From 5bdf35c14e31549d1113a534ee7da8b937c80e2a Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 31 Oct 2022 12:13:26 +0100 Subject: [PATCH] man: make clear NNP has no effect on processes invoked through systemd-run/at/crontab and such things --- man/systemd.exec.xml | 43 ++++++++++++++++++++++--------------------- 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 50da5e641da..29666b102bc 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -708,27 +708,28 @@ CapabilityBoundingSet=~CAP_B CAP_C setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that a process and its children can never elevate privileges again. Defaults to false, but certain settings override this and ignore the value of this setting. This is the case when - DynamicUser=, - LockPersonality=, - MemoryDenyWriteExecute=, - PrivateDevices=, - ProtectClock=, - ProtectHostname=, - ProtectKernelLogs=, - ProtectKernelModules=, - ProtectKernelTunables=, - RestrictAddressFamilies=, - RestrictNamespaces=, - RestrictRealtime=, - RestrictSUIDSGID=, - SystemCallArchitectures=, - SystemCallFilter=, or - SystemCallLog= are specified. Note that even if this setting is overridden - by them, systemctl show shows the original value of this setting. In case the - service will be run in a new mount namespace anyway and SELinux is disabled, all file systems - are mounted with MS_NOSUID flag. Also see - No New - Privileges Flag. + DynamicUser=, LockPersonality=, + MemoryDenyWriteExecute=, PrivateDevices=, + ProtectClock=, ProtectHostname=, + ProtectKernelLogs=, ProtectKernelModules=, + ProtectKernelTunables=, RestrictAddressFamilies=, + RestrictNamespaces=, RestrictRealtime=, + RestrictSUIDSGID=, SystemCallArchitectures=, + SystemCallFilter=, or SystemCallLog= are specified. Note that + even if this setting is overridden by them, systemctl show shows the original + value of this setting. In case the service will be run in a new mount namespace anyway and SELinux is + disabled, all file systems are mounted with MS_NOSUID flag. Also see No New Privileges + Flag. + + Note that this setting only has an effect on the unit's processes themselves (or any processes + directly or indirectly forked off them). It has no effect on processes potentially invoked on request + of them through tools such as at1p, + crontab1p, + systemd-run1, or + arbitrary IPC services.
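Review bot: The new paragraph at the end of the hunk states that NoNewPrivileges= does not cover processes started via at, crontab, systemd-run or IPC services, but it does not say why, and the reason is the part a reader needs in order to generalise the warning. The no_new_privs flag is a per-process attribute inherited only across fork() and execve(); a command submitted to crond, atd, the service manager (systemd-run talks to PID 1 over D-Bus) or any other daemon is executed from that daemon's context, so it never inherits the flag from the unit that requested it. Suggest adding that sentence, and also tightening the wording: "processes potentially invoked on request of them" reads awkwardly and "arbitrary IPC services" is vague; something like "processes that other services start on their behalf, for example via at(1p), crontab(1p), systemd-run(1), or any IPC service that executes commands for its clients" is clearer. A secondary point: this hunk mixes the content change with a reflow of the list of overriding settings (one per line to two per line), which makes most of the 22 insertions and 21 deletions in the diffstat cosmetic; keeping the reflow in a separate commit would make the actual documentation change reviewable at a glance.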