path: root/man/systemd.exec.xml
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r--man/systemd.exec.xml46
1 files changed, 28 insertions, 18 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 202b912b55..07da57e11a 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -93,10 +93,10 @@
the specified paths. This is equivalent to having them listed
explicitly in <varname>RequiresMountsFor=</varname>.</para>
- <para>Similar, units with <varname>PrivateTmp=</varname> enabled
- automatically get mount unit dependencies for all mounts
- required to access <filename>/tmp</filename> and
- <filename>/var/tmp</filename>.</para>
+ <para>Similar, units with <varname>PrivateTmp=</varname> enabled automatically get mount unit dependencies for all
+ mounts required to access <filename>/tmp</filename> and <filename>/var/tmp</filename>. They will also gain an
+ automatic <varname>After=</varname> dependency on
+ <citerefentry><refentrytitle>systemd-tmpfiles-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
<para>Units whose standard output or error output is connected to <option>journal</option>, <option>syslog</option>
or <option>kmsg</option> (or their combinations with console output, see below) automatically acquire dependencies
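Review bot: "Similar, units with <varname>PrivateTmp=</varname> enabled" at the top of this hunk should read "Similarly, units with ..."; the typo predates the patch, but the sentence is being rewrapped here anyway. The same sentence still says only "mount unit dependencies" without naming them, while the <varname>PrivateTmp=</varname> entry later in this patch spells out <varname>Requires=</varname> and <varname>After=</varname> on those mount units plus the <varname>After=</varname> on systemd-tmpfiles-setup.service; stating the dependency types here too, or pointing at the <varname>PrivateTmp=</varname> entry, keeps the two descriptions from drifting.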
@@ -859,14 +859,17 @@
<varlistentry>
<term><varname>PAMName=</varname></term>
- <listitem><para>Sets the PAM service name to set up a session
- as. If set, the executed process will be registered as a PAM
- session under the specified service name. This is only useful
- in conjunction with the <varname>User=</varname> setting. If
- not set, no PAM session will be opened for the executed
- processes. See
- <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- for details.</para></listitem>
+ <listitem><para>Sets the PAM service name to set up a session as. If set, the executed process will be
+ registered as a PAM session under the specified service name. This is only useful in conjunction with the
+ <varname>User=</varname> setting, and is otherwise ignored. If not set, no PAM session will be opened for the
+ executed processes. See <citerefentry
+ project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
+ details.</para>
+
+ <para>Note that for each unit making use of this option a PAM session handler process will be maintained as
+ part of the unit and stays around as long as the unit is active, to ensure that appropriate actions can be
+ taken when the unit and hence the PAM session terminates. This process is named <literal>(sd-pam)</literal> and
+ is an immediate child process of the unit's main process.</para></listitem>
</varlistentry>
<varlistentry>
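Review bot: the new paragraph says <literal>(sd-pam)</literal> is an immediate child of the unit's main process and stays around as long as the unit is active, but it does not say what happens when the main process exits before the unit does (Type=forking, or a main process that gets restarted), in which case the helper no longer has that parent; a sentence on how the helper is tracked in that situation would help readers who later find an apparently orphaned <literal>(sd-pam)</literal> in ps output. Minor: "to set up a session as" reads awkwardly; "Sets the PAM service name under which to set up a session" is clearer.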
@@ -1006,8 +1009,11 @@
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
details. This setting is implied if <varname>DynamicUser=</varname> is set. For this setting the same
restrictions regarding mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and
- related calls, see above.</para></listitem>
-
+ related calls, see above. Enabling this setting has the side effect of adding <varname>Requires=</varname> and
+ <varname>After=</varname> dependencies on all mount units necessary to access <filename>/tmp</filename> and
+ <filename>/var/tmp</filename>. Moreover an implicitly <varname>After=</varname> ordering on
+ <citerefentry><refentrytitle>systemd-tmpfiles-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ is added.</para></listitem>
</varlistentry>
<varlistentry>
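Review bot: "Moreover an implicitly <varname>After=</varname> ordering on ... is added" should be "Moreover, an implicit <varname>After=</varname> ordering on ... is added" (the word modifies the noun, so adjective rather than adverb). This sentence also duplicates the <varname>PrivateTmp=</varname> paragraph added to the implicit-dependencies section earlier in this patch; consider keeping the full dependency list in one place and referencing it from the other so the two copies do not diverge.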
@@ -1173,12 +1179,16 @@
<listitem><para>Takes a mount propagation flag: <option>shared</option>, <option>slave</option> or
<option>private</option>, which control whether mounts in the file system namespace set up for this unit's
- processes will receive or propagate mounts or unmounts. See <citerefentry
+ processes will receive or propagate mounts and unmounts. See <citerefentry
project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
details. Defaults to <option>shared</option>. Use <option>shared</option> to ensure that mounts and unmounts
- are propagated from the host to the container and vice versa. Use <option>slave</option> to run processes so
- that none of their mounts and unmounts will propagate to the host. Use <option>private</option> to also ensure
- that no mounts and unmounts from the host will propagate into the unit processes' namespace. Note that
+ are propagated from systemd's namespace to the service's namespace and vice versa. Use <option>slave</option>
+ to run processes so that none of their mounts and unmounts will propagate to the host. Use <option>private</option>
+ to also ensure that no mounts and unmounts from the host will propagate into the unit processes' namespace.
+ If this is set to <option>slave</option> or <option>private</option>, any mounts created by spawned processes
+ will be unmounted after the completion of the current command line of <varname>ExecStartPre=</varname>,
+ <varname>ExecStartPost=</varname>, <varname>ExecStart=</varname>,
+ and <varname>ExecStopPost=</varname>. Note that
<option>slave</option> means that file systems mounted on the host might stay mounted continuously in the
unit's namespace, and thus keep the device busy. Note that the file system namespace related options
(<varname>PrivateTmp=</varname>, <varname>PrivateDevices=</varname>, <varname>ProtectSystem=</varname>,
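Review bot: the new sentence for <option>slave</option> and <option>private</option> says mounts created by spawned processes are unmounted after each command line of <varname>ExecStartPre=</varname>, <varname>ExecStartPost=</varname>, <varname>ExecStart=</varname> and <varname>ExecStopPost=</varname>, but <varname>ExecReload=</varname> and <varname>ExecStop=</varname> are missing from that list; if the omission is intentional it should be stated, because a reader picking <option>slave</option> or <option>private</option> for isolation will otherwise assume mounts are cleaned up after those commands too. Also "which control whether mounts" should be "which controls whether mounts" (the subject is the singular flag), and listing the commands in execution order (<varname>ExecStartPre=</varname>, <varname>ExecStart=</varname>, <varname>ExecStartPost=</varname>, <varname>ExecStopPost=</varname>) would be easier to scan.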