From: Yu Watanabe Date: Tue, 19 Dec 2017 07:07:04 +0000 (+0900) Subject: man: note that `systemctl show` does not overridden value X-Git-Tag: v237~198^2 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=5af1644314ccab01854e9173f97865013c16b3dd;p=platform%2Fupstream%2Fsystemd.git man: note that `systemctl show` does not overridden value Fixes #7694. --- diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index b0135e4..2f62f1c 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -376,13 +376,14 @@ CapabilityBoundingSet=~CAP_B CAP_C Takes a boolean argument. If true, ensures that the service process and all its children can never gain new privileges through execve() (e.g. via setuid or setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that a process and its children can never - elevate privileges again. Defaults to false, but certain settings force NoNewPrivileges=yes, - ignoring the value of this setting. This is the case when SystemCallFilter=, + elevate privileges again. Defaults to false, but certain settings override this and ignore the value of this + setting. This is the case when SystemCallFilter=, SystemCallArchitectures=, RestrictAddressFamilies=, RestrictNamespaces=, PrivateDevices=, ProtectKernelTunables=, ProtectKernelModules=, MemoryDenyWriteExecute=, RestrictRealtime=, or - LockPersonality= are specified. Also see + LockPersonality= are specified. Note that even if this setting is overridden by them, + systemctl show shows the original value of this setting. Also see No New Privileges Flag.
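Review bot: the rewrite of the first changed sentence loses the one concrete fact the reader needs, namely which way the override goes. The removed text said the listed settings "force NoNewPrivileges=yes", while the replacement "override this and ignore the value of this setting" only says that the value is disregarded, and "override" and "ignore the value" say the same thing twice. Suggest keeping the explicit effective value, e.g. "certain settings force NoNewPrivileges=yes, ignoring the value of this setting", and then appending the new sentence. In that new sentence, "shows the original value of this setting" is also ambiguous; "shows the configured value, not the effective one" states directly that an operator checking `systemctl show` cannot use that output to confirm the flag is in force, which is the point the fix for #7694 is making.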