mirror of https://github.com/systemd/systemd.git
man: add warnings that Private*= settings are not always applied
parent
2c75fb7330
commit
b023856884
@ -1038,14 +1038,19 @@
<varname>After=</varname> dependencies on all mount units necessary to access <filename>/tmp</filename> and
<filename>/var/tmp</filename>. Moreover an implicitly <varname>After=</varname> ordering on
<citerefentry><refentrytitle>systemd-tmpfiles-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
is added.</para></listitem>
is added.</para>
<para>Note that the implementation of this setting might be impossible (for example if mount namespaces
are not available), and the unit should be written in a way that does not solely rely on this setting for
security.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>PrivateDevices=</varname></term>
<listitem><para>Takes a boolean argument. If true, sets up a new /dev namespace for the executed processes and
only adds API pseudo devices such as <filename>/dev/null</filename>, <filename>/dev/zero</filename> or
<listitem><para>Takes a boolean argument. If true, sets up a new <filename>/dev</filename> mount for the
executed processes and only adds API pseudo devices such as <filename>/dev/null</filename>,
<filename>/dev/zero</filename> or
<filename>/dev/random</filename> (as well as the pseudo TTY subsystem) to it, but no physical devices such as
<filename>/dev/sda</filename>, system memory <filename>/dev/mem</filename>, system ports
<filename>/dev/port</filename> and others. This is useful to securely turn off physical device access by the
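Review bot: the paragraph appended to PrivateTmp= ("might be impossible ... if mount namespaces are not available") does not say what the unit will observe when that happens, i.e. whether the service still starts with a shared /tmp or fails to start, so the advice not to "solely rely on this setting for security" is hard to act on; one sentence naming the observable outcome would fix that. The rewording of PrivateDevices= from "sets up a new /dev namespace" to "sets up a new <filename>/dev</filename> mount" is the right correction, since a private /dev is a mount inside the service's mount namespace, not a namespace of its own.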
@ -1056,8 +1061,8 @@
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details). Note that using this setting will disconnect propagation of mounts from the service to the host
(propagation in the opposite direction continues to work). This means that this setting may not be used for
services which shall be able to install mount points in the main mount namespace. The /dev namespace will be
mounted read-only and 'noexec'. The latter may break old programs which try to set up executable memory by
services which shall be able to install mount points in the main mount namespace. The new <filename>/dev</filename>
will be mounted read-only and 'noexec'. The latter may break old programs which try to set up executable memory by
using <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> of
<filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>. This setting is implied if
<varname>DynamicUser=</varname> is set. For this setting the same restrictions regarding mount propagation and
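Review bot: "The new <filename>/dev</filename> will be mounted read-only and 'noexec'" carries over the bare quoted 'noexec' from the old text while every other token in the same sentence has DocBook markup (<filename>, <citerefentry>, <constant>); for consistency mark it up as <option>noexec</option> or <literal>noexec</literal>. The rest of the rewording correctly follows the "new /dev mount" terminology introduced in the previous hunk instead of "/dev namespace".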
@ -1065,7 +1070,11 @@
If turned on and if running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant>
capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname>
is implied.
</para></listitem>
</para>
<para>Note that the implementation of this setting might be impossible (for example if mount namespaces
are not available), and the unit should be written in a way that does not solely rely on this setting for
security.</para></listitem>
</varlistentry>
<varlistentry>
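Review bot: the warning added to PrivateDevices= repeats the PrivateTmp= text word for word, but this entry has an extra consequence worth spelling out: the sentence just above says <varname>NoNewPrivileges=yes</varname> is implied in user mode or without <constant>CAP_SYS_ADMIN</constant>, and the new paragraph does not say whether that implication still holds when the private /dev cannot be set up. A clause stating what the service is started with in that case would let an operator check whether the protection applied, rather than only being told not to rely on it.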
@ -1076,7 +1085,7 @@
configures only the loopback network device
<literal>lo</literal> inside it. No other network devices will
be available to the executed process. This is useful to
securely turn off network access by the executed process.
turn off network access by the executed process.
Defaults to false. It is possible to run two or more units
within the same private network namespace by using the
<varname>JoinsNamespaceOf=</varname> directive, see
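Review bot: dropping "securely" from "This is useful to securely turn off network access by the executed process" is consistent with the new warnings, but the same wording survives in the PrivateDevices= entry earlier in this diff ("This is useful to securely turn off physical device access by the executed process"); apply the same edit there so the two entries make the same claim about what the setting guarantees.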
@ -1086,7 +1095,11 @@
The latter has the effect that AF_UNIX sockets in the abstract
socket namespace will become unavailable to the processes
(however, those located in the file system will continue to be
accessible).</para></listitem>
accessible).</para>
<para>Note that the implementation of this setting might be impossible (for example if network namespaces
are not available), and the unit should be written in a way that does not solely rely on this setting for
security.</para></listitem>
</varlistentry>
<varlistentry>
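Review bot: the sentence directly above the new paragraph says AF_UNIX sockets in the abstract socket namespace "will become unavailable to the processes"; when the network namespace cannot be created they stay reachable, which is precisely the failure the new paragraph warns about. Tying the two together in one sentence (in that case the abstract socket namespace and all host network devices remain accessible) would make the consequence concrete instead of leaving it as a generic caution.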
@ -1108,7 +1121,11 @@
<para>This setting is particularly useful in conjunction with
<varname>RootDirectory=</varname>/<varname>RootImage=</varname>, as the need to synchronize the user and group
databases in the root directory and on the host is reduced, as the only users and groups who need to be matched
are <literal>root</literal>, <literal>nobody</literal> and the unit's own user and group.</para></listitem>
are <literal>root</literal>, <literal>nobody</literal> and the unit's own user and group.</para>
<para>Note that the implementation of this setting might be impossible (for example if user namespaces
are not available), and the unit should be written in a way that does not solely rely on this setting for
security.</para></listitem>
</varlistentry>
<varlistentry>
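Review bot: the PrivateUsers= warning names "user namespaces" correctly, but the paragraph just above argues that only <literal>root</literal>, <literal>nobody</literal> and the unit's own user and group need to be matched between the <varname>RootDirectory=</varname>/<varname>RootImage=</varname> tree and the host; that only holds while the user namespace is actually applied, so either that paragraph should mention the fallback or the new one should state that the UID/GID mapping is then not performed. This is also the fourth verbatim copy of the same three-line warning in one diff; a single shared paragraph, or a cross-reference to one, would keep the four from drifting apart in later edits.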