varname>,
5471472d 409 with one exception: if set to
dd1eb43b
LP		 410 <option>inherit</option> the file
411 descriptor used for standard output is
412 duplicated for standard error. This
413 setting defaults to
414 <option>inherit</option>.</para></listitem>
415 </varlistentry>
416 <varlistentry>
417 <term><varname>TTYPath=</varname></term>
418 <listitem><para>Sets the terminal
419 device node to use if standard input,
420 output or stderr are connected to a
421 TTY (see above). Defaults to
422 <filename>/dev/console</filename>.</para></listitem>
423 </varlistentry>
6ea832a2
LP		 424 <varlistentry>
425 <term><varname>TTYReset=</varname></term>
426 <listitem><para>Reset the terminal
427 device specified with
428 <varname>TTYPath=</varname> before and
429 after execution. Defaults to
430 <literal>no</literal>.</para></listitem>
431 </varlistentry>
432 <varlistentry>
433 <term><varname>TTYVHangup=</varname></term>
434 <listitem><para>Disconnect all clients
435 which have opened the terminal device
436 specified with
437 <varname>TTYPath=</varname>
438 before and after execution. Defaults
439 to
440 <literal>no</literal>.</para></listitem>
441 </varlistentry>
442 <varlistentry>
443 <term><varname>TTYVTDisallocate=</varname></term>
444 <listitem><para>If the the terminal
445 device specified with
446 <varname>TTYPath=</varname> is a
447 virtual console terminal try to
448 deallocate the TTY before and after
449 execution. This ensures that the
450 screen and scrollback buffer is
451 cleared. Defaults to
452 <literal>no</literal>.</para></listitem>
453 </varlistentry>
dd1eb43b 454 <varlistentry>
48c4fad9 455 <term><varname>SyslogIdentifier=</varname></term>
dd1eb43b
LP		 456 <listitem><para>Sets the process name
457 to prefix log lines sent to syslog or
458 the kernel log buffer with. If not set
459 defaults to the process name of the
460 executed process. This option is only
461 useful when
462 <varname>StandardOutput=</varname> or
463 <varname>StandardError=</varname> are
464 set to <option>syslog</option> or
465 <option>kmsg</option>.</para></listitem>
466 </varlistentry>
467 <varlistentry>
468 <term><varname>SyslogFacility=</varname></term>
469 <listitem><para>Sets the syslog
470 facility to use when logging to
471 syslog. One of <option>kern</option>,
472 <option>user</option>,
473 <option>mail</option>,
474 <option>daemon</option>,
475 <option>auth</option>,
476 <option>syslog</option>,
477 <option>lpr</option>,
478 <option>news</option>,
479 <option>uucp</option>,
480 <option>cron</option>,
481 <option>authpriv</option>,
482 <option>ftp</option>,
483 <option>local0</option>,
484 <option>local1</option>,
485 <option>local2</option>,
486 <option>local3</option>,
487 <option>local4</option>,
488 <option>local5</option>,
489 <option>local6</option> or
490 <option>local7</option>. See
491 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
492 for details. This option is only
493 useful when
494 <varname>StandardOutput=</varname> or
495 <varname>StandardError=</varname> are
496 set to <option>syslog</option>.
497 Defaults to
498 <option>daemon</option>.</para></listitem>
499 </varlistentry>
500 <varlistentry>
501 <term><varname>SyslogLevel=</varname></term>
502 <listitem><para>Default syslog level
503 to use when logging to syslog or the
504 kernel log buffer. One of
505 <option>emerg</option>,
506 <option>alert</option>,
507 <option>crit</option>,
508 <option>err</option>,
509 <option>warning</option>,
510 <option>notice</option>,
511 <option>info</option>,
512 <option>debug</option>. See
513 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
514 for details. This option is only
515 useful when
516 <varname>StandardOutput=</varname> or
517 <varname>StandardError=</varname> are
518 set to <option>syslog</option> or
519 <option>kmsg</option>. Note that
520 individual lines output by the daemon
521 might be prefixed with a different log
522 level which can be used to override
523 the default log level specified
524 here. The interpretation of these
525 prefixes may be disabled with
74922904 526 <varname>SyslogLevelPrefix=</varname>,
dd1eb43b
LP		 527 see below. For details see
528 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
529
530 Defaults to
531 <option>info</option>.</para></listitem>
532 </varlistentry>
533
534 <varlistentry>
74922904 535 <term><varname>SyslogLevelPrefix=</varname></term>
dd1eb43b 536 <listitem><para>Takes a boolean
74922904 537 argument. If true and
dd1eb43b
LP		 538 <varname>StandardOutput=</varname> or
539 <varname>StandardError=</varname> are
540 set to <option>syslog</option> or
541 <option>kmsg</option> log lines
542 written by the executed process that
543 are prefixed with a log level will be
544 passed on to syslog with this log
545 level set but the prefix removed. If
74922904 546 set to false, the interpretation of
dd1eb43b
LP		 547 these prefixes is disabled and the
548 logged lines are passed on as-is. For
549 details about this prefixing see
550 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
74922904 551 Defaults to true.</para></listitem>
dd1eb43b
LP		 552 </varlistentry>
553
554 <varlistentry>
03fae018 555 <term><varname>TimerSlackNSec=</varname></term>
dd1eb43b
LP		 556 <listitem><para>Sets the timer slack
557 in nanoseconds for the executed
f8553ccb 558 processes. The timer slack controls the
03fae018
LP		 559 accuracy of wake-ups triggered by
560 timers. See
dd1eb43b 561 <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
03fae018
LP		 562 for more information. Note that in
563 contrast to most other time span
f8553ccb
AE		 564 definitions this parameter takes an
565 integer value in nano-seconds and does
566 not understand any other
03fae018 567 units.</para></listitem>
dd1eb43b
LP		 568 </varlistentry>
569
570 <varlistentry>
571 <term><varname>LimitCPU=</varname></term>
572 <term><varname>LimitFSIZE=</varname></term>
573 <term><varname>LimitDATA=</varname></term>
574 <term><varname>LimitSTACK=</varname></term>
575 <term><varname>LimitCORE=</varname></term>
576 <term><varname>LimitRSS=</varname></term>
577 <term><varname>LimitNOFILE=</varname></term>
578 <term><varname>LimitAS=</varname></term>
579 <term><varname>LimitNPROC=</varname></term>
580 <term><varname>LimitMEMLOCK=</varname></term>
581 <term><varname>LimitLOCKS=</varname></term>
582 <term><varname>LimitSIGPENDING=</varname></term>
583 <term><varname>LimitMSGQUEUE=</varname></term>
584 <term><varname>LimitNICE=</varname></term>
585 <term><varname>LimitRTPRIO=</varname></term>
586 <term><varname>LimitRTTIME=</varname></term>
587 <listitem><para>These settings control
588 various resource limits for executed
589 processes. See
590 <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
3d57c6ab
LP		 591 for details. Use the string
592 <varname>infinity</varname> to
593 configure no limit on a specific
594 resource.</para></listitem>
dd1eb43b
LP		 595 </varlistentry>
596
597 <varlistentry>
598 <term><varname>PAMName=</varname></term>
599 <listitem><para>Sets the PAM service
600 name to set up a session as. If set
601 the executed process will be
602 registered as a PAM session under the
603 specified service name. This is only
604 useful in conjunction with the
605 <varname>User=</varname> setting. If
606 not set no PAM session will be opened
607 for the executed processes. See
608 <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
609 for details.</para></listitem>
610 </varlistentry>
611
612 <varlistentry>
613 <term><varname>TCPWrapName=</varname></term>
614 <listitem><para>If this is a
615 socket-activated service this sets the
616 tcpwrap service name to check the
617 permission for the current connection
618 with. This is only useful in
619 conjunction with socket-activated
620 services, and stream sockets (TCP) in
621 particular. It has no effect on other
622 socket types (e.g. datagram/UDP) and on processes
623 unrelated to socket-based
624 activation. If the tcpwrap
625 verification fails daemon start-up
626 will fail and the connection is
627 terminated. See
628 <citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
629 for details.</para></listitem>
630 </varlistentry>
631
64747e2d
LP		 632 <varlistentry>
633 <term><varname>ControlGroupModify=</varname></term>
634 <listitem><para>Takes a boolean
635 argument. If true, the control groups
636 created for this unit will be owned by
637 ther user specified with
638 <varname>User=</varname> (and the
639 configured group), and he can create
640 subgroups as well as add processes to
641 the group.</para></listitem>
642 </varlistentry>
643
dd1eb43b 644 <varlistentry>
260abb78
LP		 645 <term><varname>CapabilityBoundingSet=</varname></term>
646
647 <listitem><para>Controls which
648 capabilities to include in the
649 capability bounding set for the
650 executed process. See
dd1eb43b 651 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
260abb78 652 for details. Takes a whitespace
9f7dad77 653 separated list of capability names as
260abb78
LP		 654 read by
655 <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
656 Capabilities listed will be included
657 in the bounding set, all others are
658 removed. If the list of capabilities
659 is prefixed with ~ all but the listed
660 capabilities will be included, the
5f4b19f4 661 effect of the assignment
260abb78
LP		 662 inverted. Note that this option does
663 not actually set or unset any
664 capabilities in the effective,
665 permitted or inherited capability
666 sets. That's what
667 <varname>Capabilities=</varname> is
668 for. If this option is not used the
669 capability bounding set is not
670 modified on process execution, hence
671 no limits on the capabilities of the
672 process are enforced.</para></listitem>
dd1eb43b
LP		 673 </varlistentry>
674
675 <varlistentry>
676 <term><varname>SecureBits=</varname></term>
677 <listitem><para>Controls the secure
678 bits set for the executed process. See
679 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
680 for details. Takes a list of strings:
681 <option>keep-caps</option>,
682 <option>keep-caps-locked</option>,
683 <option>no-setuid-fixup</option>,
684 <option>no-setuid-fixup-locked</option>,
685 <option>no-setuid-noroot</option> and/or
686 <option>no-setuid-noroot-locked</option>.
687 </para></listitem>
688 </varlistentry>
689
690 <varlistentry>
260abb78 691 <term><varname>Capabilities=</varname></term>
dd1eb43b 692 <listitem><para>Controls the
dd1eb43b 693 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
260abb78
LP		 694 set for the executed process. Take a
695 capability string describing the
696 effective, permitted and inherited
697 capability sets as documented in
698 <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
699 Note that these capability sets are
700 usually influenced by the capabilities
701 attached to the executed file. Due to
702 that
703 <varname>CapabilityBoundingSet=</varname>
704 is probably the much more useful
705 setting.</para></listitem>
dd1eb43b
LP		 706 </varlistentry>
707
708 <varlistentry>
709 <term><varname>ControlGroup=</varname></term>
710
711 <listitem><para>Controls the control
712 groups the executed processes shall be
ad678a06 713 made members of. Takes a
96d4ce01 714 space-separated list of cgroup
dd1eb43b
LP		 715 identifiers. A cgroup identifier has a
716 format like
717 <filename>cpu:/foo/bar</filename>,
718 where "cpu" identifies the kernel
719 control group controller used, and
720 <filename>/foo/bar</filename> is the
721 control group path. The controller name
722 and ":" may be omitted in which case
723 the named systemd control group
724 hierarchy is implied. Alternatively,
725 the path and ":" may be omitted, in
726 which case the default control group
727 path for this unit is implied. This
728 option may be used to place executed
729 processes in arbitrary groups in
9f7dad77 730 arbitrary hierarchies -- which can be
dd1eb43b
LP		 731 configured externally with additional execution limits. By default
732 systemd will place all executed
96d4ce01 733 processes in separate per-unit control
dd1eb43b
LP		 734 groups (named after the unit) in the
735 systemd named hierarchy. Since every
736 process can be in one group per
737 hierarchy only overriding the control group
738 path in the named systemd hierarchy
739 will disable automatic placement in
740 the default group. For details about control
741 groups see <ulink
742 url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>.</para></listitem>
743 </varlistentry>
744
745 <varlistentry>
746 <term><varname>ReadWriteDirectories=</varname></term>
747 <term><varname>ReadOnlyDirectories=</varname></term>
748 <term><varname>InaccessibleDirectories=</varname></term>
749
750 <listitem><para>Sets up a new
751 file-system name space for executed
752 processes. These options may be used
753 to limit access a process might have
754 to the main file-system
755 hierarchy. Each setting takes a
96d4ce01 756 space-separated list of absolute
dd1eb43b
LP		 757 directory paths. Directories listed in
758 <varname>ReadWriteDirectories=</varname>
759 are accessible from within the
760 namespace with the same access rights
761 as from outside. Directories listed in
762 <varname>ReadOnlyDirectories=</varname>
763 are accessible for reading only,
764 writing will be refused even if the
765 usual file access controls would
766 permit this. Directories listed in
767 <varname>InaccessibleDirectories=</varname>
9f7dad77 768 will be made inaccessible for processes
dd1eb43b
LP		 769 inside the namespace. Note that
770 restricting access with these options
771 does not extend to submounts of a
772 directory. You must list submounts
5471472d 773 separately in these settings to
dd1eb43b
LP		 774 ensure the same limited access. These
775 options may be specified more than
776 once in which case all directories
777 listed will have limited access from
778 within the
779 namespace.</para></listitem>
780 </varlistentry>
781
782 <varlistentry>
783 <term><varname>PrivateTmp=</varname></term>
784
785 <listitem><para>Takes a boolean
786 argument. If true sets up a new
787 namespace for the executed processes
788 and mounts a private
789 <filename>/tmp</filename> directory
790 inside it, that is not shared by
791 processes outside of the
792 namespace. This is useful to secure
793 access to temporary files of the
794 process, but makes sharing between
795 processes via
796 <filename>/tmp</filename>
797 impossible. Defaults to false.</para></listitem>
798 </varlistentry>
799
800 <varlistentry>
801 <term><varname>MountFlags=</varname></term>
802
803 <listitem><para>Takes a mount
804 propagation flag:
805 <option>shared</option>,
806 <option>slave</option> or
807 <option>private</option>, which
808 control whether namespaces set up with
809 <varname>ReadWriteDirectories=</varname>,
810 <varname>ReadOnlyDirectories=</varname>
811 and
812 <varname>InaccessibleDirectories=</varname>
813 receive or propagate new mounts
814 from/to the main namespace. See
815 <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>1</manvolnum></citerefentry>
816 for details. Defaults to
817 <option>shared</option>, i.e. the new
818 namespace will both receive new mount
819 points from the main namespace as well
820 as propagate new mounts to
821 it.</para></listitem>
822 </varlistentry>
823
169c1bda
LP		 824 <varlistentry>
825 <term><varname>UtmpIdentifier=</varname></term>
826
827 <listitem><para>Takes a a four
828 character identifier string for an
829 utmp/wtmp entry for this service. This
830 should only be set for services such
831 as <command>getty</command>
832 implementations where utmp/wtmp
833 entries must be created and cleared
834 before and after execution. If the
835 configured string is longer than four
836 characters it is truncated and the
837 terminal four characters are
838 used. This setting interprets %I style
839 string replacements. This setting is
840 unset by default, i.e. no utmp/wtmp
841 entries are created or cleaned up for
842 this service.</para></listitem>
843 </varlistentry>
844
dd1eb43b
LP		 845 </variablelist>
846 </refsect1>
847
848 <refsect1>
849 <title>See Also</title>
850 <para>
f3e219a2 851 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
dd1eb43b
LP		 852 <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
853 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
854 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
855 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
2292707d 856 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
dd1eb43b
LP		 857 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
858 </para>
859 </refsect1>
860
861</refentry>
Unnamed repository; edit this file 'description' to name the repository.