| | |
|---|---|
| author | Lennart Poettering <lennart@poettering.net> (2022-10-31 12:13:26 +0100) |
| committer | Luca Boccassi <luca.boccassi@gmail.com> (2022-10-31 12:53:52 +0100) |
| commit | 5bdf35c14e31549d1113a534ee7da8b937c80e2a (patch) |
| tree | 76db385c35f9c51bf5ab86ca74cc3261382da6ed /man/systemd.exec.xml |
| parent | 6d040d84f58f853ca1a2e0cbb8639a186154bc6a (diff) |
| download | systemd-5bdf35c14e31549d1113a534ee7da8b937c80e2a.tar.gz |
man: make clear NNP has no effect on processes invoked through systemd-run/at/crontab and such things
Diffstat (limited to 'man/systemd.exec.xml')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | man/systemd.exec.xml | 43 |

1 files changed, 22 insertions, 21 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 50da5e641d..29666b102b 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -708,27 +708,28 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting> setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that a process and its children can never elevate privileges again. Defaults to false, but certain settings override this and ignore the value of this setting. This is the case when - <varname>DynamicUser=</varname>, - <varname>LockPersonality=</varname>, - <varname>MemoryDenyWriteExecute=</varname>, - <varname>PrivateDevices=</varname>, - <varname>ProtectClock=</varname>, - <varname>ProtectHostname=</varname>, - <varname>ProtectKernelLogs=</varname>, - <varname>ProtectKernelModules=</varname>, - <varname>ProtectKernelTunables=</varname>, - <varname>RestrictAddressFamilies=</varname>, - <varname>RestrictNamespaces=</varname>, - <varname>RestrictRealtime=</varname>, - <varname>RestrictSUIDSGID=</varname>, - <varname>SystemCallArchitectures=</varname>, - <varname>SystemCallFilter=</varname>, or - <varname>SystemCallLog=</varname> are specified. Note that even if this setting is overridden - by them, <command>systemctl show</command> shows the original value of this setting. In case the - service will be run in a new mount namespace anyway and SELinux is disabled, all file systems - are mounted with <constant>MS_NOSUID</constant> flag. 
Also see - <ulink url="https://docs.kernel.org/userspace-api/no_new_privs.html">No New - Privileges Flag</ulink>.</para></listitem> + <varname>DynamicUser=</varname>, <varname>LockPersonality=</varname>, + <varname>MemoryDenyWriteExecute=</varname>, <varname>PrivateDevices=</varname>, + <varname>ProtectClock=</varname>, <varname>ProtectHostname=</varname>, + <varname>ProtectKernelLogs=</varname>, <varname>ProtectKernelModules=</varname>, + <varname>ProtectKernelTunables=</varname>, <varname>RestrictAddressFamilies=</varname>, + <varname>RestrictNamespaces=</varname>, <varname>RestrictRealtime=</varname>, + <varname>RestrictSUIDSGID=</varname>, <varname>SystemCallArchitectures=</varname>, + <varname>SystemCallFilter=</varname>, or <varname>SystemCallLog=</varname> are specified. Note that + even if this setting is overridden by them, <command>systemctl show</command> shows the original + value of this setting. In case the service will be run in a new mount namespace anyway and SELinux is + disabled, all file systems are mounted with <constant>MS_NOSUID</constant> flag. Also see <ulink + url="https://docs.kernel.org/userspace-api/no_new_privs.html">No New Privileges + Flag</ulink>.</para> + + <para>Note that this setting only has an effect on the unit's processes themselves (or any processes + directly or indirectly forked off them). It has no effect on processes potentially invoked on request + of them through tools such as <citerefentry + project='man-pages'><refentrytitle>at</refentrytitle><manvolnum>1p</manvolnum></citerefentry>, + <citerefentry + project='man-pages'><refentrytitle>crontab</refentrytitle><manvolnum>1p</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>, or + arbitrary IPC services.</para></listitem> </varlistentry> <varlistentry> |
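Review bot: The added paragraph should say why NoNewPrivileges= stops at the unit's own process tree, since that reason is the security-relevant part: no_new_privs is a per-process kernel flag that is inherited only across fork() and execve(), so anything started by a different parent (the cron or at daemon, or the service manager acting on a systemd-run request) never carries it. One sentence to that effect would make clear that the setting hardens the unit's own processes but is not a substitute for restricting what the unit can ask other services to do on its behalf. The phrasing "processes potentially invoked on request of them" also reads awkwardly; "processes that other services start at their request" is clearer. Separately, reflowing the varname list from one setting per line to two per line is whitespace-only and accounts for most of the 22 insertions / 21 deletions, which hides the one-paragraph substantive change; splitting the reflow into its own commit, or dropping it, would make the change easier to review. While this text is being touched, "mounted with <constant>MS_NOSUID</constant> flag" is missing an article ("with the ... flag").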