author | Lennart Poettering <lennart@poettering.net> | 2024-04-22 13:02:08 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2024-04-22 15:16:54 +0200 |
commit | fef46ffb5b3a98cb557c9f77d230fbb220355b9e (patch) | |
tree | 6208e2068a424bc9b5da4454779e91120b8c7ca2 /man/systemd.exec.xml | |
parent | man: document that "systemctl set-environment" cannot be used to unset env va... (diff) | |
man: document that ReadOnlyPaths= doesn't affect ability to connect to AF_UNIX
Fixes: #23470
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- | man/systemd.exec.xml | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index c11c7db706..44233d0265 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1383,6 +1383,11 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting> accessible to privileged processes. However, most namespacing settings, that will not work on their own in user services, will work when used in conjunction with <varname>PrivateUsers=</varname><option>true</option>.</para> + <para>Note that the various options that turn directories read-only (such as + <varname>ProtectSystem=</varname>, <varname>ReadOnlyPaths=</varname>, …) do not affect the ability for + programs to connect to and communicate with <constant>AF_UNIX</constant> sockets in these + directores. These options cannot be used to lock down access to IPC services hence.</para> + <variablelist class='unit-directives'> <varlistentry> |
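Review bot: The last sentence of the added <para> has a typo, "directores" should be "directories", and the sentence-final "hence" reads awkwardly; consider "Hence, these options cannot be used to lock down access to IPC services." Since the paragraph only says what the read-only options (<varname>ProtectSystem=</varname>, <varname>ReadOnlyPaths=</varname>, …) do not do, it would also help to add a pointer to whichever settings are meant to be used for restricting access to AF_UNIX sockets, so a reader hardening a unit is not left without a next step.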