From 5af1644314ccab01854e9173f97865013c16b3dd Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Tue, 19 Dec 2017 16:07:04 +0900 Subject: [PATCH] man: note that `systemctl show` does not overridden value Fixes #7694. --- man/systemd.exec.xml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index b0135e4..2f62f1c 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -376,13 +376,14 @@ CapabilityBoundingSet=~CAP_B CAP_C Takes a boolean argument. If true, ensures that the service process and all its children can never gain new privileges through execve() (e.g. via setuid or setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that a process and its children can never - elevate privileges again. Defaults to false, but certain settings force NoNewPrivileges=yes, - ignoring the value of this setting. This is the case when SystemCallFilter=, + elevate privileges again. Defaults to false, but certain settings override this and ignore the value of this + setting. This is the case when SystemCallFilter=, SystemCallArchitectures=, RestrictAddressFamilies=, RestrictNamespaces=, PrivateDevices=, ProtectKernelTunables=, ProtectKernelModules=, MemoryDenyWriteExecute=, RestrictRealtime=, or - LockPersonality= are specified. Also see + LockPersonality= are specified. Note that even if this setting is overridden by them, + systemctl show shows the original value of this setting. Also see No New Privileges Flag. -- 2.7.4
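Review bot: the rewrite of the "Defaults to false" sentence in this hunk drops the one concrete fact the old text carried, namely that the listed settings force NoNewPrivileges=yes; "certain settings override this and ignore the value of this setting" says twice that the value is ignored but no longer says what it becomes, so a reader cannot tell whether the implied value is yes or no. Suggest keeping the original wording and only appending the new note, e.g. "certain settings force NoNewPrivileges=yes, ignoring the value of this setting. This is the case when SystemCallFilter=, ...". In the added sentence, "the original value of this setting" is also ambiguous (original relative to what?); "the configured value of this setting, not the effective one" states the point the commit subject makes, that systemctl show reports what the unit file says rather than the value that is actually in force.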