mirror of https://github.com/systemd/systemd.git synced 2025-01-11 09:18:07 +03:00

man: document explicitly that ReadWritePaths= cannot undo superblock read-only settings

Fixes: 
This commit is contained in:
Lennart Poettering 2023-11-08 15:36:43 +01:00
parent 0bc649d6b0
commit b6be6a6721


@ -1631,7 +1631,12 @@ StateDirectory=aaa/bbb ccc</programlisting>
permit this. Nest <varname>ReadWritePaths=</varname> inside of <varname>ReadOnlyPaths=</varname> in permit this. Nest <varname>ReadWritePaths=</varname> inside of <varname>ReadOnlyPaths=</varname> in
order to provide writable subdirectories within read-only directories. Use order to provide writable subdirectories within read-only directories. Use
<varname>ReadWritePaths=</varname> in order to allow-list specific paths for write access if <varname>ReadWritePaths=</varname> in order to allow-list specific paths for write access if
<varname>ProtectSystem=strict</varname> is used.</para> <varname>ProtectSystem=strict</varname> is used. Note that <varname>ReadWritePaths=</varname> cannot
be used to gain write access to a file system whose superblock is mounted read-only. On Linux, for
each mount point write access is granted only if the mount point itself <emphasis>and</emphasis> the
file system superblock backing it are not marked read-only. <varname>ReadWritePaths=</varname> only
controls the former, not the latter, hence a read-only file system superblock remains
protected.</para>
<para>Paths listed in <varname>InaccessiblePaths=</varname> will be made inaccessible for processes inside <para>Paths listed in <varname>InaccessiblePaths=</varname> will be made inaccessible for processes inside
the namespace along with everything below them in the file system hierarchy. This may be more restrictive than the namespace along with everything below them in the file system hierarchy. This may be more restrictive than
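Review bot: the added sentences explain the two-level read-only model (per-mount-point flag versus superblock flag) but give the reader no way to tell which of the two is blocking writes, so a unit author who hits EROFS despite ReadWritePaths= still has to guess; consider adding one sentence pointing at /proc/self/mountinfo, which reports the per-mount-point options and the superblock options in separate fields (findmnt exposes them as OPTIONS and FS-OPTIONS), since only a read-only entry in the latter is the case this paragraph says ReadWritePaths= cannot override. Minor wording point in the same hunk: "a file system whose superblock is mounted read-only" reads oddly, since it is the file system, not the superblock, that is mounted; "a file system whose superblock is marked read-only" would match the phrasing used two sentences later ("marked read-only").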