author | Lennart Poettering <lennart@poettering.net> | 2024-01-16 16:56:12 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2024-01-30 17:07:47 +0100 |
commit | 7704c3474d0f3176f5d84efee5f44f9d815e615f (patch) | |
tree | 50dfd914d282870093f8ff43be2268be151c5bf7 /man/systemd.exec.xml | |
parent | test: add integration test for per-user creds (diff) | |
download | systemd-7704c3474d0f3176f5d84efee5f44f9d815e615f.tar.xz systemd-7704c3474d0f3176f5d84efee5f44f9d815e615f.zip |
man: document new user-scoped credentials
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- | man/systemd.exec.xml | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 42e6ff8fd7..ca20e6e308 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -3396,6 +3396,12 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> for the details about <varname>DevicePolicy=</varname> or <varname>DeviceAllow=</varname>.</para> + <para>Note that encrypted credentials targeted for services of the per-user service manager must be + encrypted with <command>systemd-creds encrypt --user</command>, and those for the system service + manager without the <option>--user</option> switch. Encrypted credentials are always targeted to a + specific user or the system as a whole, and it is ensured that per-user service managers cannot + decrypt secrets intended for the system or for other users.</para> + <para>The credential files/IPC sockets must be accessible to the service manager, but don't have to be directly accessible to the unit's processes: the credential data is read and copied into separate, read-only copies for the unit that are accessible to appropriately privileged processes. This is |
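Review bot: The last sentence of the added paragraph, "it is ensured that per-user service managers cannot decrypt secrets intended for the system or for other users", states a security guarantee in the passive without saying what enforces it or what a unit author sees when the scope is wrong. Since the first sentence already names <command>systemd-creds encrypt --user</command>, consider adding a <citerefentry> to systemd-creds(1) here, in the same style as the systemd.resource-control reference just above, so the guarantee points at the place where the scoping is specified. It would also help to state the failure mode explicitly, namely what happens when a credential encrypted without <option>--user</option> is handed to a unit of the per-user service manager, because that mismatch is the mistake this note exists to prevent. Minor wording: the paragraph uses both "targeted for" and "targeted to"; pick one.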