author: dgcampea <dgcampea@outlook.com> 2021-06-26 13:23:20 +0100
committer: Luca Boccassi <luca.boccassi@gmail.com> 2021-06-27 14:08:05 +0100
commit: e8f4bf33d8a6123ad8ae3955c989e36972f4884d
tree: 33de871afbca642737110e1d13243a8edfb016dc /man/systemd.exec.xml
parent: 56175bc45d3f2df02c02db1255a5c196e35cf45e
man: fix incorrect description regarding DynamicUser= and StateDirectory=
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- man/systemd.exec.xml 13
1 files changed, 6 insertions, 7 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index b17635c5d2..1789d97ce3 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1290,16 +1290,15 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
<varname>RootDirectory=</varname> or <varname>RootImage=</varname> these paths always reside on the host and
are mounted from there into the unit's file system namespace.</para>
- <para>If <varname>DynamicUser=</varname> is used in conjunction with
- <varname>StateDirectory=</varname>, the logic for <varname>CacheDirectory=</varname> and
- <varname>LogsDirectory=</varname> is slightly altered: the directories are created below
- <filename>/var/lib/private</filename>, <filename>/var/cache/private</filename> and
- <filename>/var/log/private</filename>, respectively, which are host directories made inaccessible to
+ <para>If <varname>DynamicUser=</varname> is used, the logic for <varname>CacheDirectory=</varname>,
+ <varname>LogsDirectory=</varname> and <varname>StateDirectory=</varname> is slightly altered: the directories are created below
+ <filename>/var/cache/private</filename>, <filename>/var/log/private</filename> and <filename>/var/lib/private</filename>,
+ respectively, which are host directories made inaccessible to
unprivileged users, which ensures that access to these directories cannot be gained through dynamic
user ID recycling. Symbolic links are created to hide this difference in behaviour. Both from
perspective of the host and from inside the unit, the relevant directories hence always appear
- directly below <filename>/var/lib</filename>, <filename>/var/cache</filename> and
- <filename>/var/log</filename>.</para>
+ directly below <filename>/var/cache</filename>, <filename>/var/log</filename> and
+ <filename>/var/lib</filename>.</para>
<para>Use <varname>RuntimeDirectory=</varname> to manage one or more runtime directories for the unit and bind
their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create
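Review bot: The second added line (`<varname>LogsDirectory=</varname> and <varname>StateDirectory=</varname> is slightly altered: the directories are created below`) runs well past the width of the surrounding lines, while the added line `respectively, which are host directories made inaccessible to` is left short; re-wrap the paragraph so it matches the rest of the file. Since this paragraph is being rewritten anyway, the unchanged sentence "Both from perspective of the host" could also gain its missing article ("from the perspective"). The new ordering is consistent with "respectively": CacheDirectory= pairs with /var/cache/private, LogsDirectory= with /var/log/private and StateDirectory= with /var/lib/private, and the final sentence lists /var/cache, /var/log and /var/lib in the same order.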