From: Lennart Poettering
Date: Wed, 8 Nov 2023 14:36:43 +0000 (+0100)
Subject: man: document explicitly that ReadWritePaths= cannot undo superblock read-only settings
X-Git-Tag: v255-rc2~67
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b6be6a6721e3d7ba0f01cfba135d2d6cf526087b;p=thirdparty%2Fsystemd.git

man: document explicitly that ReadWritePaths= cannot undo superblock read-only settings

Fixes: #29266
---
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index d81154a339f..525303c6ebf 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1631,7 +1631,12 @@ StateDirectory=aaa/bbb ccc permit this. Nest ReadWritePaths= inside of ReadOnlyPaths= in order to provide writable subdirectories within read-only directories. Use ReadWritePaths= in order to allow-list specific paths for write access if - ProtectSystem=strict is used. + ProtectSystem=strict is used. Note that ReadWritePaths= cannot + be used to gain write access to a file system whose superblock is mounted read-only. On Linux, for + each mount point write access is granted only if the mount point itself and the + file system superblock backing it are not marked read-only. ReadWritePaths= only + controls the former, not the latter, hence a read-only file system superblock remains + protected. Paths listed in InaccessiblePaths= will be made inaccessible for processes inside the namespace along with everything below them in the file system hierarchy. This may be more restrictive than
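
Review bot: In the text added after "ProtectSystem=strict is used.", the first sentence speaks of a superblock that is "mounted read-only" while the following sentences speak of the mount point and the superblock being "marked read-only". Since the whole point of the note is the distinction between the per-mount-point flag and the superblock flag, please use one term for the state throughout so readers do not take these for two different conditions. The clause "for each mount point write access is granted only if" also wants a comma after "mount point". Because the note is appended to the same sentence run as the ProtectSystem=strict advice, it can be read as applying only to that case; consider wording it so it clearly also covers the ReadWritePaths= nested inside ReadOnlyPaths= usage described just above it. Finally, the note states what does not work but gives the administrator no pointer to what to do when the backing superblock is read-only; one closing sentence on that would make the caveat actionable.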