From 8ac5b047fc86f2913adee89eb97ae7dc49bc95f8 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Wed, 30 Apr 2025 02:27:16 +0900 Subject: [PATCH] man/systemd.exec: update documents for PrivateTmp= --- man/systemd.exec.xml | 124 +++++++++++++++++++++++++++++++++++-------- 1 file changed, 101 insertions(+), 23 deletions(-) diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index b350c19dcb0..62c59308ef1 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -61,13 +61,18 @@ paths. This is equivalent to having them listed explicitly in RequiresMountsFor=. - Similarly, units with PrivateTmp= enabled automatically get mount - unit dependencies for all mounts required to access /tmp/ and - /var/tmp/. They will also gain an automatic After= dependency - on + Units with PrivateTmp=yes automatically gain dependencies of type + Wants= and After= on all mounts required to access + /tmp/ and /var/tmp/. They will also gain an automatic + After= dependency on systemd-tmpfiles-setup.service8. + Units with PrivateTmp=disconnected automatically gain dependencies + of type Wants= and After= on the mount required to access + /var/, unless DefaultDependencies=no and/or + RootDirectory=/RootImage= are specified. + Units whose standard output or error output is connected to or (or their combinations with console output, see below) automatically acquire dependencies of type After= on 
@@ -1797,28 +1802,89 @@ BindReadOnlyPaths=/var/lib/systemd Takes a boolean argument, or disconnected. If enabled, a new file system namespace will be set up for the executed processes, and /tmp/ and /var/tmp/ directories inside it are not shared with processes outside of - the namespace, plus all temporary files created by a service in these directories will be removed after - the service is stopped. If true, the backing storage of the private temporary directories - will remain on the host's /tmp/ and /var/tmp/ directories. - If disconnected, the directories will be backed by a completely new tmpfs instance, - meaning that the storage is fully disconnected from the host namespace. Defaults to false. - - This setting is useful to secure access to temporary files of the process, but makes sharing - between processes via /tmp/ or /var/tmp/ impossible. - If not set to disconnected, it is possible to run two or more units within - the same private /tmp/ and /var/tmp/ namespace by using - the JoinsNamespaceOf= directive, see - systemd.unit5 - for details. This setting is implied if DynamicUser= is set. For this setting, - the same restrictions regarding mount propagation and privileges apply as for - ReadOnlyPaths= and related calls, see above. If set to true - (as opposed to disconnected), this has the side effect of adding - Requires= and After= dependencies on all mount units necessary - to access /tmp/ and /var/tmp/ on the host. Moreover, an - implicitly After= ordering on + the namespace, plus all temporary files created by a service in these directories will be removed + after the service is stopped. For this setting, the same restrictions regarding mount propagation + and privileges apply as for ReadOnlyPaths= and related calls, see above. This + setting is useful to secure access to temporary files of the process, but makes sharing between + processes via /tmp/ or /var/tmp/ impossible. If + DynamicUser= is enabled, disconnected is implied. 
Otherwise, + defaults to false. + + If true, the backing storage of the private temporary directories will + remain on the host's /tmp/ and /var/tmp/ directories. It is + possible to run two or more units within the same private /tmp/ and + /var/tmp/ namespace by using the JoinsNamespaceOf= directive, + see systemd.unit5 + for details. This has the side effect of adding Wants= and + After= dependencies on all mount units necessary to access + /tmp/ and /var/tmp/ on the host. Moreover, an implicit + After= ordering on systemd-tmpfiles-setup.service8 is added. + If disconnected, the directories will be backed by a completely new tmpfs + instance, meaning that the storage is fully disconnected from the host namespace. The tmpfs instance + does not shared with other units even if the JoinsNamespaceOf= directive is used. + If DefaultDependencies=no is specified, + RequiresMountsFor=/WantsMountsFor= for /var/ is not + specified, and RootDirectory=/RootImage= is not specified, then a new tmpfs is + mounted only on /tmp/, hence the host's + /var/tmp is still accessible from the unit. In that case, + $TMPDIR environment variable is set to /tmp to suggest the + processes in the unit to use /tmp/. This automatically adds + WantsMountsFor=/var/ dependency, unless DefaultDependencies=no + and/or RootDirectory=/RootImage= are specified. + + + Summary for <varname>PrivateTmp=disconnected</varname> + + + + + + + + Other Settings + tmpfs on /var/tmp/ + $TMPVAR + implied dependencies + + + + + (none) + yes + (unset) + WantsMountsFor=/var/ + + + RootDirectory=/RootImage= + yes + (unset) + (none) + + + DefaultDependency=no, RequiresMountsFor=/var/ + yes + (unset) + (none) + + + DefaultDependency=no, WantsMountsFor=/var/ + yes + (unset) + (none) + + + DefaultDependency=no + no + $TMPDIR=/tmp + (none) + + + +
+ Note that the implementation of this setting might be impossible (for example if mount namespaces are not available), and the unit should be written in a way that does not solely rely on this setting for security. @@ -3944,6 +4010,18 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
+ + $TMPDIR + + The environment variable is set to /tmp when + PrivateTmp=disconnected specified with DefaultDependencies=no + and without RootDirectory=/RootImage= and + RequiresMountsFor=/WantsMountsFor= for /var/. + See explanation for PrivateTmp= above. + + + + $MAINPID -- 2.47.3
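Review bot: in the hunk at @@ -61,13 +61,18 @@, the new paragraph for PrivateTmp=disconnected says the unit gains Wants= and After= on "the mount required to access /var/" (singular), while the PrivateTmp=yes paragraph directly above says "all mounts required to access /tmp/ and /var/tmp/"; since WantsMountsFor= covers every mount unit on the path, "all mounts required to access /var/" would be consistent and avoids reading as if exactly one mount unit is involved. It would also help to state here whether the disconnected case gains the After= on systemd-tmpfiles-setup.service that the yes case gets, since a reader of this section currently cannot tell.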
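Review bot: in the hunk at @@ -1797,28 +1802,89 @@, the summary table's third column is headed `$TMPVAR` while every row in that column and the surrounding prose refer to `$TMPDIR`, and the first column uses `DefaultDependency=no` three times where the setting is spelled `DefaultDependencies=no` everywhere else in the paragraph; both should be corrected so the table matches the real names. Two grammar fixes in the same paragraph: "The tmpfs instance does not shared with other units" should read "The tmpfs instance is not shared with other units", and "to suggest the processes in the unit to use /tmp/" should read "to suggest that processes in the unit use /tmp/"; "the host's /var/tmp" should also carry the trailing slash used for every other path in the section. Finally, the sentence stating that a new tmpfs is mounted only on /tmp/ when DefaultDependencies=no is set without mount dependencies for /var/ deserves an explicit note that in that configuration /var/tmp/ remains the host's directory and is therefore shared with other processes, because the preceding sentence promises storage "fully disconnected from the host namespace" and a reader skimming the disconnected paragraph could miss the exception.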
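Review bot: in the hunk at @@ -3944,6 +4010,18 @@, the new $TMPDIR entry is missing a verb: "when PrivateTmp=disconnected specified with DefaultDependencies=no" should read "when PrivateTmp=disconnected is specified together with DefaultDependencies=no", and "See explanation for PrivateTmp= above" reads better as "See the description of PrivateTmp= above". It would also help to say explicitly that the variable is left unset in every other case (the summary table in the earlier hunk shows "(unset)" for those rows), so a service that reads $TMPDIR knows an absent value is expected, and to write the value as /tmp/ to match the path style used in the rest of the manual.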