author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2017-09-15 21:24:48 +0200
committer: GitHub <noreply@github.com> 2017-09-15 21:24:48 +0200
commit: 3d7d3cbbdafeb7910d86c386b7ba25c142d6b9ca
tree: 40a33c183435297c7d9a2d56119d4241dbd19552 /man
parent: Merge pull request #6841 from poettering/doc-exit-codes
parent: cryptsetup: make sure we invoke the cryptsetup tools with a shared keyring
Merge pull request #6832 from poettering/keyring-mode
Add KeyringMode unit property to fix cryptsetup key caching
Diffstat (limited to 'man')
-rw-r--r-- man/systemd.exec.xml | 20
1 files changed, 20 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 61e51becc6..f0b48e4a41 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1721,6 +1721,26 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
</varlistentry>
<varlistentry>
+ <term><varname>KeyringMode=</varname></term>
+
+ <listitem><para>Controls how the kernel session keyring is set up for the service (see <citerefentry
+ project='man-pages'><refentrytitle>session-keyring</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
+ details on the session keyring). Takes one of <option>inherit</option>, <option>private</option>,
+ <option>shared</option>. If set to <option>inherit</option> no special keyring setup is done, and the kernel's
+ default behaviour is applied. If <option>private</option> is used a new session keyring is allocated when a
+ service process is invoked, and it is not linked up with any user keyring. This is the recommended setting for
+ system services, as this ensures that multiple services running under the same system user ID (in particular
+ the root user) do not share their key material among each other. If <option>shared</option> is used a new
+ session keyring is allocated as for <option>private</option>, but the user keyring of the user configured with
+ <varname>User=</varname> is linked into it, so that keys assigned to the user may be requested by the unit's
+ processes. In this modes multiple units running processes under the same user ID may share key material. Unless
+ <option>inherit</option> is selected the unique invocation ID for the unit (see below) is added as a protected
+ key by the name <literal>invocation_id</literal> to the newly created session keyring. Defaults to
+ <option>private</option> for the system service manager and to <option>inherit</option> for the user service
+ manager.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>RuntimeDirectory=</varname></term>
<listitem><para>Takes a whitespace-separated list of directory names. The specified directory names must be
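Review bot: typo in the new <literal>KeyringMode=</literal> paragraph, "In this modes multiple units running processes under the same user ID may share key material." should read "In this mode ...". While touching that sentence, it would help readers weighing <option>shared</option> to say plainly that it gives up the isolation the preceding sentence recommends <option>private</option> for: any unit under the same <varname>User=</varname> with <option>shared</option> sees the same user keyring, so it should be chosen only where cross-unit key sharing is actually intended (as the cryptsetup case in this PR). Two smaller points: "Unless <option>inherit</option> is selected the unique invocation ID" needs a comma after "selected", and the text could note that <option>inherit</option> means the service sees whatever session keyring the manager itself has, which is the behaviour the new <option>private</option> default deliberately replaces.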