| field | value | date |
|---|---|---|
| author | Yu Watanabe <watanabe.yu+github@gmail.com> | 2018-02-21 09:13:11 +0900 |
| committer | Yu Watanabe <watanabe.yu+github@gmail.com> | 2018-02-21 09:18:17 +0900 |
| commit | e4da7d8c796a1fd11ecfa80fb8a48eac9e823f06 (patch) | |
| tree | 27888844d9a4772a1bd94b7bba7620145d9c6935 /man/systemd.exec.xml | |
| parent | 4cac89bd7c449dad262e4b306b76611b80fb51cc (diff) | |
| download | systemd-e4da7d8c796a1fd11ecfa80fb8a48eac9e823f06.tar.gz | |
core: add new option 'tmpfs' to ProtectHome=
This makes the ProtectHome= setting able to take 'tmpfs'. This is mostly
equivalent to `TemporaryFileSystem=/home /run/user /root`.
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- | man/systemd.exec.xml | 26 |
1 files changed, 18 insertions, 8 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 169a449632..3e4a7f3359 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -788,14 +788,24 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting> <varlistentry> <term><varname>ProtectHome=</varname></term> - <listitem><para>Takes a boolean argument or <literal>read-only</literal>. If true, the directories - <filename>/home</filename>, <filename>/root</filename> and <filename>/run/user</filename> are made inaccessible - and empty for processes invoked by this unit. If set to <literal>read-only</literal>, the three directories are - made read-only instead. It is recommended to enable this setting for all long-running services (in particular - network-facing ones), to ensure they cannot get access to private user data, unless the services actually - require access to the user's private data. This setting is implied if <varname>DynamicUser=</varname> is - set. For this setting the same restrictions regarding mount propagation and privileges apply as for - <varname>ReadOnlyPaths=</varname> and related calls, see below.</para></listitem> + <listitem><para>Takes a boolean argument or the special values <literal>read-only</literal> or + <literal>tmpfs</literal>. If true, the directories <filename>/home</filename>, <filename>/root</filename> and + <filename>/run/user</filename> are made inaccessible and empty for processes invoked by this unit. If set to + <literal>read-only</literal>, the three directories are made read-only instead. If set to <literal>tmpfs</literal>, + temporary file systems are mounted on the three directories in read-only mode. The value <literal>tmpfs</literal> + is useful to hide home directories not relevant to the processes invoked by the unit, while necessary directories + are still visible by combining with <varname>BindPaths=</varname> or <varname>BindReadOnlyPaths=</varname>.</para> + + <para>Setting this to <literal>yes</literal> is mostly equivalent to set the three directories in + <varname>InaccessiblePaths=</varname>. 
Similary, <literal>read-only</literal> is mostly equivalent to + <varname>ReadOnlyPaths=</varname>, and <literal>tmpfs</literal> is mostly equivalent to + <varname>TemporaryFileSystem=</varname>.</para> + + <para> It is recommended to enable this setting for all long-running services (in particular network-facing ones), + to ensure they cannot get access to private user data, unless the services actually require access to the user's + private data. This setting is implied if <varname>DynamicUser=</varname> is set. For this setting the same + restrictions regarding mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and related + calls, see below.</para></listitem> </varlistentry> <varlistentry> |
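Review bot: the new `tmpfs` paragraph states that the temporary file systems are mounted on the three directories "in read-only mode", but the next added paragraph then calls the value "mostly equivalent to TemporaryFileSystem=", which by itself does not carry the read-only qualifier; make the two statements agree, for example "mostly equivalent to a read-only TemporaryFileSystem= on the three directories". Also, now that the option has three distinct values, the retained sentence "This setting is implied if DynamicUser= is set" no longer says which value DynamicUser= implies; name it explicitly. Minor wording in the added text: "Similary" should be "Similarly", "mostly equivalent to set the three directories" should be "to setting the three directories", "are still visible by combining with" reads better as "can still be made visible by combining it with", and the stray leading space in "<para> It is recommended" should be dropped.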