man: document that PrivateTmp= is unaffected by ProtectSystem=strict
authorLennart Poettering <lennart@poettering.net>
Tue, 5 Nov 2024 12:33:53 +0000 (13:33 +0100)
committerLuca Boccassi <luca.boccassi@gmail.com>
Wed, 13 Nov 2024 19:48:10 +0000 (19:48 +0000)
Fixes: #33130
(cherry picked from commit b71173709651102081c9d8c6d6e3d2a6ef5cf17e)

man/systemd.exec.xml

index 8e72e9c0609558cf45428242750163a1e17c8031..9dc5a070dcb31dcfa52f422692e18e9e0d4cef8d 100644 (file)
@@ -1415,6 +1415,10 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
         set. This setting cannot ensure protection in all cases. In general it has the same limitations as
         <varname>ReadOnlyPaths=</varname>, see below. Defaults to off.</para>
 
+        <para>Note that if <varname>ProtectSystem=</varname> is set to <literal>strict</literal> and
+        <varname>PrivateTmp=</varname> is enabled, then <filename>/tmp/</filename> and
+        <filename>/var/tmp/</filename> will be writable.</para>
+
         <xi:include href="version-info.xml" xpointer="v214"/></listitem>
       </varlistentry>