mirror of
https://github.com/systemd/systemd.git
synced 2024-11-23 10:13:34 +08:00
6ef721cbc7
Enabling these options when not running as root requires a user namespace, so implicitly enable PrivateUsers=. This has a side effect as it changes which users are visible to the unit. However until now these options did not work at all for user units, and in practice just a handful of user units in Fedora, Debian and Ubuntu mistakenly used them (and they have been all fixed since). This fixes the long-standing confusing issue that the user and system units take the same options but the behaviour is wildly (and sometimes silently) different depending on which is which, with user units requiring manually specifiying PrivateUsers= in order for sandboxing options to actually work and not be silently ignored.
21 lines
950 B
XML
21 lines
950 B
XML
<?xml version="1.0"?>
|
|
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
|
|
|
|
<!--
|
|
SPDX-License-Identifier: LGPL-2.1-or-later
|
|
-->
|
|
|
|
<refsect1>
|
|
|
|
<para id="singular">This option is only available for system services, or for services running in per-user
|
|
instances of the service manager in which case <varname>PrivateUsers=</varname> is implicitly enabled
|
|
(requires unprivileged user namespaces support to be enabled in the kernel via the
|
|
<literal>kernel.unprivileged_userns_clone=</literal> sysctl).</para>
|
|
|
|
<para id="plural">These options are only available for system services, or for services running in per-user
|
|
instances of the service manager in which case <varname>PrivateUsers=</varname> is implicitly enabled
|
|
(requires unprivileged user namespaces support to be enabled in the kernel via the
|
|
<literal>kernel.unprivileged_userns_clone=</literal> sysctl).</para>
|
|
|
|
</refsect1>
|