]> git.ipfire.org Git - thirdparty/systemd.git/blob - man/systemd.exec.xml
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
man: Fix various typos
[thirdparty/systemd.git] / man / systemd.exec.xml
1 <?xml version='1.0'?> <!--*-nxml-*-->
2 <?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?>
3 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
4 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
5
6 <!--
7 This file is part of systemd.
8
9 Copyright 2010 Lennart Poettering
10
11 systemd is free software; you can redistribute it and/or modify it
12 under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
15
16 systemd is distributed in the hope that it will be useful, but
17 WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19 General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with systemd; If not, see <http://www.gnu.org/licenses/>.
23 -->
24
25 <refentry id="systemd.exec">
26 <refentryinfo>
27 <title>systemd.exec</title>
28 <productname>systemd</productname>
29
30 <authorgroup>
31 <author>
32 <contrib>Developer</contrib>
33 <firstname>Lennart</firstname>
34 <surname>Poettering</surname>
35 <email>lennart@poettering.net</email>
36 </author>
37 </authorgroup>
38 </refentryinfo>
39
40 <refmeta>
41 <refentrytitle>systemd.exec</refentrytitle>
42 <manvolnum>5</manvolnum>
43 </refmeta>
44
45 <refnamediv>
46 <refname>systemd.exec</refname>
47 <refpurpose>systemd execution environment configuration</refpurpose>
48 </refnamediv>
49
50 <refsynopsisdiv>
51 <para><filename>systemd.service</filename>,
52 <filename>systemd.socket</filename>,
53 <filename>systemd.mount</filename></para>
54 </refsynopsisdiv>
55
56 <refsect1>
57 <title>Description</title>
58
59 <para>Unit configuration files for services, sockets
60 and mount points share a subset of configuration
61 options which define the execution environment of
62 spawned processes.</para>
63
64 <para>This man page lists the configuration options
65 shared by these three unit types. See
66 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
67 for the common options of all unit configuration
68 files, and
69 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
70 and
71 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
72 for more information on the specific unit
73 configuration files. The execution specific
74 configuration options are configured in the [Service],
75 [Socket] resp. [Mount] section, depending on the unit
76 type.</para>
77 </refsect1>
78
79 <refsect1>
80 <title>Options</title>
81
82 <variablelist>
83
84 <varlistentry>
85 <term><varname>WorkingDirectory=</varname></term>
86
87 <listitem><para>Takes an absolute
88 directory path. Sets the working
89 directory for executed
90 processes.</para></listitem>
91 </varlistentry>
92
93 <varlistentry>
94 <term><varname>RootDirectory=</varname></term>
95
96 <listitem><para>Takes an absolute
97 directory path. Sets the root
98 directory for executed processes, with
99 the
100 <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>
101 system call. If this is used it must
102 be ensured that the process and all
103 its auxiliary files are available in
104 the <function>chroot()</function>
105 jail.</para></listitem>
106 </varlistentry>
107
108 <varlistentry>
109 <term><varname>User=</varname></term>
110 <term><varname>Group=</varname></term>
111
112 <listitem><para>Sets the Unix user
113 resp. group the processes are executed
114 as. Takes a single user resp. group
115 name or ID as argument. If no group is
116 set the default group of the user is
117 chosen.</para></listitem>
118 </varlistentry>
119
120 <varlistentry>
121 <term><varname>SupplementaryGroups=</varname></term>
122
123 <listitem><para>Sets the supplementary
124 Unix groups the processes are executed
125 as. This takes a space separated list
126 of group names or IDs. This option may
127 be specified more than once in which
128 case all listed groups are set as
129 supplementary groups. This option does
130 not override but extends the list of
131 supplementary groups configured in the
132 system group database for the
133 user.</para></listitem>
134 </varlistentry>
135
136 <varlistentry>
137 <term><varname>Nice=</varname></term>
138
139 <listitem><para>Sets the default nice
140 level (scheduling priority) for
141 executed processes. Takes an integer
142 between -20 (highest priority) and 19
143 (lowest priority). See
144 <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>
145 for details.</para></listitem>
146 </varlistentry>
147
148 <varlistentry>
149 <term><varname>OOMScoreAdjust=</varname></term>
150
151 <listitem><para>Sets the adjustment
152 level for the Out-Of-Memory killer for
153 executed processes. Takes an integer
154 between -1000 (to disable OOM killing
155 for this process) and 1000 (to make
156 killing of this process under memory
157 pressure very likely). See <ulink
158 url="http://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink>
159 for details.</para></listitem>
160 </varlistentry>
161
162 <varlistentry>
163 <term><varname>IOSchedulingClass=</varname></term>
164
165 <listitem><para>Sets the IO scheduling
166 class for executed processes. Takes an
167 integer between 0 and 3 or one of the
168 strings <option>none</option>,
169 <option>realtime</option>,
170 <option>best-effort</option> or
171 <option>idle</option>. See
172 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
173 for details.</para></listitem>
174 </varlistentry>
175
176 <varlistentry>
177 <term><varname>IOSchedulingPriority=</varname></term>
178
179 <listitem><para>Sets the IO scheduling
180 priority for executed processes. Takes
181 an integer between 0 (highest
182 priority) and 7 (lowest priority). The
183 available priorities depend on the
184 selected IO scheduling class (see
185 above). See
186 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
187 for details.</para></listitem>
188 </varlistentry>
189
190 <varlistentry>
191 <term><varname>CPUSchedulingPolicy=</varname></term>
192
193 <listitem><para>Sets the CPU
194 scheduling policy for executed
195 processes. Takes one of
196 <option>other</option>,
197 <option>batch</option>,
198 <option>idle</option>,
199 <option>fifo</option> or
200 <option>rr</option>. See
201 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
202 for details.</para></listitem>
203 </varlistentry>
204
205 <varlistentry>
206 <term><varname>CPUSchedulingPriority=</varname></term>
207
208 <listitem><para>Sets the CPU
209 scheduling priority for executed
210 processes. Takes an integer between 1
211 (lowest priority) and 99 (highest
212 priority). The available priority
213 range depends on the selected CPU
214 scheduling policy (see above). See
215 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
216 for details.</para></listitem>
217 </varlistentry>
218
219 <varlistentry>
220 <term><varname>CPUSchedulingResetOnFork=</varname></term>
221
222 <listitem><para>Takes a boolean
223 argument. If true elevated CPU
224 scheduling priorities and policies
225 will be reset when the executed
226 processes fork, and can hence not leak
227 into child processes. See
228 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
229 for details. Defaults to false.</para></listitem>
230 </varlistentry>
231
232 <varlistentry>
233 <term><varname>CPUAffinity=</varname></term>
234
235 <listitem><para>Controls the CPU
236 affinity of the executed
237 processes. Takes a space-separated
238 list of CPU indexes. See
239 <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry>
240 for details.</para></listitem>
241 </varlistentry>
242
243 <varlistentry>
244 <term><varname>UMask=</varname></term>
245
246 <listitem><para>Controls the file mode
247 creation mask. Takes an access mode in
248 octal notation. See
249 <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry>
250 for details. Defaults to
251 0002.</para></listitem>
252 </varlistentry>
253
254 <varlistentry>
255 <term><varname>Environment=</varname></term>
256
257 <listitem><para>Sets environment
258 variables for executed
259 processes. Takes a space-separated
260 list of variable assignments. This
261 option may be specified more than once
262 in which case all listed variables
263 will be set. If the same variable is
264 set twice the later setting will
265 override the earlier setting. See
266 <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
267 for details.</para></listitem>
268 </varlistentry>
269 <varlistentry>
270 <term><varname>EnvironmentFile=</varname></term>
271 <listitem><para>Similar to
272 <varname>Environment=</varname> but
273 reads the environment variables from a
274 text file. The text file should
275 contain new-line separated variable
276 assignments. Empty lines and lines
277 starting with ; or # will be ignored,
278 which may be used for
279 commenting.</para></listitem>
280 </varlistentry>
281
282 <varlistentry>
283 <term><varname>StandardInput=</varname></term>
284 <listitem><para>Controls where file
285 descriptor 0 (STDIN) of the executed
286 processes is connected to. Takes one
287 of <option>null</option>,
288 <option>tty</option>,
289 <option>tty-force</option>,
290 <option>tty-fail</option> or
291 <option>socket</option>. If
292 <option>null</option> is selected
293 standard input will be connected to
294 <filename>/dev/null</filename>,
295 i.e. all read attempts by the process
296 will result in immediate EOF. If
297 <option>tty</option> is selected
298 standard input is connected to a TTY
299 (as configured by
300 <varname>TTYPath=</varname>, see
301 below) and the executed process
302 becomes the controlling process of the
303 terminal. If the terminal is already
304 being controlled by another process the
305 executed process waits until the current
306 controlling process releases the
307 terminal.
308 <option>tty-force</option>
309 is similar to <option>tty</option>,
310 but the executed process is forcefully
311 and immediately made the controlling
312 process of the terminal, potentially
313 removing previous controlling
314 processes from the
315 terminal. <option>tty-fail</option> is
316 similar to <option>tty</option> but if
317 the terminal already has a controlling
318 process start-up of the executed
319 process fails. The
320 <option>socket</option> option is only
321 valid in socket-activated services,
322 and only when the socket configuration
323 file (see
324 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
325 for details) specifies a single socket
326 only. If this option is set standard
327 input will be connected to the socket
328 the service was activated from, which
329 is primarily useful for compatibility
330 with daemons designed for use with the
331 traditional
332 <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
333 daemon. This setting defaults to
334 <option>null</option>.</para></listitem>
335 </varlistentry>
336 <varlistentry>
337 <term><varname>StandardOutput=</varname></term>
338 <listitem><para>Controls where file
339 descriptor 1 (STDOUT) of the executed
340 processes is connected to. Takes one
341 of <option>inherit</option>,
342 <option>null</option>,
343 <option>tty</option>,
344 <option>syslog</option>,
345 <option>kmsg</option> or
346 <option>socket</option>. If set to
347 <option>inherit</option> the file
348 descriptor of standard input is
349 duplicated for standard output. If set
350 to <option>null</option> standard
351 output will be connected to
352 <filename>/dev/null</filename>,
353 i.e. everything written to it will be
354 lost. If set to <option>tty</option>
355 standard output will be connected to a
356 tty (as configured via
357 <varname>TTYPath=</varname>, see
358 below). If the TTY is used for output
359 only the executed process will not
360 become the controlling process of the
361 terminal, and will not fail or wait
362 for other processes to release the
363 terminal. <option>syslog</option>
364 connects standard output to the
365 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
366 system logger. <option>kmsg</option>
367 connects it with the kernel log buffer
368 which is accessible via
369 <citerefentry><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <option>socket</option>
370 connects standard output to a socket
371 from socket activation, semantics are
372 similar to the respective option of
373 <varname>StandardInput=</varname>.
374 This setting defaults to
375 <option>inherit</option>.</para></listitem>
376 </varlistentry>
377 <varlistentry>
378 <term><varname>StandardError=</varname></term>
379 <listitem><para>Controls where file
380 descriptor 2 (STDERR) of the executed
381 processes is connected to. The
382 available options are identical to
383 those of
384 <varname>StandardOutput=</varname>,
385 whith one exception: if set to
386 <option>inherit</option> the file
387 descriptor used for standard output is
388 duplicated for standard error. This
389 setting defaults to
390 <option>inherit</option>.</para></listitem>
391 </varlistentry>
392 <varlistentry>
393 <term><varname>TTYPath=</varname></term>
394 <listitem><para>Sets the terminal
395 device node to use if standard input,
396 output or stderr are connected to a
397 TTY (see above). Defaults to
398 <filename>/dev/console</filename>.</para></listitem>
399 </varlistentry>
400 <varlistentry>
401 <term><varname>SyslogIdentifer=</varname></term>
402 <listitem><para>Sets the process name
403 to prefix log lines sent to syslog or
404 the kernel log buffer with. If not set
405 defaults to the process name of the
406 executed process. This option is only
407 useful when
408 <varname>StandardOutput=</varname> or
409 <varname>StandardError=</varname> are
410 set to <option>syslog</option> or
411 <option>kmsg</option>.</para></listitem>
412 </varlistentry>
413 <varlistentry>
414 <term><varname>SyslogFacility=</varname></term>
415 <listitem><para>Sets the syslog
416 facility to use when logging to
417 syslog. One of <option>kern</option>,
418 <option>user</option>,
419 <option>mail</option>,
420 <option>daemon</option>,
421 <option>auth</option>,
422 <option>syslog</option>,
423 <option>lpr</option>,
424 <option>news</option>,
425 <option>uucp</option>,
426 <option>cron</option>,
427 <option>authpriv</option>,
428 <option>ftp</option>,
429 <option>local0</option>,
430 <option>local1</option>,
431 <option>local2</option>,
432 <option>local3</option>,
433 <option>local4</option>,
434 <option>local5</option>,
435 <option>local6</option> or
436 <option>local7</option>. See
437 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
438 for details. This option is only
439 useful when
440 <varname>StandardOutput=</varname> or
441 <varname>StandardError=</varname> are
442 set to <option>syslog</option>.
443 Defaults to
444 <option>daemon</option>.</para></listitem>
445 </varlistentry>
446 <varlistentry>
447 <term><varname>SyslogLevel=</varname></term>
448 <listitem><para>Default syslog level
449 to use when logging to syslog or the
450 kernel log buffer. One of
451 <option>emerg</option>,
452 <option>alert</option>,
453 <option>crit</option>,
454 <option>err</option>,
455 <option>warning</option>,
456 <option>notice</option>,
457 <option>info</option>,
458 <option>debug</option>. See
459 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
460 for details. This option is only
461 useful when
462 <varname>StandardOutput=</varname> or
463 <varname>StandardError=</varname> are
464 set to <option>syslog</option> or
465 <option>kmsg</option>. Note that
466 individual lines output by the daemon
467 might be prefixed with a different log
468 level which can be used to override
469 the default log level specified
470 here. The interpretation of these
471 prefixes may be disabled with
472 <varname>SyslogLevelPrefix=</varname>,
473 see below. For details see
474 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
475
476 Defaults to
477 <option>info</option>.</para></listitem>
478 </varlistentry>
479
480 <varlistentry>
481 <term><varname>SyslogLevelPrefix=</varname></term>
482 <listitem><para>Takes a boolean
483 argument. If true and
484 <varname>StandardOutput=</varname> or
485 <varname>StandardError=</varname> are
486 set to <option>syslog</option> or
487 <option>kmsg</option> log lines
488 written by the executed process that
489 are prefixed with a log level will be
490 passed on to syslog with this log
491 level set but the prefix removed. If
492 set to false, the interpretation of
493 these prefixes is disabled and the
494 logged lines are passed on as-is. For
495 details about this prefixing see
496 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
497 Defaults to true.</para></listitem>
498 </varlistentry>
499
500 <varlistentry>
501 <term><varname>TimerSlackNSec=</varname></term>
502 <listitem><para>Sets the timer slack
503 in nanoseconds for the executed
504 processes. The timer slack controls the
505 accuracy of wake-ups triggered by
506 timers. See
507 <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
508 for more information. Note that in
509 contrast to most other time span
510 definitions this parameter takes an
511 integer value in nano-seconds and does
512 not understand any other
513 units.</para></listitem>
514 </varlistentry>
515
516 <varlistentry>
517 <term><varname>LimitCPU=</varname></term>
518 <term><varname>LimitFSIZE=</varname></term>
519 <term><varname>LimitDATA=</varname></term>
520 <term><varname>LimitSTACK=</varname></term>
521 <term><varname>LimitCORE=</varname></term>
522 <term><varname>LimitRSS=</varname></term>
523 <term><varname>LimitNOFILE=</varname></term>
524 <term><varname>LimitAS=</varname></term>
525 <term><varname>LimitNPROC=</varname></term>
526 <term><varname>LimitMEMLOCK=</varname></term>
527 <term><varname>LimitLOCKS=</varname></term>
528 <term><varname>LimitSIGPENDING=</varname></term>
529 <term><varname>LimitMSGQUEUE=</varname></term>
530 <term><varname>LimitNICE=</varname></term>
531 <term><varname>LimitRTPRIO=</varname></term>
532 <term><varname>LimitRTTIME=</varname></term>
533 <listitem><para>These settings control
534 various resource limits for executed
535 processes. See
536 <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
537 for details.</para></listitem>
538 </varlistentry>
539
540 <varlistentry>
541 <term><varname>PAMName=</varname></term>
542 <listitem><para>Sets the PAM service
543 name to set up a session as. If set
544 the executed process will be
545 registered as a PAM session under the
546 specified service name. This is only
547 useful in conjunction with the
548 <varname>User=</varname> setting. If
549 not set no PAM session will be opened
550 for the executed processes. See
551 <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
552 for details.</para></listitem>
553 </varlistentry>
554
555 <varlistentry>
556 <term><varname>TCPWrapName=</varname></term>
557 <listitem><para>If this is a
558 socket-activated service this sets the
559 tcpwrap service name to check the
560 permission for the current connection
561 with. This is only useful in
562 conjunction with socket-activated
563 services, and stream sockets (TCP) in
564 particular. It has no effect on other
565 socket types (e.g. datagram/UDP) and on processes
566 unrelated to socket-based
567 activation. If the tcpwrap
568 verification fails daemon start-up
569 will fail and the connection is
570 terminated. See
571 <citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
572 for details.</para></listitem>
573 </varlistentry>
574
575 <varlistentry>
576 <term><varname>Capabilities=</varname></term>
577 <listitem><para>Controls the
578 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
579 set for the executed process. Take a
580 capability string as described in
581 <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
582 Note that this capability set is
583 usually influenced by the capabilities
584 attached to the executed
585 file.</para></listitem>
586 </varlistentry>
587
588 <varlistentry>
589 <term><varname>SecureBits=</varname></term>
590 <listitem><para>Controls the secure
591 bits set for the executed process. See
592 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
593 for details. Takes a list of strings:
594 <option>keep-caps</option>,
595 <option>keep-caps-locked</option>,
596 <option>no-setuid-fixup</option>,
597 <option>no-setuid-fixup-locked</option>,
598 <option>no-setuid-noroot</option> and/or
599 <option>no-setuid-noroot-locked</option>.
600 </para></listitem>
601 </varlistentry>
602
603 <varlistentry>
604 <term><varname>CapabilityBoundingSetDrop=</varname></term>
605
606 <listitem><para>Controls the
607 capability bounding set drop set for
608 the executed process. See
609 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
610 for details. Takes a list of
611 capability names as read by
612 <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
613 </para></listitem>
614 </varlistentry>
615
616 <varlistentry>
617 <term><varname>ControlGroup=</varname></term>
618
619 <listitem><para>Controls the control
620 groups the executed processes shall be
621 made members of. Takes a
622 space-separated list of cgroup
623 identifiers. A cgroup identifier has a
624 format like
625 <filename>cpu:/foo/bar</filename>,
626 where "cpu" identifies the kernel
627 control group controller used, and
628 <filename>/foo/bar</filename> is the
629 control group path. The controller name
630 and ":" may be omitted in which case
631 the named systemd control group
632 hierarchy is implied. Alternatively,
633 the path and ":" may be omitted, in
634 which case the default control group
635 path for this unit is implied. This
636 option may be used to place executed
637 processes in arbitrary groups in
638 arbitrary hierachies -- which can be
639 configured externally with additional execution limits. By default
640 systemd will place all executed
641 processes in separate per-unit control
642 groups (named after the unit) in the
643 systemd named hierarchy. Since every
644 process can be in one group per
645 hierarchy only overriding the control group
646 path in the named systemd hierarchy
647 will disable automatic placement in
648 the default group. For details about control
649 groups see <ulink
650 url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>.</para></listitem>
651 </varlistentry>
652
653 <varlistentry>
654 <term><varname>ReadWriteDirectories=</varname></term>
655 <term><varname>ReadOnlyDirectories=</varname></term>
656 <term><varname>InaccessibleDirectories=</varname></term>
657
658 <listitem><para>Sets up a new
659 file-system name space for executed
660 processes. These options may be used
661 to limit access a process might have
662 to the main file-system
663 hierarchy. Each setting takes a
664 space-separated list of absolute
665 directory paths. Directories listed in
666 <varname>ReadWriteDirectories=</varname>
667 are accessible from within the
668 namespace with the same access rights
669 as from outside. Directories listed in
670 <varname>ReadOnlyDirectories=</varname>
671 are accessible for reading only,
672 writing will be refused even if the
673 usual file access controls would
674 permit this. Directories listed in
675 <varname>InaccessibleDirectories=</varname>
676 will be made inaccesible for processes
677 inside the namespace. Note that
678 restricting access with these options
679 does not extend to submounts of a
680 directory. You must list submounts
681 separately in these setttings to
682 ensure the same limited access. These
683 options may be specified more than
684 once in which case all directories
685 listed will have limited access from
686 within the
687 namespace.</para></listitem>
688 </varlistentry>
689
690 <varlistentry>
691 <term><varname>PrivateTmp=</varname></term>
692
693 <listitem><para>Takes a boolean
694 argument. If true sets up a new
695 namespace for the executed processes
696 and mounts a private
697 <filename>/tmp</filename> directory
698 inside it, that is not shared by
699 processes outside of the
700 namespace. This is useful to secure
701 access to temporary files of the
702 process, but makes sharing between
703 processes via
704 <filename>/tmp</filename>
705 impossible. Defaults to false.</para></listitem>
706 </varlistentry>
707
708 <varlistentry>
709 <term><varname>MountFlags=</varname></term>
710
711 <listitem><para>Takes a mount
712 propagation flag:
713 <option>shared</option>,
714 <option>slave</option> or
715 <option>private</option>, which
716 control whether namespaces set up with
717 <varname>ReadWriteDirectories=</varname>,
718 <varname>ReadOnlyDirectories=</varname>
719 and
720 <varname>InaccessibleDirectories=</varname>
721 receive or propagate new mounts
722 from/to the main namespace. See
723 <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>1</manvolnum></citerefentry>
724 for details. Defaults to
725 <option>shared</option>, i.e. the new
726 namespace will both receive new mount
727 points from the main namespace as well
728 as propagate new mounts to
729 it.</para></listitem>
730 </varlistentry>
731
732 <varlistentry>
733 <term><varname>UtmpIdentifier=</varname></term>
734
735 <listitem><para>Takes a a four
736 character identifier string for an
737 utmp/wtmp entry for this service. This
738 should only be set for services such
739 as <command>getty</command>
740 implementations where utmp/wtmp
741 entries must be created and cleared
742 before and after execution. If the
743 configured string is longer than four
744 characters it is truncated and the
745 terminal four characters are
746 used. This setting interprets %I style
747 string replacements. This setting is
748 unset by default, i.e. no utmp/wtmp
749 entries are created or cleaned up for
750 this service.</para></listitem>
751 </varlistentry>
752
753 </variablelist>
754 </refsect1>
755
756 <refsect1>
757 <title>See Also</title>
758 <para>
759 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
760 <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
761 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
762 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
763 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
764 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
765 </para>
766 </refsect1>
767
768 </refentry>
Unnamed repository; edit this file 'description' to name the repository.