1SYSTEMD.EXEC(5) systemd.exec SYSTEMD.EXEC(5)
2
3
4
6 systemd.exec - Execution environment configuration
7
9 service.service, socket.socket, mount.mount, swap.swap
10
12 Unit configuration files for services, sockets, mount points, and swap
13 devices share a subset of configuration options which define the
14 execution environment of spawned processes.
15
16 This man page lists the configuration options shared by these four unit
17 types. See systemd.unit(5) for the common options of all unit
18 configuration files, and systemd.service(5), systemd.socket(5),
19 systemd.swap(5), and systemd.mount(5) for more information on the
20 specific unit configuration files. The execution specific configuration
21 options are configured in the [Service], [Socket], [Mount], or [Swap]
22 sections, depending on the unit type.
23
24 In addition, options which control resources through Linux Control
25 Groups (cgroups) are listed in systemd.resource-control(5). Those
26 options complement options listed here.
27
29 A few execution parameters result in additional, automatic dependencies
30 to be added:
31
32 • Units with WorkingDirectory=, RootDirectory=, RootImage=,
33 RuntimeDirectory=, StateDirectory=, CacheDirectory=, LogsDirectory=
34 or ConfigurationDirectory= set automatically gain dependencies of
35 type Requires= and After= on all mount units required to access the
36 specified paths. This is equivalent to having them listed
37 explicitly in RequiresMountsFor=.
38
39 • Similarly, units with PrivateTmp= enabled automatically get mount
40 unit dependencies for all mounts required to access /tmp/ and
41 /var/tmp/. They will also gain an automatic After= dependency on
42 systemd-tmpfiles-setup.service(8).
43
44 • Units whose standard output or error output is connected to journal
45 or kmsg (or their combinations with console output, see below)
46 automatically acquire dependencies of type After= on
47 systemd-journald.socket.
48
49 • Units using LogNamespace= will automatically gain ordering and
50 requirement dependencies on the two socket units associated with
51 systemd-journald@.service instances.
52
54 The following settings may be used to change a service's view of the
55 filesystem. Please note that the paths must be absolute and must not
56 contain a ".." path component.
57
58 WorkingDirectory=
59 Takes a directory path relative to the service's root directory
60 specified by RootDirectory=, or the special value "~". Sets the
61 working directory for executed processes. If set to "~", the home
62 directory of the user specified in User= is used. If not set,
63 defaults to the root directory when systemd is running as a system
64 instance and the respective user's home directory if run as user.
65 If the setting is prefixed with the "-" character, a missing
66 working directory is not considered fatal. If
67 RootDirectory=/RootImage= is not set, then WorkingDirectory= is
68 relative to the root of the system running the service manager.
69 Note that setting this parameter might result in additional
70 dependencies to be added to the unit (see above).
71
72 RootDirectory=
73 Takes a directory path relative to the host's root directory (i.e.
74 the root of the system running the service manager). Sets the root
75 directory for executed processes, with the chroot(2) system call.
76 If this is used, it must be ensured that the process binary and all
77 its auxiliary files are available in the chroot() jail. Note that
78 setting this parameter might result in additional dependencies to
79 be added to the unit (see above).
80
81 The MountAPIVFS= and PrivateUsers= settings are particularly useful
82 in conjunction with RootDirectory=. For details, see below.
83
84 If RootDirectory=/RootImage= are used together with NotifyAccess=
85 the notification socket is automatically mounted from the host into
86 the root environment, to ensure the notification interface can work
87 correctly.
88
89 Note that services using RootDirectory=/RootImage= will not be able
90 to log via the syslog or journal protocols to the host logging
91 infrastructure, unless the relevant sockets are mounted from the
92 host, specifically:
93
94 Example 1. Mounting logging sockets into root environment
95
96 BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
97
98 This option is only available for system services and is not
99 supported for services running in per-user instances of the service
100 manager.
101
102 RootImage=
103 Takes a path to a block device node or regular file as argument.
104 This call is similar to RootDirectory= however mounts a file system
105 hierarchy from a block device node or loopback file instead of a
106 directory. The device node or file system image file needs to
107 contain a file system without a partition table, or a file system
108 within an MBR/MS-DOS or GPT partition table with only a single
109 Linux-compatible partition, or a set of file systems within a GPT
110 partition table that follows the Discoverable Partitions
111 Specification[1].
112
113 When DevicePolicy= is set to "closed" or "strict", or set to "auto"
114 and DeviceAllow= is set, then this setting adds /dev/loop-control
115 with rw mode, "block-loop" and "block-blkext" with rwm mode to
116 DeviceAllow=. See systemd.resource-control(5) for the details about
117 DevicePolicy= or DeviceAllow=. Also, see PrivateDevices= below, as
118 it may change the setting of DevicePolicy=.
119
120 Units making use of RootImage= automatically gain an After=
121 dependency on systemd-udevd.service.
122
123 This option is only available for system services and is not
124 supported for services running in per-user instances of the service
125 manager.
126
127 RootImageOptions=
128 Takes a comma-separated list of mount options that will be used on
129 disk images specified by RootImage=. Optionally a partition name
130 can be prefixed, followed by colon, in case the image has multiple
131 partitions, otherwise partition name "root" is implied. Options for
132 multiple partitions can be specified in a single line with space
133 separators. Assigning an empty string removes previous assignments.
134 Duplicated options are ignored. For a list of valid mount options,
135 please refer to mount(8).
136
137 Valid partition names follow the Discoverable Partitions
138 Specification[1]: root, usr, home, srv, esp, xbootldr, tmp, var.
139
140 This option is only available for system services and is not
141 supported for services running in per-user instances of the service
142 manager.
143
144 RootHash=
145 Takes a data integrity (dm-verity) root hash specified in
146 hexadecimal, or the path to a file containing a root hash in ASCII
147 hexadecimal format. This option enables data integrity checks using
148 dm-verity, if the used image contains the appropriate integrity
149 data (see above) or if RootVerity= is used. The specified hash must
150 match the root hash of integrity data, and is usually at least 256
151 bits (and hence 64 formatted hexadecimal characters) long (in case
152 of SHA256 for example). If this option is not specified, but the
153 image file carries the "user.verity.roothash" extended file
154 attribute (see xattr(7)), then the root hash is read from it, also
155 as formatted hexadecimal characters. If the extended file attribute
156 is not found (or is not supported by the underlying file system),
157 but a file with the .roothash suffix is found next to the image
158 file, bearing otherwise the same name (except if the image has the
159 .raw suffix, in which case the root hash file must not have it in
160 its name), the root hash is read from it and automatically used,
161 also as formatted hexadecimal characters.
162
163 If the disk image contains a separate /usr/ partition it may also
164 be Verity protected, in which case the root hash may configured via
165 an extended attribute "user.verity.usrhash" or a .usrhash file
166 adjacent to the disk image. There's currently no option to
167 configure the root hash for the /usr/ file system via the unit file
168 directly.
169
170 This option is only available for system services and is not
171 supported for services running in per-user instances of the service
172 manager.
173
174 RootHashSignature=
175 Takes a PKCS7 signature of the RootHash= option as a path to a
176 DER-encoded signature file, or as an ASCII base64 string encoding
177 of a DER-encoded signature prefixed by "base64:". The dm-verity
178 volume will only be opened if the signature of the root hash is
179 valid and signed by a public key present in the kernel keyring. If
180 this option is not specified, but a file with the .roothash.p7s
181 suffix is found next to the image file, bearing otherwise the same
182 name (except if the image has the .raw suffix, in which case the
183 signature file must not have it in its name), the signature is read
184 from it and automatically used.
185
186 If the disk image contains a separate /usr/ partition it may also
187 be Verity protected, in which case the signature for the root hash
188 may configured via a .usrhash.p7s file adjacent to the disk image.
189 There's currently no option to configure the root hash signature
190 for the /usr/ via the unit file directly.
191
192 This option is only available for system services and is not
193 supported for services running in per-user instances of the service
194 manager.
195
196 RootVerity=
197 Takes the path to a data integrity (dm-verity) file. This option
198 enables data integrity checks using dm-verity, if RootImage= is
199 used and a root-hash is passed and if the used image itself does
200 not contains the integrity data. The integrity data must be matched
201 by the root hash. If this option is not specified, but a file with
202 the .verity suffix is found next to the image file, bearing
203 otherwise the same name (except if the image has the .raw suffix,
204 in which case the verity data file must not have it in its name),
205 the verity data is read from it and automatically used.
206
207 This option is supported only for disk images that contain a single
208 file system, without an enveloping partition table. Images that
209 contain a GPT partition table should instead include both root file
210 system and matching Verity data in the same image, implementing the
211 Discoverable Partitions Specification[1].
212
213 This option is only available for system services and is not
214 supported for services running in per-user instances of the service
215 manager.
216
217 MountAPIVFS=
218 Takes a boolean argument. If on, a private mount namespace for the
219 unit's processes is created and the API file systems /proc/, /sys/,
220 /dev/ and /run/ (as an empty "tmpfs") are mounted inside of it,
221 unless they are already mounted. Note that this option has no
222 effect unless used in conjunction with RootDirectory=/RootImage= as
223 these four mounts are generally mounted in the host anyway, and
224 unless the root directory is changed, the private mount namespace
225 will be a 1:1 copy of the host's, and include these four mounts.
226 Note that the /dev/ file system of the host is bind mounted if this
227 option is used without PrivateDevices=. To run the service with a
228 private, minimal version of /dev/, combine this option with
229 PrivateDevices=.
230
231 In order to allow propagating mounts at runtime in a safe manner,
232 /run/systemd/propagate on the host will be used to set up new
233 mounts, and /run/host/incoming/ in the private namespace will be
234 used as an intermediate step to store them before being moved to
235 the final mount point.
236
237 This option is only available for system services and is not
238 supported for services running in per-user instances of the service
239 manager.
240
241 ProtectProc=
242 Takes one of "noaccess", "invisible", "ptraceable" or "default"
243 (which it defaults to). When set, this controls the "hidepid="
244 mount option of the "procfs" instance for the unit that controls
245 which directories with process metainformation (/proc/PID) are
246 visible and accessible: when set to "noaccess" the ability to
247 access most of other users' process metadata in /proc/ is taken
248 away for processes of the service. When set to "invisible"
249 processes owned by other users are hidden from /proc/. If
250 "ptraceable" all processes that cannot be ptrace()'ed by a process
251 are hidden to it. If "default" no restrictions on /proc/ access or
252 visibility are made. For further details see The /proc
253 Filesystem[2]. It is generally recommended to run most system
254 services with this option set to "invisible". This option is
255 implemented via file system namespacing, and thus cannot be used
256 with services that shall be able to install mount points in the
257 host file system hierarchy. Note that the root user is unaffected
258 by this option, so to be effective it has to be used together with
259 User= or DynamicUser=yes, and also without the "CAP_SYS_PTRACE"
260 capability, which also allows a process to bypass this feature. It
261 cannot be used for services that need to access metainformation
262 about other users' processes. This option implies MountAPIVFS=.
263
264 If the kernel doesn't support per-mount point hidepid= mount
265 options this setting remains without effect, and the unit's
266 processes will be able to access and see other process as if the
267 option was not used.
268
269 This option is only available for system services and is not
270 supported for services running in per-user instances of the service
271 manager.
272
273 ProcSubset=
274 Takes one of "all" (the default) and "pid". If "pid", all files and
275 directories not directly associated with process management and
276 introspection are made invisible in the /proc/ file system
277 configured for the unit's processes. This controls the "subset="
278 mount option of the "procfs" instance for the unit. For further
279 details see The /proc Filesystem[2]. Note that Linux exposes
280 various kernel APIs via /proc/, which are made unavailable with
281 this setting. Since these APIs are used frequently this option is
282 useful only in a few, specific cases, and is not suitable for most
283 non-trivial programs.
284
285 Much like ProtectProc= above, this is implemented via file system
286 mount namespacing, and hence the same restrictions apply: it is
287 only available to system services, it disables mount propagation to
288 the host mount table, and it implies MountAPIVFS=. Also, like
289 ProtectProc= this setting is gracefully disabled if the used kernel
290 does not support the "subset=" mount option of "procfs".
291
292 BindPaths=, BindReadOnlyPaths=
293 Configures unit-specific bind mounts. A bind mount makes a
294 particular file or directory available at an additional place in
295 the unit's view of the file system. Any bind mounts created with
296 this option are specific to the unit, and are not visible in the
297 host's mount table. This option expects a whitespace separated list
298 of bind mount definitions. Each definition consists of a
299 colon-separated triple of source path, destination path and option
300 string, where the latter two are optional. If only a source path is
301 specified the source and destination is taken to be the same. The
302 option string may be either "rbind" or "norbind" for configuring a
303 recursive or non-recursive bind mount. If the destination path is
304 omitted, the option string must be omitted too. Each bind mount
305 definition may be prefixed with "-", in which case it will be
306 ignored when its source path does not exist.
307
308 BindPaths= creates regular writable bind mounts (unless the source
309 file system mount is already marked read-only), while
310 BindReadOnlyPaths= creates read-only bind mounts. These settings
311 may be used more than once, each usage appends to the unit's list
312 of bind mounts. If the empty string is assigned to either of these
313 two options the entire list of bind mounts defined prior to this is
314 reset. Note that in this case both read-only and regular bind
315 mounts are reset, regardless which of the two settings is used.
316
317 This option is particularly useful when RootDirectory=/RootImage=
318 is used. In this case the source path refers to a path on the host
319 file system, while the destination path refers to a path below the
320 root directory of the unit.
321
322 Note that the destination directory must exist or systemd must be
323 able to create it. Thus, it is not possible to use those options
324 for mount points nested underneath paths specified in
325 InaccessiblePaths=, or under /home/ and other protected directories
326 if ProtectHome=yes is specified. TemporaryFileSystem= with ":ro"
327 or ProtectHome=tmpfs should be used instead.
328
329 This option is only available for system services and is not
330 supported for services running in per-user instances of the service
331 manager.
332
333 MountImages=
334 This setting is similar to RootImage= in that it mounts a file
335 system hierarchy from a block device node or loopback file, but the
336 destination directory can be specified as well as mount options.
337 This option expects a whitespace separated list of mount
338 definitions. Each definition consists of a colon-separated tuple of
339 source path and destination definitions, optionally followed by
340 another colon and a list of mount options.
341
342 Mount options may be defined as a single comma-separated list of
343 options, in which case they will be implicitly applied to the root
344 partition on the image, or a series of colon-separated tuples of
345 partition name and mount options. Valid partition names and mount
346 options are the same as for RootImageOptions= setting described
347 above.
348
349 Each mount definition may be prefixed with "-", in which case it
350 will be ignored when its source path does not exist. The source
351 argument is a path to a block device node or regular file. If
352 source or destination contain a ":", it needs to be escaped as
353 "\:". The device node or file system image file needs to follow the
354 same rules as specified for RootImage=. Any mounts created with
355 this option are specific to the unit, and are not visible in the
356 host's mount table.
357
358 These settings may be used more than once, each usage appends to
359 the unit's list of mount paths. If the empty string is assigned,
360 the entire list of mount paths defined prior to this is reset.
361
362 Note that the destination directory must exist or systemd must be
363 able to create it. Thus, it is not possible to use those options
364 for mount points nested underneath paths specified in
365 InaccessiblePaths=, or under /home/ and other protected directories
366 if ProtectHome=yes is specified.
367
368 When DevicePolicy= is set to "closed" or "strict", or set to "auto"
369 and DeviceAllow= is set, then this setting adds /dev/loop-control
370 with rw mode, "block-loop" and "block-blkext" with rwm mode to
371 DeviceAllow=. See systemd.resource-control(5) for the details about
372 DevicePolicy= or DeviceAllow=. Also, see PrivateDevices= below, as
373 it may change the setting of DevicePolicy=.
374
375 This option is only available for system services and is not
376 supported for services running in per-user instances of the service
377 manager.
378
379 ExtensionImages=
380 This setting is similar to MountImages= in that it mounts a file
381 system hierarchy from a block device node or loopback file, but
382 instead of providing a destination path, an overlay will be set up.
383 This option expects a whitespace separated list of mount
384 definitions. Each definition consists of a source path, optionally
385 followed by a colon and a list of mount options.
386
387 A read-only OverlayFS will be set up on top of /usr/ and /opt/
388 hierarchies. The order in which the images are listed will
389 determine the order in which the overlay is laid down: images
390 specified first to last will result in overlayfs layers bottom to
391 top.
392
393 Mount options may be defined as a single comma-separated list of
394 options, in which case they will be implicitly applied to the root
395 partition on the image, or a series of colon-separated tuples of
396 partition name and mount options. Valid partition names and mount
397 options are the same as for RootImageOptions= setting described
398 above.
399
400 Each mount definition may be prefixed with "-", in which case it
401 will be ignored when its source path does not exist. The source
402 argument is a path to a block device node or regular file. If the
403 source path contains a ":", it needs to be escaped as "\:". The
404 device node or file system image file needs to follow the same
405 rules as specified for RootImage=. Any mounts created with this
406 option are specific to the unit, and are not visible in the host's
407 mount table.
408
409 These settings may be used more than once, each usage appends to
410 the unit's list of image paths. If the empty string is assigned,
411 the entire list of mount paths defined prior to this is reset.
412
413 When DevicePolicy= is set to "closed" or "strict", or set to "auto"
414 and DeviceAllow= is set, then this setting adds /dev/loop-control
415 with rw mode, "block-loop" and "block-blkext" with rwm mode to
416 DeviceAllow=. See systemd.resource-control(5) for the details about
417 DevicePolicy= or DeviceAllow=. Also, see PrivateDevices= below, as
418 it may change the setting of DevicePolicy=.
419
420 This option is only available for system services and is not
421 supported for services running in per-user instances of the service
422 manager.
423
425 These options are only available for system services and are not
426 supported for services running in per-user instances of the service
427 manager.
428
429 User=, Group=
430 Set the UNIX user or group that the processes are executed as,
431 respectively. Takes a single user or group name, or a numeric ID as
432 argument. For system services (services run by the system service
433 manager, i.e. managed by PID 1) and for user services of the root
434 user (services managed by root's instance of systemd --user), the
435 default is "root", but User= may be used to specify a different
436 user. For user services of any other user, switching user identity
437 is not permitted, hence the only valid setting is the same user the
438 user's service manager is running as. If no group is set, the
439 default group of the user is used. This setting does not affect
440 commands whose command line is prefixed with "+".
441
442 Note that this enforces only weak restrictions on the user/group
443 name syntax, but will generate warnings in many cases where
444 user/group names do not adhere to the following rules: the
445 specified name should consist only of the characters a-z, A-Z, 0-9,
446 "_" and "-", except for the first character which must be one of
447 a-z, A-Z and "_" (i.e. digits and "-" are not permitted as first
448 character). The user/group name must have at least one character,
449 and at most 31. These restrictions are made in order to avoid
450 ambiguities and to ensure user/group names and unit files remain
451 portable among Linux systems. For further details on the names
452 accepted and the names warned about see User/Group Name Syntax[3].
453
454 When used in conjunction with DynamicUser= the user/group name
455 specified is dynamically allocated at the time the service is
456 started, and released at the time the service is stopped — unless
457 it is already allocated statically (see below). If DynamicUser= is
458 not used the specified user and group must have been created
459 statically in the user database no later than the moment the
460 service is started, for example using the sysusers.d(5) facility,
461 which is applied at boot or package install time. If the user does
462 not exist by then program invocation will fail.
463
464 If the User= setting is used the supplementary group list is
465 initialized from the specified user's default group list, as
466 defined in the system's user and group database. Additional groups
467 may be configured through the SupplementaryGroups= setting (see
468 below).
469
470 DynamicUser=
471 Takes a boolean parameter. If set, a UNIX user and group pair is
472 allocated dynamically when the unit is started, and released as
473 soon as it is stopped. The user and group will not be added to
474 /etc/passwd or /etc/group, but are managed transiently during
475 runtime. The nss-systemd(8) glibc NSS module provides integration
476 of these dynamic users/groups into the system's user and group
477 databases. The user and group name to use may be configured via
478 User= and Group= (see above). If these options are not used and
479 dynamic user/group allocation is enabled for a unit, the name of
480 the dynamic user/group is implicitly derived from the unit name. If
481 the unit name without the type suffix qualifies as valid user name
482 it is used directly, otherwise a name incorporating a hash of it is
483 used. If a statically allocated user or group of the configured
484 name already exists, it is used and no dynamic user/group is
485 allocated. Note that if User= is specified and the static group
486 with the name exists, then it is required that the static user with
487 the name already exists. Similarly, if Group= is specified and the
488 static user with the name exists, then it is required that the
489 static group with the name already exists. Dynamic users/groups are
490 allocated from the UID/GID range 61184...65519. It is recommended
491 to avoid this range for regular system or login users. At any point
492 in time each UID/GID from this range is only assigned to zero or
493 one dynamically allocated users/groups in use. However, UID/GIDs
494 are recycled after a unit is terminated. Care should be taken that
495 any processes running as part of a unit for which dynamic
496 users/groups are enabled do not leave files or directories owned by
497 these users/groups around, as a different unit might get the same
498 UID/GID assigned later on, and thus gain access to these files or
499 directories. If DynamicUser= is enabled, RemoveIPC= and PrivateTmp=
500 are implied (and cannot be turned off). This ensures that the
501 lifetime of IPC objects and temporary files created by the executed
502 processes is bound to the runtime of the service, and hence the
503 lifetime of the dynamic user/group. Since /tmp/ and /var/tmp/ are
504 usually the only world-writable directories on a system this
505 ensures that a unit making use of dynamic user/group allocation
506 cannot leave files around after unit termination. Furthermore
507 NoNewPrivileges= and RestrictSUIDSGID= are implicitly enabled (and
508 cannot be disabled), to ensure that processes invoked cannot take
509 benefit or create SUID/SGID files or directories. Moreover
510 ProtectSystem=strict and ProtectHome=read-only are implied, thus
511 prohibiting the service to write to arbitrary file system
512 locations. In order to allow the service to write to certain
513 directories, they have to be allow-listed using ReadWritePaths=,
514 but care must be taken so that UID/GID recycling doesn't create
515 security issues involving files created by the service. Use
516 RuntimeDirectory= (see below) in order to assign a writable runtime
517 directory to a service, owned by the dynamic user/group and removed
518 automatically when the unit is terminated. Use StateDirectory=,
519 CacheDirectory= and LogsDirectory= in order to assign a set of
520 writable directories for specific purposes to the service in a way
521 that they are protected from vulnerabilities due to UID reuse (see
522 below). If this option is enabled, care should be taken that the
523 unit's processes do not get access to directories outside of these
524 explicitly configured and managed ones. Specifically, do not use
525 BindPaths= and be careful with AF_UNIX file descriptor passing for
526 directory file descriptors, as this would permit processes to
527 create files or directories owned by the dynamic user/group that
528 are not subject to the lifecycle and access guarantees of the
529 service. Defaults to off.
530
531 SupplementaryGroups=
532 Sets the supplementary Unix groups the processes are executed as.
533 This takes a space-separated list of group names or IDs. This
534 option may be specified more than once, in which case all listed
535 groups are set as supplementary groups. When the empty string is
536 assigned, the list of supplementary groups is reset, and all
537 assignments prior to this one will have no effect. In any way, this
538 option does not override, but extends the list of supplementary
539 groups configured in the system group database for the user. This
540 does not affect commands prefixed with "+".
541
542 PAMName=
543 Sets the PAM service name to set up a session as. If set, the
544 executed process will be registered as a PAM session under the
545 specified service name. This is only useful in conjunction with the
546 User= setting, and is otherwise ignored. If not set, no PAM session
547 will be opened for the executed processes. See pam(8) for details.
548
549 Note that for each unit making use of this option a PAM session
550 handler process will be maintained as part of the unit and stays
551 around as long as the unit is active, to ensure that appropriate
552 actions can be taken when the unit and hence the PAM session
553 terminates. This process is named "(sd-pam)" and is an immediate
554 child process of the unit's main process.
555
556 Note that when this option is used for a unit it is very likely
557 (depending on PAM configuration) that the main unit process will be
558 migrated to its own session scope unit when it is activated. This
559 process will hence be associated with two units: the unit it was
560 originally started from (and for which PAMName= was configured),
561 and the session scope unit. Any child processes of that process
562 will however be associated with the session scope unit only. This
563 has implications when used in combination with NotifyAccess=all, as
564 these child processes will not be able to affect changes in the
565 original unit through notification messages. These messages will be
566 considered belonging to the session scope unit and not the original
567 unit. It is hence not recommended to use PAMName= in combination
568 with NotifyAccess=all.
569
571 These options are only available for system services and are not
572 supported for services running in per-user instances of the service
573 manager.
574
575 CapabilityBoundingSet=
576 Controls which capabilities to include in the capability bounding
577 set for the executed process. See capabilities(7) for details.
578 Takes a whitespace-separated list of capability names, e.g.
579 CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SYS_PTRACE. Capabilities
580 listed will be included in the bounding set, all others are
581 removed. If the list of capabilities is prefixed with "~", all but
582 the listed capabilities will be included, the effect of the
583 assignment inverted. Note that this option also affects the
584 respective capabilities in the effective, permitted and inheritable
585 capability sets. If this option is not used, the capability
586 bounding set is not modified on process execution, hence no limits
587 on the capabilities of the process are enforced. This option may
588 appear more than once, in which case the bounding sets are merged
589 by OR, or by AND if the lines are prefixed with "~" (see below). If
590 the empty string is assigned to this option, the bounding set is
591 reset to the empty capability set, and all prior settings have no
592 effect. If set to "~" (without any further argument), the bounding
593 set is reset to the full set of available capabilities, also
594 undoing any previous settings. This does not affect commands
595 prefixed with "+".
596
597 Use systemd-analyze(1)'s capability command to retrieve a list of
598 capabilities defined on the local system.
599
600 Example: if a unit has the following,
601
602 CapabilityBoundingSet=CAP_A CAP_B
603 CapabilityBoundingSet=CAP_B CAP_C
604
605 then CAP_A, CAP_B, and CAP_C are set. If the second line is
606 prefixed with "~", e.g.,
607
608 CapabilityBoundingSet=CAP_A CAP_B
609 CapabilityBoundingSet=~CAP_B CAP_C
610
611 then, only CAP_A is set.
612
613 AmbientCapabilities=
614 Controls which capabilities to include in the ambient capability
615 set for the executed process. Takes a whitespace-separated list of
616 capability names, e.g. CAP_SYS_ADMIN, CAP_DAC_OVERRIDE,
617 CAP_SYS_PTRACE. This option may appear more than once in which case
618 the ambient capability sets are merged (see the above examples in
619 CapabilityBoundingSet=). If the list of capabilities is prefixed
620 with "~", all but the listed capabilities will be included, the
621 effect of the assignment inverted. If the empty string is assigned
622 to this option, the ambient capability set is reset to the empty
623 capability set, and all prior settings have no effect. If set to
624 "~" (without any further argument), the ambient capability set is
625 reset to the full set of available capabilities, also undoing any
626 previous settings. Note that adding capabilities to ambient
627 capability set adds them to the process's inherited capability set.
628
629 Ambient capability sets are useful if you want to execute a process
630 as a non-privileged user but still want to give it some
631 capabilities. Note that in this case option keep-caps is
632 automatically added to SecureBits= to retain the capabilities over
633 the user change. AmbientCapabilities= does not affect commands
634 prefixed with "+".
635
637 NoNewPrivileges=
638 Takes a boolean argument. If true, ensures that the service process
639 and all its children can never gain new privileges through execve()
640 (e.g. via setuid or setgid bits, or filesystem capabilities). This
641 is the simplest and most effective way to ensure that a process and
642 its children can never elevate privileges again. Defaults to false,
643 but certain settings override this and ignore the value of this
644 setting. This is the case when DynamicUser=, LockPersonality=,
645 MemoryDenyWriteExecute=, PrivateDevices=, ProtectClock=,
646 ProtectHostname=, ProtectKernelLogs=, ProtectKernelModules=,
647 ProtectKernelTunables=, RestrictAddressFamilies=,
648 RestrictNamespaces=, RestrictRealtime=, RestrictSUIDSGID=,
649 SystemCallArchitectures=, SystemCallFilter=, or SystemCallLog= are
650 specified. Note that even if this setting is overridden by them,
651 systemctl show shows the original value of this setting. In case
652 the service will be run in a new mount namespace anyway and SELinux
653 is disabled, all file systems are mounted with MS_NOSUID flag. Also
654 see No New Privileges Flag[4].
655
656 SecureBits=
657 Controls the secure bits set for the executed process. Takes a
658 space-separated combination of options from the following list:
659 keep-caps, keep-caps-locked, no-setuid-fixup,
660 no-setuid-fixup-locked, noroot, and noroot-locked. This option may
661 appear more than once, in which case the secure bits are ORed. If
662 the empty string is assigned to this option, the bits are reset to
663 0. This does not affect commands prefixed with "+". See
664 capabilities(7) for details.
665
667 These options are only available for system services and are not
668 supported for services running in per-user instances of the service
669 manager.
670
671 SELinuxContext=
672 Set the SELinux security context of the executed process. If set,
673 this will override the automated domain transition. However, the
674 policy still needs to authorize the transition. This directive is
675 ignored if SELinux is disabled. If prefixed by "-", all errors will
676 be ignored. This does not affect commands prefixed with "+". See
677 setexeccon(3) for details.
678
679 AppArmorProfile=
680 Takes a profile name as argument. The process executed by the unit
681 will switch to this profile when started. Profiles must already be
682 loaded in the kernel, or the unit will fail. If prefixed by "-",
683 all errors will be ignored. This setting has no effect if AppArmor
684 is not enabled. This setting does not affect commands prefixed with
685 "+".
686
687 SmackProcessLabel=
688 Takes a SMACK64 security label as argument. The process executed by
689 the unit will be started under this label and SMACK will decide
690 whether the process is allowed to run or not, based on it. The
691 process will continue to run under the label specified here unless
692 the executable has its own SMACK64EXEC label, in which case the
693 process will transition to run under that label. When not
694 specified, the label that systemd is running under is used. This
695 directive is ignored if SMACK is disabled.
696
697 The value may be prefixed by "-", in which case all errors will be
698 ignored. An empty value may be specified to unset previous
699 assignments. This does not affect commands prefixed with "+".
700
702 LimitCPU=, LimitFSIZE=, LimitDATA=, LimitSTACK=, LimitCORE=, LimitRSS=,
703 LimitNOFILE=, LimitAS=, LimitNPROC=, LimitMEMLOCK=, LimitLOCKS=,
704 LimitSIGPENDING=, LimitMSGQUEUE=, LimitNICE=, LimitRTPRIO=,
705 LimitRTTIME=
706 Set soft and hard limits on various resources for executed
707 processes. See setrlimit(2) for details on the resource limit
708 concept. Resource limits may be specified in two formats: either as
709 single value to set a specific soft and hard limit to the same
710 value, or as colon-separated pair soft:hard to set both limits
711 individually (e.g. "LimitAS=4G:16G"). Use the string infinity to
712 configure no limit on a specific resource. The multiplicative
713 suffixes K, M, G, T, P and E (to the base 1024) may be used for
714 resource limits measured in bytes (e.g. "LimitAS=16G"). For the
715 limits referring to time values, the usual time units ms, s, min, h
716 and so on may be used (see systemd.time(7) for details). Note that
717 if no time unit is specified for LimitCPU= the default unit of
718 seconds is implied, while for LimitRTTIME= the default unit of
719 microseconds is implied. Also, note that the effective granularity
720 of the limits might influence their enforcement. For example, time
721 limits specified for LimitCPU= will be rounded up implicitly to
722 multiples of 1s. For LimitNICE= the value may be specified in two
723 syntaxes: if prefixed with "+" or "-", the value is understood as
724 regular Linux nice value in the range -20...19. If not prefixed
725 like this the value is understood as raw resource limit parameter
726 in the range 0...40 (with 0 being equivalent to 1).
727
728 Note that most process resource limits configured with these
729 options are per-process, and processes may fork in order to acquire
730 a new set of resources that are accounted independently of the
731 original process, and may thus escape limits set. Also note that
732 LimitRSS= is not implemented on Linux, and setting it has no
733 effect. Often it is advisable to prefer the resource controls
734 listed in systemd.resource-control(5) over these per-process
735 limits, as they apply to services as a whole, may be altered
736 dynamically at runtime, and are generally more expressive. For
737 example, MemoryMax= is a more powerful (and working) replacement
738 for LimitRSS=.
739
740 Resource limits not configured explicitly for a unit default to the
741 value configured in the various DefaultLimitCPU=,
742 DefaultLimitFSIZE=, ... options available in systemd-
743 system.conf(5), and – if not configured there – the kernel or
744 per-user defaults, as defined by the OS (the latter only for user
745 services, see below).
746
747 For system units these resource limits may be chosen freely. When
748 these settings are configured in a user service (i.e. a service run
749 by the per-user instance of the service manager) they cannot be
750 used to raise the limits above those set for the user manager
751 itself when it was first invoked, as the user's service manager
752 generally lacks the privileges to do so. In user context these
753 configuration options are hence only useful to lower the limits
754 passed in or to raise the soft limit to the maximum of the hard
755 limit as configured for the user. To raise the user's limits
756 further, the available configuration mechanisms differ between
757 operating systems, but typically require privileges. In most cases
758 it is possible to configure higher per-user resource limits via PAM
759 or by setting limits on the system service encapsulating the user's
760 service manager, i.e. the user's instance of user@.service. After
761 making such changes, make sure to restart the user's service
762 manager.
763
764 Table 1. Resource limit directives, their equivalent ulimit shell
765 commands and the unit used
766 ┌─────────────────┬───────────────────┬─────────────────────┐
767 │Directive │ ulimit equivalent │ Unit │
768 ├─────────────────┼───────────────────┼─────────────────────┤
769 │LimitCPU= │ ulimit -t │ Seconds │
770 ├─────────────────┼───────────────────┼─────────────────────┤
771 │LimitFSIZE= │ ulimit -f │ Bytes │
772 ├─────────────────┼───────────────────┼─────────────────────┤
773 │LimitDATA= │ ulimit -d │ Bytes │
774 ├─────────────────┼───────────────────┼─────────────────────┤
775 │LimitSTACK= │ ulimit -s │ Bytes │
776 ├─────────────────┼───────────────────┼─────────────────────┤
777 │LimitCORE= │ ulimit -c │ Bytes │
778 ├─────────────────┼───────────────────┼─────────────────────┤
779 │LimitRSS= │ ulimit -m │ Bytes │
780 ├─────────────────┼───────────────────┼─────────────────────┤
781 │LimitNOFILE= │ ulimit -n │ Number of File │
782 │ │ │ Descriptors │
783 ├─────────────────┼───────────────────┼─────────────────────┤
784 │LimitAS= │ ulimit -v │ Bytes │
785 ├─────────────────┼───────────────────┼─────────────────────┤
786 │LimitNPROC= │ ulimit -u │ Number of Processes │
787 ├─────────────────┼───────────────────┼─────────────────────┤
788 │LimitMEMLOCK= │ ulimit -l │ Bytes │
789 ├─────────────────┼───────────────────┼─────────────────────┤
790 │LimitLOCKS= │ ulimit -x │ Number of Locks │
791 ├─────────────────┼───────────────────┼─────────────────────┤
792 │LimitSIGPENDING= │ ulimit -i │ Number of Queued │
793 │ │ │ Signals │
794 ├─────────────────┼───────────────────┼─────────────────────┤
795 │LimitMSGQUEUE= │ ulimit -q │ Bytes │
796 ├─────────────────┼───────────────────┼─────────────────────┤
797 │LimitNICE= │ ulimit -e │ Nice Level │
798 ├─────────────────┼───────────────────┼─────────────────────┤
799 │LimitRTPRIO= │ ulimit -r │ Realtime Priority │
800 ├─────────────────┼───────────────────┼─────────────────────┤
801 │LimitRTTIME= │ No equivalent │ Microseconds │
802 └─────────────────┴───────────────────┴─────────────────────┘
803
804 UMask=
805 Controls the file mode creation mask. Takes an access mode in octal
806 notation. See umask(2) for details. Defaults to 0022 for system
807 units. For user units the default value is inherited from the
808 per-user service manager (whose default is in turn inherited from
809 the system service manager, and thus typically also is 0022 —
810 unless overridden by a PAM module). In order to change the per-user
811 mask for all user services, consider setting the UMask= setting of
812 the user's user@.service system service instance. The per-user
813 umask may also be set via the umask field of a user's JSON User
814 Record[5] (for users managed by systemd-homed.service(8) this field
815 may be controlled via homectl --umask=). It may also be set via a
816 PAM module, such as pam_umask(8).
817
818 CoredumpFilter=
819 Controls which types of memory mappings will be saved if the
820 process dumps core (using the /proc/pid/coredump_filter file).
821 Takes a whitespace-separated combination of mapping type names or
822 numbers (with the default base 16). Mapping type names are
823 private-anonymous, shared-anonymous, private-file-backed,
824 shared-file-backed, elf-headers, private-huge, shared-huge,
825 private-dax, shared-dax, and the special values all (all types) and
826 default (the kernel default of "private-anonymous shared-anonymous
827 elf-headers private-huge"). See core(5) for the meaning of the
828 mapping types. When specified multiple times, all specified masks
829 are ORed. When not set, or if the empty value is assigned, the
830 inherited value is not changed.
831
832 Example 2. Add DAX pages to the dump filter
833
834 CoredumpFilter=default private-dax shared-dax
835
836 KeyringMode=
837 Controls how the kernel session keyring is set up for the service
838 (see session-keyring(7) for details on the session keyring). Takes
839 one of inherit, private, shared. If set to inherit no special
840 keyring setup is done, and the kernel's default behaviour is
841 applied. If private is used a new session keyring is allocated when
842 a service process is invoked, and it is not linked up with any user
843 keyring. This is the recommended setting for system services, as
844 this ensures that multiple services running under the same system
845 user ID (in particular the root user) do not share their key
846 material among each other. If shared is used a new session keyring
847 is allocated as for private, but the user keyring of the user
848 configured with User= is linked into it, so that keys assigned to
849 the user may be requested by the unit's processes. In this modes
850 multiple units running processes under the same user ID may share
851 key material. Unless inherit is selected the unique invocation ID
852 for the unit (see below) is added as a protected key by the name
853 "invocation_id" to the newly created session keyring. Defaults to
854 private for services of the system service manager and to inherit
855 for non-service units and for services of the user service manager.
856
857 OOMScoreAdjust=
858 Sets the adjustment value for the Linux kernel's Out-Of-Memory
859 (OOM) killer score for executed processes. Takes an integer between
860 -1000 (to disable OOM killing of processes of this unit) and 1000
861 (to make killing of processes of this unit under memory pressure
862 very likely). See proc.txt[6] for details. If not specified
863 defaults to the OOM score adjustment level of the service manager
864 itself, which is normally at 0.
865
866 Use the OOMPolicy= setting of service units to configure how the
867 service manager shall react to the kernel OOM killer terminating a
868 process of the service. See systemd.service(5) for details.
869
870 TimerSlackNSec=
871 Sets the timer slack in nanoseconds for the executed processes. The
872 timer slack controls the accuracy of wake-ups triggered by timers.
873 See prctl(2) for more information. Note that in contrast to most
874 other time span definitions this parameter takes an integer value
875 in nano-seconds if no unit is specified. The usual time units are
876 understood too.
877
878 Personality=
879 Controls which kernel architecture uname(2) shall report, when
880 invoked by unit processes. Takes one of the architecture
881 identifiers x86, x86-64, ppc, ppc-le, ppc64, ppc64-le, s390 or
882 s390x. Which personality architectures are supported depends on the
883 system architecture. Usually the 64bit versions of the various
884 system architectures support their immediate 32bit personality
885 architecture counterpart, but no others. For example, x86-64
886 systems support the x86-64 and x86 personalities but no others. The
887 personality feature is useful when running 32-bit services on a
888 64-bit host system. If not specified, the personality is left
889 unmodified and thus reflects the personality of the host system's
890 kernel.
891
892 IgnoreSIGPIPE=
893 Takes a boolean argument. If true, causes SIGPIPE to be ignored in
894 the executed process. Defaults to true because SIGPIPE generally is
895 useful only in shell pipelines.
896
898 Nice=
899 Sets the default nice level (scheduling priority) for executed
900 processes. Takes an integer between -20 (highest priority) and 19
901 (lowest priority). In case of resource contention, smaller values
902 mean more resources will be made available to the unit's processes,
903 larger values mean less resources will be made available. See
904 setpriority(2) for details.
905
906 CPUSchedulingPolicy=
907 Sets the CPU scheduling policy for executed processes. Takes one of
908 other, batch, idle, fifo or rr. See sched_setscheduler(2) for
909 details.
910
911 CPUSchedulingPriority=
912 Sets the CPU scheduling priority for executed processes. The
913 available priority range depends on the selected CPU scheduling
914 policy (see above). For real-time scheduling policies an integer
915 between 1 (lowest priority) and 99 (highest priority) can be used.
916 In case of CPU resource contention, smaller values mean less CPU
917 time is made available to the service, larger values mean more. See
918 sched_setscheduler(2) for details.
919
920 CPUSchedulingResetOnFork=
921 Takes a boolean argument. If true, elevated CPU scheduling
922 priorities and policies will be reset when the executed processes
923 call fork(2), and can hence not leak into child processes. See
924 sched_setscheduler(2) for details. Defaults to false.
925
926 CPUAffinity=
927 Controls the CPU affinity of the executed processes. Takes a list
928 of CPU indices or ranges separated by either whitespace or commas.
929 Alternatively, takes a special "numa" value in which case systemd
930 automatically derives allowed CPU range based on the value of
931 NUMAMask= option. CPU ranges are specified by the lower and upper
932 CPU indices separated by a dash. This option may be specified more
933 than once, in which case the specified CPU affinity masks are
934 merged. If the empty string is assigned, the mask is reset, all
935 assignments prior to this will have no effect. See
936 sched_setaffinity(2) for details.
937
938 NUMAPolicy=
939 Controls the NUMA memory policy of the executed processes. Takes a
940 policy type, one of: default, preferred, bind, interleave and
941 local. A list of NUMA nodes that should be associated with the
942 policy must be specified in NUMAMask=. For more details on each
943 policy please see, set_mempolicy(2). For overall overview of NUMA
944 support in Linux see, numa(7).
945
946 NUMAMask=
947 Controls the NUMA node list which will be applied alongside with
948 selected NUMA policy. Takes a list of NUMA nodes and has the same
949 syntax as a list of CPUs for CPUAffinity= option or special "all"
950 value which will include all available NUMA nodes in the mask. Note
951 that the list of NUMA nodes is not required for default and local
952 policies and for preferred policy we expect a single NUMA node.
953
954 IOSchedulingClass=
955 Sets the I/O scheduling class for executed processes. Takes an
956 integer between 0 and 3 or one of the strings none, realtime,
957 best-effort or idle. If the empty string is assigned to this
958 option, all prior assignments to both IOSchedulingClass= and
959 IOSchedulingPriority= have no effect. See ioprio_set(2) for
960 details.
961
962 IOSchedulingPriority=
963 Sets the I/O scheduling priority for executed processes. Takes an
964 integer between 0 (highest priority) and 7 (lowest priority). In
965 case of I/O contention, smaller values mean more I/O bandwidth is
966 made available to the unit's processes, larger values mean less
967 bandwidth. The available priorities depend on the selected I/O
968 scheduling class (see above). If the empty string is assigned to
969 this option, all prior assignments to both IOSchedulingClass= and
970 IOSchedulingPriority= have no effect. See ioprio_set(2) for
971 details.
972
974 The following sandboxing options are an effective way to limit the
975 exposure of the system towards the unit's processes. It is recommended
976 to turn on as many of these options for each unit as is possible
977 without negatively affecting the process' ability to operate. Note that
978 many of these sandboxing features are gracefully turned off on systems
979 where the underlying security mechanism is not available. For example,
980 ProtectSystem= has no effect if the kernel is built without file system
981 namespacing or if the service manager runs in a container manager that
982 makes file system namespacing unavailable to its payload. Similar,
983 RestrictRealtime= has no effect on systems that lack support for
984 SECCOMP system call filtering, or in containers where support for this
985 is turned off.
986
987 Also note that some sandboxing functionality is generally not available
988 in user services (i.e. services run by the per-user service manager).
989 Specifically, the various settings requiring file system namespacing
990 support (such as ProtectSystem=) are not available, as the underlying
991 kernel functionality is only accessible to privileged processes.
992 However, most namespacing settings, that will not work on their own in
993 user services, will work when used in conjunction with
994 PrivateUsers=true.
995
996 ProtectSystem=
997 Takes a boolean argument or the special values "full" or "strict".
998 If true, mounts the /usr/ and the boot loader directories (/boot
999 and /efi) read-only for processes invoked by this unit. If set to
1000 "full", the /etc/ directory is mounted read-only, too. If set to
1001 "strict" the entire file system hierarchy is mounted read-only,
1002 except for the API file system subtrees /dev/, /proc/ and /sys/
1003 (protect these directories using PrivateDevices=,
1004 ProtectKernelTunables=, ProtectControlGroups=). This setting
1005 ensures that any modification of the vendor-supplied operating
1006 system (and optionally its configuration, and local mounts) is
1007 prohibited for the service. It is recommended to enable this
1008 setting for all long-running services, unless they are involved
1009 with system updates or need to modify the operating system in other
1010 ways. If this option is used, ReadWritePaths= may be used to
1011 exclude specific directories from being made read-only. This
1012 setting is implied if DynamicUser= is set. This setting cannot
1013 ensure protection in all cases. In general it has the same
1014 limitations as ReadOnlyPaths=, see below. Defaults to off.
1015
1016 ProtectHome=
1017 Takes a boolean argument or the special values "read-only" or
1018 "tmpfs". If true, the directories /home/, /root, and /run/user are
1019 made inaccessible and empty for processes invoked by this unit. If
1020 set to "read-only", the three directories are made read-only
1021 instead. If set to "tmpfs", temporary file systems are mounted on
1022 the three directories in read-only mode. The value "tmpfs" is
1023 useful to hide home directories not relevant to the processes
1024 invoked by the unit, while still allowing necessary directories to
1025 be made visible when listed in BindPaths= or BindReadOnlyPaths=.
1026
1027 Setting this to "yes" is mostly equivalent to set the three
1028 directories in InaccessiblePaths=. Similarly, "read-only" is mostly
1029 equivalent to ReadOnlyPaths=, and "tmpfs" is mostly equivalent to
1030 TemporaryFileSystem= with ":ro".
1031
1032 It is recommended to enable this setting for all long-running
1033 services (in particular network-facing ones), to ensure they cannot
1034 get access to private user data, unless the services actually
1035 require access to the user's private data. This setting is implied
1036 if DynamicUser= is set. This setting cannot ensure protection in
1037 all cases. In general it has the same limitations as
1038 ReadOnlyPaths=, see below.
1039
1040 This option is only available for system services and is not
1041 supported for services running in per-user instances of the service
1042 manager.
1043
1044 RuntimeDirectory=, StateDirectory=, CacheDirectory=, LogsDirectory=,
1045 ConfigurationDirectory=
1046 These options take a whitespace-separated list of directory names.
1047 The specified directory names must be relative, and may not include
1048 "..". If set, when the unit is started, one or more directories by
1049 the specified names will be created (including their parents) below
1050 the locations defined in the following table. Also, the
1051 corresponding environment variable will be defined with the full
1052 paths of the directories. If multiple directories are set, then in
1053 the environment variable the paths are concatenated with colon
1054 (":").
1055
1056 Table 2. Automatic directory creation and environment variables
1057 ┌────────────────────────┬────────────────┬───────────────────────┬──────────────────────────┐
1058 │Directory │ Below path for │ Below path for │ Environment │
1059 │ │ system units │ user units │ variable set │
1060 ├────────────────────────┼────────────────┼───────────────────────┼──────────────────────────┤
1061 │RuntimeDirectory= │ /run/ │ $XDG_RUNTIME_DIR │ $RUNTIME_DIRECTORY │
1062 ├────────────────────────┼────────────────┼───────────────────────┼──────────────────────────┤
1063 │StateDirectory= │ /var/lib/ │ $XDG_CONFIG_HOME │ $STATE_DIRECTORY │
1064 ├────────────────────────┼────────────────┼───────────────────────┼──────────────────────────┤
1065 │CacheDirectory= │ /var/cache/ │ $XDG_CACHE_HOME │ $CACHE_DIRECTORY │
1066 ├────────────────────────┼────────────────┼───────────────────────┼──────────────────────────┤
1067 │LogsDirectory= │ /var/log/ │ $XDG_CONFIG_HOME/log/ │ $LOGS_DIRECTORY │
1068 ├────────────────────────┼────────────────┼───────────────────────┼──────────────────────────┤
1069 │ConfigurationDirectory= │ /etc/ │ $XDG_CONFIG_HOME │ $CONFIGURATION_DIRECTORY │
1070 └────────────────────────┴────────────────┴───────────────────────┴──────────────────────────┘
1071 In case of RuntimeDirectory= the innermost subdirectories are
1072 removed when the unit is stopped. It is possible to preserve the
1073 specified directories in this case if RuntimeDirectoryPreserve= is
1074 configured to restart or yes (see below). The directories specified
1075 with StateDirectory=, CacheDirectory=, LogsDirectory=,
1076 ConfigurationDirectory= are not removed when the unit is stopped.
1077
1078 Except in case of ConfigurationDirectory=, the innermost specified
1079 directories will be owned by the user and group specified in User=
1080 and Group=. If the specified directories already exist and their
1081 owning user or group do not match the configured ones, all files
1082 and directories below the specified directories as well as the
1083 directories themselves will have their file ownership recursively
1084 changed to match what is configured. As an optimization, if the
1085 specified directories are already owned by the right user and
1086 group, files and directories below of them are left as-is, even if
1087 they do not match what is requested. The innermost specified
1088 directories will have their access mode adjusted to the what is
1089 specified in RuntimeDirectoryMode=, StateDirectoryMode=,
1090 CacheDirectoryMode=, LogsDirectoryMode= and
1091 ConfigurationDirectoryMode=.
1092
1093 These options imply BindPaths= for the specified paths. When
1094 combined with RootDirectory= or RootImage= these paths always
1095 reside on the host and are mounted from there into the unit's file
1096 system namespace.
1097
1098 If DynamicUser= is used, the logic for CacheDirectory=,
1099 LogsDirectory= and StateDirectory= is slightly altered: the
1100 directories are created below /var/cache/private, /var/log/private
1101 and /var/lib/private, respectively, which are host directories made
1102 inaccessible to unprivileged users, which ensures that access to
1103 these directories cannot be gained through dynamic user ID
1104 recycling. Symbolic links are created to hide this difference in
1105 behaviour. Both from perspective of the host and from inside the
1106 unit, the relevant directories hence always appear directly below
1107 /var/cache, /var/log and /var/lib.
1108
1109 Use RuntimeDirectory= to manage one or more runtime directories for
1110 the unit and bind their lifetime to the daemon runtime. This is
1111 particularly useful for unprivileged daemons that cannot create
1112 runtime directories in /run/ due to lack of privileges, and to make
1113 sure the runtime directory is cleaned up automatically after use.
1114 For runtime directories that require more complex or different
1115 configuration or lifetime guarantees, please consider using
1116 tmpfiles.d(5).
1117
1118 The directories defined by these options are always created under
1119 the standard paths used by systemd (/var/, /run/, /etc/, ...). If
1120 the service needs directories in a different location, a different
1121 mechanism has to be used to create them.
1122
1123 tmpfiles.d(5) provides functionality that overlaps with these
1124 options. Using these options is recommended, because the lifetime
1125 of the directories is tied directly to the lifetime of the unit,
1126 and it is not necessary to ensure that the tmpfiles.d configuration
1127 is executed before the unit is started.
1128
1129 To remove any of the directories created by these settings, use the
1130 systemctl clean ... command on the relevant units, see
1131 systemctl(1) for details.
1132
1133 Example: if a system service unit has the following,
1134
1135 RuntimeDirectory=foo/bar baz
1136
1137 the service manager creates /run/foo (if it does not exist),
1138 /run/foo/bar, and /run/baz. The directories /run/foo/bar and
1139 /run/baz except /run/foo are owned by the user and group specified
1140 in User= and Group=, and removed when the service is stopped.
1141
1142 Example: if a system service unit has the following,
1143
1144 RuntimeDirectory=foo/bar
1145 StateDirectory=aaa/bbb ccc
1146
1147 then the environment variable "RUNTIME_DIRECTORY" is set with
1148 "/run/foo/bar", and "STATE_DIRECTORY" is set with
1149 "/var/lib/aaa/bbb:/var/lib/ccc".
1150
1151 RuntimeDirectoryMode=, StateDirectoryMode=, CacheDirectoryMode=,
1152 LogsDirectoryMode=, ConfigurationDirectoryMode=
1153 Specifies the access mode of the directories specified in
1154 RuntimeDirectory=, StateDirectory=, CacheDirectory=,
1155 LogsDirectory=, or ConfigurationDirectory=, respectively, as an
1156 octal number. Defaults to 0755. See "Permissions" in
1157 path_resolution(7) for a discussion of the meaning of permission
1158 bits.
1159
1160 RuntimeDirectoryPreserve=
1161 Takes a boolean argument or restart. If set to no (the default),
1162 the directories specified in RuntimeDirectory= are always removed
1163 when the service stops. If set to restart the directories are
1164 preserved when the service is both automatically and manually
1165 restarted. Here, the automatic restart means the operation
1166 specified in Restart=, and manual restart means the one triggered
1167 by systemctl restart foo.service. If set to yes, then the
1168 directories are not removed when the service is stopped. Note that
1169 since the runtime directory /run/ is a mount point of "tmpfs", then
1170 for system services the directories specified in RuntimeDirectory=
1171 are removed when the system is rebooted.
1172
1173 TimeoutCleanSec=
1174 Configures a timeout on the clean-up operation requested through
1175 systemctl clean ..., see systemctl(1) for details. Takes the usual
1176 time values and defaults to infinity, i.e. by default no timeout is
1177 applied. If a timeout is configured the clean operation will be
1178 aborted forcibly when the timeout is reached, potentially leaving
1179 resources on disk.
1180
1181 ReadWritePaths=, ReadOnlyPaths=, InaccessiblePaths=, ExecPaths=,
1182 NoExecPaths=
1183 Sets up a new file system namespace for executed processes. These
1184 options may be used to limit access a process has to the file
1185 system. Each setting takes a space-separated list of paths relative
1186 to the host's root directory (i.e. the system running the service
1187 manager). Note that if paths contain symlinks, they are resolved
1188 relative to the root directory set with RootDirectory=/RootImage=.
1189
1190 Paths listed in ReadWritePaths= are accessible from within the
1191 namespace with the same access modes as from outside of it. Paths
1192 listed in ReadOnlyPaths= are accessible for reading only, writing
1193 will be refused even if the usual file access controls would permit
1194 this. Nest ReadWritePaths= inside of ReadOnlyPaths= in order to
1195 provide writable subdirectories within read-only directories. Use
1196 ReadWritePaths= in order to allow-list specific paths for write
1197 access if ProtectSystem=strict is used.
1198
1199 Paths listed in InaccessiblePaths= will be made inaccessible for
1200 processes inside the namespace along with everything below them in
1201 the file system hierarchy. This may be more restrictive than
1202 desired, because it is not possible to nest ReadWritePaths=,
1203 ReadOnlyPaths=, BindPaths=, or BindReadOnlyPaths= inside it. For a
1204 more flexible option, see TemporaryFileSystem=.
1205
1206 Content in paths listed in NoExecPaths= are not executable even if
1207 the usual file access controls would permit this. Nest ExecPaths=
1208 inside of NoExecPaths= in order to provide executable content
1209 within non-executable directories.
1210
1211 Non-directory paths may be specified as well. These options may be
1212 specified more than once, in which case all paths listed will have
1213 limited access from within the namespace. If the empty string is
1214 assigned to this option, the specific list is reset, and all prior
1215 assignments have no effect.
1216
1217 Paths in ReadWritePaths=, ReadOnlyPaths=, InaccessiblePaths=,
1218 ExecPaths= and NoExecPaths= may be prefixed with "-", in which case
1219 they will be ignored when they do not exist. If prefixed with "+"
1220 the paths are taken relative to the root directory of the unit, as
1221 configured with RootDirectory=/RootImage=, instead of relative to
1222 the root directory of the host (see above). When combining "-" and
1223 "+" on the same path make sure to specify "-" first, and "+"
1224 second.
1225
1226 Note that these settings will disconnect propagation of mounts from
1227 the unit's processes to the host. This means that this setting may
1228 not be used for services which shall be able to install mount
1229 points in the main mount namespace. For ReadWritePaths= and
1230 ReadOnlyPaths= propagation in the other direction is not affected,
1231 i.e. mounts created on the host generally appear in the unit
1232 processes' namespace, and mounts removed on the host also disappear
1233 there too. In particular, note that mount propagation from host to
1234 unit will result in unmodified mounts to be created in the unit's
1235 namespace, i.e. writable mounts appearing on the host will be
1236 writable in the unit's namespace too, even when propagated below a
1237 path marked with ReadOnlyPaths=! Restricting access with these
1238 options hence does not extend to submounts of a directory that are
1239 created later on. This means the lock-down offered by that setting
1240 is not complete, and does not offer full protection.
1241
1242 Note that the effect of these settings may be undone by privileged
1243 processes. In order to set up an effective sandboxed environment
1244 for a unit it is thus recommended to combine these settings with
1245 either CapabilityBoundingSet=~CAP_SYS_ADMIN or
1246 SystemCallFilter=~@mount.
1247
1248 Simple allow-list example using these directives:
1249
1250 [Service]
1251 ReadOnlyPaths=/
1252 ReadWritePaths=/var /run
1253 InaccessiblePaths=-/lost+found
1254 NoExecPaths=/
1255 ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64
1256
1257 These options are only available for system services and are not
1258 supported for services running in per-user instances of the service
1259 manager.
1260
1261 TemporaryFileSystem=
1262 Takes a space-separated list of mount points for temporary file
1263 systems (tmpfs). If set, a new file system namespace is set up for
1264 executed processes, and a temporary file system is mounted on each
1265 mount point. This option may be specified more than once, in which
1266 case temporary file systems are mounted on all listed mount points.
1267 If the empty string is assigned to this option, the list is reset,
1268 and all prior assignments have no effect. Each mount point may
1269 optionally be suffixed with a colon (":") and mount options such as
1270 "size=10%" or "ro". By default, each temporary file system is
1271 mounted with "nodev,strictatime,mode=0755". These can be disabled
1272 by explicitly specifying the corresponding mount options, e.g.,
1273 "dev" or "nostrictatime".
1274
1275 This is useful to hide files or directories not relevant to the
1276 processes invoked by the unit, while necessary files or directories
1277 can be still accessed by combining with BindPaths= or
1278 BindReadOnlyPaths=:
1279
1280 Example: if a unit has the following,
1281
1282 TemporaryFileSystem=/var:ro
1283 BindReadOnlyPaths=/var/lib/systemd
1284
1285 then the invoked processes by the unit cannot see any files or
1286 directories under /var/ except for /var/lib/systemd or its
1287 contents.
1288
1289 This option is only available for system services and is not
1290 supported for services running in per-user instances of the service
1291 manager.
1292
1293 PrivateTmp=
1294 Takes a boolean argument. If true, sets up a new file system
1295 namespace for the executed processes and mounts private /tmp/ and
1296 /var/tmp/ directories inside it that are not shared by processes
1297 outside of the namespace. This is useful to secure access to
1298 temporary files of the process, but makes sharing between processes
1299 via /tmp/ or /var/tmp/ impossible. If true, all temporary files
1300 created by a service in these directories will be removed after the
1301 service is stopped. Defaults to false. It is possible to run two or
1302 more units within the same private /tmp/ and /var/tmp/ namespace by
1303 using the JoinsNamespaceOf= directive, see systemd.unit(5) for
1304 details. This setting is implied if DynamicUser= is set. For this
1305 setting the same restrictions regarding mount propagation and
1306 privileges apply as for ReadOnlyPaths= and related calls, see
1307 above. Enabling this setting has the side effect of adding
1308 Requires= and After= dependencies on all mount units necessary to
1309 access /tmp/ and /var/tmp/. Moreover an implicitly After= ordering
1310 on systemd-tmpfiles-setup.service(8) is added.
1311
1312 Note that the implementation of this setting might be impossible
1313 (for example if mount namespaces are not available), and the unit
1314 should be written in a way that does not solely rely on this
1315 setting for security.
1316
1317 This option is only available for system services and is not
1318 supported for services running in per-user instances of the service
1319 manager.
1320
1321 PrivateDevices=
1322 Takes a boolean argument. If true, sets up a new /dev/ mount for
1323 the executed processes and only adds API pseudo devices such as
1324 /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY
1325 subsystem) to it, but no physical devices such as /dev/sda, system
1326 memory /dev/mem, system ports /dev/port and others. This is useful
1327 to securely turn off physical device access by the executed
1328 process. Defaults to false. Enabling this option will install a
1329 system call filter to block low-level I/O system calls that are
1330 grouped in the @raw-io set, will also remove CAP_MKNOD and
1331 CAP_SYS_RAWIO from the capability bounding set for the unit (see
1332 above), and set DevicePolicy=closed (see systemd.resource-
1333 control(5) for details). Note that using this setting will
1334 disconnect propagation of mounts from the service to the host
1335 (propagation in the opposite direction continues to work). This
1336 means that this setting may not be used for services which shall be
1337 able to install mount points in the main mount namespace. The new
1338 /dev/ will be mounted read-only and 'noexec'. The latter may break
1339 old programs which try to set up executable memory by using mmap(2)
1340 of /dev/zero instead of using MAP_ANON. For this setting the same
1341 restrictions regarding mount propagation and privileges apply as
1342 for ReadOnlyPaths= and related calls, see above. If turned on and
1343 if running in user mode, or in system mode, but without the
1344 CAP_SYS_ADMIN capability (e.g. setting User=), NoNewPrivileges=yes
1345 is implied.
1346
1347 Note that the implementation of this setting might be impossible
1348 (for example if mount namespaces are not available), and the unit
1349 should be written in a way that does not solely rely on this
1350 setting for security.
1351
1352 This option is only available for system services and is not
1353 supported for services running in per-user instances of the service
1354 manager.
1355
1356 PrivateNetwork=
1357 Takes a boolean argument. If true, sets up a new network namespace
1358 for the executed processes and configures only the loopback network
1359 device "lo" inside it. No other network devices will be available
1360 to the executed process. This is useful to turn off network access
1361 by the executed process. Defaults to false. It is possible to run
1362 two or more units within the same private network namespace by
1363 using the JoinsNamespaceOf= directive, see systemd.unit(5) for
1364 details. Note that this option will disconnect all socket families
1365 from the host, including AF_NETLINK and AF_UNIX. Effectively, for
1366 AF_NETLINK this means that device configuration events received
1367 from systemd-udevd.service(8) are not delivered to the unit's
1368 processes. And for AF_UNIX this has the effect that AF_UNIX sockets
1369 in the abstract socket namespace of the host will become
1370 unavailable to the unit's processes (however, those located in the
1371 file system will continue to be accessible).
1372
1373 Note that the implementation of this setting might be impossible
1374 (for example if network namespaces are not available), and the unit
1375 should be written in a way that does not solely rely on this
1376 setting for security.
1377
1378 When this option is used on a socket unit any sockets bound on
1379 behalf of this unit will be bound within a private network
1380 namespace. This may be combined with JoinsNamespaceOf= to listen on
1381 sockets inside of network namespaces of other services.
1382
1383 This option is only available for system services and is not
1384 supported for services running in per-user instances of the service
1385 manager.
1386
1387 NetworkNamespacePath=
1388 Takes an absolute file system path refererring to a Linux network
1389 namespace pseudo-file (i.e. a file like /proc/$PID/ns/net or a bind
1390 mount or symlink to one). When set the invoked processes are added
1391 to the network namespace referenced by that path. The path has to
1392 point to a valid namespace file at the moment the processes are
1393 forked off. If this option is used PrivateNetwork= has no effect.
1394 If this option is used together with JoinsNamespaceOf= then it only
1395 has an effect if this unit is started before any of the listed
1396 units that have PrivateNetwork= or NetworkNamespacePath=
1397 configured, as otherwise the network namespace of those units is
1398 reused.
1399
1400 When this option is used on a socket unit any sockets bound on
1401 behalf of this unit will be bound within the specified network
1402 namespace.
1403
1404 This option is only available for system services and is not
1405 supported for services running in per-user instances of the service
1406 manager.
1407
1408 PrivateIPC=
1409 Takes a boolean argument. If true, sets up a new IPC namespace for
1410 the executed processes. Each IPC namespace has its own set of
1411 System V IPC identifiers and its own POSIX message queue file
1412 system. This is useful to avoid name clash of IPC identifiers.
1413 Defaults to false. It is possible to run two or more units within
1414 the same private IPC namespace by using the JoinsNamespaceOf=
1415 directive, see systemd.unit(5) for details.
1416
1417 Note that IPC namespacing does not have an effect on AF_UNIX
1418 sockets, which are the most common form of IPC used on Linux.
1419 Instead, AF_UNIX sockets in the file system are subject to mount
1420 namespacing, and those in the abstract namespace are subject to
1421 network namespacing. IPC namespacing only has an effect on SysV IPC
1422 (which is mostly legacy) as well as POSIX message queues (for which
1423 AF_UNIX/SOCK_SEQPACKET sockets are typically a better replacement).
1424 IPC namespacing also has no effect on POSIX shared memory (which is
1425 subject to mount namespacing) either. See ipc_namespaces(7) for the
1426 details.
1427
1428 Note that the implementation of this setting might be impossible
1429 (for example if IPC namespaces are not available), and the unit
1430 should be written in a way that does not solely rely on this
1431 setting for security.
1432
1433 This option is only available for system services and is not
1434 supported for services running in per-user instances of the service
1435 manager.
1436
1437 IPCNamespacePath=
1438 Takes an absolute file system path refererring to a Linux IPC
1439 namespace pseudo-file (i.e. a file like /proc/$PID/ns/ipc or a bind
1440 mount or symlink to one). When set the invoked processes are added
1441 to the network namespace referenced by that path. The path has to
1442 point to a valid namespace file at the moment the processes are
1443 forked off. If this option is used PrivateIPC= has no effect. If
1444 this option is used together with JoinsNamespaceOf= then it only
1445 has an effect if this unit is started before any of the listed
1446 units that have PrivateIPC= or IPCNamespacePath= configured, as
1447 otherwise the network namespace of those units is reused.
1448
1449 This option is only available for system services and is not
1450 supported for services running in per-user instances of the service
1451 manager.
1452
1453 PrivateUsers=
1454 Takes a boolean argument. If true, sets up a new user namespace for
1455 the executed processes and configures a minimal user and group
1456 mapping, that maps the "root" user and group as well as the unit's
1457 own user and group to themselves and everything else to the
1458 "nobody" user and group. This is useful to securely detach the user
1459 and group databases used by the unit from the rest of the system,
1460 and thus to create an effective sandbox environment. All files,
1461 directories, processes, IPC objects and other resources owned by
1462 users/groups not equaling "root" or the unit's own will stay
1463 visible from within the unit but appear owned by the "nobody" user
1464 and group. If this mode is enabled, all unit processes are run
1465 without privileges in the host user namespace (regardless if the
1466 unit's own user/group is "root" or not). Specifically this means
1467 that the process will have zero process capabilities on the host's
1468 user namespace, but full capabilities within the service's user
1469 namespace. Settings such as CapabilityBoundingSet= will affect only
1470 the latter, and there's no way to acquire additional capabilities
1471 in the host's user namespace. Defaults to off.
1472
1473 When this setting is set up by a per-user instance of the service
1474 manager, the mapping of the "root" user and group to itself is
1475 omitted (unless the user manager is root). Additionally, in the
1476 per-user instance manager case, the user namespace will be set up
1477 before most other namespaces. This means that combining
1478 PrivateUsers=true with other namespaces will enable use of features
1479 not normally supported by the per-user instances of the service
1480 manager.
1481
1482 This setting is particularly useful in conjunction with
1483 RootDirectory=/RootImage=, as the need to synchronize the user and
1484 group databases in the root directory and on the host is reduced,
1485 as the only users and groups who need to be matched are "root",
1486 "nobody" and the unit's own user and group.
1487
1488 Note that the implementation of this setting might be impossible
1489 (for example if user namespaces are not available), and the unit
1490 should be written in a way that does not solely rely on this
1491 setting for security.
1492
1493 ProtectHostname=
1494 Takes a boolean argument. When set, sets up a new UTS namespace for
1495 the executed processes. In addition, changing hostname or
1496 domainname is prevented. Defaults to off.
1497
1498 Note that the implementation of this setting might be impossible
1499 (for example if UTS namespaces are not available), and the unit
1500 should be written in a way that does not solely rely on this
1501 setting for security.
1502
1503 Note that when this option is enabled for a service hostname
1504 changes no longer propagate from the system into the service, it is
1505 hence not suitable for services that need to take notice of system
1506 hostname changes dynamically.
1507
1508 If this setting is on, but the unit doesn't have the CAP_SYS_ADMIN
1509 capability (e.g. services for which User= is set),
1510 NoNewPrivileges=yes is implied.
1511
1512 This option is only available for system services and is not
1513 supported for services running in per-user instances of the service
1514 manager.
1515
1516 ProtectClock=
1517 Takes a boolean argument. If set, writes to the hardware clock or
1518 system clock will be denied. It is recommended to turn this on for
1519 most services that do not need modify the clock. Defaults to off.
1520 Enabling this option removes CAP_SYS_TIME and CAP_WAKE_ALARM from
1521 the capability bounding set for this unit, installs a system call
1522 filter to block calls that can set the clock, and
1523 DeviceAllow=char-rtc r is implied. This ensures /dev/rtc0,
1524 /dev/rtc1, etc. are made read-only to the service. See
1525 systemd.resource-control(5) for the details about DeviceAllow=. If
1526 this setting is on, but the unit doesn't have the CAP_SYS_ADMIN
1527 capability (e.g. services for which User= is set),
1528 NoNewPrivileges=yes is implied.
1529
1530 This option is only available for system services and is not
1531 supported for services running in per-user instances of the service
1532 manager.
1533
1534 ProtectKernelTunables=
1535 Takes a boolean argument. If true, kernel variables accessible
1536 through /proc/sys/, /sys/, /proc/sysrq-trigger,
1537 /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and
1538 /proc/irq will be made read-only to all processes of the unit.
1539 Usually, tunable kernel variables should be initialized only at
1540 boot-time, for example with the sysctl.d(5) mechanism. Few services
1541 need to write to these at runtime; it is hence recommended to turn
1542 this on for most services. For this setting the same restrictions
1543 regarding mount propagation and privileges apply as for
1544 ReadOnlyPaths= and related calls, see above. Defaults to off. If
1545 this setting is on, but the unit doesn't have the CAP_SYS_ADMIN
1546 capability (e.g. services for which User= is set),
1547 NoNewPrivileges=yes is implied. Note that this option does not
1548 prevent indirect changes to kernel tunables effected by IPC calls
1549 to other processes. However, InaccessiblePaths= may be used to make
1550 relevant IPC file system objects inaccessible. If
1551 ProtectKernelTunables= is set, MountAPIVFS=yes is implied.
1552
1553 This option is only available for system services and is not
1554 supported for services running in per-user instances of the service
1555 manager.
1556
1557 ProtectKernelModules=
1558 Takes a boolean argument. If true, explicit module loading will be
1559 denied. This allows module load and unload operations to be turned
1560 off on modular kernels. It is recommended to turn this on for most
1561 services that do not need special file systems or extra kernel
1562 modules to work. Defaults to off. Enabling this option removes
1563 CAP_SYS_MODULE from the capability bounding set for the unit, and
1564 installs a system call filter to block module system calls, also
1565 /usr/lib/modules is made inaccessible. For this setting the same
1566 restrictions regarding mount propagation and privileges apply as
1567 for ReadOnlyPaths= and related calls, see above. Note that limited
1568 automatic module loading due to user configuration or kernel
1569 mapping tables might still happen as side effect of requested user
1570 operations, both privileged and unprivileged. To disable module
1571 auto-load feature please see sysctl.d(5) kernel.modules_disabled
1572 mechanism and /proc/sys/kernel/modules_disabled documentation. If
1573 this setting is on, but the unit doesn't have the CAP_SYS_ADMIN
1574 capability (e.g. services for which User= is set),
1575 NoNewPrivileges=yes is implied.
1576
1577 This option is only available for system services and is not
1578 supported for services running in per-user instances of the service
1579 manager.
1580
1581 ProtectKernelLogs=
1582 Takes a boolean argument. If true, access to the kernel log ring
1583 buffer will be denied. It is recommended to turn this on for most
1584 services that do not need to read from or write to the kernel log
1585 ring buffer. Enabling this option removes CAP_SYSLOG from the
1586 capability bounding set for this unit, and installs a system call
1587 filter to block the syslog(2) system call (not to be confused with
1588 the libc API syslog(3) for userspace logging). The kernel exposes
1589 its log buffer to userspace via /dev/kmsg and /proc/kmsg. If
1590 enabled, these are made inaccessible to all the processes in the
1591 unit. If this setting is on, but the unit doesn't have the
1592 CAP_SYS_ADMIN capability (e.g. services for which User= is set),
1593 NoNewPrivileges=yes is implied.
1594
1595 This option is only available for system services and is not
1596 supported for services running in per-user instances of the service
1597 manager.
1598
1599 ProtectControlGroups=
1600 Takes a boolean argument. If true, the Linux Control Groups
1601 (cgroups(7)) hierarchies accessible through /sys/fs/cgroup/ will be
1602 made read-only to all processes of the unit. Except for container
1603 managers no services should require write access to the control
1604 groups hierarchies; it is hence recommended to turn this on for
1605 most services. For this setting the same restrictions regarding
1606 mount propagation and privileges apply as for ReadOnlyPaths= and
1607 related calls, see above. Defaults to off. If ProtectControlGroups=
1608 is set, MountAPIVFS=yes is implied.
1609
1610 This option is only available for system services and is not
1611 supported for services running in per-user instances of the service
1612 manager.
1613
1614 RestrictAddressFamilies=
1615 Restricts the set of socket address families accessible to the
1616 processes of this unit. Takes "none", or a space-separated list of
1617 address family names to allow-list, such as AF_UNIX, AF_INET or
1618 AF_INET6. When "none" is specified, then all address families will
1619 be denied. When prefixed with "~" the listed address families will
1620 be applied as deny list, otherwise as allow list. Note that this
1621 restricts access to the socket(2) system call only. Sockets passed
1622 into the process by other means (for example, by using socket
1623 activation with socket units, see systemd.socket(5)) are
1624 unaffected. Also, sockets created with socketpair() (which creates
1625 connected AF_UNIX sockets only) are unaffected. Note that this
1626 option has no effect on 32-bit x86, s390, s390x, mips, mips-le,
1627 ppc, ppc-le, ppc64, ppc64-le and is ignored (but works correctly on
1628 other ABIs, including x86-64). Note that on systems supporting
1629 multiple ABIs (such as x86/x86-64) it is recommended to turn off
1630 alternative ABIs for services, so that they cannot be used to
1631 circumvent the restrictions of this option. Specifically, it is
1632 recommended to combine this option with
1633 SystemCallArchitectures=native or similar. If running in user mode,
1634 or in system mode, but without the CAP_SYS_ADMIN capability (e.g.
1635 setting User=), NoNewPrivileges=yes is implied. By default, no
1636 restrictions apply, all address families are accessible to
1637 processes. If assigned the empty string, any previous address
1638 family restriction changes are undone. This setting does not affect
1639 commands prefixed with "+".
1640
1641 Use this option to limit exposure of processes to remote access, in
1642 particular via exotic and sensitive network protocols, such as
1643 AF_PACKET. Note that in most cases, the local AF_UNIX address
1644 family should be included in the configured allow list as it is
1645 frequently used for local communication, including for syslog(2)
1646 logging.
1647
1648 RestrictNamespaces=
1649 Restricts access to Linux namespace functionality for the processes
1650 of this unit. For details about Linux namespaces, see
1651 namespaces(7). Either takes a boolean argument, or a
1652 space-separated list of namespace type identifiers. If false (the
1653 default), no restrictions on namespace creation and switching are
1654 made. If true, access to any kind of namespacing is prohibited.
1655 Otherwise, a space-separated list of namespace type identifiers
1656 must be specified, consisting of any combination of: cgroup, ipc,
1657 net, mnt, pid, user and uts. Any namespace type listed is made
1658 accessible to the unit's processes, access to namespace types not
1659 listed is prohibited (allow-listing). By prepending the list with a
1660 single tilde character ("~") the effect may be inverted: only the
1661 listed namespace types will be made inaccessible, all unlisted ones
1662 are permitted (deny-listing). If the empty string is assigned, the
1663 default namespace restrictions are applied, which is equivalent to
1664 false. This option may appear more than once, in which case the
1665 namespace types are merged by OR, or by AND if the lines are
1666 prefixed with "~" (see examples below). Internally, this setting
1667 limits access to the unshare(2), clone(2) and setns(2) system
1668 calls, taking the specified flags parameters into account. Note
1669 that — if this option is used — in addition to restricting creation
1670 and switching of the specified types of namespaces (or all of them,
1671 if true) access to the setns() system call with a zero flags
1672 parameter is prohibited. This setting is only supported on x86,
1673 x86-64, mips, mips-le, mips64, mips64-le, mips64-n32,
1674 mips64-le-n32, ppc64, ppc64-le, s390 and s390x, and enforces no
1675 restrictions on other architectures. If running in user mode, or in
1676 system mode, but without the CAP_SYS_ADMIN capability (e.g. setting
1677 User=), NoNewPrivileges=yes is implied.
1678
1679 Example: if a unit has the following,
1680
1681 RestrictNamespaces=cgroup ipc
1682 RestrictNamespaces=cgroup net
1683
1684 then cgroup, ipc, and net are set. If the second line is prefixed
1685 with "~", e.g.,
1686
1687 RestrictNamespaces=cgroup ipc
1688 RestrictNamespaces=~cgroup net
1689
1690 then, only ipc is set.
1691
1692 LockPersonality=
1693 Takes a boolean argument. If set, locks down the personality(2)
1694 system call so that the kernel execution domain may not be changed
1695 from the default or the personality selected with Personality=
1696 directive. This may be useful to improve security, because odd
1697 personality emulations may be poorly tested and source of
1698 vulnerabilities. If running in user mode, or in system mode, but
1699 without the CAP_SYS_ADMIN capability (e.g. setting User=),
1700 NoNewPrivileges=yes is implied.
1701
1702 MemoryDenyWriteExecute=
1703 Takes a boolean argument. If set, attempts to create memory
1704 mappings that are writable and executable at the same time, or to
1705 change existing memory mappings to become executable, or mapping
1706 shared memory segments as executable are prohibited. Specifically,
1707 a system call filter is added that rejects mmap(2) system calls
1708 with both PROT_EXEC and PROT_WRITE set, mprotect(2) or
1709 pkey_mprotect(2) system calls with PROT_EXEC set and shmat(2)
1710 system calls with SHM_EXEC set. Note that this option is
1711 incompatible with programs and libraries that generate program code
1712 dynamically at runtime, including JIT execution engines, executable
1713 stacks, and code "trampoline" feature of various C compilers. This
1714 option improves service security, as it makes harder for software
1715 exploits to change running code dynamically. However, the
1716 protection can be circumvented, if the service can write to a
1717 filesystem, which is not mounted with noexec (such as /dev/shm), or
1718 it can use memfd_create(). This can be prevented by making such
1719 file systems inaccessible to the service (e.g.
1720 InaccessiblePaths=/dev/shm) and installing further system call
1721 filters (SystemCallFilter=~memfd_create). Note that this feature is
1722 fully available on x86-64, and partially on x86. Specifically, the
1723 shmat() protection is not available on x86. Note that on systems
1724 supporting multiple ABIs (such as x86/x86-64) it is recommended to
1725 turn off alternative ABIs for services, so that they cannot be used
1726 to circumvent the restrictions of this option. Specifically, it is
1727 recommended to combine this option with
1728 SystemCallArchitectures=native or similar. If running in user mode,
1729 or in system mode, but without the CAP_SYS_ADMIN capability (e.g.
1730 setting User=), NoNewPrivileges=yes is implied.
1731
1732 RestrictRealtime=
1733 Takes a boolean argument. If set, any attempts to enable realtime
1734 scheduling in a process of the unit are refused. This restricts
1735 access to realtime task scheduling policies such as SCHED_FIFO,
1736 SCHED_RR or SCHED_DEADLINE. See sched(7) for details about these
1737 scheduling policies. If running in user mode, or in system mode,
1738 but without the CAP_SYS_ADMIN capability (e.g. setting User=),
1739 NoNewPrivileges=yes is implied. Realtime scheduling policies may be
1740 used to monopolize CPU time for longer periods of time, and may
1741 hence be used to lock up or otherwise trigger Denial-of-Service
1742 situations on the system. It is hence recommended to restrict
1743 access to realtime scheduling to the few programs that actually
1744 require them. Defaults to off.
1745
1746 RestrictSUIDSGID=
1747 Takes a boolean argument. If set, any attempts to set the
1748 set-user-ID (SUID) or set-group-ID (SGID) bits on files or
1749 directories will be denied (for details on these bits see
1750 inode(7)). If running in user mode, or in system mode, but without
1751 the CAP_SYS_ADMIN capability (e.g. setting User=),
1752 NoNewPrivileges=yes is implied. As the SUID/SGID bits are
1753 mechanisms to elevate privileges, and allows users to acquire the
1754 identity of other users, it is recommended to restrict creation of
1755 SUID/SGID files to the few programs that actually require them.
1756 Note that this restricts marking of any type of file system object
1757 with these bits, including both regular files and directories
1758 (where the SGID is a different meaning than for files, see
1759 documentation). This option is implied if DynamicUser= is enabled.
1760 Defaults to off.
1761
1762 RemoveIPC=
1763 Takes a boolean parameter. If set, all System V and POSIX IPC
1764 objects owned by the user and group the processes of this unit are
1765 run as are removed when the unit is stopped. This setting only has
1766 an effect if at least one of User=, Group= and DynamicUser= are
1767 used. It has no effect on IPC objects owned by the root user.
1768 Specifically, this removes System V semaphores, as well as System V
1769 and POSIX shared memory segments and message queues. If multiple
1770 units use the same user or group the IPC objects are removed when
1771 the last of these units is stopped. This setting is implied if
1772 DynamicUser= is set.
1773
1774 This option is only available for system services and is not
1775 supported for services running in per-user instances of the service
1776 manager.
1777
1778 PrivateMounts=
1779 Takes a boolean parameter. If set, the processes of this unit will
1780 be run in their own private file system (mount) namespace with all
1781 mount propagation from the processes towards the host's main file
1782 system namespace turned off. This means any file system mount
1783 points established or removed by the unit's processes will be
1784 private to them and not be visible to the host. However, file
1785 system mount points established or removed on the host will be
1786 propagated to the unit's processes. See mount_namespaces(7) for
1787 details on file system namespaces. Defaults to off.
1788
1789 When turned on, this executes three operations for each invoked
1790 process: a new CLONE_NEWNS namespace is created, after which all
1791 existing mounts are remounted to MS_SLAVE to disable propagation
1792 from the unit's processes to the host (but leaving propagation in
1793 the opposite direction in effect). Finally, the mounts are
1794 remounted again to the propagation mode configured with
1795 MountFlags=, see below.
1796
1797 File system namespaces are set up individually for each process
1798 forked off by the service manager. Mounts established in the
1799 namespace of the process created by ExecStartPre= will hence be
1800 cleaned up automatically as soon as that process exits and will not
1801 be available to subsequent processes forked off for ExecStart= (and
1802 similar applies to the various other commands configured for
1803 units). Similarly, JoinsNamespaceOf= does not permit sharing kernel
1804 mount namespaces between units, it only enables sharing of the
1805 /tmp/ and /var/tmp/ directories.
1806
1807 Other file system namespace unit settings — PrivateMounts=,
1808 PrivateTmp=, PrivateDevices=, ProtectSystem=, ProtectHome=,
1809 ReadOnlyPaths=, InaccessiblePaths=, ReadWritePaths=, ... — also
1810 enable file system namespacing in a fashion equivalent to this
1811 option. Hence it is primarily useful to explicitly request this
1812 behaviour if none of the other settings are used.
1813
1814 This option is only available for system services and is not
1815 supported for services running in per-user instances of the service
1816 manager.
1817
1818 MountFlags=
1819 Takes a mount propagation setting: shared, slave or private, which
1820 controls whether file system mount points in the file system
1821 namespaces set up for this unit's processes will receive or
1822 propagate mounts and unmounts from other file system namespaces.
1823 See mount(2) for details on mount propagation, and the three
1824 propagation flags in particular.
1825
1826 This setting only controls the final propagation setting in effect
1827 on all mount points of the file system namespace created for each
1828 process of this unit. Other file system namespacing unit settings
1829 (see the discussion in PrivateMounts= above) will implicitly
1830 disable mount and unmount propagation from the unit's processes
1831 towards the host by changing the propagation setting of all mount
1832 points in the unit's file system namespace to slave first. Setting
1833 this option to shared does not reestablish propagation in that
1834 case.
1835
1836 If not set – but file system namespaces are enabled through another
1837 file system namespace unit setting – shared mount propagation is
1838 used, but — as mentioned — as slave is applied first, propagation
1839 from the unit's processes to the host is still turned off.
1840
1841 It is not recommended to use private mount propagation for units,
1842 as this means temporary mounts (such as removable media) of the
1843 host will stay mounted and thus indefinitely busy in forked off
1844 processes, as unmount propagation events won't be received by the
1845 file system namespace of the unit.
1846
1847 Usually, it is best to leave this setting unmodified, and use
1848 higher level file system namespacing options instead, in particular
1849 PrivateMounts=, see above.
1850
1851 This option is only available for system services and is not
1852 supported for services running in per-user instances of the service
1853 manager.
1854
1856 SystemCallFilter=
1857 Takes a space-separated list of system call names. If this setting
1858 is used, all system calls executed by the unit processes except for
1859 the listed ones will result in immediate process termination with
1860 the SIGSYS signal (allow-listing). (See SystemCallErrorNumber=
1861 below for changing the default action). If the first character of
1862 the list is "~", the effect is inverted: only the listed system
1863 calls will result in immediate process termination (deny-listing).
1864 Deny-listed system calls and system call groups may optionally be
1865 suffixed with a colon (":") and "errno" error number (between 0 and
1866 4095) or errno name such as EPERM, EACCES or EUCLEAN (see errno(3)
1867 for a full list). This value will be returned when a deny-listed
1868 system call is triggered, instead of terminating the processes
1869 immediately. Special setting "kill" can be used to explicitly
1870 specify killing. This value takes precedence over the one given in
1871 SystemCallErrorNumber=, see below. If running in user mode, or in
1872 system mode, but without the CAP_SYS_ADMIN capability (e.g. setting
1873 User=), NoNewPrivileges=yes is implied. This feature makes use of
1874 the Secure Computing Mode 2 interfaces of the kernel ('seccomp
1875 filtering') and is useful for enforcing a minimal sandboxing
1876 environment. Note that the execve(), exit(), exit_group(),
1877 getrlimit(), rt_sigreturn(), sigreturn() system calls and the
1878 system calls for querying time and sleeping are implicitly
1879 allow-listed and do not need to be listed explicitly. This option
1880 may be specified more than once, in which case the filter masks are
1881 merged. If the empty string is assigned, the filter is reset, all
1882 prior assignments will have no effect. This does not affect
1883 commands prefixed with "+".
1884
1885 Note that on systems supporting multiple ABIs (such as x86/x86-64)
1886 it is recommended to turn off alternative ABIs for services, so
1887 that they cannot be used to circumvent the restrictions of this
1888 option. Specifically, it is recommended to combine this option with
1889 SystemCallArchitectures=native or similar.
1890
1891 Note that strict system call filters may impact execution and error
1892 handling code paths of the service invocation. Specifically, access
1893 to the execve() system call is required for the execution of the
1894 service binary — if it is blocked service invocation will
1895 necessarily fail. Also, if execution of the service binary fails
1896 for some reason (for example: missing service executable), the
1897 error handling logic might require access to an additional set of
1898 system calls in order to process and log this failure correctly. It
1899 might be necessary to temporarily disable system call filters in
1900 order to simplify debugging of such failures.
1901
1902 If you specify both types of this option (i.e. allow-listing and
1903 deny-listing), the first encountered will take precedence and will
1904 dictate the default action (termination or approval of a system
1905 call). Then the next occurrences of this option will add or delete
1906 the listed system calls from the set of the filtered system calls,
1907 depending of its type and the default action. (For example, if you
1908 have started with an allow list rule for read() and write(), and
1909 right after it add a deny list rule for write(), then write() will
1910 be removed from the set.)
1911
1912 As the number of possible system calls is large, predefined sets of
1913 system calls are provided. A set starts with "@" character,
1914 followed by name of the set.
1915
1916 Table 3. Currently predefined system call sets
1917 ┌────────────────┬────────────────────────────┐
1918 │Set │ Description │
1919 ├────────────────┼────────────────────────────┤
1920 │@aio │ Asynchronous I/O │
1921 │ │ (io_setup(2), │
1922 │ │ io_submit(2), and related │
1923 │ │ calls) │
1924 ├────────────────┼────────────────────────────┤
1925 │@basic-io │ System calls for basic │
1926 │ │ I/O: reading, writing, │
1927 │ │ seeking, file descriptor │
1928 │ │ duplication and closing │
1929 │ │ (read(2), write(2), and │
1930 │ │ related calls) │
1931 ├────────────────┼────────────────────────────┤
1932 │@chown │ Changing file ownership │
1933 │ │ (chown(2), fchownat(2), │
1934 │ │ and related calls) │
1935 ├────────────────┼────────────────────────────┤
1936 │@clock │ System calls for changing │
1937 │ │ the system clock │
1938 │ │ (adjtimex(2), │
1939 │ │ settimeofday(2), and │
1940 │ │ related calls) │
1941 ├────────────────┼────────────────────────────┤
1942 │@cpu-emulation │ System calls for CPU │
1943 │ │ emulation functionality │
1944 │ │ (vm86(2) and related │
1945 │ │ calls) │
1946 ├────────────────┼────────────────────────────┤
1947 │@debug │ Debugging, performance │
1948 │ │ monitoring and tracing │
1949 │ │ functionality (ptrace(2), │
1950 │ │ perf_event_open(2) and │
1951 │ │ related calls) │
1952 ├────────────────┼────────────────────────────┤
1953 │@file-system │ File system operations: │
1954 │ │ opening, creating files │
1955 │ │ and directories for read │
1956 │ │ and write, renaming and │
1957 │ │ removing them, reading │
1958 │ │ file properties, or │
1959 │ │ creating hard and symbolic │
1960 │ │ links │
1961 ├────────────────┼────────────────────────────┤
1962 │@io-event │ Event loop system calls │
1963 │ │ (poll(2), select(2), │
1964 │ │ epoll(7), eventfd(2) and │
1965 │ │ related calls) │
1966 ├────────────────┼────────────────────────────┤
1967 │@ipc │ Pipes, SysV IPC, POSIX │
1968 │ │ Message Queues and other │
1969 │ │ IPC (mq_overview(7), │
1970 │ │ svipc(7)) │
1971 ├────────────────┼────────────────────────────┤
1972 │@keyring │ Kernel keyring access │
1973 │ │ (keyctl(2) and related │
1974 │ │ calls) │
1975 ├────────────────┼────────────────────────────┤
1976 │@memlock │ Locking of memory in RAM │
1977 │ │ (mlock(2), mlockall(2) and │
1978 │ │ related calls) │
1979 ├────────────────┼────────────────────────────┤
1980 │@module │ Loading and unloading of │
1981 │ │ kernel modules │
1982 │ │ (init_module(2), │
1983 │ │ delete_module(2) and │
1984 │ │ related calls) │
1985 ├────────────────┼────────────────────────────┤
1986 │@mount │ Mounting and unmounting of │
1987 │ │ file systems (mount(2), │
1988 │ │ chroot(2), and related │
1989 │ │ calls) │
1990 ├────────────────┼────────────────────────────┤
1991 │@network-io │ Socket I/O (including │
1992 │ │ local AF_UNIX): socket(7), │
1993 │ │ unix(7) │
1994 ├────────────────┼────────────────────────────┤
1995 │@obsolete │ Unusual, obsolete or │
1996 │ │ unimplemented │
1997 │ │ (create_module(2), │
1998 │ │ gtty(2), ...) │
1999 ├────────────────┼────────────────────────────┤
2000 │@privileged │ All system calls which │
2001 │ │ need super-user │
2002 │ │ capabilities │
2003 │ │ (capabilities(7)) │
2004 ├────────────────┼────────────────────────────┤
2005 │@process │ Process control, │
2006 │ │ execution, namespacing │
2007 │ │ operations (clone(2), │
2008 │ │ kill(2), namespaces(7), │
2009 │ │ ...) │
2010 ├────────────────┼────────────────────────────┤
2011 │@raw-io │ Raw I/O port access │
2012 │ │ (ioperm(2), iopl(2), │
2013 │ │ pciconfig_read(), ...) │
2014 ├────────────────┼────────────────────────────┤
2015 │@reboot │ System calls for rebooting │
2016 │ │ and reboot preparation │
2017 │ │ (reboot(2), kexec(), ...) │
2018 ├────────────────┼────────────────────────────┤
2019 │@resources │ System calls for changing │
2020 │ │ resource limits, memory │
2021 │ │ and scheduling parameters │
2022 │ │ (setrlimit(2), │
2023 │ │ setpriority(2), ...) │
2024 ├────────────────┼────────────────────────────┤
2025 │@setuid │ System calls for changing │
2026 │ │ user ID and group ID │
2027 │ │ credentials, (setuid(2), │
2028 │ │ setgid(2), setresuid(2), │
2029 │ │ ...) │
2030 ├────────────────┼────────────────────────────┤
2031 │@signal │ System calls for │
2032 │ │ manipulating and handling │
2033 │ │ process signals │
2034 │ │ (signal(2), │
2035 │ │ sigprocmask(2), ...) │
2036 ├────────────────┼────────────────────────────┤
2037 │@swap │ System calls for │
2038 │ │ enabling/disabling swap │
2039 │ │ devices (swapon(2), │
2040 │ │ swapoff(2)) │
2041 ├────────────────┼────────────────────────────┤
2042 │@sync │ Synchronizing files and │
2043 │ │ memory to disk (fsync(2), │
2044 │ │ msync(2), and related │
2045 │ │ calls) │
2046 ├────────────────┼────────────────────────────┤
2047 │@system-service │ A reasonable set of system │
2048 │ │ calls used by common │
2049 │ │ system services, excluding │
2050 │ │ any special purpose calls. │
2051 │ │ This is the recommended │
2052 │ │ starting point for │
2053 │ │ allow-listing system calls │
2054 │ │ for system services, as it │
2055 │ │ contains what is typically │
2056 │ │ needed by system services, │
2057 │ │ but excludes overly │
2058 │ │ specific interfaces. For │
2059 │ │ example, the following │
2060 │ │ APIs are excluded: │
2061 │ │ "@clock", "@mount", │
2062 │ │ "@swap", "@reboot". │
2063 ├────────────────┼────────────────────────────┤
2064 │@timer │ System calls for │
2065 │ │ scheduling operations by │
2066 │ │ time (alarm(2), │
2067 │ │ timer_create(2), ...) │
2068 ├────────────────┼────────────────────────────┤
2069 │@known │ All system calls defined │
2070 │ │ by the kernel. This list │
2071 │ │ is defined statically in │
2072 │ │ systemd based on a kernel │
2073 │ │ version that was available │
2074 │ │ when this systemd version │
2075 │ │ was released. It will │
2076 │ │ become progressively more │
2077 │ │ out-of-date as the kernel │
2078 │ │ is updated. │
2079 └────────────────┴────────────────────────────┘
2080 Note, that as new system calls are added to the kernel, additional
2081 system calls might be added to the groups above. Contents of the
2082 sets may also change between systemd versions. In addition, the
2083 list of system calls depends on the kernel version and architecture
2084 for which systemd was compiled. Use systemd-analyze syscall-filter
2085 to list the actual list of system calls in each filter.
2086
2087 Generally, allow-listing system calls (rather than deny-listing) is
2088 the safer mode of operation. It is recommended to enforce system
2089 call allow lists for all long-running system services.
2090 Specifically, the following lines are a relatively safe basic
2091 choice for the majority of system services:
2092
2093 [Service]
2094 SystemCallFilter=@system-service
2095 SystemCallErrorNumber=EPERM
2096
2097 Note that various kernel system calls are defined redundantly:
2098 there are multiple system calls for executing the same operation.
2099 For example, the pidfd_send_signal() system call may be used to
2100 execute operations similar to what can be done with the older
2101 kill() system call, hence blocking the latter without the former
2102 only provides weak protection. Since new system calls are added
2103 regularly to the kernel as development progresses, keeping system
2104 call deny lists comprehensive requires constant work. It is thus
2105 recommended to use allow-listing instead, which offers the benefit
2106 that new system calls are by default implicitly blocked until the
2107 allow list is updated.
2108
2109 Also note that a number of system calls are required to be
2110 accessible for the dynamic linker to work. The dynamic linker is
2111 required for running most regular programs (specifically: all
2112 dynamic ELF binaries, which is how most distributions build
2113 packaged programs). This means that blocking these system calls
2114 (which include open(), openat() or mmap()) will make most programs
2115 typically shipped with generic distributions unusable.
2116
2117 It is recommended to combine the file system namespacing related
2118 options with SystemCallFilter=~@mount, in order to prohibit the
2119 unit's processes to undo the mappings. Specifically these are the
2120 options PrivateTmp=, PrivateDevices=, ProtectSystem=, ProtectHome=,
2121 ProtectKernelTunables=, ProtectControlGroups=, ProtectKernelLogs=,
2122 ProtectClock=, ReadOnlyPaths=, InaccessiblePaths= and
2123 ReadWritePaths=.
2124
2125 SystemCallErrorNumber=
2126 Takes an "errno" error number (between 1 and 4095) or errno name
2127 such as EPERM, EACCES or EUCLEAN, to return when the system call
2128 filter configured with SystemCallFilter= is triggered, instead of
2129 terminating the process immediately. See errno(3) for a full list
2130 of error codes. When this setting is not used, or when the empty
2131 string or the special setting "kill" is assigned, the process will
2132 be terminated immediately when the filter is triggered.
2133
2134 SystemCallArchitectures=
2135 Takes a space-separated list of architecture identifiers to include
2136 in the system call filter. The known architecture identifiers are
2137 the same as for ConditionArchitecture= described in
2138 systemd.unit(5), as well as x32, mips64-n32, mips64-le-n32, and the
2139 special identifier native. The special identifier native implicitly
2140 maps to the native architecture of the system (or more precisely:
2141 to the architecture the system manager is compiled for). If running
2142 in user mode, or in system mode, but without the CAP_SYS_ADMIN
2143 capability (e.g. setting User=), NoNewPrivileges=yes is implied. By
2144 default, this option is set to the empty list, i.e. no filtering is
2145 applied.
2146
2147 If this setting is used, processes of this unit will only be
2148 permitted to call native system calls, and system calls of the
2149 specified architectures. For the purposes of this option, the x32
2150 architecture is treated as including x86-64 system calls. However,
2151 this setting still fulfills its purpose, as explained below, on
2152 x32.
2153
2154 System call filtering is not equally effective on all
2155 architectures. For example, on x86 filtering of network
2156 socket-related calls is not possible, due to ABI limitations — a
2157 limitation that x86-64 does not have, however. On systems
2158 supporting multiple ABIs at the same time — such as x86/x86-64 — it
2159 is hence recommended to limit the set of permitted system call
2160 architectures so that secondary ABIs may not be used to circumvent
2161 the restrictions applied to the native ABI of the system. In
2162 particular, setting SystemCallArchitectures=native is a good choice
2163 for disabling non-native ABIs.
2164
2165 System call architectures may also be restricted system-wide via
2166 the SystemCallArchitectures= option in the global configuration.
2167 See systemd-system.conf(5) for details.
2168
2169 SystemCallLog=
2170 Takes a space-separated list of system call names. If this setting
2171 is used, all system calls executed by the unit processes for the
2172 listed ones will be logged. If the first character of the list is
2173 "~", the effect is inverted: all system calls except the listed
2174 system calls will be logged. If running in user mode, or in system
2175 mode, but without the CAP_SYS_ADMIN capability (e.g. setting
2176 User=), NoNewPrivileges=yes is implied. This feature makes use of
2177 the Secure Computing Mode 2 interfaces of the kernel ('seccomp
2178 filtering') and is useful for auditing or setting up a minimal
2179 sandboxing environment. This option may be specified more than
2180 once, in which case the filter masks are merged. If the empty
2181 string is assigned, the filter is reset, all prior assignments will
2182 have no effect. This does not affect commands prefixed with "+".
2183
2185 Environment=
2186 Sets environment variables for executed processes. Each line is
2187 unquoted using the rules described in "Quoting" section in
2188 systemd.syntax(7) and becomes a list of variable assignments. If
2189 you need to assign a value containing spaces or the equals sign to
2190 a variable, put quotes around the whole assignment. Variable
2191 expansion is not performed inside the strings and the "$" character
2192 has no special meaning. Specifier expansion is performed, see the
2193 "Specifiers" section in systemd.unit(5).
2194
2195 This option may be specified more than once, in which case all
2196 listed variables will be set. If the same variable is listed twice,
2197 the later setting will override the earlier setting. If the empty
2198 string is assigned to this option, the list of environment
2199 variables is reset, all prior assignments have no effect.
2200
2201 The names of the variables can contain ASCII letters, digits, and
2202 the underscore character. Variable names cannot be empty or start
2203 with a digit. In variable values, most characters are allowed, but
2204 non-printable characters are currently rejected.
2205
2206 Example:
2207
2208 Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"
2209
2210 gives three variables "VAR1", "VAR2", "VAR3" with the values "word1
2211 word2", "word3", "$word 5 6".
2212
2213 See environ(7) for details about environment variables.
2214
2215 Note that environment variables are not suitable for passing
2216 secrets (such as passwords, key material, ...) to service
2217 processes. Environment variables set for a unit are exposed to
2218 unprivileged clients via D-Bus IPC, and generally not understood as
2219 being data that requires protection. Moreover, environment
2220 variables are propagated down the process tree, including across
2221 security boundaries (such as setuid/setgid executables), and hence
2222 might leak to processes that should not have access to the secret
2223 data. Use LoadCredential= (see below) to pass data to unit
2224 processes securely.
2225
2226 EnvironmentFile=
2227 Similar to Environment= but reads the environment variables from a
2228 text file. The text file should contain new-line-separated variable
2229 assignments. Empty lines, lines without an "=" separator, or lines
2230 starting with ; or # will be ignored, which may be used for
2231 commenting. A line ending with a backslash will be concatenated
2232 with the following one, allowing multiline variable definitions.
2233 The parser strips leading and trailing whitespace from the values
2234 of assignments, unless you use double quotes (").
2235
2236 C escapes[7] are supported, but not most control characters[8].
2237 "\t" and "\n" can be used to insert tabs and newlines within
2238 EnvironmentFile=.
2239
2240 The argument passed should be an absolute filename or wildcard
2241 expression, optionally prefixed with "-", which indicates that if
2242 the file does not exist, it will not be read and no error or
2243 warning message is logged. This option may be specified more than
2244 once in which case all specified files are read. If the empty
2245 string is assigned to this option, the list of file to read is
2246 reset, all prior assignments have no effect.
2247
2248 The files listed with this directive will be read shortly before
2249 the process is executed (more specifically, after all processes
2250 from a previous unit state terminated. This means you can generate
2251 these files in one unit state, and read it with this option in the
2252 next. The files are read from the file system of the service
2253 manager, before any file system changes like bind mounts take
2254 place).
2255
2256 Settings from these files override settings made with Environment=.
2257 If the same variable is set twice from these files, the files will
2258 be read in the order they are specified and the later setting will
2259 override the earlier setting.
2260
2261 PassEnvironment=
2262 Pass environment variables set for the system service manager to
2263 executed processes. Takes a space-separated list of variable names.
2264 This option may be specified more than once, in which case all
2265 listed variables will be passed. If the empty string is assigned to
2266 this option, the list of environment variables to pass is reset,
2267 all prior assignments have no effect. Variables specified that are
2268 not set for the system manager will not be passed and will be
2269 silently ignored. Note that this option is only relevant for the
2270 system service manager, as system services by default do not
2271 automatically inherit any environment variables set for the service
2272 manager itself. However, in case of the user service manager all
2273 environment variables are passed to the executed processes anyway,
2274 hence this option is without effect for the user service manager.
2275
2276 Variables set for invoked processes due to this setting are subject
2277 to being overridden by those configured with Environment= or
2278 EnvironmentFile=.
2279
2280 C escapes[7] are supported, but not most control characters[8].
2281 "\t" and "\n" can be used to insert tabs and newlines within
2282 EnvironmentFile=.
2283
2284 Example:
2285
2286 PassEnvironment=VAR1 VAR2 VAR3
2287
2288 passes three variables "VAR1", "VAR2", "VAR3" with the values set
2289 for those variables in PID1.
2290
2291 See environ(7) for details about environment variables.
2292
2293 UnsetEnvironment=
2294 Explicitly unset environment variable assignments that would
2295 normally be passed from the service manager to invoked processes of
2296 this unit. Takes a space-separated list of variable names or
2297 variable assignments. This option may be specified more than once,
2298 in which case all listed variables/assignments will be unset. If
2299 the empty string is assigned to this option, the list of
2300 environment variables/assignments to unset is reset. If a variable
2301 assignment is specified (that is: a variable name, followed by "=",
2302 followed by its value), then any environment variable matching this
2303 precise assignment is removed. If a variable name is specified
2304 (that is a variable name without any following "=" or value), then
2305 any assignment matching the variable name, regardless of its value
2306 is removed. Note that the effect of UnsetEnvironment= is applied as
2307 final step when the environment list passed to executed processes
2308 is compiled. That means it may undo assignments from any
2309 configuration source, including assignments made through
2310 Environment= or EnvironmentFile=, inherited from the system
2311 manager's global set of environment variables, inherited via
2312 PassEnvironment=, set by the service manager itself (such as
2313 $NOTIFY_SOCKET and such), or set by a PAM module (in case PAMName=
2314 is used).
2315
2316 See "Environment Variables in Spawned Processes" below for a
2317 description of how those settings combine to form the inherited
2318 environment. See environ(7) for general information about
2319 environment variables.
2320
2322 StandardInput=
2323 Controls where file descriptor 0 (STDIN) of the executed processes
2324 is connected to. Takes one of null, tty, tty-force, tty-fail, data,
2325 file:path, socket or fd:name.
2326
2327 If null is selected, standard input will be connected to /dev/null,
2328 i.e. all read attempts by the process will result in immediate EOF.
2329
2330 If tty is selected, standard input is connected to a TTY (as
2331 configured by TTYPath=, see below) and the executed process becomes
2332 the controlling process of the terminal. If the terminal is already
2333 being controlled by another process, the executed process waits
2334 until the current controlling process releases the terminal.
2335
2336 tty-force is similar to tty, but the executed process is forcefully
2337 and immediately made the controlling process of the terminal,
2338 potentially removing previous controlling processes from the
2339 terminal.
2340
2341 tty-fail is similar to tty, but if the terminal already has a
2342 controlling process start-up of the executed process fails.
2343
2344 The data option may be used to configure arbitrary textual or
2345 binary data to pass via standard input to the executed process. The
2346 data to pass is configured via
2347 StandardInputText=/StandardInputData= (see below). Note that the
2348 actual file descriptor type passed (memory file, regular file, UNIX
2349 pipe, ...) might depend on the kernel and available privileges. In
2350 any case, the file descriptor is read-only, and when read returns
2351 the specified data followed by EOF.
2352
2353 The file:path option may be used to connect a specific file system
2354 object to standard input. An absolute path following the ":"
2355 character is expected, which may refer to a regular file, a FIFO or
2356 special file. If an AF_UNIX socket in the file system is specified,
2357 a stream socket is connected to it. The latter is useful for
2358 connecting standard input of processes to arbitrary system
2359 services.
2360
2361 The socket option is valid in socket-activated services only, and
2362 requires the relevant socket unit file (see systemd.socket(5) for
2363 details) to have Accept=yes set, or to specify a single socket
2364 only. If this option is set, standard input will be connected to
2365 the socket the service was activated from, which is primarily
2366 useful for compatibility with daemons designed for use with the
2367 traditional inetd(8) socket activation daemon.
2368
2369 The fd:name option connects standard input to a specific, named
2370 file descriptor provided by a socket unit. The name may be
2371 specified as part of this option, following a ":" character (e.g.
2372 "fd:foobar"). If no name is specified, the name "stdin" is implied
2373 (i.e. "fd" is equivalent to "fd:stdin"). At least one socket unit
2374 defining the specified name must be provided via the Sockets=
2375 option, and the file descriptor name may differ from the name of
2376 its containing socket unit. If multiple matches are found, the
2377 first one will be used. See FileDescriptorName= in
2378 systemd.socket(5) for more details about named file descriptors and
2379 their ordering.
2380
2381 This setting defaults to null, unless
2382 StandardInputText=/StandardInputData= are set, in which case it
2383 defaults to data.
2384
2385 StandardOutput=
2386 Controls where file descriptor 1 (stdout) of the executed processes
2387 is connected to. Takes one of inherit, null, tty, journal, kmsg,
2388 journal+console, kmsg+console, file:path, append:path,
2389 truncate:path, socket or fd:name.
2390
2391 inherit duplicates the file descriptor of standard input for
2392 standard output.
2393
2394 null connects standard output to /dev/null, i.e. everything written
2395 to it will be lost.
2396
2397 tty connects standard output to a tty (as configured via TTYPath=,
2398 see below). If the TTY is used for output only, the executed
2399 process will not become the controlling process of the terminal,
2400 and will not fail or wait for other processes to release the
2401 terminal.
2402
2403 journal connects standard output with the journal, which is
2404 accessible via journalctl(1). Note that everything that is written
2405 to kmsg (see below) is implicitly stored in the journal as well,
2406 the specific option listed below is hence a superset of this one.
2407 (Also note that any external, additional syslog daemons receive
2408 their log data from the journal, too, hence this is the option to
2409 use when logging shall be processed with such a daemon.)
2410
2411 kmsg connects standard output with the kernel log buffer which is
2412 accessible via dmesg(1), in addition to the journal. The journal
2413 daemon might be configured to send all logs to kmsg anyway, in
2414 which case this option is no different from journal.
2415
2416 journal+console and kmsg+console work in a similar way as the two
2417 options above but copy the output to the system console as well.
2418
2419 The file:path option may be used to connect a specific file system
2420 object to standard output. The semantics are similar to the same
2421 option of StandardInput=, see above. If path refers to a regular
2422 file on the filesystem, it is opened (created if it doesn't exist
2423 yet) for writing at the beginning of the file, but without
2424 truncating it. If standard input and output are directed to the
2425 same file path, it is opened only once, for reading as well as
2426 writing and duplicated. This is particularly useful when the
2427 specified path refers to an AF_UNIX socket in the file system, as
2428 in that case only a single stream connection is created for both
2429 input and output.
2430
2431 append:path is similar to file:path above, but it opens the file in
2432 append mode.
2433
2434 truncate:path is similar to file:path above, but it truncates the
2435 file when opening it. For units with multiple command lines, e.g.
2436 Type=oneshot services with multiple ExecStart=, or services with
2437 ExecCondition=, ExecStartPre= or ExecStartPost=, the output file is
2438 reopened and therefore re-truncated for each command line. If the
2439 output file is truncated while another process still has the file
2440 open, e.g. by an ExecReload= running concurrently with an
2441 ExecStart=, and the other process continues writing to the file
2442 without adjusting its offset, then the space between the file
2443 pointers of the two processes may be filled with NUL bytes,
2444 producing a sparse file. Thus, truncate:path is typically only
2445 useful for units where only one process runs at a time, such as
2446 services with a single ExecStart= and no ExecStartPost=,
2447 ExecReload=, ExecStop= or similar.
2448
2449 socket connects standard output to a socket acquired via socket
2450 activation. The semantics are similar to the same option of
2451 StandardInput=, see above.
2452
2453 The fd:name option connects standard output to a specific, named
2454 file descriptor provided by a socket unit. A name may be specified
2455 as part of this option, following a ":" character (e.g.
2456 "fd:foobar"). If no name is specified, the name "stdout" is implied
2457 (i.e. "fd" is equivalent to "fd:stdout"). At least one socket unit
2458 defining the specified name must be provided via the Sockets=
2459 option, and the file descriptor name may differ from the name of
2460 its containing socket unit. If multiple matches are found, the
2461 first one will be used. See FileDescriptorName= in
2462 systemd.socket(5) for more details about named descriptors and
2463 their ordering.
2464
2465 If the standard output (or error output, see below) of a unit is
2466 connected to the journal or the kernel log buffer, the unit will
2467 implicitly gain a dependency of type After= on
2468 systemd-journald.socket (also see the "Implicit Dependencies"
2469 section above). Also note that in this case stdout (or stderr, see
2470 below) will be an AF_UNIX stream socket, and not a pipe or FIFO
2471 that can be re-opened. This means when executing shell scripts the
2472 construct echo "hello" > /dev/stderr for writing text to stderr
2473 will not work. To mitigate this use the construct echo "hello" >&2
2474 instead, which is mostly equivalent and avoids this pitfall.
2475
2476 This setting defaults to the value set with DefaultStandardOutput=
2477 in systemd-system.conf(5), which defaults to journal. Note that
2478 setting this parameter might result in additional dependencies to
2479 be added to the unit (see above).
2480
2481 StandardError=
2482 Controls where file descriptor 2 (stderr) of the executed processes
2483 is connected to. The available options are identical to those of
2484 StandardOutput=, with some exceptions: if set to inherit the file
2485 descriptor used for standard output is duplicated for standard
2486 error, while fd:name will use a default file descriptor name of
2487 "stderr".
2488
2489 This setting defaults to the value set with DefaultStandardError=
2490 in systemd-system.conf(5), which defaults to inherit. Note that
2491 setting this parameter might result in additional dependencies to
2492 be added to the unit (see above).
2493
2494 StandardInputText=, StandardInputData=
2495 Configures arbitrary textual or binary data to pass via file
2496 descriptor 0 (STDIN) to the executed processes. These settings have
2497 no effect unless StandardInput= is set to data (which is the
2498 default if StandardInput= is not set otherwise, but
2499 StandardInputText=/StandardInputData= is). Use this option to embed
2500 process input data directly in the unit file.
2501
2502 StandardInputText= accepts arbitrary textual data. C-style escapes
2503 for special characters as well as the usual "%"-specifiers are
2504 resolved. Each time this setting is used the specified text is
2505 appended to the per-unit data buffer, followed by a newline
2506 character (thus every use appends a new line to the end of the
2507 buffer). Note that leading and trailing whitespace of lines
2508 configured with this option is removed. If an empty line is
2509 specified the buffer is cleared (hence, in order to insert an empty
2510 line, add an additional "\n" to the end or beginning of a line).
2511
2512 StandardInputData= accepts arbitrary binary data, encoded in
2513 Base64[9]. No escape sequences or specifiers are resolved. Any
2514 whitespace in the encoded version is ignored during decoding.
2515
2516 Note that StandardInputText= and StandardInputData= operate on the
2517 same data buffer, and may be mixed in order to configure both
2518 binary and textual data for the same input stream. The textual or
2519 binary data is joined strictly in the order the settings appear in
2520 the unit file. Assigning an empty string to either will reset the
2521 data buffer.
2522
2523 Please keep in mind that in order to maintain readability long unit
2524 file settings may be split into multiple lines, by suffixing each
2525 line (except for the last) with a "\" character (see
2526 systemd.unit(5) for details). This is particularly useful for large
2527 data configured with these two options. Example:
2528
2529 ...
2530 StandardInput=data
2531 StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy4KSWNrIGtpZWtl \
2532 LCBzdGF1bmUsIHd1bmRyZSBtaXIsCnVmZiBlZW1hbCBqZWh0IHNlIHVmZiBkaWUgVMO8ci4KTmFu \
2533 dSwgZGVuayBpY2ssIGljayBkZW5rIG5hbnUhCkpldHogaXNzZSB1ZmYsIGVyc2NodCB3YXIgc2Ug \
2534 enUhCkljayBqZWhlIHJhdXMgdW5kIGJsaWNrZSDigJQKdW5kIHdlciBzdGVodCBkcmF1w59lbj8g \
2535 SWNrZSEK
2536 ...
2537
2538 LogLevelMax=
2539 Configures filtering by log level of log messages generated by this
2540 unit. Takes a syslog log level, one of emerg (lowest log level,
2541 only highest priority messages), alert, crit, err, warning, notice,
2542 info, debug (highest log level, also lowest priority messages). See
2543 syslog(3) for details. By default no filtering is applied (i.e. the
2544 default maximum log level is debug). Use this option to configure
2545 the logging system to drop log messages of a specific service above
2546 the specified level. For example, set LogLevelMax=info in order to
2547 turn off debug logging of a particularly chatty unit. Note that the
2548 configured level is applied to any log messages written by any of
2549 the processes belonging to this unit, as well as any log messages
2550 written by the system manager process (PID 1) in reference to this
2551 unit, sent via any supported logging protocol. The filtering is
2552 applied early in the logging pipeline, before any kind of further
2553 processing is done. Moreover, messages which pass through this
2554 filter successfully might still be dropped by filters applied at a
2555 later stage in the logging subsystem. For example, MaxLevelStore=
2556 configured in journald.conf(5) might prohibit messages of higher
2557 log levels to be stored on disk, even though the per-unit
2558 LogLevelMax= permitted it to be processed.
2559
2560 LogExtraFields=
2561 Configures additional log metadata fields to include in all log
2562 records generated by processes associated with this unit. This
2563 setting takes one or more journal field assignments in the format
2564 "FIELD=VALUE" separated by whitespace. See systemd.journal-
2565 fields(7) for details on the journal field concept. Even though the
2566 underlying journal implementation permits binary field values, this
2567 setting accepts only valid UTF-8 values. To include space
2568 characters in a journal field value, enclose the assignment in
2569 double quotes ("). The usual specifiers are expanded in all
2570 assignments (see below). Note that this setting is not only useful
2571 for attaching additional metadata to log records of a unit, but
2572 given that all fields and values are indexed may also be used to
2573 implement cross-unit log record matching. Assign an empty string to
2574 reset the list.
2575
2576 LogRateLimitIntervalSec=, LogRateLimitBurst=
2577 Configures the rate limiting that is applied to messages generated
2578 by this unit. If, in the time interval defined by
2579 LogRateLimitIntervalSec=, more messages than specified in
2580 LogRateLimitBurst= are logged by a service, all further messages
2581 within the interval are dropped until the interval is over. A
2582 message about the number of dropped messages is generated. The time
2583 specification for LogRateLimitIntervalSec= may be specified in the
2584 following units: "s", "min", "h", "ms", "us" (see systemd.time(7)
2585 for details). The default settings are set by RateLimitIntervalSec=
2586 and RateLimitBurst= configured in journald.conf(5).
2587
2588 LogNamespace=
2589 Run the unit's processes in the specified journal namespace.
2590 Expects a short user-defined string identifying the namespace. If
2591 not used the processes of the service are run in the default
2592 journal namespace, i.e. their log stream is collected and processed
2593 by systemd-journald.service. If this option is used any log data
2594 generated by processes of this unit (regardless if via the
2595 syslog(), journal native logging or stdout/stderr logging) is
2596 collected and processed by an instance of the
2597 systemd-journald@.service template unit, which manages the
2598 specified namespace. The log data is stored in a data store
2599 independent from the default log namespace's data store. See
2600 systemd-journald.service(8) for details about journal namespaces.
2601
2602 Internally, journal namespaces are implemented through Linux mount
2603 namespacing and over-mounting the directory that contains the
2604 relevant AF_UNIX sockets used for logging in the unit's mount
2605 namespace. Since mount namespaces are used this setting disconnects
2606 propagation of mounts from the unit's processes to the host,
2607 similar to how ReadOnlyPaths= and similar settings (see above)
2608 work. Journal namespaces may hence not be used for services that
2609 need to establish mount points on the host.
2610
2611 When this option is used the unit will automatically gain ordering
2612 and requirement dependencies on the two socket units associated
2613 with the systemd-journald@.service instance so that they are
2614 automatically established prior to the unit starting up. Note that
2615 when this option is used log output of this service does not appear
2616 in the regular journalctl(1) output, unless the --namespace= option
2617 is used.
2618
2619 This option is only available for system services and is not
2620 supported for services running in per-user instances of the service
2621 manager.
2622
2623 SyslogIdentifier=
2624 Sets the process name ("syslog tag") to prefix log lines sent to
2625 the logging system or the kernel log buffer with. If not set,
2626 defaults to the process name of the executed process. This option
2627 is only useful when StandardOutput= or StandardError= are set to
2628 journal or kmsg (or to the same settings in combination with
2629 +console) and only applies to log messages written to stdout or
2630 stderr.
2631
2632 SyslogFacility=
2633 Sets the syslog facility identifier to use when logging. One of
2634 kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron,
2635 authpriv, ftp, local0, local1, local2, local3, local4, local5,
2636 local6 or local7. See syslog(3) for details. This option is only
2637 useful when StandardOutput= or StandardError= are set to journal or
2638 kmsg (or to the same settings in combination with +console), and
2639 only applies to log messages written to stdout or stderr. Defaults
2640 to daemon.
2641
2642 SyslogLevel=
2643 The default syslog log level to use when logging to the logging
2644 system or the kernel log buffer. One of emerg, alert, crit, err,
2645 warning, notice, info, debug. See syslog(3) for details. This
2646 option is only useful when StandardOutput= or StandardError= are
2647 set to journal or kmsg (or to the same settings in combination with
2648 +console), and only applies to log messages written to stdout or
2649 stderr. Note that individual lines output by executed processes may
2650 be prefixed with a different log level which can be used to
2651 override the default log level specified here. The interpretation
2652 of these prefixes may be disabled with SyslogLevelPrefix=, see
2653 below. For details, see sd-daemon(3). Defaults to info.
2654
2655 SyslogLevelPrefix=
2656 Takes a boolean argument. If true and StandardOutput= or
2657 StandardError= are set to journal or kmsg (or to the same settings
2658 in combination with +console), log lines written by the executed
2659 process that are prefixed with a log level will be processed with
2660 this log level set but the prefix removed. If set to false, the
2661 interpretation of these prefixes is disabled and the logged lines
2662 are passed on as-is. This only applies to log messages written to
2663 stdout or stderr. For details about this prefixing see sd-
2664 daemon(3). Defaults to true.
2665
2666 TTYPath=
2667 Sets the terminal device node to use if standard input, output, or
2668 error are connected to a TTY (see above). Defaults to /dev/console.
2669
2670 TTYReset=
2671 Reset the terminal device specified with TTYPath= before and after
2672 execution. Defaults to "no".
2673
2674 TTYVHangup=
2675 Disconnect all clients which have opened the terminal device
2676 specified with TTYPath= before and after execution. Defaults to
2677 "no".
2678
2679 TTYVTDisallocate=
2680 If the terminal device specified with TTYPath= is a virtual console
2681 terminal, try to deallocate the TTY before and after execution.
2682 This ensures that the screen and scrollback buffer is cleared.
2683 Defaults to "no".
2684
2686 LoadCredential=ID[:PATH]
2687 Pass a credential to the unit. Credentials are limited-size binary
2688 or textual objects that may be passed to unit processes. They are
2689 primarily used for passing cryptographic keys (both public and
2690 private) or certificates, user account information or identity
2691 information from host to services. The data is accessible from the
2692 unit's processes via the file system, at a read-only location that
2693 (if possible and permitted) is backed by non-swappable memory. The
2694 data is only accessible to the user associated with the unit, via
2695 the User=/DynamicUser= settings (as well as the superuser). When
2696 available, the location of credentials is exported as the
2697 $CREDENTIALS_DIRECTORY environment variable to the unit's
2698 processes.
2699
2700 The LoadCredential= setting takes a textual ID to use as name for a
2701 credential plus a file system path, separated by a colon. The ID
2702 must be a short ASCII string suitable as filename in the
2703 filesystem, and may be chosen freely by the user. If the specified
2704 path is absolute it is opened as regular file and the credential
2705 data is read from it. If the absolute path refers to an AF_UNIX
2706 stream socket in the file system a connection is made to it (only
2707 once at unit start-up) and the credential data read from the
2708 connection, providing an easy IPC integration point for dynamically
2709 providing credentials from other services. If the specified path is
2710 not absolute and itself qualifies as valid credential identifier it
2711 is understood to refer to a credential that the service manager
2712 itself received via the $CREDENTIALS_DIRECTORY environment
2713 variable, which may be used to propagate credentials from an
2714 invoking environment (e.g. a container manager that invoked the
2715 service manager) into a service. The contents of the file/socket
2716 may be arbitrary binary or textual data, including newline
2717 characters and NUL bytes. If the file system path is omitted it is
2718 chosen identical to the credential name, i.e. this is a terse way
2719 do declare credentials to inherit from the service manager into a
2720 service. This option may be used multiple times, each time defining
2721 an additional credential to pass to the unit.
2722
2723 The credential files/IPC sockets must be accessible to the service
2724 manager, but don't have to be directly accessible to the unit's
2725 processes: the credential data is read and copied into separate,
2726 read-only copies for the unit that are accessible to appropriately
2727 privileged processes. This is particularly useful in combination
2728 with DynamicUser= as this way privileged data can be made available
2729 to processes running under a dynamic UID (i.e. not a previously
2730 known one) without having to open up access to all users.
2731
2732 In order to reference the path a credential may be read from within
2733 a ExecStart= command line use "${CREDENTIALS_DIRECTORY}/mycred",
2734 e.g. "ExecStart=cat ${CREDENTIALS_DIRECTORY}/mycred".
2735
2736 Currently, an accumulated credential size limit of 1 MB per unit is
2737 enforced.
2738
2739 If referencing an AF_UNIX stream socket to connect to, the
2740 connection will originate from an abstract namespace socket, that
2741 includes information about the unit and the credential ID in its
2742 socket name. Use getpeername(2) to query this information. The
2743 returned socket name is formatted as NUL RANDOM "/unit/" UNIT "/"
2744 ID, i.e. a NUL byte (as required for abstract namespace socket
2745 names), followed by a random string (consisting of alphadecimal
2746 characters), followed by the literal string "/unit/", followed by
2747 the requesting unit name, followed by the literal character "/",
2748 followed by the textual credential ID requested. Example:
2749 "\0adf9d86b6eda275e/unit/foobar.service/credx" in case the
2750 credential "credx" is requested for a unit "foobar.service". This
2751 functionality is useful for using a single listening socket to
2752 serve credentials to multiple consumers.
2753
2754 SetCredential=ID:VALUE
2755 The SetCredential= setting is similar to LoadCredential= but
2756 accepts a literal value to use as data for the credential, instead
2757 of a file system path to read the data from. Do not use this option
2758 for data that is supposed to be secret, as it is accessible to
2759 unprivileged processes via IPC. It's only safe to use this for user
2760 IDs, public key material and similar non-sensitive data. For
2761 everything else use LoadCredential=. In order to embed binary data
2762 into the credential data use C-style escaping (i.e. "\n" to embed
2763 a newline, or "\x00" to embed a NUL byte).
2764
2765 If a credential of the same ID is listed in both LoadCredential=
2766 and SetCredential=, the latter will act as default if the former
2767 cannot be retrieved. In this case not being able to retrieve the
2768 credential from the path specified in LoadCredential= is not
2769 considered fatal.
2770
2772 UtmpIdentifier=
2773 Takes a four character identifier string for an utmp(5) and wtmp
2774 entry for this service. This should only be set for services such
2775 as getty implementations (such as agetty(8)) where utmp/wtmp
2776 entries must be created and cleared before and after execution, or
2777 for services that shall be executed as if they were run by a getty
2778 process (see below). If the configured string is longer than four
2779 characters, it is truncated and the terminal four characters are
2780 used. This setting interprets %I style string replacements. This
2781 setting is unset by default, i.e. no utmp/wtmp entries are created
2782 or cleaned up for this service.
2783
2784 UtmpMode=
2785 Takes one of "init", "login" or "user". If UtmpIdentifier= is set,
2786 controls which type of utmp(5)/wtmp entries for this service are
2787 generated. This setting has no effect unless UtmpIdentifier= is set
2788 too. If "init" is set, only an INIT_PROCESS entry is generated and
2789 the invoked process must implement a getty-compatible utmp/wtmp
2790 logic. If "login" is set, first an INIT_PROCESS entry, followed by
2791 a LOGIN_PROCESS entry is generated. In this case, the invoked
2792 process must implement a login(1)-compatible utmp/wtmp logic. If
2793 "user" is set, first an INIT_PROCESS entry, then a LOGIN_PROCESS
2794 entry and finally a USER_PROCESS entry is generated. In this case,
2795 the invoked process may be any process that is suitable to be run
2796 as session leader. Defaults to "init".
2797
2799 Processes started by the service manager are executed with an
2800 environment variable block assembled from multiple sources. Processes
2801 started by the system service manager generally do not inherit
2802 environment variables set for the service manager itself (but this may
2803 be altered via PassEnvironment=), but processes started by the user
2804 service manager instances generally do inherit all environment
2805 variables set for the service manager itself.
2806
2807 For each invoked process the list of environment variables set is
2808 compiled from the following sources:
2809
2810 • Variables globally configured for the service manager, using the
2811 DefaultEnvironment= setting in systemd-system.conf(5), the kernel
2812 command line option systemd.setenv= understood by systemd(1), or
2813 via systemctl(1) set-environment verb.
2814
2815 • Variables defined by the service manager itself (see the list
2816 below).
2817
2818 • Variables set in the service manager's own environment variable
2819 block (subject to PassEnvironment= for the system service manager).
2820
2821 • Variables set via Environment= in the unit file.
2822
2823 • Variables read from files specified via EnvironmentFile= in the
2824 unit file.
2825
2826 • Variables set by any PAM modules in case PAMName= is in effect,
2827 cf. pam_env(8).
2828
2829 If the same environment variable is set by multiple of these sources,
2830 the later source — according to the order of the list above — wins.
2831 Note that as the final step all variables listed in UnsetEnvironment=
2832 are removed from the compiled environment variable list, immediately
2833 before it is passed to the executed process.
2834
2835 The general philosophy is to expose a small curated list of environment
2836 variables to processes. Services started by the system manager (PID 1)
2837 will be started, without additional service-specific configuration,
2838 with just a few environment variables. The user manager inherits
2839 environment variables as any other system service, but in addition may
2840 receive additional environment variables from PAM, and, typically,
2841 additional imported variables when the user starts a graphical session.
2842 It is recommended to keep the environment blocks in both the system and
2843 user managers managers lean. Importing all variables inherited by the
2844 graphical session or by one of the user shells is strongly discouraged.
2845
2846 Hint: systemd-run -P env and systemd-run --user -P env print the
2847 effective system and user service environment blocks.
2848
2849 Environment Variables Set or Propagated by the Service Manager
2850 The following environment variables are propagated by the service
2851 manager or generated internally for each invoked process:
2852
2853 $PATH
2854 Colon-separated list of directories to use when launching
2855 executables. systemd uses a fixed value of
2856 "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin" in the system
2857 manager. When compiled for systems with "unmerged /usr/" (/bin is
2858 not a symlink to /usr/bin), ":/sbin:/bin" is appended. In case of
2859 the user manager, a different path may be configured by the
2860 distribution. It is recommended to not rely on the order of
2861 entries, and have only one program with a given name in $PATH.
2862
2863 $LANG
2864 Locale. Can be set in locale.conf(5) or on the kernel command line
2865 (see systemd(1) and kernel-command-line(7)).
2866
2867 $USER, $LOGNAME, $HOME, $SHELL
2868 User name (twice), home directory, and the login shell. The
2869 variables are set for the units that have User= set, which includes
2870 user systemd instances. See passwd(5).
2871
2872 $INVOCATION_ID
2873 Contains a randomized, unique 128bit ID identifying each runtime
2874 cycle of the unit, formatted as 32 character hexadecimal string. A
2875 new ID is assigned each time the unit changes from an inactive
2876 state into an activating or active state, and may be used to
2877 identify this specific runtime cycle, in particular in data stored
2878 offline, such as the journal. The same ID is passed to all
2879 processes run as part of the unit.
2880
2881 $XDG_RUNTIME_DIR
2882 The directory to use for runtime objects (such as IPC objects) and
2883 volatile state. Set for all services run by the user systemd
2884 instance, as well as any system services that use PAMName= with a
2885 PAM stack that includes pam_systemd. See below and pam_systemd(8)
2886 for more information.
2887
2888 $RUNTIME_DIRECTORY, $STATE_DIRECTORY, $CACHE_DIRECTORY,
2889 $LOGS_DIRECTORY, $CONFIGURATION_DIRECTORY
2890 Absolute paths to the directories defined with RuntimeDirectory=,
2891 StateDirectory=, CacheDirectory=, LogsDirectory=, and
2892 ConfigurationDirectory= when those settings are used.
2893
2894 $CREDENTIALS_DIRECTORY
2895 An absolute path to the per-unit directory with credentials
2896 configured via LoadCredential=/SetCredential=. The directory is
2897 marked read-only and is placed in unswappable memory (if supported
2898 and permitted), and is only accessible to the UID associated with
2899 the unit via User= or DynamicUser= (and the superuser).
2900
2901 $MAINPID
2902 The PID of the unit's main process if it is known. This is only set
2903 for control processes as invoked by ExecReload= and similar.
2904
2905 $MANAGERPID
2906 The PID of the user systemd instance, set for processes spawned by
2907 it.
2908
2909 $LISTEN_FDS, $LISTEN_PID, $LISTEN_FDNAMES
2910 Information about file descriptors passed to a service for socket
2911 activation. See sd_listen_fds(3).
2912
2913 $NOTIFY_SOCKET
2914 The socket sd_notify() talks to. See sd_notify(3).
2915
2916 $WATCHDOG_PID, $WATCHDOG_USEC
2917 Information about watchdog keep-alive notifications. See
2918 sd_watchdog_enabled(3).
2919
2920 $SYSTEMD_EXEC_PID
2921 The PID of the unit process (e.g. process invoked by ExecStart=).
2922 The child process can use this information to determine whether the
2923 process is directly invoked by the service manager or indirectly as
2924 a child of another process by comparing this value with the current
2925 PID (as similar to the scheme used in sd_listen_fds(3) with
2926 $LISTEN_PID and $LISTEN_FDS).
2927
2928 $TERM
2929 Terminal type, set only for units connected to a terminal
2930 (StandardInput=tty, StandardOutput=tty, or StandardError=tty). See
2931 termcap(5).
2932
2933 $LOG_NAMESPACE
2934 Contains the name of the selected logging namespace when the
2935 LogNamespace= service setting is used.
2936
2937 $JOURNAL_STREAM
2938 If the standard output or standard error output of the executed
2939 processes are connected to the journal (for example, by setting
2940 StandardError=journal) $JOURNAL_STREAM contains the device and
2941 inode numbers of the connection file descriptor, formatted in
2942 decimal, separated by a colon (":"). This permits invoked processes
2943 to safely detect whether their standard output or standard error
2944 output are connected to the journal. The device and inode numbers
2945 of the file descriptors should be compared with the values set in
2946 the environment variable to determine whether the process output is
2947 still connected to the journal. Note that it is generally not
2948 sufficient to only check whether $JOURNAL_STREAM is set at all as
2949 services might invoke external processes replacing their standard
2950 output or standard error output, without unsetting the environment
2951 variable.
2952
2953 If both standard output and standard error of the executed
2954 processes are connected to the journal via a stream socket, this
2955 environment variable will contain information about the standard
2956 error stream, as that's usually the preferred destination for log
2957 data. (Note that typically the same stream is used for both
2958 standard output and standard error, hence very likely the
2959 environment variable contains device and inode information matching
2960 both stream file descriptors.)
2961
2962 This environment variable is primarily useful to allow services to
2963 optionally upgrade their used log protocol to the native journal
2964 protocol (using sd_journal_print(3) and other functions) if their
2965 standard output or standard error output is connected to the
2966 journal anyway, thus enabling delivery of structured metadata along
2967 with logged messages.
2968
2969 $SERVICE_RESULT
2970 Only defined for the service unit type, this environment variable
2971 is passed to all ExecStop= and ExecStopPost= processes, and encodes
2972 the service "result". Currently, the following values are defined:
2973
2974 Table 4. Defined $SERVICE_RESULT values
2975 ┌──────────────────┬────────────────────────────┐
2976 │Value │ Meaning │
2977 ├──────────────────┼────────────────────────────┤
2978 │"success" │ The service ran │
2979 │ │ successfully and exited │
2980 │ │ cleanly. │
2981 ├──────────────────┼────────────────────────────┤
2982 │"protocol" │ A protocol violation │
2983 │ │ occurred: the service did │
2984 │ │ not take the steps │
2985 │ │ required by its unit │
2986 │ │ configuration │
2987 │ │ (specifically what is │
2988 │ │ configured in its Type= │
2989 │ │ setting). │
2990 ├──────────────────┼────────────────────────────┤
2991 │"timeout" │ One of the steps timed │
2992 │ │ out. │
2993 ├──────────────────┼────────────────────────────┤
2994 │"exit-code" │ Service process exited │
2995 │ │ with a non-zero exit code; │
2996 │ │ see $EXIT_CODE below for │
2997 │ │ the actual exit code │
2998 │ │ returned. │
2999 ├──────────────────┼────────────────────────────┤
3000 │"signal" │ A service process was │
3001 │ │ terminated abnormally by a │
3002 │ │ signal, without dumping │
3003 │ │ core. See $EXIT_CODE below │
3004 │ │ for the actual signal │
3005 │ │ causing the termination. │
3006 ├──────────────────┼────────────────────────────┤
3007 │"core-dump" │ A service process │
3008 │ │ terminated abnormally with │
3009 │ │ a signal and dumped core. │
3010 │ │ See $EXIT_CODE below for │
3011 │ │ the signal causing the │
3012 │ │ termination. │
3013 ├──────────────────┼────────────────────────────┤
3014 │"watchdog" │ Watchdog keep-alive ping │
3015 │ │ was enabled for the │
3016 │ │ service, but the deadline │
3017 │ │ was missed. │
3018 ├──────────────────┼────────────────────────────┤
3019 │"start-limit-hit" │ A start limit was defined │
3020 │ │ for the unit and it was │
3021 │ │ hit, causing the unit to │
3022 │ │ fail to start. See │
3023 │ │ systemd.unit(5)'s │
3024 │ │ StartLimitIntervalSec= and │
3025 │ │ StartLimitBurst= for │
3026 │ │ details. │
3027 ├──────────────────┼────────────────────────────┤
3028 │"resources" │ A catch-all condition in │
3029 │ │ case a system operation │
3030 │ │ failed. │
3031 └──────────────────┴────────────────────────────┘
3032 This environment variable is useful to monitor failure or
3033 successful termination of a service. Even though this variable is
3034 available in both ExecStop= and ExecStopPost=, it is usually a
3035 better choice to place monitoring tools in the latter, as the
3036 former is only invoked for services that managed to start up
3037 correctly, and the latter covers both services that failed during
3038 their start-up and those which failed during their runtime.
3039
3040 $EXIT_CODE, $EXIT_STATUS
3041 Only defined for the service unit type, these environment variables
3042 are passed to all ExecStop=, ExecStopPost= processes and contain
3043 exit status/code information of the main process of the service.
3044 For the precise definition of the exit code and status, see
3045 wait(2). $EXIT_CODE is one of "exited", "killed", "dumped".
3046 $EXIT_STATUS contains the numeric exit code formatted as string if
3047 $EXIT_CODE is "exited", and the signal name in all other cases.
3048 Note that these environment variables are only set if the service
3049 manager succeeded to start and identify the main process of the
3050 service.
3051
3052 Table 5. Summary of possible service result variable values
3053 ┌──────────────────┬──────────────────┬─────────────────────┐
3054 │$SERVICE_RESULT │ $EXIT_CODE │ $EXIT_STATUS │
3055 ├──────────────────┼──────────────────┼─────────────────────┤
3056 │"success" │ "killed" │ "HUP", "INT", │
3057 │ │ │ "TERM", "PIPE" │
3058 │ ├──────────────────┼─────────────────────┤
3059 │ │ "exited" │ "0" │
3060 ├──────────────────┼──────────────────┼─────────────────────┤
3061 │"protocol" │ not set │ not set │
3062 │ ├──────────────────┼─────────────────────┤
3063 │ │ "exited" │ "0" │
3064 ├──────────────────┼──────────────────┼─────────────────────┤
3065 │"timeout" │ "killed" │ "TERM", "KILL" │
3066 │ ├──────────────────┼─────────────────────┤
3067 │ │ "exited" │ "0", "1", "2", "3", │
3068 │ │ │ ..., "255" │
3069 ├──────────────────┼──────────────────┼─────────────────────┤
3070 │"exit-code" │ "exited" │ "1", "2", "3", ..., │
3071 │ │ │ "255" │
3072 ├──────────────────┼──────────────────┼─────────────────────┤
3073 │"signal" │ "killed" │ "HUP", "INT", │
3074 │ │ │ "KILL", ... │
3075 ├──────────────────┼──────────────────┼─────────────────────┤
3076 │"core-dump" │ "dumped" │ "ABRT", "SEGV", │
3077 │ │ │ "QUIT", ... │
3078 ├──────────────────┼──────────────────┼─────────────────────┤
3079 │"watchdog" │ "dumped" │ "ABRT" │
3080 │ ├──────────────────┼─────────────────────┤
3081 │ │ "killed" │ "TERM", "KILL" │
3082 │ ├──────────────────┼─────────────────────┤
3083 │ │ "exited" │ "0", "1", "2", "3", │
3084 │ │ │ ..., "255" │
3085 ├──────────────────┼──────────────────┼─────────────────────┤
3086 │"exec-condition" │ "exited" │ "1", "2", "3", "4", │
3087 │ │ │ ..., "254" │
3088 ├──────────────────┼──────────────────┼─────────────────────┤
3089 │"oom-kill" │ "killed" │ "TERM", "KILL" │
3090 ├──────────────────┼──────────────────┼─────────────────────┤
3091 │"start-limit-hit" │ not set │ not set │
3092 ├──────────────────┼──────────────────┼─────────────────────┤
3093 │"resources" │ any of the above │ any of the above │
3094 ├──────────────────┴──────────────────┴─────────────────────┤
3095 │Note: the process may be also terminated by a signal not │
3096 │sent by systemd. In particular the process may send an │
3097 │arbitrary signal to itself in a handler for any of the │
3098 │non-maskable signals. Nevertheless, in the "timeout" and │
3099 │"watchdog" rows above only the signals that systemd sends │
3100 │have been included. Moreover, using SuccessExitStatus= │
3101 │additional exit statuses may be declared to indicate clean │
3102 │termination, which is not reflected by this table. │
3103 └───────────────────────────────────────────────────────────┘
3104
3105 $PIDFILE
3106 The path to the configured PID file, in case the process is forked
3107 off on behalf of a service that uses the PIDFile= setting, see
3108 systemd.service(5) for details. Service code may use this
3109 environment variable to automatically generate a PID file at the
3110 location configured in the unit file. This field is set to an
3111 absolute path in the file system.
3112
3113 For system services, when PAMName= is enabled and pam_systemd is part
3114 of the selected PAM stack, additional environment variables defined by
3115 systemd may be set for services. Specifically, these are $XDG_SEAT,
3116 $XDG_VTNR, see pam_systemd(8) for details.
3117
3119 When invoking a unit process the service manager possibly fails to
3120 apply the execution parameters configured with the settings above. In
3121 that case the already created service process will exit with a non-zero
3122 exit code before the configured command line is executed. (Or in other
3123 words, the child process possibly exits with these error codes, after
3124 having been created by the fork(2) system call, but before the matching
3125 execve(2) system call is called.) Specifically, exit codes defined by
3126 the C library, by the LSB specification and by the systemd service
3127 manager itself are used.
3128
3129 The following basic service exit codes are defined by the C library.
3130
3131 Table 6. Basic C library exit codes
3132 ┌──────────┬───────────────┬────────────────────┐
3133 │Exit Code │ Symbolic Name │ Description │
3134 ├──────────┼───────────────┼────────────────────┤
3135 │0 │ EXIT_SUCCESS │ Generic success │
3136 │ │ │ code. │
3137 ├──────────┼───────────────┼────────────────────┤
3138 │1 │ EXIT_FAILURE │ Generic failure or │
3139 │ │ │ unspecified error. │
3140 └──────────┴───────────────┴────────────────────┘
3141
3142 The following service exit codes are defined by the LSB
3143 specification[10].
3144
3145 Table 7. LSB service exit codes
3146 ┌──────────┬──────────────────────┬────────────────────┐
3147 │Exit Code │ Symbolic Name │ Description │
3148 ├──────────┼──────────────────────┼────────────────────┤
3149 │2 │ EXIT_INVALIDARGUMENT │ Invalid or excess │
3150 │ │ │ arguments. │
3151 ├──────────┼──────────────────────┼────────────────────┤
3152 │3 │ EXIT_NOTIMPLEMENTED │ Unimplemented │
3153 │ │ │ feature. │
3154 ├──────────┼──────────────────────┼────────────────────┤
3155 │4 │ EXIT_NOPERMISSION │ The user has │
3156 │ │ │ insufficient │
3157 │ │ │ privileges. │
3158 ├──────────┼──────────────────────┼────────────────────┤
3159 │5 │ EXIT_NOTINSTALLED │ The program is not │
3160 │ │ │ installed. │
3161 ├──────────┼──────────────────────┼────────────────────┤
3162 │6 │ EXIT_NOTCONFIGURED │ The program is not │
3163 │ │ │ configured. │
3164 ├──────────┼──────────────────────┼────────────────────┤
3165 │7 │ EXIT_NOTRUNNING │ The program is not │
3166 │ │ │ running. │
3167 └──────────┴──────────────────────┴────────────────────┘
3168
3169 The LSB specification suggests that error codes 200 and above are
3170 reserved for implementations. Some of them are used by the service
3171 manager to indicate problems during process invocation:
3172
3173 Table 8. systemd-specific exit codes
3174 ┌──────────┬──────────────────────────────┬─────────────────────────────────────────────┐
3175 │Exit Code │ Symbolic Name │ Description │
3176 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3177 │200 │ EXIT_CHDIR │ Changing to the │
3178 │ │ │ requested working │
3179 │ │ │ directory failed. │
3180 │ │ │ See │
3181 │ │ │ WorkingDirectory= │
3182 │ │ │ above. │
3183 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3184 │201 │ EXIT_NICE │ Failed to set up │
3185 │ │ │ process scheduling │
3186 │ │ │ priority (nice │
3187 │ │ │ level). See Nice= │
3188 │ │ │ above. │
3189 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3190 │202 │ EXIT_FDS │ Failed to close │
3191 │ │ │ unwanted file │
3192 │ │ │ descriptors, or to │
3193 │ │ │ adjust passed file │
3194 │ │ │ descriptors. │
3195 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3196 │203 │ EXIT_EXEC │ The actual process │
3197 │ │ │ execution failed │
3198 │ │ │ (specifically, the │
3199 │ │ │ execve(2) system │
3200 │ │ │ call). Most likely │
3201 │ │ │ this is caused by a │
3202 │ │ │ missing or │
3203 │ │ │ non-accessible │
3204 │ │ │ executable file. │
3205 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3206 │204 │ EXIT_MEMORY │ Failed to perform │
3207 │ │ │ an action due to │
3208 │ │ │ memory shortage. │
3209 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3210 │205 │ EXIT_LIMITS │ Failed to adjust │
3211 │ │ │ resource limits. │
3212 │ │ │ See LimitCPU= and │
3213 │ │ │ related settings │
3214 │ │ │ above. │
3215 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3216 │206 │ EXIT_OOM_ADJUST │ Failed to adjust │
3217 │ │ │ the OOM setting. │
3218 │ │ │ See OOMScoreAdjust= │
3219 │ │ │ above. │
3220 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3221 │207 │ EXIT_SIGNAL_MASK │ Failed to set │
3222 │ │ │ process signal │
3223 │ │ │ mask. │
3224 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3225 │208 │ EXIT_STDIN │ Failed to set up │
3226 │ │ │ standard input. See │
3227 │ │ │ StandardInput= │
3228 │ │ │ above. │
3229 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3230 │209 │ EXIT_STDOUT │ Failed to set up │
3231 │ │ │ standard output. │
3232 │ │ │ See StandardOutput= │
3233 │ │ │ above. │
3234 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3235 │210 │ EXIT_CHROOT │ Failed to change │
3236 │ │ │ root directory │
3237 │ │ │ (chroot(2)). See │
3238 │ │ │ RootDirectory=/RootImage= │
3239 │ │ │ above. │
3240 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3241 │211 │ EXIT_IOPRIO │ Failed to set up IO │
3242 │ │ │ scheduling priority. See │
3243 │ │ │ IOSchedulingClass=/IOSchedulingPriority= │
3244 │ │ │ above. │
3245 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3246 │212 │ EXIT_TIMERSLACK │ Failed to set up timer slack. See │
3247 │ │ │ TimerSlackNSec= above. │
3248 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3249 │213 │ EXIT_SECUREBITS │ Failed to set process secure bits. See │
3250 │ │ │ SecureBits= above. │
3251 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3252 │214 │ EXIT_SETSCHEDULER │ Failed to set up CPU scheduling. See │
3253 │ │ │ CPUSchedulingPolicy=/CPUSchedulingPriority= │
3254 │ │ │ above. │
3255 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3256 │215 │ EXIT_CPUAFFINITY │ Failed to set up CPU affinity. See │
3257 │ │ │ CPUAffinity= above. │
3258 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3259 │216 │ EXIT_GROUP │ Failed to determine or change group │
3260 │ │ │ credentials. See │
3261 │ │ │ Group=/SupplementaryGroups= above. │
3262 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3263 │217 │ EXIT_USER │ Failed to determine or change user │
3264 │ │ │ credentials, or to set up user namespacing. │
3265 │ │ │ See User=/PrivateUsers= above. │
3266 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3267 │218 │ EXIT_CAPABILITIES │ Failed to drop capabilities, or apply │
3268 │ │ │ ambient capabilities. See │
3269 │ │ │ CapabilityBoundingSet=/AmbientCapabilities= │
3270 │ │ │ above. │
3271 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3272 │219 │ EXIT_CGROUP │ Setting up the service control group │
3273 │ │ │ failed. │
3274 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3275 │220 │ EXIT_SETSID │ Failed to create new process session. │
3276 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3277 │221 │ EXIT_CONFIRM │ Execution has been cancelled by the user. │
3278 │ │ │ See the systemd.confirm_spawn= kernel │
3279 │ │ │ command line setting on kernel-command- │
3280 │ │ │ line(7) for details. │
3281 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3282 │222 │ EXIT_STDERR │ Failed to set up standard error output. See │
3283 │ │ │ StandardError= above. │
3284 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3285 │224 │ EXIT_PAM │ Failed to set up PAM session. See PAMName= │
3286 │ │ │ above. │
3287 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3288 │225 │ EXIT_NETWORK │ Failed to set up network namespacing. See │
3289 │ │ │ PrivateNetwork= above. │
3290 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3291 │226 │ EXIT_NAMESPACE │ Failed to set up mount, UTS, or IPC │
3292 │ │ │ namespacing. See ReadOnlyPaths=, │
3293 │ │ │ ProtectHostname=, PrivateIPC=, and related │
3294 │ │ │ settings above. │
3295 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3296 │227 │ EXIT_NO_NEW_PRIVILEGES │ Failed to disable new privileges. See │
3297 │ │ │ NoNewPrivileges=yes above. │
3298 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3299 │228 │ EXIT_SECCOMP │ Failed to apply system call filters. See │
3300 │ │ │ SystemCallFilter= and related settings │
3301 │ │ │ above. │
3302 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3303 │229 │ EXIT_SELINUX_CONTEXT │ Determining or changing SELinux context │
3304 │ │ │ failed. See SELinuxContext= above. │
3305 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3306 │230 │ EXIT_PERSONALITY │ Failed to set up an execution domain │
3307 │ │ │ (personality). See Personality= above. │
3308 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3309 │231 │ EXIT_APPARMOR_PROFILE │ Failed to prepare changing AppArmor │
3310 │ │ │ profile. See AppArmorProfile= above. │
3311 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3312 │232 │ EXIT_ADDRESS_FAMILIES │ Failed to restrict address families. See │
3313 │ │ │ RestrictAddressFamilies= above. │
3314 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3315 │233 │ EXIT_RUNTIME_DIRECTORY │ Setting up runtime directory failed. See │
3316 │ │ │ RuntimeDirectory= and related settings │
3317 │ │ │ above. │
3318 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3319 │235 │ EXIT_CHOWN │ Failed to adjust socket ownership. Used for │
3320 │ │ │ socket units only. │
3321 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3322 │236 │ EXIT_SMACK_PROCESS_LABEL │ Failed to set SMACK label. See │
3323 │ │ │ SmackProcessLabel= above. │
3324 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3325 │237 │ EXIT_KEYRING │ Failed to set up kernel keyring. │
3326 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3327 │238 │ EXIT_STATE_DIRECTORY │ Failed to set up unit's state directory. │
3328 │ │ │ See StateDirectory= above. │
3329 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3330 │239 │ EXIT_CACHE_DIRECTORY │ Failed to set up unit's cache directory. │
3331 │ │ │ See CacheDirectory= above. │
3332 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3333 │240 │ EXIT_LOGS_DIRECTORY │ Failed to set up unit's logging directory. │
3334 │ │ │ See LogsDirectory= above. │
3335 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3336 │241 │ EXIT_CONFIGURATION_DIRECTORY │ Failed to set up unit's configuration │
3337 │ │ │ directory. See ConfigurationDirectory= │
3338 │ │ │ above. │
3339 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3340 │242 │ EXIT_NUMA_POLICY │ Failed to set up unit's NUMA memory policy. │
3341 │ │ │ See NUMAPolicy= and NUMAMask= above. │
3342 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3343 │243 │ EXIT_CREDENTIALS │ Failed to set up unit's credentials. See │
3344 │ │ │ LoadCredential= and SetCredential= above. │
3345 └──────────┴──────────────────────────────┴─────────────────────────────────────────────┘
3346
3347 Finally, the BSD operating systems define a set of exit codes,
3348 typically defined on Linux systems too:
3349
3350 Table 9. BSD exit codes
3351 ┌──────────┬────────────────┬─────────────────────┐
3352 │Exit Code │ Symbolic Name │ Description │
3353 ├──────────┼────────────────┼─────────────────────┤
3354 │64 │ EX_USAGE │ Command line usage │
3355 │ │ │ error │
3356 ├──────────┼────────────────┼─────────────────────┤
3357 │65 │ EX_DATAERR │ Data format error │
3358 ├──────────┼────────────────┼─────────────────────┤
3359 │66 │ EX_NOINPUT │ Cannot open input │
3360 ├──────────┼────────────────┼─────────────────────┤
3361 │67 │ EX_NOUSER │ Addressee unknown │
3362 ├──────────┼────────────────┼─────────────────────┤
3363 │68 │ EX_NOHOST │ Host name unknown │
3364 ├──────────┼────────────────┼─────────────────────┤
3365 │69 │ EX_UNAVAILABLE │ Service unavailable │
3366 ├──────────┼────────────────┼─────────────────────┤
3367 │70 │ EX_SOFTWARE │ internal software │
3368 │ │ │ error │
3369 ├──────────┼────────────────┼─────────────────────┤
3370 │71 │ EX_OSERR │ System error (e.g., │
3371 │ │ │ can't fork) │
3372 ├──────────┼────────────────┼─────────────────────┤
3373 │72 │ EX_OSFILE │ Critical OS file │
3374 │ │ │ missing │
3375 ├──────────┼────────────────┼─────────────────────┤
3376 │73 │ EX_CANTCREAT │ Can't create (user) │
3377 │ │ │ output file │
3378 ├──────────┼────────────────┼─────────────────────┤
3379 │74 │ EX_IOERR │ Input/output error │
3380 ├──────────┼────────────────┼─────────────────────┤
3381 │75 │ EX_TEMPFAIL │ Temporary failure; │
3382 │ │ │ user is invited to │
3383 │ │ │ retry │
3384 ├──────────┼────────────────┼─────────────────────┤
3385 │76 │ EX_PROTOCOL │ Remote error in │
3386 │ │ │ protocol │
3387 ├──────────┼────────────────┼─────────────────────┤
3388 │77 │ EX_NOPERM │ Permission denied │
3389 ├──────────┼────────────────┼─────────────────────┤
3390 │78 │ EX_CONFIG │ Configuration error │
3391 └──────────┴────────────────┴─────────────────────┘
3392
3394 systemd(1), systemctl(1), systemd-analyze(1), journalctl(1), systemd-
3395 system.conf(5), systemd.unit(5), systemd.service(5), systemd.socket(5),
3396 systemd.swap(5), systemd.mount(5), systemd.kill(5), systemd.resource-
3397 control(5), systemd.time(7), systemd.directives(7), tmpfiles.d(5),
3398 exec(3), fork(2)
3399
3401 1. Discoverable Partitions Specification
3402 https://systemd.io/DISCOVERABLE_PARTITIONS
3403
3404 2. The /proc Filesystem
3405 https://www.kernel.org/doc/html/latest/filesystems/proc.html#mount-options
3406
3407 3. User/Group Name Syntax
3408 https://systemd.io/USER_NAMES
3409
3410 4. No New Privileges Flag
3411 https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html
3412
3413 5. JSON User Record
3414 https://systemd.io/USER_RECORD
3415
3416 6. proc.txt
3417 https://www.kernel.org/doc/Documentation/filesystems/proc.txt
3418
3419 7. C escapes
3420 https://en.wikipedia.org/wiki/Escape_sequences_in_C#Table_of_escape_sequences
3421
3422 8. most control characters
3423 https://en.wikipedia.org/wiki/Control_character#In_ASCII
3424
3425 9. Base64
3426 https://tools.ietf.org/html/rfc2045#section-6.8
3427
3428 10. LSB specification
3429 https://refspecs.linuxbase.org/LSB_5.0.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html
3430
3431
3432
3433systemd 249 SYSTEMD.EXEC(5)