core: change ExecStart=! syntax to ExecStart=+ (#3797)

As suggested by @mbiebl we already use the "!" special char in unit file
assignments for negation, hence we should not use it in a different context for
privileged execution. Let's use "+" instead.

4 files changed, 20 insertions, 24 deletions

diff --git a/NEWS b/NEWS
index 36fb84b26f..0ffe025400 100644
--- a/NEWS
+++ b/NEWS
@@ -4,7 +4,7 @@ CHANGES WITH 231:
 
         * In service units the various ExecXYZ= settings have been extended
           with an additional special character as first argument of the
-          assigned value: if the character '!' is used the specified command
+          assigned value: if the character '+' is used the specified command
           line it will be run with full privileges, regardless of User=,
           Group=, CapabilityBoundingSet= and similar options. The effect is
           similar to the existing PermissionsStartOnly= option, but allows
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 49fea98a95..41ae6e76de 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -146,7 +146,7 @@
         <listitem><para>Sets the Unix user or group that the processes
         are executed as, respectively. Takes a single user or group
         name or ID as argument. If no group is set, the default group
-        of the user is chosen. These do not affect commands prefixed with <literal>!</literal>.</para></listitem>
+        of the user is chosen. These do not affect commands prefixed with <literal>+</literal>.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -161,7 +161,7 @@
         this one will have no effect. In any way, this option does not
         override, but extends the list of supplementary groups
         configured in the system group database for the
-        user. This does not affect commands prefixed with <literal>!</literal>.</para></listitem>
+        user. This does not affect commands prefixed with <literal>+</literal>.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -796,7 +796,7 @@
         empty string is assigned to this option, the bounding set is reset to the empty capability set, and all prior
         settings have no effect.  If set to <literal>~</literal> (without any further argument), the bounding set is
         reset to the full set of available capabilities, also undoing any previous settings. This does not affect
-        commands prefixed with <literal>!</literal>.</para></listitem>
+        commands prefixed with <literal>+</literal>.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -826,7 +826,7 @@
         Note that in this case option <constant>keep-caps</constant> is
         automatically added to <varname>SecureBits=</varname> to retain the
         capabilities over the user change. <varname>AmbientCapabilities=</varname> does not affect
-        commands prefixed with <literal>!</literal>.</para></listitem>
+        commands prefixed with <literal>+</literal>.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -842,7 +842,7 @@
         <option>noroot-locked</option>.
         This option may appear more than once, in which case the secure
         bits are ORed. If the empty string is assigned to this option,
-        the bits are reset to 0. This does not affect commands prefixed with <literal>!</literal>.
+        the bits are reset to 0. This does not affect commands prefixed with <literal>+</literal>.
         See <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
         for details.</para></listitem>
       </varlistentry>
@@ -1101,7 +1101,7 @@
         domain transition. However, the policy still needs to
         authorize the transition. This directive is ignored if SELinux
         is disabled. If prefixed by <literal>-</literal>, all errors
-        will be ignored. This does not affect commands prefixed with <literal>!</literal>.
+        will be ignored. This does not affect commands prefixed with <literal>+</literal>.
         See <citerefentry project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
         for details.</para></listitem>
       </varlistentry>
@@ -1114,7 +1114,7 @@
         Profiles must already be loaded in the kernel, or the unit
         will fail. This result in a non operation if AppArmor is not
         enabled. If prefixed by <literal>-</literal>, all errors will
-        be ignored. This does not affect commands prefixed with <literal>!</literal>.</para></listitem>
+        be ignored. This does not affect commands prefixed with <literal>+</literal>.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -1134,7 +1134,7 @@
         <para>The value may be prefixed by <literal>-</literal>, in
         which case all errors will be ignored. An empty value may be
         specified to unset previous assignments. This does not affect
-        commands prefixed with <literal>!</literal>.</para>
+        commands prefixed with <literal>+</literal>.</para>
         </listitem>
       </varlistentry>
 
@@ -1185,7 +1185,7 @@
         listed explicitly. This option may be specified more than once,
         in which case the filter masks are merged. If the empty string
         is assigned, the filter is reset, all prior assignments will
-        have no effect. This does not affect commands prefixed with <literal>!</literal>.</para>
+        have no effect. This does not affect commands prefixed with <literal>+</literal>.</para>
 
         <para>If you specify both types of this option (i.e.
         whitelisting and blacklisting), the first encountered will
@@ -1354,7 +1354,7 @@
         family should be included in the configured whitelist as it is
         frequently used for local communication, including for
         <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry>
-        logging. This does not affect commands prefixed with <literal>!</literal>.</para></listitem>
+        logging. This does not affect commands prefixed with <literal>+</literal>.</para></listitem>
       </varlistentry>
 
       <varlistentry>
diff --git a/man/systemd.service.xml b/man/systemd.service.xml
index 70f12b2d32..875d368fcf 100644
--- a/man/systemd.service.xml
+++ b/man/systemd.service.xml
@@ -288,18 +288,14 @@
         <varname>ExecStart=</varname> is specified, then the service
         must have <varname>RemainAfterExit=yes</varname> set.</para>
 
-        <para>For each of the specified commands, the first argument
-        must be an absolute path to an executable. Optionally, if this
-        file name is prefixed with <literal>@</literal>, the second
-        token will be passed as <literal>argv[0]</literal> to the
-        executed process, followed by the further arguments specified.
-        If the absolute filename is prefixed with
-        <literal>-</literal>, an exit code of the command normally
-        considered a failure (i.e. non-zero exit status or abnormal
-        exit due to signal) is ignored and considered success.
-        If the absolute path is prefixed with <literal>!</literal> then
-        it is executed with full privileges. <literal>-</literal>, <literal>@</literal>, and <literal>!</literal>
-        may be used together and they can appear in any order.</para>
+        <para>For each of the specified commands, the first argument must be an absolute path to an
+        executable. Optionally, if this file name is prefixed with <literal>@</literal>, the second token will be
+        passed as <literal>argv[0]</literal> to the executed process, followed by the further arguments specified.  If
+        the absolute filename is prefixed with <literal>-</literal>, an exit code of the command normally considered a
+        failure (i.e. non-zero exit status or abnormal exit due to signal) is ignored and considered success.  If the
+        absolute path is prefixed with <literal>+</literal> then it is executed with full
+        privileges. <literal>-</literal>, <literal>@</literal>, and <literal>+</literal> may be used together and they
+        can appear in any order.</para>
 
         <para>If more than one command is specified, the commands are
         invoked sequentially in the order they appear in the unit
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index ae306de4ae..a36953f766 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -620,7 +620,7 @@ int config_parse_exec(
                                 ignore = true;
                         else if (*f == '@' && !separate_argv0)
                                 separate_argv0 = true;
-                        else if (*f == '!' && !privileged)
+                        else if (*f == '+' && !privileged)
                                 privileged = true;
                         else
                                 break;