diff options
| author | Lennart Poettering <lennart@poettering.net> | 2024-04-22 11:48:20 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2024-04-22 15:16:54 +0200 |
| commit | 04366e06938c64ff1140a7b82c6cbfd898449c92 (patch) | |
| tree | e53f219fd99cef271356dd15e78b51599c835d66 /man/systemd.exec.xml | |
| parent | man: document explicitly that LogExtraFields= and LogFilterPatterns= are for ... (diff) | |
| download | systemd-04366e06938c64ff1140a7b82c6cbfd898449c92.tar.xz systemd-04366e06938c64ff1140a7b82c6cbfd898449c92.zip | |
man: document that StateDirectory= trumps ProtectSystem=strict explicitly
Fixes: #29798
Diffstat (limited to 'man/systemd.exec.xml')
| -rw-r--r-- | man/systemd.exec.xml | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 7e49d8e267..c11c7db706 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1396,14 +1396,16 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting> mounted read-only, except for the API file system subtrees <filename>/dev/</filename>, <filename>/proc/</filename> and <filename>/sys/</filename> (protect these directories using <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>, - <varname>ProtectControlGroups=</varname>). This setting ensures that any modification of the vendor-supplied - operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is - recommended to enable this setting for all long-running services, unless they are involved with system updates - or need to modify the operating system in other ways. If this option is used, - <varname>ReadWritePaths=</varname> may be used to exclude specific directories from being made read-only. This - setting is implied if <varname>DynamicUser=</varname> is set. This setting cannot ensure protection in all - cases. In general it has the same limitations as <varname>ReadOnlyPaths=</varname>, see below. Defaults to - off.</para> + <varname>ProtectControlGroups=</varname>). This setting ensures that any modification of the + vendor-supplied operating system (and optionally its configuration, and local mounts) is prohibited + for the service. It is recommended to enable this setting for all long-running services, unless they + are involved with system updates or need to modify the operating system in other ways. If this option + is used, <varname>ReadWritePaths=</varname> may be used to exclude specific directories from being + made read-only. Similar, <varname>StateDirectory=</varname>, <varname>LogsDirectory=</varname>, … and + related directory settings (see below) also exclude the specific directories from the effect of + <varname>ProtectSystem=</varname>. This setting is implied if <varname>DynamicUser=</varname> is + set. This setting cannot ensure protection in all cases. In general it has the same limitations as + <varname>ReadOnlyPaths=</varname>, see below. Defaults to off.</para> <xi:include href="version-info.xml" xpointer="v214"/></listitem> </varlistentry> |