system/systemd
system/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2024-07-21 18:24:38 +00:00
Code Issues Actions 5 Packages Projects Releases Wiki Activity

man: document that StateDirectory= trumps ProtectSystem=strict explicitly

Browse source 
Fixes: #29798
This commit is contained in:
Lennart Poettering 2024-04-22 11:48:20 +02:00
parent 552dc4a97c
commit 04366e0693
1 changed files with 10 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
man/systemd.exec.xml
View file

@ -1396,14 +1396,16 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
mounted read-only, except for the API file system subtrees <filename>/dev/</filename>,
<filename>/proc/</filename> and <filename>/sys/</filename> (protect these directories using
<varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>,
<varname>ProtectControlGroups=</varname>). This setting ensures that any modification of the vendor-supplied
operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is
recommended to enable this setting for all long-running services, unless they are involved with system updates
or need to modify the operating system in other ways. If this option is used,
<varname>ReadWritePaths=</varname> may be used to exclude specific directories from being made read-only. This
setting is implied if <varname>DynamicUser=</varname> is set. This setting cannot ensure protection in all
cases. In general it has the same limitations as <varname>ReadOnlyPaths=</varname>, see below. Defaults to
off.</para>
<varname>ProtectControlGroups=</varname>). This setting ensures that any modification of the
vendor-supplied operating system (and optionally its configuration, and local mounts) is prohibited
for the service. It is recommended to enable this setting for all long-running services, unless they
are involved with system updates or need to modify the operating system in other ways. If this option
is used, <varname>ReadWritePaths=</varname> may be used to exclude specific directories from being
made read-only. Similar, <varname>StateDirectory=</varname>, <varname>LogsDirectory=</varname>, … and
related directory settings (see below) also exclude the specific directories from the effect of
<varname>ProtectSystem=</varname>. This setting is implied if <varname>DynamicUser=</varname> is
set. This setting cannot ensure protection in all cases. In general it has the same limitations as
<varname>ReadOnlyPaths=</varname>, see below. Defaults to off.</para>
<xi:include href="version-info.xml" xpointer="v214"/></listitem>
</varlistentry>