author: Yu Watanabe <watanabe.yu+github@gmail.com> 2018-02-21 09:13:11 +0900
committer: Yu Watanabe <watanabe.yu+github@gmail.com> 2018-02-21 09:18:17 +0900
commit: e4da7d8c796a1fd11ecfa80fb8a48eac9e823f06
tree: 27888844d9a4772a1bd94b7bba7620145d9c6935 /man/systemd.exec.xml
parent: test: add tests for TemporaryFileSystem=
core: add new option 'tmpfs' to ProtectHome=
This makes the ProtectHome= setting able to take 'tmpfs'. This is mostly equivalent to `TemporaryFileSystem=/home /run/user /root`.
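As an added example (not part of this commit or of the systemd source), a unit file that uses the new value together with BindReadOnlyPaths=, as the new man page text suggests, next to the spelled-out TemporaryFileSystem= form the commit message compares it to. The unit name, binary path, user and the /home/alice/exports directory are assumptions for illustration.

```ini
# exampled.service (added example; unit name, paths and user are assumptions)
[Unit]
Description=Network-facing daemon that needs one exported directory only

[Service]
User=exampled
ExecStart=/usr/local/bin/exampled

# Hide all home directories: /home, /root and /run/user become empty,
# read-only tmpfs mounts in the unit's private mount namespace, so a
# compromised daemon cannot enumerate or read users' private data.
ProtectHome=tmpfs

# Re-expose only the directory the daemon actually needs. The bind mount is
# layered over the empty tmpfs, so /home/alice/exports is visible (read-only
# here) while the rest of /home stays empty.
BindReadOnlyPaths=/home/alice/exports

# The commit message's comparison, spelled out with the general directive.
# ":ro" is given on each mount point to get the read-only mounting that the
# ProtectHome=tmpfs text describes; TemporaryFileSystem= mounts a writable
# tmpfs unless that option is requested. Use one of the two forms, not both.
#TemporaryFileSystem=/home:ro /run/user:ro /root:ro

[Install]
WantedBy=multi-user.target
```

To check the effect without installing the unit, the same properties can be passed to a transient service, e.g. `systemd-run -t -p ProtectHome=tmpfs -p BindReadOnlyPaths=/home/alice/exports findmnt -R /home` (run as root), which should list only the tmpfs on /home and the bind mount beneath it. If the unit also sets DynamicUser=, ProtectHome= is already implied, as the man page text states.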
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r--  man/systemd.exec.xml  26
1 files changed, 18 insertions, 8 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 169a44963..3e4a7f335 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -788,14 +788,24 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
<varlistentry>
<term><varname>ProtectHome=</varname></term>
- <listitem><para>Takes a boolean argument or <literal>read-only</literal>. If true, the directories
- <filename>/home</filename>, <filename>/root</filename> and <filename>/run/user</filename> are made inaccessible
- and empty for processes invoked by this unit. If set to <literal>read-only</literal>, the three directories are
- made read-only instead. It is recommended to enable this setting for all long-running services (in particular
- network-facing ones), to ensure they cannot get access to private user data, unless the services actually
- require access to the user's private data. This setting is implied if <varname>DynamicUser=</varname> is
- set. For this setting the same restrictions regarding mount propagation and privileges apply as for
- <varname>ReadOnlyPaths=</varname> and related calls, see below.</para></listitem>
+ <listitem><para>Takes a boolean argument or the special values <literal>read-only</literal> or
+ <literal>tmpfs</literal>. If true, the directories <filename>/home</filename>, <filename>/root</filename> and
+ <filename>/run/user</filename> are made inaccessible and empty for processes invoked by this unit. If set to
+ <literal>read-only</literal>, the three directories are made read-only instead. If set to <literal>tmpfs</literal>,
+ temporary file systems are mounted on the three directories in read-only mode. The value <literal>tmpfs</literal>
+ is useful to hide home directories not relevant to the processes invoked by the unit, while necessary directories
+ are still visible by combining with <varname>BindPaths=</varname> or <varname>BindReadOnlyPaths=</varname>.</para>
+
+ <para>Setting this to <literal>yes</literal> is mostly equivalent to set the three directories in
+ <varname>InaccessiblePaths=</varname>. Similary, <literal>read-only</literal> is mostly equivalent to
+ <varname>ReadOnlyPaths=</varname>, and <literal>tmpfs</literal> is mostly equivalent to
+ <varname>TemporaryFileSystem=</varname>.</para>
+
+ <para> It is recommended to enable this setting for all long-running services (in particular network-facing ones),
+ to ensure they cannot get access to private user data, unless the services actually require access to the user's
+ private data. This setting is implied if <varname>DynamicUser=</varname> is set. For this setting the same
+ restrictions regarding mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and related
+ calls, see below.</para></listitem>
</varlistentry>
<varlistentry>
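Review bot: the new second paragraph has a typo, "Similary" for "Similarly", and "mostly equivalent to set the three directories in InaccessiblePaths=" should read "mostly equivalent to setting the three directories in InaccessiblePaths=". The third new paragraph also opens with a stray space after the tag (`<para> It is recommended`), unlike the other paragraphs. Beyond wording, the second paragraph calls each value "mostly equivalent" to InaccessiblePaths=, ReadOnlyPaths= or TemporaryFileSystem= without saying how any of them differs, so a reader cannot tell whether, for instance, the read-only mounting that the first paragraph ascribes to tmpfs is one of the differences; one sentence naming the differences (or dropping "mostly" if there are none) would settle it.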