|
|
c28716f |
From bc8212cae86fe5b2e1c764fc8ea0e5acbce9a65a Mon Sep 17 00:00:00 2001
|
|
|
c28716f |
From: Christian Hesse <mail@eworm.de>
|
|
|
c28716f |
Date: Tue, 30 Jun 2015 19:12:20 +0200
|
|
|
c28716f |
Subject: [PATCH] man: ProtectHome= protects /root as well
|
|
|
c28716f |
|
|
|
c28716f |
(cherry picked from commit 5833143708733a3fc9e6935922bf11d7d27cb768)
|
|
|
c28716f |
---
|
|
|
c28716f |
man/systemd.exec.xml | 5 +++--
|
|
|
c28716f |
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
c28716f |
|
|
|
c28716f |
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
|
|
|
c28716f |
index 56b53e6015..5b93aa71ef 100644
|
|
|
c28716f |
--- a/man/systemd.exec.xml
|
|
|
c28716f |
+++ b/man/systemd.exec.xml
|
|
|
c28716f |
@@ -858,9 +858,10 @@
|
|
|
c28716f |
|
|
|
c28716f |
<listitem><para>Takes a boolean argument or
|
|
|
c28716f |
<literal>read-only</literal>. If true, the directories
|
|
|
c28716f |
- <filename>/home</filename> and <filename>/run/user</filename>
|
|
|
c28716f |
+ <filename>/home</filename>, <filename>/root</filename> and
|
|
|
c28716f |
+ <filename>/run/user</filename>
|
|
|
c28716f |
are made inaccessible and empty for processes invoked by this
|
|
|
c28716f |
- unit. If set to <literal>read-only</literal>, the two
|
|
|
c28716f |
+ unit. If set to <literal>read-only</literal>, the three
|
|
|
c28716f |
directories are made read-only instead. It is recommended to
|
|
|
c28716f |
enable this setting for all long-running services (in
|
|
|
c28716f |
particular network-facing ones), to ensure they cannot get
|