diff options
Diffstat (limited to 'man/systemd.exec.xml')
| -rw-r--r-- | man/systemd.exec.xml | 2900 |
1 files changed, 1257 insertions, 1643 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index cbaec9f13b..74d698dbfc 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1,6 +1,6 @@ <?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?> <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" - "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> <!-- This file is part of systemd. @@ -22,1647 +22,1261 @@ --> <refentry id="systemd.exec"> - <refentryinfo> - <title>systemd.exec</title> - <productname>systemd</productname> - - <authorgroup> - <author> - <contrib>Developer</contrib> - <firstname>Lennart</firstname> - <surname>Poettering</surname> - <email>lennart@poettering.net</email> - </author> - </authorgroup> - </refentryinfo> - - <refmeta> - <refentrytitle>systemd.exec</refentrytitle> - <manvolnum>5</manvolnum> - </refmeta> - - <refnamediv> - <refname>systemd.exec</refname> - <refpurpose>Execution environment configuration</refpurpose> - </refnamediv> - - <refsynopsisdiv> - <para><filename><replaceable>service</replaceable>.service</filename>, - <filename><replaceable>socket</replaceable>.socket</filename>, - <filename><replaceable>mount</replaceable>.mount</filename>, - <filename><replaceable>swap</replaceable>.swap</filename></para> - </refsynopsisdiv> - - <refsect1> - <title>Description</title> - - <para>Unit configuration files for services, sockets, - mount points, and swap devices share a subset of - configuration options which define the execution - environment of spawned processes.</para> - - <para>This man page lists the configuration options - shared by these four unit types. See - <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> - for the common options of all unit configuration - files, and - <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - and - <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry> - for more information on the specific unit - configuration files. The execution specific - configuration options are configured in the [Service], - [Socket], [Mount], or [Swap] sections, depending on the unit - type.</para> - </refsect1> - - <refsect1> - <title>Options</title> - - <variablelist class='unit-directives'> - - <varlistentry> - <term><varname>WorkingDirectory=</varname></term> - - <listitem><para>Takes an absolute - directory path. Sets the working - directory for executed processes. If - not set, defaults to the root directory - when systemd is running as a system - instance and the respective user's - home directory if run as - user.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>RootDirectory=</varname></term> - - <listitem><para>Takes an absolute - directory path. Sets the root - directory for executed processes, with - the - <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry> - system call. If this is used, it must - be ensured that the process and all - its auxiliary files are available in - the <function>chroot()</function> - jail.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>User=</varname></term> - <term><varname>Group=</varname></term> - - <listitem><para>Sets the Unix user - or group that the processes are executed - as, respectively. Takes a single user or group - name or ID as argument. If no group is - set, the default group of the user is - chosen.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>SupplementaryGroups=</varname></term> - - <listitem><para>Sets the supplementary - Unix groups the processes are executed - as. This takes a space-separated list - of group names or IDs. This option may - be specified more than once in which - case all listed groups are set as - supplementary groups. When the empty - string is assigned the list of - supplementary groups is reset, and all - assignments prior to this one will - have no effect. In any way, this - option does not override, but extends - the list of supplementary groups - configured in the system group - database for the - user.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>Nice=</varname></term> - - <listitem><para>Sets the default nice - level (scheduling priority) for - executed processes. Takes an integer - between -20 (highest priority) and 19 - (lowest priority). See - <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry> - for details.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>OOMScoreAdjust=</varname></term> - - <listitem><para>Sets the adjustment - level for the Out-Of-Memory killer for - executed processes. Takes an integer - between -1000 (to disable OOM killing - for this process) and 1000 (to make - killing of this process under memory - pressure very likely). See <ulink - url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink> - for details.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>IOSchedulingClass=</varname></term> - - <listitem><para>Sets the IO scheduling - class for executed processes. Takes an - integer between 0 and 3 or one of the - strings <option>none</option>, - <option>realtime</option>, - <option>best-effort</option> or - <option>idle</option>. See - <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> - for details.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>IOSchedulingPriority=</varname></term> - - <listitem><para>Sets the IO scheduling - priority for executed processes. Takes - an integer between 0 (highest - priority) and 7 (lowest priority). The - available priorities depend on the - selected IO scheduling class (see - above). See - <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> - for details.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>CPUSchedulingPolicy=</varname></term> - - <listitem><para>Sets the CPU - scheduling policy for executed - processes. Takes one of - <option>other</option>, - <option>batch</option>, - <option>idle</option>, - <option>fifo</option> or - <option>rr</option>. See - <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> - for details.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>CPUSchedulingPriority=</varname></term> - - <listitem><para>Sets the CPU - scheduling priority for executed - processes. The available priority - range depends on the selected CPU - scheduling policy (see above). For - real-time scheduling policies an - integer between 1 (lowest priority) - and 99 (highest priority) can be used. - See <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> - for details. - </para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>CPUSchedulingResetOnFork=</varname></term> - - <listitem><para>Takes a boolean - argument. If true, elevated CPU - scheduling priorities and policies - will be reset when the executed - processes fork, and can hence not leak - into child processes. See - <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> - for details. Defaults to false.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>CPUAffinity=</varname></term> - - <listitem><para>Controls the CPU - affinity of the executed - processes. Takes a space-separated - list of CPU indices. This option may - be specified more than once in which - case the specified CPU affinity masks - are merged. If the empty string is - assigned, the mask is reset, all - assignments prior to this will have no - effect. See - <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry> - for details.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>UMask=</varname></term> - - <listitem><para>Controls the file mode - creation mask. Takes an access mode in - octal notation. See - <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry> - for details. Defaults to - 0022.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>Environment=</varname></term> - - <listitem><para>Sets environment - variables for executed - processes. Takes a space-separated - list of variable assignments. This - option may be specified more than once - in which case all listed variables - will be set. If the same variable is - set twice, the later setting will - override the earlier setting. If the - empty string is assigned to this - option, the list of environment - variables is reset, all prior - assignments have no effect. - Variable expansion is not performed - inside the strings, however, specifier - expansion is possible. The $ character has - no special meaning. - If you need to assign a value containing spaces - to a variable, use double quotes (") - for the assignment.</para> - - <para>Example: - <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting> - gives three variables <literal>VAR1</literal>, - <literal>VAR2</literal>, <literal>VAR3</literal> - with the values <literal>word1 word2</literal>, - <literal>word3</literal>, <literal>$word 5 6</literal>. - </para> - - <para> - See - <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> - for details about environment variables.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>EnvironmentFile=</varname></term> - <listitem><para>Similar to - <varname>Environment=</varname> but - reads the environment variables from a - text file. The text file should - contain new-line-separated variable - assignments. Empty lines and lines - starting with ; or # will be ignored, - which may be used for commenting. A line - ending with a backslash will be concatenated - with the following one, allowing multiline variable - definitions. The parser strips leading - and trailing whitespace from the values - of assignments, unless you use - double quotes (").</para> - - <para>The argument passed should be an - absolute filename or wildcard - expression, optionally prefixed with - <literal>-</literal>, which indicates - that if the file does not exist, it - will not be read and no error or warning - message is logged. This option may be - specified more than once in which case - all specified files are read. If the - empty string is assigned to this - option, the list of file to read is - reset, all prior assignments have no - effect.</para> - - <para>The files listed with this - directive will be read shortly before - the process is executed (more - specifically, after all - processes from a previous unit state - terminated. This means you can - generate these files in one unit - state, and read it with this option in - the next). Settings from these files - override settings made with - <varname>Environment=</varname>. If - the same variable is set twice from - these files, the files will be read in - the order they are specified and the - later setting will override the - earlier setting.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>StandardInput=</varname></term> - <listitem><para>Controls where file - descriptor 0 (STDIN) of the executed - processes is connected to. Takes one - of <option>null</option>, - <option>tty</option>, - <option>tty-force</option>, - <option>tty-fail</option> or - <option>socket</option>.</para> - - <para>If <option>null</option> is - selected, standard input will be - connected to - <filename>/dev/null</filename>, - i.e. all read attempts by the process - will result in immediate EOF.</para> - - <para>If <option>tty</option> is - selected, standard input is connected - to a TTY (as configured by - <varname>TTYPath=</varname>, see - below) and the executed process - becomes the controlling process of the - terminal. If the terminal is already - being controlled by another process, - the executed process waits until the - current controlling process releases - the terminal.</para> - - <para><option>tty-force</option> is similar - to <option>tty</option>, but the - executed process is forcefully and - immediately made the controlling - process of the terminal, potentially - removing previous controlling - processes from the - terminal.</para> - - <para><option>tty-fail</option> is - similar to <option>tty</option> but if - the terminal already has a controlling - process start-up of the executed - process fails.</para> - - <para>The <option>socket</option> - option is only valid in - socket-activated services, and only - when the socket configuration file - (see - <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry> - for details) specifies a single socket - only. If this option is set, standard - input will be connected to the socket - the service was activated from, which - is primarily useful for compatibility - with daemons designed for use with the - traditional - <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry> - daemon.</para> - - <para>This setting defaults to - <option>null</option>.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>StandardOutput=</varname></term> - <listitem><para>Controls where file - descriptor 1 (STDOUT) of the executed - processes is connected to. Takes one - of <option>inherit</option>, - <option>null</option>, - <option>tty</option>, - <option>journal</option>, - <option>syslog</option>, - <option>kmsg</option>, - <option>journal+console</option>, - <option>syslog+console</option>, - <option>kmsg+console</option> or - <option>socket</option>.</para> - - <para><option>inherit</option> - duplicates the file descriptor of - standard input for standard - output.</para> - - <para><option>null</option> connects - standard output to - <filename>/dev/null</filename>, - i.e. everything written to it will be - lost.</para> - - <para><option>tty</option> connects - standard output to a tty (as - configured via - <varname>TTYPath=</varname>, see - below). If the TTY is used for output - only, the executed process will not - become the controlling process of the - terminal, and will not fail or wait - for other processes to release the - terminal.</para> - - <para><option>journal</option> - connects standard output with the - journal which is accessible via - <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>. - Note that everything that is written - to syslog or kmsg (see below) is - implicitly stored in the journal as - well, the specific two options listed - below are hence supersets of this - one.</para> - - <para><option>syslog</option> connects - standard output to the <citerefentry - project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> - system syslog service, in addition to - the journal. Note that the journal - daemon is usually configured to - forward everything it receives to - syslog anyway, in which case this - option is no different from - <option>journal</option>.</para> - - <para><option>kmsg</option> connects - standard output with the kernel log - buffer which is accessible via - <citerefentry - project='man-pages'><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>, - in addition to the journal. The - journal daemon might be configured to - send all logs to kmsg anyway, in which - case this option is no different from - <option>journal</option>.</para> - - <para><option>journal+console</option>, - <option>syslog+console</option> and - <option>kmsg+console</option> work in - a similar way as the three options - above but copy the output to the - system console as well.</para> - - <para><option>socket</option> connects - standard output to a socket acquired - via socket activation. The semantics - are similar to the same option of - <varname>StandardInput=</varname>.</para> - - <para>This setting defaults to the - value set with - <option>DefaultStandardOutput=</option> - in - <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - which defaults to - <option>journal</option>.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>StandardError=</varname></term> - <listitem><para>Controls where file - descriptor 2 (STDERR) of the - executed processes is connected to. - The available options are identical to - those of - <varname>StandardOutput=</varname>, - with one exception: if set to - <option>inherit</option> the file - descriptor used for standard output is - duplicated for standard error. This - setting defaults to the value set with - <option>DefaultStandardError=</option> - in - <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - which defaults to - <option>inherit</option>.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>TTYPath=</varname></term> - <listitem><para>Sets the terminal - device node to use if standard input, output, - or error are connected to a - TTY (see above). Defaults to - <filename>/dev/console</filename>.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>TTYReset=</varname></term> - <listitem><para>Reset the terminal - device specified with - <varname>TTYPath=</varname> before and - after execution. Defaults to - <literal>no</literal>.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>TTYVHangup=</varname></term> - <listitem><para>Disconnect all clients - which have opened the terminal device - specified with - <varname>TTYPath=</varname> - before and after execution. Defaults - to - <literal>no</literal>.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>TTYVTDisallocate=</varname></term> - <listitem><para>If the terminal - device specified with - <varname>TTYPath=</varname> is a - virtual console terminal, try to - deallocate the TTY before and after - execution. This ensures that the - screen and scrollback buffer is - cleared. Defaults to - <literal>no</literal>.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>SyslogIdentifier=</varname></term> - <listitem><para>Sets the process name - to prefix log lines sent to the - logging system or the kernel log - buffer with. If not set, defaults to - the process name of the executed - process. This option is only useful - when - <varname>StandardOutput=</varname> or - <varname>StandardError=</varname> are - set to <option>syslog</option>, - <option>journal</option> or - <option>kmsg</option> (or to the same - settings in combination with - <option>+console</option>).</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>SyslogFacility=</varname></term> - <listitem><para>Sets the syslog - facility to use when logging to - syslog. One of <option>kern</option>, - <option>user</option>, - <option>mail</option>, - <option>daemon</option>, - <option>auth</option>, - <option>syslog</option>, - <option>lpr</option>, - <option>news</option>, - <option>uucp</option>, - <option>cron</option>, - <option>authpriv</option>, - <option>ftp</option>, - <option>local0</option>, - <option>local1</option>, - <option>local2</option>, - <option>local3</option>, - <option>local4</option>, - <option>local5</option>, - <option>local6</option> or - <option>local7</option>. See - <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> - for details. This option is only - useful when - <varname>StandardOutput=</varname> or - <varname>StandardError=</varname> are - set to <option>syslog</option>. - Defaults to - <option>daemon</option>.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>SyslogLevel=</varname></term> - <listitem><para>Default syslog level - to use when logging to syslog or the - kernel log buffer. One of - <option>emerg</option>, - <option>alert</option>, - <option>crit</option>, - <option>err</option>, - <option>warning</option>, - <option>notice</option>, - <option>info</option>, - <option>debug</option>. See - <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> - for details. This option is only - useful when - <varname>StandardOutput=</varname> or - <varname>StandardError=</varname> are - set to <option>syslog</option> or - <option>kmsg</option>. Note that - individual lines output by the daemon - might be prefixed with a different log - level which can be used to override - the default log level specified - here. The interpretation of these - prefixes may be disabled with - <varname>SyslogLevelPrefix=</varname>, - see below. For details see - <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>. - - Defaults to - <option>info</option>.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>SyslogLevelPrefix=</varname></term> - <listitem><para>Takes a boolean - argument. If true and - <varname>StandardOutput=</varname> or - <varname>StandardError=</varname> are - set to <option>syslog</option>, - <option>kmsg</option> or - <option>journal</option>, log lines - written by the executed process that - are prefixed with a log level will be - passed on to syslog with this log - level set but the prefix removed. If - set to false, the interpretation of - these prefixes is disabled and the - logged lines are passed on as-is. For - details about this prefixing see - <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>. - Defaults to true.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>TimerSlackNSec=</varname></term> - <listitem><para>Sets the timer slack - in nanoseconds for the executed - processes. The timer slack controls - the accuracy of wake-ups triggered by - timers. See - <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> - for more information. Note that in - contrast to most other time span - definitions this parameter takes an - integer value in nano-seconds if no - unit is specified. The usual time - units are understood - too.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>LimitCPU=</varname></term> - <term><varname>LimitFSIZE=</varname></term> - <term><varname>LimitDATA=</varname></term> - <term><varname>LimitSTACK=</varname></term> - <term><varname>LimitCORE=</varname></term> - <term><varname>LimitRSS=</varname></term> - <term><varname>LimitNOFILE=</varname></term> - <term><varname>LimitAS=</varname></term> - <term><varname>LimitNPROC=</varname></term> - <term><varname>LimitMEMLOCK=</varname></term> - <term><varname>LimitLOCKS=</varname></term> - <term><varname>LimitSIGPENDING=</varname></term> - <term><varname>LimitMSGQUEUE=</varname></term> - <term><varname>LimitNICE=</varname></term> - <term><varname>LimitRTPRIO=</varname></term> - <term><varname>LimitRTTIME=</varname></term> - <listitem><para>These settings set both - soft and hard limits of various resources for - executed processes. See - <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> - for details. Use the string - <varname>infinity</varname> to - configure no limit on a specific - resource.</para></listitem> - - <table> - <title>Limit directives and their equivalent with ulimit</title> - - <tgroup cols='2'> - <colspec colname='directive' /> - <colspec colname='equivalent' /> - <thead> - <row> - <entry>Directive</entry> - <entry>ulimit equivalent</entry> - </row> - </thead> - <tbody> - <row> - <entry>LimitCPU</entry> - <entry>ulimit -t</entry> - </row> - <row> - <entry>LimitFSIZE</entry> - <entry>ulimit -f</entry> - </row> - <row> - <entry>LimitDATA</entry> - <entry>ulimit -d</entry> - </row> - <row> - <entry>LimitSTACK</entry> - <entry>ulimit -s</entry> - </row> - <row> - <entry>LimitCORE</entry> - <entry>ulimit -c</entry> - </row> - <row> - <entry>LimitRSS</entry> - <entry>ulimit -m</entry> - </row> - <row> - <entry>LimitNOFILE</entry> - <entry>ulimit -n</entry> - </row> - <row> - <entry>LimitAS</entry> - <entry>ulimit -v</entry> - </row> - <row> - <entry>LimitNPROC</entry> - <entry>ulimit -u</entry> - </row> - <row> - <entry>LimitMEMLOCK</entry> - <entry>ulimit -l</entry> - </row> - <row> - <entry>LimitLOCKS</entry> - <entry>ulimit -x</entry> - </row> - <row> - <entry>LimitSIGPENDING</entry> - <entry>ulimit -i</entry> - </row> - <row> - <entry>LimitMSGQUEUE</entry> - <entry>ulimit -q</entry> - </row> - <row> - <entry>LimitNICE</entry> - <entry>ulimit -e</entry> - </row> - <row> - <entry>LimitRTPRIO</entry> - <entry>ulimit -r</entry> - </row> - <row> - <entry>LimitRTTIME</entry> - <entry>No equivalent</entry> - </row> - </tbody> - </tgroup> - </table> - </varlistentry> - - <varlistentry> - <term><varname>PAMName=</varname></term> - <listitem><para>Sets the PAM service - name to set up a session as. If set, - the executed process will be - registered as a PAM session under the - specified service name. This is only - useful in conjunction with the - <varname>User=</varname> setting. If - not set, no PAM session will be opened - for the executed processes. See - <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> - for details.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>CapabilityBoundingSet=</varname></term> - - <listitem><para>Controls which - capabilities to include in the - capability bounding set for the - executed process. See - <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> - for details. Takes a whitespace-separated - list of capability names as read by - <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - e.g. <constant>CAP_SYS_ADMIN</constant>, - <constant>CAP_DAC_OVERRIDE</constant>, - <constant>CAP_SYS_PTRACE</constant>. - Capabilities listed will be included - in the bounding set, all others are - removed. If the list of capabilities - is prefixed with <literal>~</literal>, - all but the listed capabilities will - be included, the effect of the - assignment inverted. Note that this - option also affects the respective - capabilities in the effective, - permitted and inheritable capability - sets, on top of what - <varname>Capabilities=</varname> - does. If this option is not used, the - capability bounding set is not - modified on process execution, hence - no limits on the capabilities of the - process are enforced. This option may - appear more than once in which case - the bounding sets are merged. If the - empty string is assigned to this - option, the bounding set is reset to - the empty capability set, and all - prior settings have no effect. If set - to <literal>~</literal> (without any - further argument), the bounding set is - reset to the full set of available - capabilities, also undoing any - previous settings.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>SecureBits=</varname></term> - <listitem><para>Controls the secure - bits set for the executed process. - Takes a space-separated combination of - options from the following list: - <option>keep-caps</option>, - <option>keep-caps-locked</option>, - <option>no-setuid-fixup</option>, - <option>no-setuid-fixup-locked</option>, - <option>noroot</option>, and - <option>noroot-locked</option>. This - option may appear more than once in - which case the secure bits are ORed. - If the empty string is assigned to - this option, the bits are reset to 0. - See <citerefentry - project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> - for details.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>Capabilities=</varname></term> - <listitem><para>Controls the - <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> - set for the executed process. Take a - capability string describing the - effective, permitted and inherited - capability sets as documented in - <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>. - Note that these capability sets are - usually influenced (and filtered) by the capabilities - attached to the executed file. Due to - that - <varname>CapabilityBoundingSet=</varname> - is probably a much more useful - setting.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>ReadWriteDirectories=</varname></term> - <term><varname>ReadOnlyDirectories=</varname></term> - <term><varname>InaccessibleDirectories=</varname></term> - - <listitem><para>Sets up a new file - system namespace for executed - processes. These options may be used - to limit access a process might have - to the main file system - hierarchy. Each setting takes a - space-separated list of absolute - directory paths. Directories listed in - <varname>ReadWriteDirectories=</varname> - are accessible from within the - namespace with the same access rights - as from outside. Directories listed in - <varname>ReadOnlyDirectories=</varname> - are accessible for reading only, - writing will be refused even if the - usual file access controls would - permit this. Directories listed in - <varname>InaccessibleDirectories=</varname> - will be made inaccessible for - processes inside the namespace. Note - that restricting access with these - options does not extend to submounts - of a directory that are created later - on. These options may be specified - more than once in which case all - directories listed will have limited - access from within the namespace. If - the empty string is assigned to this - option, the specific list is reset, - and all prior assignments have no - effect.</para> - <para>Paths in - <varname>ReadOnlyDirectories=</varname> - and - <varname>InaccessibleDirectories=</varname> - may be prefixed with - <literal>-</literal>, in which case - they will be ignored when they do not - exist. Note that using this - setting will disconnect propagation of - mounts from the service to the host - (propagation in the opposite direction - continues to work). This means that - this setting may not be used for - services which shall be able to - install mount points in the main mount - namespace.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>PrivateTmp=</varname></term> - - <listitem><para>Takes a boolean - argument. If true, sets up a new file - system namespace for the executed - processes and mounts private - <filename>/tmp</filename> and - <filename>/var/tmp</filename> - directories inside it that is not - shared by processes outside of the - namespace. This is useful to secure - access to temporary files of the - process, but makes sharing between - processes via - <filename>/tmp</filename> or - <filename>/var/tmp</filename> - impossible. If this is enabled, all - temporary files created by a service - in these directories will be removed - after the service is stopped. Defaults - to false. It is possible to run two or - more units within the same private - <filename>/tmp</filename> and - <filename>/var/tmp</filename> - namespace by using the - <varname>JoinsNamespaceOf=</varname> - directive, see - <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> - for details. Note that using this - setting will disconnect propagation of - mounts from the service to the host - (propagation in the opposite direction - continues to work). This means that - this setting may not be used for - services which shall be able to install - mount points in the main mount - namespace.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>PrivateDevices=</varname></term> - - <listitem><para>Takes a boolean - argument. If true, sets up a new /dev - namespace for the executed processes - and only adds API pseudo devices such - as <filename>/dev/null</filename>, - <filename>/dev/zero</filename> or - <filename>/dev/random</filename> (as - well as the pseudo TTY subsystem) to - it, but no physical devices such as - <filename>/dev/sda</filename>. This is - useful to securely turn off physical - device access by the executed - process. Defaults to false. Enabling - this option will also remove - <constant>CAP_MKNOD</constant> from - the capability bounding set for the - unit (see above), and set - <varname>DevicePolicy=closed</varname> - (see - <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> - for details). Note that using this - setting will disconnect propagation of - mounts from the service to the host - (propagation in the opposite direction - continues to work). This means that - this setting may not be used for - services which shall be able to - install mount points in the main mount - namespace.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>PrivateNetwork=</varname></term> - - <listitem><para>Takes a boolean - argument. If true, sets up a new - network namespace for the executed - processes and configures only the - loopback network device - <literal>lo</literal> inside it. No - other network devices will be - available to the executed process. - This is useful to securely turn off - network access by the executed - process. Defaults to false. It is - possible to run two or more units - within the same private network - namespace by using the - <varname>JoinsNamespaceOf=</varname> - directive, see - <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> - for details. Note that this option - will disconnect all socket families - from the host, this includes - AF_NETLINK and AF_UNIX. The latter has - the effect that AF_UNIX sockets in the - abstract socket namespace will become - unavailable to the processes (however, - those located in the file system will - continue to be - accessible).</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>ProtectSystem=</varname></term> - - <listitem><para>Takes a boolean - argument or - <literal>full</literal>. If true, - mounts the <filename>/usr</filename> - and <filename>/boot</filename> - directories read-only for processes - invoked by this unit. If set to - <literal>full</literal>, the - <filename>/etc</filename> directory is - mounted read-only, too. This setting - ensures that any modification of the - vendor supplied operating system (and - optionally its configuration) is - prohibited for the service. It is - recommended to enable this setting for - all long-running services, unless they - are involved with system updates or - need to modify the operating system in - other ways. Note however that - processes retaining the CAP_SYS_ADMIN - capability can undo the effect of this - setting. This setting is hence - particularly useful for daemons which - have this capability removed, for - example with - <varname>CapabilityBoundingSet=</varname>. Defaults - to off.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>ProtectHome=</varname></term> - - <listitem><para>Takes a boolean - argument or - <literal>read-only</literal>. If true, - the directories - <filename>/home</filename> and - <filename>/run/user</filename> are - made inaccessible and empty for - processes invoked by this unit. If set - to <literal>read-only</literal>, the - two directories are made read-only - instead. It is recommended to enable - this setting for all long-running - services (in particular network-facing - ones), to ensure they cannot get access - to private user data, unless the - services actually require access to - the user's private data. Note however - that processes retaining the - CAP_SYS_ADMIN capability can undo the - effect of this setting. This setting - is hence particularly useful for - daemons which have this capability - removed, for example with - <varname>CapabilityBoundingSet=</varname>. Defaults - to off.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>MountFlags=</varname></term> - - <listitem><para>Takes a mount - propagation flag: - <option>shared</option>, - <option>slave</option> or - <option>private</option>, which - control whether mounts in the file - system namespace set up for this - unit's processes will receive or - propagate mounts or unmounts. See - <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry> - for details. Defaults to - <option>shared</option>. Use - <option>shared</option> to ensure that - mounts and unmounts are propagated - from the host to the container and - vice versa. Use <option>slave</option> - to run processes so that none of their - mounts and unmounts will propagate to - the host. Use <option>private</option> - to also ensure that no mounts and - unmounts from the host will propagate - into the unit processes' - namespace. Note that - <option>slave</option> means that file - systems mounted on the host might stay - mounted continuously in the unit's - namespace, and thus keep the device - busy. Note that the file system - namespace related options - (<varname>PrivateTmp=</varname>, - <varname>PrivateDevices=</varname>, - <varname>ProtectSystem=</varname>, - <varname>ProtectHome=</varname>, - <varname>ReadOnlyDirectories=</varname>, - <varname>InaccessibleDirectories=</varname> - and - <varname>ReadWriteDirectories=</varname>) - require that mount and unmount - propagation from the unit's file - system namespace is disabled, and - hence downgrade - <option>shared</option> to - <option>slave</option>. - </para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>UtmpIdentifier=</varname></term> - - <listitem><para>Takes a four - character identifier string for an - utmp/wtmp entry for this service. This - should only be set for services such - as <command>getty</command> - implementations where utmp/wtmp - entries must be created and cleared - before and after execution. If the - configured string is longer than four - characters, it is truncated and the - terminal four characters are - used. This setting interprets %I style - string replacements. This setting is - unset by default, i.e. no utmp/wtmp - entries are created or cleaned up for - this service.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>SELinuxContext=</varname></term> - - <listitem><para>Set the SELinux - security context of the executed - process. If set, this will override - the automated domain - transition. However, the policy still - needs to authorize the transition. This - directive is ignored if SELinux is - disabled. If prefixed by - <literal>-</literal>, all errors will - be ignored. See - <citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry> - for details.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>AppArmorProfile=</varname></term> - - <listitem><para>Takes a profile name as argument. - The process executed by the unit will switch to - this profile when started. Profiles must already - be loaded in the kernel, or the unit will fail. - This result in a non operation if AppArmor is not - enabled. If prefixed by <literal>-</literal>, all errors - will be ignored. - </para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>SmackProcessLabel=</varname></term> - - <listitem><para>Takes a - <option>SMACK64</option> security - label as argument. The process - executed by the unit will be started - under this label and SMACK will decide - whether the processes is allowed to - run or not based on it. The process - will continue to run under the label - specified here unless the executable - has its own - <option>SMACK64EXEC</option> label, in - which case the process will transition - to run under that label. When not - specified, the label that systemd is - running under is used. This directive - is ignored if SMACK is - disabled.</para> - - <para>The value may be prefixed by - <literal>-</literal>, in which case - all errors will be ignored. An empty - value may be specified to unset - previous assignments.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><varname>IgnoreSIGPIPE=</varname></term> - - <listitem><para>Takes a boolean - argument. If true, causes <constant>SIGPIPE</constant> to be - ignored in the executed - process. Defaults to true because - <constant>SIGPIPE</constant> generally is useful only in - shell pipelines.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>NoNewPrivileges=</varname></term> - - <listitem><para>Takes a boolean - argument. If true, ensures that the - service process and all its children - can never gain new privileges. This - option is more powerful than the respective - secure bits flags (see above), as it - also prohibits UID changes of any - kind. This is the simplest, most - effective way to ensure that a process - and its children can never elevate - privileges again.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>SystemCallFilter=</varname></term> - - <listitem><para>Takes a - space-separated list of system call - names. If this setting is used, all - system calls executed by the unit - processes except for the listed ones - will result in immediate process - termination with the - <constant>SIGSYS</constant> signal - (whitelisting). If the first character - of the list is <literal>~</literal>, - the effect is inverted: only the - listed system calls will result in - immediate process termination - (blacklisting). If running in user - mode and this option is used, - <varname>NoNewPrivileges=yes</varname> - is implied. This feature makes use of the - Secure Computing Mode 2 interfaces of - the kernel ('seccomp filtering') and - is useful for enforcing a minimal - sandboxing environment. Note that the - <function>execve</function>, - <function>rt_sigreturn</function>, - <function>sigreturn</function>, - <function>exit_group</function>, - <function>exit</function> system calls - are implicitly whitelisted and do not - need to be listed explicitly. This - option may be specified more than once - in which case the filter masks are - merged. If the empty string is - assigned, the filter is reset, all - prior assignments will have no - effect.</para> - - <para>If you specify both types of - this option (i.e. whitelisting and - blacklisting), the first encountered - will take precedence and will dictate - the default action (termination or - approval of a system call). Then the - next occurrences of this option will - add or delete the listed system calls - from the set of the filtered system - calls, depending of its type and the - default action. (For example, if you have started - with a whitelisting of - <function>read</function> and - <function>write</function>, and right - after it add a blacklisting of - <function>write</function>, then - <function>write</function> will be - removed from the set.) - </para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>SystemCallErrorNumber=</varname></term> - - <listitem><para>Takes an - <literal>errno</literal> error number - name to return when the system call - filter configured with - <varname>SystemCallFilter=</varname> - is triggered, instead of terminating - the process immediately. Takes an - error name such as - <constant>EPERM</constant>, - <constant>EACCES</constant> or - <constant>EUCLEAN</constant>. When this - setting is not used, or when the empty - string is assigned, the process will be - terminated immediately when the filter - is triggered.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>SystemCallArchitectures=</varname></term> - - <listitem><para>Takes a space - separated list of architecture - identifiers to include in the system - call filter. The known architecture - identifiers are - <constant>x86</constant>, - <constant>x86-64</constant>, - <constant>x32</constant>, - <constant>arm</constant> as well as - the special identifier - <constant>native</constant>. Only - system calls of the specified - architectures will be permitted to - processes of this unit. This is an - effective way to disable compatibility - with non-native architectures for - processes, for example to prohibit - execution of 32-bit x86 binaries on - 64-bit x86-64 systems. The special - <constant>native</constant> identifier - implicitly maps to the native - architecture of the system (or more - strictly: to the architecture the - system manager is compiled for). If - running in user mode and this option - is used, - <varname>NoNewPrivileges=yes</varname> - is implied. Note that setting this - option to a non-empty list implies - that <constant>native</constant> is - included too. By default, this option - is set to the empty list, i.e. no - architecture system call filtering is - applied.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>RestrictAddressFamilies=</varname></term> - - <listitem><para>Restricts the set of - socket address families accessible to - the processes of this unit. Takes a - space-separated list of address family - names to whitelist, such as - <constant>AF_UNIX</constant>, - <constant>AF_INET</constant> or - <constant>AF_INET6</constant>. When - prefixed with <constant>~</constant> - the listed address families will be - applied as blacklist, otherwise as - whitelist. Note that this restricts - access to the - <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry> - system call only. Sockets passed into - the process by other means (for - example, by using socket activation - with socket units, see - <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>) - are unaffected. Also, sockets created - with <function>socketpair()</function> - (which creates connected AF_UNIX - sockets only) are unaffected. Note - that this option has no effect on - 32-bit x86 and is ignored (but works - correctly on x86-64). If running in user - mode and this option is used, - <varname>NoNewPrivileges=yes</varname> - is implied. By default, no - restriction applies, all address - families are accessible to - processes. If assigned the empty - string, any previous list changes are - undone.</para> - - <para>Use this option to limit - exposure of processes to remote - systems, in particular via exotic - network protocols. Note that in most - cases, the local - <constant>AF_UNIX</constant> address - family should be included in the - configured whitelist as it is - frequently used for local - communication, including for - <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry> - logging.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>Personality=</varname></term> - - <listitem><para>Controls which - kernel architecture - <citerefentry><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry> - shall report, when invoked by unit - processes. Takes one of - <constant>x86</constant> and - <constant>x86-64</constant>. This is - useful when running 32-bit services on - a 64-bit host system. If not specified, - the personality is left unmodified and - thus reflects the personality of the - host system's - kernel.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>RuntimeDirectory=</varname></term> - <term><varname>RuntimeDirectoryMode=</varname></term> - - <listitem><para>Takes a list of - directory names. If set, one or more - directories by the specified names - will be created below - <filename>/run</filename> (for system - services) or below - <varname>$XDG_RUNTIME_DIR</varname> - (for user services) when the unit is - started, and removed when the unit is - stopped. The directories will have the - access mode specified in - <varname>RuntimeDirectoryMode=</varname>, - and will be owned by the user and - group specified in - <varname>User=</varname> and - <varname>Group=</varname>. Use this to - manage one or more runtime directories - of the unit and bind their lifetime to - the daemon runtime. The specified - directory names must be relative, and - may not include a - <literal>/</literal>, i.e. must refer - to simple directories to create or - remove. This is particularly useful - for unprivileged daemons that cannot - create runtime directories in - <filename>/run</filename> due to lack - of privileges, and to make sure the - runtime directory is cleaned up - automatically after use. For runtime - directories that require more complex - or different configuration or lifetime - guarantees, please consider using - <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem> - </varlistentry> - - </variablelist> - </refsect1> - - <refsect1> - <title>Environment variables in spawned processes</title> - - <para>Processes started by the system are executed in - a clean environment in which select variables - listed below are set. System processes started by systemd - do not inherit variables from PID 1, but processes - started by user systemd instances inherit all - environment variables from the user systemd instance. - </para> - - <variablelist class='environment-variables'> - <varlistentry> - <term><varname>$PATH</varname></term> - - <listitem><para>Colon-separated list - of directories to use when launching - executables. Systemd uses a fixed - value of - <filename>/usr/local/sbin</filename>:<filename>/usr/local/bin</filename>:<filename>/usr/sbin</filename>:<filename>/usr/bin</filename>:<filename>/sbin</filename>:<filename>/bin</filename>. - </para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>$LANG</varname></term> - - <listitem><para>Locale. Can be set in - <citerefentry><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> - or on the kernel command line (see - <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> - and - <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>). - </para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>$USER</varname></term> - <term><varname>$LOGNAME</varname></term> - <term><varname>$HOME</varname></term> - <term><varname>$SHELL</varname></term> - - <listitem><para>User name (twice), home - directory, and the login shell. - The variables are set for the units that - have <varname>User=</varname> set, - which includes user - <command>systemd</command> instances. - See - <citerefentry><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>. - </para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>$XDG_RUNTIME_DIR</varname></term> - - <listitem><para>The directory for volatile - state. Set for the user <command>systemd</command> - instance, and also in user sessions. - See - <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>. - </para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>$XDG_SESSION_ID</varname></term> - <term><varname>$XDG_SEAT</varname></term> - <term><varname>$XDG_VTNR</varname></term> - - <listitem><para>The identifier of the - session, the seat name, and - virtual terminal of the session. Set - by - <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry> - for login sessions. - <varname>$XDG_SEAT</varname> and - <varname>$XDG_VTNR</varname> will - only be set when attached to a seat and a - tty.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>$MAINPID</varname></term> - - <listitem><para>The PID of the units - main process if it is known. This is - only set for control processes as - invoked by - <varname>ExecReload=</varname> and - similar. </para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>$MANAGERPID</varname></term> - - <listitem><para>The PID of the user - <command>systemd</command> instance, - set for processes spawned by it. - </para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>$LISTEN_FDS</varname></term> - <term><varname>$LISTEN_PID</varname></term> - - <listitem><para>Information about file - descriptors passed to a service for - socket activation. See - <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>. - </para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>$TERM</varname></term> - - <listitem><para>Terminal type, set - only for units connected to a terminal - (<varname>StandardInput=tty</varname>, - <varname>StandardOutput=tty</varname>, - or - <varname>StandardError=tty</varname>). - See - <citerefentry project='man-pages'><refentrytitle>termcap</refentrytitle><manvolnum>5</manvolnum></citerefentry>. - </para></listitem> - </varlistentry> - </variablelist> - - <para>Additional variables may be configured by the - following means: for processes spawned in specific - units, use the <varname>Environment=</varname> and - <varname>EnvironmentFile=</varname> options above; to - specify variables globally, use - <varname>DefaultEnvironment=</varname> (see - <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>) - or the kernel option - <varname>systemd.setenv=</varname> (see - <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Additional - variables may also be set through PAM, - cf. <citerefentry project='man-pages'><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> - </refsect1> - - <refsect1> - <title>See Also</title> - <para> - <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, - <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>, - <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry project='man-pages'><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry> - </para> - </refsect1> + <refentryinfo> + <title>systemd.exec</title> + <productname>systemd</productname> + + <authorgroup> + <author> + <contrib>Developer</contrib> + <firstname>Lennart</firstname> + <surname>Poettering</surname> + <email>lennart@poettering.net</email> + </author> + </authorgroup> + </refentryinfo> + + <refmeta> + <refentrytitle>systemd.exec</refentrytitle> + <manvolnum>5</manvolnum> + </refmeta> + + <refnamediv> + <refname>systemd.exec</refname> + <refpurpose>Execution environment configuration</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <para><filename><replaceable>service</replaceable>.service</filename>, + <filename><replaceable>socket</replaceable>.socket</filename>, + <filename><replaceable>mount</replaceable>.mount</filename>, + <filename><replaceable>swap</replaceable>.swap</filename></para> + </refsynopsisdiv> + + <refsect1> + <title>Description</title> + + <para>Unit configuration files for services, sockets, mount + points, and swap devices share a subset of configuration options + which define the execution environment of spawned + processes.</para> + + <para>This man page lists the configuration options shared by + these four unit types. See + <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> + for the common options of all unit configuration files, and + <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + and + <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry> + for more information on the specific unit configuration files. The + execution specific configuration options are configured in the + [Service], [Socket], [Mount], or [Swap] sections, depending on the + unit type.</para> + </refsect1> + + <refsect1> + <title>Options</title> + + <variablelist class='unit-directives'> + + <varlistentry> + <term><varname>WorkingDirectory=</varname></term> + + <listitem><para>Takes an absolute directory path. Sets the + working directory for executed processes. If not set, defaults + to the root directory when systemd is running as a system + instance and the respective user's home directory if run as + user.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>RootDirectory=</varname></term> + + <listitem><para>Takes an absolute directory path. Sets the + root directory for executed processes, with the + <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry> + system call. If this is used, it must be ensured that the + process and all its auxiliary files are available in the + <function>chroot()</function> jail.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>User=</varname></term> + <term><varname>Group=</varname></term> + + <listitem><para>Sets the Unix user or group that the processes + are executed as, respectively. Takes a single user or group + name or ID as argument. If no group is set, the default group + of the user is chosen.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>SupplementaryGroups=</varname></term> + + <listitem><para>Sets the supplementary Unix groups the + processes are executed as. This takes a space-separated list + of group names or IDs. This option may be specified more than + once in which case all listed groups are set as supplementary + groups. When the empty string is assigned the list of + supplementary groups is reset, and all assignments prior to + this one will have no effect. In any way, this option does not + override, but extends the list of supplementary groups + configured in the system group database for the + user.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Nice=</varname></term> + + <listitem><para>Sets the default nice level (scheduling + priority) for executed processes. Takes an integer between -20 + (highest priority) and 19 (lowest priority). See + <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>OOMScoreAdjust=</varname></term> + + <listitem><para>Sets the adjustment level for the + Out-Of-Memory killer for executed processes. Takes an integer + between -1000 (to disable OOM killing for this process) and + 1000 (to make killing of this process under memory pressure + very likely). See <ulink + url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink> + for details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>IOSchedulingClass=</varname></term> + + <listitem><para>Sets the IO scheduling class for executed + processes. Takes an integer between 0 and 3 or one of the + strings <option>none</option>, <option>realtime</option>, + <option>best-effort</option> or <option>idle</option>. See + <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>IOSchedulingPriority=</varname></term> + + <listitem><para>Sets the IO scheduling priority for executed + processes. Takes an integer between 0 (highest priority) and 7 + (lowest priority). The available priorities depend on the + selected IO scheduling class (see above). See + <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>CPUSchedulingPolicy=</varname></term> + + <listitem><para>Sets the CPU scheduling policy for executed + processes. Takes one of + <option>other</option>, + <option>batch</option>, + <option>idle</option>, + <option>fifo</option> or + <option>rr</option>. See + <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>CPUSchedulingPriority=</varname></term> + + <listitem><para>Sets the CPU scheduling priority for executed + processes. The available priority range depends on the + selected CPU scheduling policy (see above). For real-time + scheduling policies an integer between 1 (lowest priority) and + 99 (highest priority) can be used. See + <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for details. </para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>CPUSchedulingResetOnFork=</varname></term> + + <listitem><para>Takes a boolean argument. If true, elevated + CPU scheduling priorities and policies will be reset when the + executed processes fork, and can hence not leak into child + processes. See + <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for details. Defaults to false.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>CPUAffinity=</varname></term> + + <listitem><para>Controls the CPU affinity of the executed + processes. Takes a space-separated list of CPU indices. This + option may be specified more than once in which case the + specified CPU affinity masks are merged. If the empty string + is assigned, the mask is reset, all assignments prior to this + will have no effect. See + <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>UMask=</varname></term> + + <listitem><para>Controls the file mode creation mask. Takes an + access mode in octal notation. See + <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for details. Defaults to 0022.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Environment=</varname></term> + + <listitem><para>Sets environment variables for executed + processes. Takes a space-separated list of variable + assignments. This option may be specified more than once in + which case all listed variables will be set. If the same + variable is set twice, the later setting will override the + earlier setting. If the empty string is assigned to this + option, the list of environment variables is reset, all prior + assignments have no effect. Variable expansion is not + performed inside the strings, however, specifier expansion is + possible. The $ character has no special meaning. If you need + to assign a value containing spaces to a variable, use double + quotes (") for the assignment.</para> + + <para>Example: + <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting> + gives three variables <literal>VAR1</literal>, + <literal>VAR2</literal>, <literal>VAR3</literal> + with the values <literal>word1 word2</literal>, + <literal>word3</literal>, <literal>$word 5 6</literal>. + </para> + + <para> + See + <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> + for details about environment variables.</para></listitem> + </varlistentry> + <varlistentry> + <term><varname>EnvironmentFile=</varname></term> + <listitem><para>Similar to <varname>Environment=</varname> but + reads the environment variables from a text file. The text + file should contain new-line-separated variable assignments. + Empty lines and lines starting with ; or # will be ignored, + which may be used for commenting. A line ending with a + backslash will be concatenated with the following one, + allowing multiline variable definitions. The parser strips + leading and trailing whitespace from the values of + assignments, unless you use double quotes (").</para> + + <para>The argument passed should be an absolute filename or + wildcard expression, optionally prefixed with + <literal>-</literal>, which indicates that if the file does + not exist, it will not be read and no error or warning message + is logged. This option may be specified more than once in + which case all specified files are read. If the empty string + is assigned to this option, the list of file to read is reset, + all prior assignments have no effect.</para> + + <para>The files listed with this directive will be read + shortly before the process is executed (more specifically, + after all processes from a previous unit state terminated. + This means you can generate these files in one unit state, and + read it with this option in the next). Settings from these + files override settings made with + <varname>Environment=</varname>. If the same variable is set + twice from these files, the files will be read in the order + they are specified and the later setting will override the + earlier setting.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>StandardInput=</varname></term> + <listitem><para>Controls where file descriptor 0 (STDIN) of + the executed processes is connected to. Takes one of + <option>null</option>, + <option>tty</option>, + <option>tty-force</option>, + <option>tty-fail</option> or + <option>socket</option>.</para> + + <para>If <option>null</option> is selected, standard input + will be connected to <filename>/dev/null</filename>, i.e. all + read attempts by the process will result in immediate + EOF.</para> + + <para>If <option>tty</option> is selected, standard input is + connected to a TTY (as configured by + <varname>TTYPath=</varname>, see below) and the executed + process becomes the controlling process of the terminal. If + the terminal is already being controlled by another process, + the executed process waits until the current controlling + process releases the terminal.</para> + + <para><option>tty-force</option> is similar to + <option>tty</option>, but the executed process is forcefully + and immediately made the controlling process of the terminal, + potentially removing previous controlling processes from the + terminal.</para> + + <para><option>tty-fail</option> is similar to + <option>tty</option> but if the terminal already has a + controlling process start-up of the executed process + fails.</para> + + <para>The <option>socket</option> option is only valid in + socket-activated services, and only when the socket + configuration file (see + <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry> + for details) specifies a single socket only. If this option is + set, standard input will be connected to the socket the + service was activated from, which is primarily useful for + compatibility with daemons designed for use with the + traditional + <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry> + daemon.</para> + + <para>This setting defaults to + <option>null</option>.</para></listitem> + </varlistentry> + <varlistentry> + <term><varname>StandardOutput=</varname></term> + <listitem><para>Controls where file descriptor 1 (STDOUT) of + the executed processes is connected to. Takes one of + <option>inherit</option>, + <option>null</option>, + <option>tty</option>, + <option>journal</option>, + <option>syslog</option>, + <option>kmsg</option>, + <option>journal+console</option>, + <option>syslog+console</option>, + <option>kmsg+console</option> or + <option>socket</option>.</para> + + <para><option>inherit</option> duplicates the file descriptor + of standard input for standard output.</para> + + <para><option>null</option> connects standard output to + <filename>/dev/null</filename>, i.e. everything written to it + will be lost.</para> + + <para><option>tty</option> connects standard output to a tty + (as configured via <varname>TTYPath=</varname>, see below). If + the TTY is used for output only, the executed process will not + become the controlling process of the terminal, and will not + fail or wait for other processes to release the + terminal.</para> + + <para><option>journal</option> connects standard output with + the journal which is accessible via + <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>. + Note that everything that is written to syslog or kmsg (see + below) is implicitly stored in the journal as well, the + specific two options listed below are hence supersets of this + one.</para> + + <para><option>syslog</option> connects standard output to the + <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> + system syslog service, in addition to the journal. Note that + the journal daemon is usually configured to forward everything + it receives to syslog anyway, in which case this option is no + different from <option>journal</option>.</para> + + <para><option>kmsg</option> connects standard output with the + kernel log buffer which is accessible via + <citerefentry project='man-pages'><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>, + in addition to the journal. The journal daemon might be + configured to send all logs to kmsg anyway, in which case this + option is no different from <option>journal</option>.</para> + + <para><option>journal+console</option>, + <option>syslog+console</option> and + <option>kmsg+console</option> work in a similar way as the + three options above but copy the output to the system console + as well.</para> + + <para><option>socket</option> connects standard output to a + socket acquired via socket activation. The semantics are + similar to the same option of + <varname>StandardInput=</varname>.</para> + + <para>This setting defaults to the value set with + <option>DefaultStandardOutput=</option> in + <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + which defaults to <option>journal</option>.</para></listitem> + </varlistentry> + <varlistentry> + <term><varname>StandardError=</varname></term> + <listitem><para>Controls where file descriptor 2 (STDERR) of + the executed processes is connected to. The available options + are identical to those of <varname>StandardOutput=</varname>, + with one exception: if set to <option>inherit</option> the + file descriptor used for standard output is duplicated for + standard error. This setting defaults to the value set with + <option>DefaultStandardError=</option> in + <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + which defaults to <option>inherit</option>.</para></listitem> + </varlistentry> + <varlistentry> + <term><varname>TTYPath=</varname></term> + <listitem><para>Sets the terminal device node to use if + standard input, output, or error are connected to a TTY (see + above). Defaults to + <filename>/dev/console</filename>.</para></listitem> + </varlistentry> + <varlistentry> + <term><varname>TTYReset=</varname></term> + <listitem><para>Reset the terminal device specified with + <varname>TTYPath=</varname> before and after execution. + Defaults to <literal>no</literal>.</para></listitem> + </varlistentry> + <varlistentry> + <term><varname>TTYVHangup=</varname></term> + <listitem><para>Disconnect all clients which have opened the + terminal device specified with <varname>TTYPath=</varname> + before and after execution. Defaults to + <literal>no</literal>.</para></listitem> + </varlistentry> + <varlistentry> + <term><varname>TTYVTDisallocate=</varname></term> + <listitem><para>If the terminal device specified with + <varname>TTYPath=</varname> is a virtual console terminal, try + to deallocate the TTY before and after execution. This ensures + that the screen and scrollback buffer is cleared. Defaults to + <literal>no</literal>.</para></listitem> + </varlistentry> + <varlistentry> + <term><varname>SyslogIdentifier=</varname></term> + <listitem><para>Sets the process name to prefix log lines sent + to the logging system or the kernel log buffer with. If not + set, defaults to the process name of the executed process. + This option is only useful when + <varname>StandardOutput=</varname> or + <varname>StandardError=</varname> are set to + <option>syslog</option>, <option>journal</option> or + <option>kmsg</option> (or to the same settings in combination + with <option>+console</option>).</para></listitem> + </varlistentry> + <varlistentry> + <term><varname>SyslogFacility=</varname></term> + <listitem><para>Sets the syslog facility to use when logging + to syslog. One of <option>kern</option>, + <option>user</option>, <option>mail</option>, + <option>daemon</option>, <option>auth</option>, + <option>syslog</option>, <option>lpr</option>, + <option>news</option>, <option>uucp</option>, + <option>cron</option>, <option>authpriv</option>, + <option>ftp</option>, <option>local0</option>, + <option>local1</option>, <option>local2</option>, + <option>local3</option>, <option>local4</option>, + <option>local5</option>, <option>local6</option> or + <option>local7</option>. See + <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> + for details. This option is only useful when + <varname>StandardOutput=</varname> or + <varname>StandardError=</varname> are set to + <option>syslog</option>. Defaults to + <option>daemon</option>.</para></listitem> + </varlistentry> + <varlistentry> + <term><varname>SyslogLevel=</varname></term> + <listitem><para>Default syslog level to use when logging to + syslog or the kernel log buffer. One of + <option>emerg</option>, + <option>alert</option>, + <option>crit</option>, + <option>err</option>, + <option>warning</option>, + <option>notice</option>, + <option>info</option>, + <option>debug</option>. See + <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> + for details. This option is only useful when + <varname>StandardOutput=</varname> or + <varname>StandardError=</varname> are set to + <option>syslog</option> or <option>kmsg</option>. Note that + individual lines output by the daemon might be prefixed with a + different log level which can be used to override the default + log level specified here. The interpretation of these prefixes + may be disabled with <varname>SyslogLevelPrefix=</varname>, + see below. For details see + <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>. + + Defaults to + <option>info</option>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>SyslogLevelPrefix=</varname></term> + <listitem><para>Takes a boolean argument. If true and + <varname>StandardOutput=</varname> or + <varname>StandardError=</varname> are set to + <option>syslog</option>, <option>kmsg</option> or + <option>journal</option>, log lines written by the executed + process that are prefixed with a log level will be passed on + to syslog with this log level set but the prefix removed. If + set to false, the interpretation of these prefixes is disabled + and the logged lines are passed on as-is. For details about + this prefixing see + <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>. + Defaults to true.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>TimerSlackNSec=</varname></term> + <listitem><para>Sets the timer slack in nanoseconds for the + executed processes. The timer slack controls the accuracy of + wake-ups triggered by timers. See + <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for more information. Note that in contrast to most other time + span definitions this parameter takes an integer value in + nano-seconds if no unit is specified. The usual time units are + understood too.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>LimitCPU=</varname></term> + <term><varname>LimitFSIZE=</varname></term> + <term><varname>LimitDATA=</varname></term> + <term><varname>LimitSTACK=</varname></term> + <term><varname>LimitCORE=</varname></term> + <term><varname>LimitRSS=</varname></term> + <term><varname>LimitNOFILE=</varname></term> + <term><varname>LimitAS=</varname></term> + <term><varname>LimitNPROC=</varname></term> + <term><varname>LimitMEMLOCK=</varname></term> + <term><varname>LimitLOCKS=</varname></term> + <term><varname>LimitSIGPENDING=</varname></term> + <term><varname>LimitMSGQUEUE=</varname></term> + <term><varname>LimitNICE=</varname></term> + <term><varname>LimitRTPRIO=</varname></term> + <term><varname>LimitRTTIME=</varname></term> + <listitem><para>These settings set both soft and hard limits + of various resources for executed processes. See + <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for details. Use the string <varname>infinity</varname> to + configure no limit on a specific resource.</para></listitem> + + <table> + <title>Limit directives and their equivalent with ulimit</title> + + <tgroup cols='2'> + <colspec colname='directive' /> + <colspec colname='equivalent' /> + <thead> + <row> + <entry>Directive</entry> + <entry>ulimit equivalent</entry> + </row> + </thead> + <tbody> + <row> + <entry>LimitCPU</entry> + <entry>ulimit -t</entry> + </row> + <row> + <entry>LimitFSIZE</entry> + <entry>ulimit -f</entry> + </row> + <row> + <entry>LimitDATA</entry> + <entry>ulimit -d</entry> + </row> + <row> + <entry>LimitSTACK</entry> + <entry>ulimit -s</entry> + </row> + <row> + <entry>LimitCORE</entry> + <entry>ulimit -c</entry> + </row> + <row> + <entry>LimitRSS</entry> + <entry>ulimit -m</entry> + </row> + <row> + <entry>LimitNOFILE</entry> + <entry>ulimit -n</entry> + </row> + <row> + <entry>LimitAS</entry> + <entry>ulimit -v</entry> + </row> + <row> + <entry>LimitNPROC</entry> + <entry>ulimit -u</entry> + </row> + <row> + <entry>LimitMEMLOCK</entry> + <entry>ulimit -l</entry> + </row> + <row> + <entry>LimitLOCKS</entry> + <entry>ulimit -x</entry> + </row> + <row> + <entry>LimitSIGPENDING</entry> + <entry>ulimit -i</entry> + </row> + <row> + <entry>LimitMSGQUEUE</entry> + <entry>ulimit -q</entry> + </row> + <row> + <entry>LimitNICE</entry> + <entry>ulimit -e</entry> + </row> + <row> + <entry>LimitRTPRIO</entry> + <entry>ulimit -r</entry> + </row> + <row> + <entry>LimitRTTIME</entry> + <entry>No equivalent</entry> + </row> + </tbody> + </tgroup> + </table> + </varlistentry> + + <varlistentry> + <term><varname>PAMName=</varname></term> + <listitem><para>Sets the PAM service name to set up a session + as. If set, the executed process will be registered as a PAM + session under the specified service name. This is only useful + in conjunction with the <varname>User=</varname> setting. If + not set, no PAM session will be opened for the executed + processes. See + <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> + for details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>CapabilityBoundingSet=</varname></term> + + <listitem><para>Controls which capabilities to include in the + capability bounding set for the executed process. See + <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> + for details. Takes a whitespace-separated list of capability + names as read by + <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>, + e.g. <constant>CAP_SYS_ADMIN</constant>, + <constant>CAP_DAC_OVERRIDE</constant>, + <constant>CAP_SYS_PTRACE</constant>. Capabilities listed will + be included in the bounding set, all others are removed. If + the list of capabilities is prefixed with + <literal>~</literal>, all but the listed capabilities will be + included, the effect of the assignment inverted. Note that + this option also affects the respective capabilities in the + effective, permitted and inheritable capability sets, on top + of what <varname>Capabilities=</varname> does. If this option + is not used, the capability bounding set is not modified on + process execution, hence no limits on the capabilities of the + process are enforced. This option may appear more than once in + which case the bounding sets are merged. If the empty string + is assigned to this option, the bounding set is reset to the + empty capability set, and all prior settings have no effect. + If set to <literal>~</literal> (without any further argument), + the bounding set is reset to the full set of available + capabilities, also undoing any previous + settings.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>SecureBits=</varname></term> + <listitem><para>Controls the secure bits set for the executed + process. Takes a space-separated combination of options from + the following list: + <option>keep-caps</option>, + <option>keep-caps-locked</option>, + <option>no-setuid-fixup</option>, + <option>no-setuid-fixup-locked</option>, + <option>noroot</option>, and + <option>noroot-locked</option>. + This option may appear more than once in which case the secure + bits are ORed. If the empty string is assigned to this option, + the bits are reset to 0. See + <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> + for details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Capabilities=</varname></term> + <listitem><para>Controls the + <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> + set for the executed process. Take a capability string + describing the effective, permitted and inherited capability + sets as documented in + <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>. + Note that these capability sets are usually influenced (and + filtered) by the capabilities attached to the executed file. + Due to that <varname>CapabilityBoundingSet=</varname> is + probably a much more useful setting.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>ReadWriteDirectories=</varname></term> + <term><varname>ReadOnlyDirectories=</varname></term> + <term><varname>InaccessibleDirectories=</varname></term> + + <listitem><para>Sets up a new file system namespace for + executed processes. These options may be used to limit access + a process might have to the main file system hierarchy. Each + setting takes a space-separated list of absolute directory + paths. Directories listed in + <varname>ReadWriteDirectories=</varname> are accessible from + within the namespace with the same access rights as from + outside. Directories listed in + <varname>ReadOnlyDirectories=</varname> are accessible for + reading only, writing will be refused even if the usual file + access controls would permit this. Directories listed in + <varname>InaccessibleDirectories=</varname> will be made + inaccessible for processes inside the namespace. Note that + restricting access with these options does not extend to + submounts of a directory that are created later on. These + options may be specified more than once in which case all + directories listed will have limited access from within the + namespace. If the empty string is assigned to this option, the + specific list is reset, and all prior assignments have no + effect.</para> + <para>Paths in + <varname>ReadOnlyDirectories=</varname> + and + <varname>InaccessibleDirectories=</varname> + may be prefixed with + <literal>-</literal>, in which case + they will be ignored when they do not + exist. Note that using this + setting will disconnect propagation of + mounts from the service to the host + (propagation in the opposite direction + continues to work). This means that + this setting may not be used for + services which shall be able to + install mount points in the main mount + namespace.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>PrivateTmp=</varname></term> + + <listitem><para>Takes a boolean argument. If true, sets up a + new file system namespace for the executed processes and + mounts private <filename>/tmp</filename> and + <filename>/var/tmp</filename> directories inside it that is + not shared by processes outside of the namespace. This is + useful to secure access to temporary files of the process, but + makes sharing between processes via <filename>/tmp</filename> + or <filename>/var/tmp</filename> impossible. If this is + enabled, all temporary files created by a service in these + directories will be removed after the service is stopped. + Defaults to false. It is possible to run two or more units + within the same private <filename>/tmp</filename> and + <filename>/var/tmp</filename> namespace by using the + <varname>JoinsNamespaceOf=</varname> directive, see + <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> + for details. Note that using this setting will disconnect + propagation of mounts from the service to the host + (propagation in the opposite direction continues to work). + This means that this setting may not be used for services + which shall be able to install mount points in the main mount + namespace.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>PrivateDevices=</varname></term> + + <listitem><para>Takes a boolean argument. If true, sets up a + new /dev namespace for the executed processes and only adds + API pseudo devices such as <filename>/dev/null</filename>, + <filename>/dev/zero</filename> or + <filename>/dev/random</filename> (as well as the pseudo TTY + subsystem) to it, but no physical devices such as + <filename>/dev/sda</filename>. This is useful to securely turn + off physical device access by the executed process. Defaults + to false. Enabling this option will also remove + <constant>CAP_MKNOD</constant> from the capability bounding + set for the unit (see above), and set + <varname>DevicePolicy=closed</varname> (see + <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> + for details). Note that using this setting will disconnect + propagation of mounts from the service to the host + (propagation in the opposite direction continues to work). + This means that this setting may not be used for services + which shall be able to install mount points in the main mount + namespace.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>PrivateNetwork=</varname></term> + + <listitem><para>Takes a boolean argument. If true, sets up a + new network namespace for the executed processes and + configures only the loopback network device + <literal>lo</literal> inside it. No other network devices will + be available to the executed process. This is useful to + securely turn off network access by the executed process. + Defaults to false. It is possible to run two or more units + within the same private network namespace by using the + <varname>JoinsNamespaceOf=</varname> directive, see + <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> + for details. Note that this option will disconnect all socket + families from the host, this includes AF_NETLINK and AF_UNIX. + The latter has the effect that AF_UNIX sockets in the abstract + socket namespace will become unavailable to the processes + (however, those located in the file system will continue to be + accessible).</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>ProtectSystem=</varname></term> + + <listitem><para>Takes a boolean argument or + <literal>full</literal>. If true, mounts the + <filename>/usr</filename> and <filename>/boot</filename> + directories read-only for processes invoked by this unit. If + set to <literal>full</literal>, the <filename>/etc</filename> + directory is mounted read-only, too. This setting ensures that + any modification of the vendor supplied operating system (and + optionally its configuration) is prohibited for the service. + It is recommended to enable this setting for all long-running + services, unless they are involved with system updates or need + to modify the operating system in other ways. Note however + that processes retaining the CAP_SYS_ADMIN capability can undo + the effect of this setting. This setting is hence particularly + useful for daemons which have this capability removed, for + example with <varname>CapabilityBoundingSet=</varname>. + Defaults to off.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>ProtectHome=</varname></term> + + <listitem><para>Takes a boolean argument or + <literal>read-only</literal>. If true, the directories + <filename>/home</filename> and <filename>/run/user</filename> + are made inaccessible and empty for processes invoked by this + unit. If set to <literal>read-only</literal>, the two + directories are made read-only instead. It is recommended to + enable this setting for all long-running services (in + particular network-facing ones), to ensure they cannot get + access to private user data, unless the services actually + require access to the user's private data. Note however that + processes retaining the CAP_SYS_ADMIN capability can undo the + effect of this setting. This setting is hence particularly + useful for daemons which have this capability removed, for + example with <varname>CapabilityBoundingSet=</varname>. + Defaults to off.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>MountFlags=</varname></term> + + <listitem><para>Takes a mount propagation flag: + <option>shared</option>, <option>slave</option> or + <option>private</option>, which control whether mounts in the + file system namespace set up for this unit's processes will + receive or propagate mounts or unmounts. See + <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for details. Defaults to <option>shared</option>. Use + <option>shared</option> to ensure that mounts and unmounts are + propagated from the host to the container and vice versa. Use + <option>slave</option> to run processes so that none of their + mounts and unmounts will propagate to the host. Use + <option>private</option> to also ensure that no mounts and + unmounts from the host will propagate into the unit processes' + namespace. Note that <option>slave</option> means that file + systems mounted on the host might stay mounted continuously in + the unit's namespace, and thus keep the device busy. Note that + the file system namespace related options + (<varname>PrivateTmp=</varname>, + <varname>PrivateDevices=</varname>, + <varname>ProtectSystem=</varname>, + <varname>ProtectHome=</varname>, + <varname>ReadOnlyDirectories=</varname>, + <varname>InaccessibleDirectories=</varname> and + <varname>ReadWriteDirectories=</varname>) require that mount + and unmount propagation from the unit's file system namespace + is disabled, and hence downgrade <option>shared</option> to + <option>slave</option>. </para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>UtmpIdentifier=</varname></term> + + <listitem><para>Takes a four character identifier string for + an utmp/wtmp entry for this service. This should only be set + for services such as <command>getty</command> implementations + where utmp/wtmp entries must be created and cleared before and + after execution. If the configured string is longer than four + characters, it is truncated and the terminal four characters + are used. This setting interprets %I style string + replacements. This setting is unset by default, i.e. no + utmp/wtmp entries are created or cleaned up for this + service.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>SELinuxContext=</varname></term> + + <listitem><para>Set the SELinux security context of the + executed process. If set, this will override the automated + domain transition. However, the policy still needs to + authorize the transition. This directive is ignored if SELinux + is disabled. If prefixed by <literal>-</literal>, all errors + will be ignored. See + <citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry> + for details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>AppArmorProfile=</varname></term> + + <listitem><para>Takes a profile name as argument. The process + executed by the unit will switch to this profile when started. + Profiles must already be loaded in the kernel, or the unit + will fail. This result in a non operation if AppArmor is not + enabled. If prefixed by <literal>-</literal>, all errors will + be ignored. </para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>SmackProcessLabel=</varname></term> + + <listitem><para>Takes a <option>SMACK64</option> security + label as argument. The process executed by the unit will be + started under this label and SMACK will decide whether the + processes is allowed to run or not based on it. The process + will continue to run under the label specified here unless the + executable has its own <option>SMACK64EXEC</option> label, in + which case the process will transition to run under that + label. When not specified, the label that systemd is running + under is used. This directive is ignored if SMACK is + disabled.</para> + + <para>The value may be prefixed by <literal>-</literal>, in + which case all errors will be ignored. An empty value may be + specified to unset previous assignments.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><varname>IgnoreSIGPIPE=</varname></term> + + <listitem><para>Takes a boolean argument. If true, causes + <constant>SIGPIPE</constant> to be ignored in the executed + process. Defaults to true because <constant>SIGPIPE</constant> + generally is useful only in shell pipelines.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>NoNewPrivileges=</varname></term> + + <listitem><para>Takes a boolean argument. If true, ensures + that the service process and all its children can never gain + new privileges. This option is more powerful than the + respective secure bits flags (see above), as it also prohibits + UID changes of any kind. This is the simplest, most effective + way to ensure that a process and its children can never + elevate privileges again.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>SystemCallFilter=</varname></term> + + <listitem><para>Takes a space-separated list of system call + names. If this setting is used, all system calls executed by + the unit processes except for the listed ones will result in + immediate process termination with the + <constant>SIGSYS</constant> signal (whitelisting). If the + first character of the list is <literal>~</literal>, the + effect is inverted: only the listed system calls will result + in immediate process termination (blacklisting). If running in + user mode and this option is used, + <varname>NoNewPrivileges=yes</varname> is implied. This + feature makes use of the Secure Computing Mode 2 interfaces of + the kernel ('seccomp filtering') and is useful for enforcing a + minimal sandboxing environment. Note that the + <function>execve</function>, + <function>rt_sigreturn</function>, + <function>sigreturn</function>, + <function>exit_group</function>, <function>exit</function> + system calls are implicitly whitelisted and do not need to be + listed explicitly. This option may be specified more than once + in which case the filter masks are merged. If the empty string + is assigned, the filter is reset, all prior assignments will + have no effect.</para> + + <para>If you specify both types of this option (i.e. + whitelisting and blacklisting), the first encountered will + take precedence and will dictate the default action + (termination or approval of a system call). Then the next + occurrences of this option will add or delete the listed + system calls from the set of the filtered system calls, + depending of its type and the default action. (For example, if + you have started with a whitelisting of + <function>read</function> and <function>write</function>, and + right after it add a blacklisting of + <function>write</function>, then <function>write</function> + will be removed from the set.) </para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>SystemCallErrorNumber=</varname></term> + + <listitem><para>Takes an <literal>errno</literal> error number + name to return when the system call filter configured with + <varname>SystemCallFilter=</varname> is triggered, instead of + terminating the process immediately. Takes an error name such + as <constant>EPERM</constant>, <constant>EACCES</constant> or + <constant>EUCLEAN</constant>. When this setting is not used, + or when the empty string is assigned, the process will be + terminated immediately when the filter is + triggered.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>SystemCallArchitectures=</varname></term> + + <listitem><para>Takes a space separated list of architecture + identifiers to include in the system call filter. The known + architecture identifiers are <constant>x86</constant>, + <constant>x86-64</constant>, <constant>x32</constant>, + <constant>arm</constant> as well as the special identifier + <constant>native</constant>. Only system calls of the + specified architectures will be permitted to processes of this + unit. This is an effective way to disable compatibility with + non-native architectures for processes, for example to + prohibit execution of 32-bit x86 binaries on 64-bit x86-64 + systems. The special <constant>native</constant> identifier + implicitly maps to the native architecture of the system (or + more strictly: to the architecture the system manager is + compiled for). If running in user mode and this option is + used, <varname>NoNewPrivileges=yes</varname> is implied. Note + that setting this option to a non-empty list implies that + <constant>native</constant> is included too. By default, this + option is set to the empty list, i.e. no architecture system + call filtering is applied.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>RestrictAddressFamilies=</varname></term> + + <listitem><para>Restricts the set of socket address families + accessible to the processes of this unit. Takes a + space-separated list of address family names to whitelist, + such as + <constant>AF_UNIX</constant>, + <constant>AF_INET</constant> or + <constant>AF_INET6</constant>. When + prefixed with <constant>~</constant> the listed address + families will be applied as blacklist, otherwise as whitelist. + Note that this restricts access to the + <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry> + system call only. Sockets passed into the process by other + means (for example, by using socket activation with socket + units, see + <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>) + are unaffected. Also, sockets created with + <function>socketpair()</function> (which creates connected + AF_UNIX sockets only) are unaffected. Note that this option + has no effect on 32-bit x86 and is ignored (but works + correctly on x86-64). If running in user mode and this option + is used, <varname>NoNewPrivileges=yes</varname> is implied. By + default, no restriction applies, all address families are + accessible to processes. If assigned the empty string, any + previous list changes are undone.</para> + + <para>Use this option to limit exposure of processes to remote + systems, in particular via exotic network protocols. Note that + in most cases, the local <constant>AF_UNIX</constant> address + family should be included in the configured whitelist as it is + frequently used for local communication, including for + <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry> + logging.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Personality=</varname></term> + + <listitem><para>Controls which kernel architecture + <citerefentry><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry> + shall report, when invoked by unit processes. Takes one of + <constant>x86</constant> and <constant>x86-64</constant>. This + is useful when running 32-bit services on a 64-bit host + system. If not specified, the personality is left unmodified + and thus reflects the personality of the host system's + kernel.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>RuntimeDirectory=</varname></term> + <term><varname>RuntimeDirectoryMode=</varname></term> + + <listitem><para>Takes a list of directory names. If set, one + or more directories by the specified names will be created + below <filename>/run</filename> (for system services) or below + <varname>$XDG_RUNTIME_DIR</varname> (for user services) when + the unit is started, and removed when the unit is stopped. The + directories will have the access mode specified in + <varname>RuntimeDirectoryMode=</varname>, and will be owned by + the user and group specified in <varname>User=</varname> and + <varname>Group=</varname>. Use this to manage one or more + runtime directories of the unit and bind their lifetime to the + daemon runtime. The specified directory names must be + relative, and may not include a <literal>/</literal>, i.e. + must refer to simple directories to create or remove. This is + particularly useful for unprivileged daemons that cannot + create runtime directories in <filename>/run</filename> due to + lack of privileges, and to make sure the runtime directory is + cleaned up automatically after use. For runtime directories + that require more complex or different configuration or + lifetime guarantees, please consider using + <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1> + <title>Environment variables in spawned processes</title> + + <para>Processes started by the system are executed in a clean + environment in which select variables listed below are set. System + processes started by systemd do not inherit variables from PID 1, + but processes started by user systemd instances inherit all + environment variables from the user systemd instance. + </para> + + <variablelist class='environment-variables'> + <varlistentry> + <term><varname>$PATH</varname></term> + + <listitem><para>Colon-separated list of directories to use + when launching executables. Systemd uses a fixed value of + <filename>/usr/local/sbin</filename>:<filename>/usr/local/bin</filename>:<filename>/usr/sbin</filename>:<filename>/usr/bin</filename>:<filename>/sbin</filename>:<filename>/bin</filename>. + </para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>$LANG</varname></term> + + <listitem><para>Locale. Can be set in + <citerefentry><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> + or on the kernel command line (see + <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> + and + <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>). + </para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>$USER</varname></term> + <term><varname>$LOGNAME</varname></term> + <term><varname>$HOME</varname></term> + <term><varname>$SHELL</varname></term> + + <listitem><para>User name (twice), home directory, and the + login shell. The variables are set for the units that have + <varname>User=</varname> set, which includes user + <command>systemd</command> instances. See + <citerefentry><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>. + </para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>$XDG_RUNTIME_DIR</varname></term> + + <listitem><para>The directory for volatile state. Set for the + user <command>systemd</command> instance, and also in user + sessions. See + <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>. + </para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>$XDG_SESSION_ID</varname></term> + <term><varname>$XDG_SEAT</varname></term> + <term><varname>$XDG_VTNR</varname></term> + + <listitem><para>The identifier of the session, the seat name, + and virtual terminal of the session. Set by + <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry> + for login sessions. <varname>$XDG_SEAT</varname> and + <varname>$XDG_VTNR</varname> will only be set when attached to + a seat and a tty.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>$MAINPID</varname></term> + + <listitem><para>The PID of the units main process if it is + known. This is only set for control processes as invoked by + <varname>ExecReload=</varname> and similar. </para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>$MANAGERPID</varname></term> + + <listitem><para>The PID of the user <command>systemd</command> + instance, set for processes spawned by it. </para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>$LISTEN_FDS</varname></term> + <term><varname>$LISTEN_PID</varname></term> + + <listitem><para>Information about file descriptors passed to a + service for socket activation. See + <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>. + </para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>$TERM</varname></term> + + <listitem><para>Terminal type, set only for units connected to + a terminal (<varname>StandardInput=tty</varname>, + <varname>StandardOutput=tty</varname>, or + <varname>StandardError=tty</varname>). See + <citerefentry project='man-pages'><refentrytitle>termcap</refentrytitle><manvolnum>5</manvolnum></citerefentry>. + </para></listitem> + </varlistentry> + </variablelist> + + <para>Additional variables may be configured by the following + means: for processes spawned in specific units, use the + <varname>Environment=</varname> and + <varname>EnvironmentFile=</varname> options above; to specify + variables globally, use <varname>DefaultEnvironment=</varname> + (see + <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>) + or the kernel option <varname>systemd.setenv=</varname> (see + <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>). + Additional variables may also be set through PAM, + cf. <citerefentry project='man-pages'><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> + </refsect1> + + <refsect1> + <title>See Also</title> + <para> + <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, + <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>, + <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry project='man-pages'><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry> + </para> + </refsect1> </refentry> |