From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 5 Nov 2024 12:33:53 +0000 (+0100)
Subject: man: document that PrivateTmp= is unaffected by ProtectSystem=strict
X-Git-Tag: v257-rc1~21^2~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b71173709651102081c9d8c6d6e3d2a6ef5cf17e;p=thirdparty%2Fsystemd.git

man: document that PrivateTmp= is unaffected by ProtectSystem=strict

Fixes: #33130
---

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index ac17ab65a4b..a955f767e41 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1433,6 +1433,10 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
         set. This setting cannot ensure protection in all cases. In general it has the same limitations as
         <varname>ReadOnlyPaths=</varname>, see below. Defaults to off.</para>
 
+        <para>Note that if <varname>ProtectSystem=</varname> is set to <literal>strict</literal> and
+        <varname>PrivateTmp=</varname> is enabled, then <filename>/tmp/</filename> and
+        <filename>/var/tmp/</filename> will be writable.</para>
+
         <xi:include href="version-info.xml" xpointer="v214"/></listitem>
       </varlistentry>