1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-23 17:34:00 +03:00

man: add warnings that Private*= settings are not always applied

This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2017-07-11 13:36:15 -04:00
parent 2c75fb7330
commit b023856884

View File

@ -1038,14 +1038,19 @@
<varname>After=</varname> dependencies on all mount units necessary to access <filename>/tmp</filename> and
<filename>/var/tmp</filename>. Moreover an implicitly <varname>After=</varname> ordering on
<citerefentry><refentrytitle>systemd-tmpfiles-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
is added.</para></listitem>
is added.</para>
<para>Note that the implementation of this setting might be impossible (for example if mount namespaces
are not available), and the unit should be written in a way that does not solely rely on this setting for
security.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>PrivateDevices=</varname></term>
<listitem><para>Takes a boolean argument. If true, sets up a new /dev namespace for the executed processes and
only adds API pseudo devices such as <filename>/dev/null</filename>, <filename>/dev/zero</filename> or
<listitem><para>Takes a boolean argument. If true, sets up a new <filename>/dev</filename> mount for the
executed processes and only adds API pseudo devices such as <filename>/dev/null</filename>,
<filename>/dev/zero</filename> or
<filename>/dev/random</filename> (as well as the pseudo TTY subsystem) to it, but no physical devices such as
<filename>/dev/sda</filename>, system memory <filename>/dev/mem</filename>, system ports
<filename>/dev/port</filename> and others. This is useful to securely turn off physical device access by the
@ -1056,8 +1061,8 @@
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details). Note that using this setting will disconnect propagation of mounts from the service to the host
(propagation in the opposite direction continues to work). This means that this setting may not be used for
services which shall be able to install mount points in the main mount namespace. The /dev namespace will be
mounted read-only and 'noexec'. The latter may break old programs which try to set up executable memory by
services which shall be able to install mount points in the main mount namespace. The new <filename>/dev</filename>
will be mounted read-only and 'noexec'. The latter may break old programs which try to set up executable memory by
using <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> of
<filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>. This setting is implied if
<varname>DynamicUser=</varname> is set. For this setting the same restrictions regarding mount propagation and
@ -1065,7 +1070,11 @@
If turned on and if running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant>
capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname>
is implied.
</para></listitem>
</para>
<para>Note that the implementation of this setting might be impossible (for example if mount namespaces
are not available), and the unit should be written in a way that does not solely rely on this setting for
security.</para></listitem>
</varlistentry>
<varlistentry>
@ -1076,7 +1085,7 @@
configures only the loopback network device
<literal>lo</literal> inside it. No other network devices will
be available to the executed process. This is useful to
securely turn off network access by the executed process.
turn off network access by the executed process.
Defaults to false. It is possible to run two or more units
within the same private network namespace by using the
<varname>JoinsNamespaceOf=</varname> directive, see
@ -1086,7 +1095,11 @@
The latter has the effect that AF_UNIX sockets in the abstract
socket namespace will become unavailable to the processes
(however, those located in the file system will continue to be
accessible).</para></listitem>
accessible).</para>
<para>Note that the implementation of this setting might be impossible (for example if network namespaces
are not available), and the unit should be written in a way that does not solely rely on this setting for
security.</para></listitem>
</varlistentry>
<varlistentry>
@ -1108,7 +1121,11 @@
<para>This setting is particularly useful in conjunction with
<varname>RootDirectory=</varname>/<varname>RootImage=</varname>, as the need to synchronize the user and group
databases in the root directory and on the host is reduced, as the only users and groups who need to be matched
are <literal>root</literal>, <literal>nobody</literal> and the unit's own user and group.</para></listitem>
are <literal>root</literal>, <literal>nobody</literal> and the unit's own user and group.</para>
<para>Note that the implementation of this setting might be impossible (for example if user namespaces
are not available), and the unit should be written in a way that does not solely rely on this setting for
security.</para></listitem>
</varlistentry>
<varlistentry>