Section: systemd.exec (5)
Unit configuration files for services, sockets, mount points, and swap devices share a subset of configuration options which define the execution environment of spawned processes.
This man page lists the configuration options shared by these four unit types. See (5) for the common options of all unit configuration files, and (5), (5), (5), and (5) for more information on the specific unit configuration files. The execution specific configuration options are configured in the [Service], [Socket], [Mount], or [Swap] sections, depending on the unit type.
:Sets environment variables for executed processes. Takes a space-separated list of variable assignments. This option may be specified more than once, in which case all listed variables will be set. If the same variable is set twice, the later setting will override the earlier setting. If the empty string is assigned to this option, the list of environment variables is reset and all prior assignments have no effect. Variable expansion is not performed inside the strings; however, specifier expansion is possible. The $ character has no special meaning. If you need to assign a value containing spaces to a variable, use double quotes (") for the assignment.
Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"
gives three variables "VAR1", "VAR2", "VAR3" with the values "word1 word2", "word3", "$word 5 6".
:Similar to Environment= but reads the environment variables from a text file. The text file should contain new-line-separated variable assignments. Empty lines and lines starting with ; or # will be ignored, which may be used for commenting. A line ending with a backslash will be concatenated with the following one, allowing multiline variable definitions. The parser strips leading and trailing whitespace from the values of assignments, unless you use double quotes (").
The argument passed should be an absolute filename or wildcard expression, optionally prefixed with "-", which indicates that if the file does not exist, it will not be read and no error or warning message is logged. This option may be specified more than once, in which case all specified files are read. If the empty string is assigned to this option, the list of files to read is reset and all prior assignments have no effect.
The files listed with this directive will be read shortly before the process is executed (more specifically, after all processes from a previous unit state have terminated; this means you can generate these files in one unit state and read them with this option in the next). Settings from these files override settings made with Environment=. If the same variable is set twice from these files, the files will be read in the order they are specified and the later setting will override the earlier setting.
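The parsing and precedence rules described above for Environment= and EnvironmentFile=, as an added Python example (a simplified model of the rules on this page, not systemd's own parser). The function names, the API_TOKEN variable and the sample file content are constructed for illustration.

```python
import shlex

def split_assignments(value):
    """Tokenize one Environment= value: whitespace separates assignments,
    double quotes group words, and '$' is left as a literal character."""
    lex = shlex.shlex(value, posix=True)
    lex.whitespace_split, lex.quotes, lex.commenters = True, '"', ""
    return [tok.partition("=")[::2] for tok in lex if "=" in tok]

def parse_env_file(text):
    """Apply the EnvironmentFile= rules stated above to a file's content."""
    env, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):          # continuation: join with next line
            pending = line[:-1]
            continue
        pending = ""
        line = line.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue                     # blank line, comment, or no assignment
        name, _, value = line.partition("=")
        value = value.strip()            # unquoted values are trimmed
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # quoted: keep inner whitespace
        env[name.strip()] = value
    return env

def effective_environment(unit_values, file_texts):
    """Environment= in order (empty string resets), then files override."""
    env = {}
    for value in unit_values:
        if value == "":
            env.clear()
        env.update(split_assignments(value))
    for text in file_texts:              # later files win over earlier ones
        env.update(parse_env_file(text))
    return env

UNIT_VALUES = ['"VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"',
               "API_TOKEN=from-unit"]    # constructed sample values
ENV_FILE = r'''# constructed sample file
; second comment style

API_TOKEN=from-file
PADDED="  keep  "
LONG=part1 \
part2
'''
print(effective_environment(UNIT_VALUES, [ENV_FILE]))
```

Because file settings win, anyone who can write to a file named in EnvironmentFile= controls the final value of a variable, whatever the unit file itself assigns.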
LimitCPU=, LimitFSIZE=, LimitDATA=, LimitSTACK=, LimitCORE=, LimitRSS=, LimitNOFILE=, LimitAS=, LimitNPROC=, LimitMEMLOCK=, LimitLOCKS=, LimitSIGPENDING=, LimitMSGQUEUE=, LimitNICE=, LimitRTPRIO=, LimitRTTIME=
ReadWriteDirectories=, ReadOnlyDirectories=, InaccessibleDirectories=
:Sets up a new file system namespace for executed processes. These options may be used to limit the access a process might have to the main file system hierarchy. Each setting takes a space-separated list of absolute directory paths. Directories listed in ReadWriteDirectories= are accessible from within the namespace with the same access rights as from outside. Directories listed in ReadOnlyDirectories= are accessible for reading only; writing will be refused even if the usual file access controls would permit this. Directories listed in InaccessibleDirectories= will be made inaccessible for processes inside the namespace. Note that restricting access with these options does not extend to submounts of a directory that are created later on. These options may be specified more than once, in which case all directories listed will have limited access from within the namespace. If the empty string is assigned to this option, the specific list is reset, and all prior assignments have no effect.
Paths in ReadOnlyDirectories= and InaccessibleDirectories= may be prefixed with "-", in which case they will be ignored when they do not exist. Note that using this setting will disconnect propagation of mounts from the service to the host (propagation in the opposite direction continues to work). This means that this setting may not be used for services which shall be able to install mount points in the main mount namespace.
If you specify both types of this option (i.e. whitelisting and blacklisting), the first encountered will take precedence and will dictate the default action (termination or approval of a system call). Then the next occurrences of this option will add or delete the listed system calls from the set of the filtered system calls, depending on its type and the default action. (For example, if you have started with a whitelisting of read and write, and right after it add a blacklisting of write, then write will be removed from the set.)
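The precedence rule above, modelled as set operations in an added Python example (not systemd code; the tuple representation and function names are assumptions made for illustration). It also shows that the same two lists given in the opposite order produce a far more permissive policy.

```python
def combine_filters(occurrences):
    """occurrences: ordered (kind, syscalls) pairs, kind is "whitelist" or
    "blacklist". Returns (default_action, listed): the first kind fixes the
    default action, later occurrences add to or delete from the listed set."""
    if not occurrences:
        raise ValueError("at least one filter occurrence is required")
    first_kind = occurrences[0][0]
    # Whitelist first: unlisted calls are terminated. Blacklist first: approved.
    default_action = "terminate" if first_kind == "whitelist" else "allow"
    listed = set()
    for kind, calls in occurrences:
        if kind == first_kind:
            listed |= set(calls)   # same type as the first: add to the set
        else:
            listed -= set(calls)   # opposite type: delete from the set
    return default_action, listed

def is_permitted(syscall, default_action, listed):
    """A call is permitted if it is listed under a terminate default,
    or not listed under an allow default."""
    if default_action == "terminate":
        return syscall in listed
    return syscall not in listed

# The page's own case: whitelist read and write, then blacklist write.
PAGE_CASE = [("whitelist", ["read", "write"]), ("blacklist", ["write"])]
# Same lists, opposite order (constructed): the blacklist now sets the default.
REVERSED_CASE = [("blacklist", ["write"]), ("whitelist", ["read", "write"])]

for name, case in (("page", PAGE_CASE), ("reversed", REVERSED_CASE)):
    action, listed = combine_filters(case)
    print(name, action, sorted(listed),
          {c: is_permitted(c, action, listed) for c in ("read", "write", "ptrace")})
```

When reviewing a unit together with its drop-ins, check which occurrence is read first: in the reversed case the listed set ends up empty under an approve-by-default action, so nothing is filtered.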
:Restricts the set of socket address families accessible to the processes of this unit. Takes a space-separated list of address family names to whitelist, such as AF_UNIX, AF_INET or AF_INET6. When prefixed with ~ the listed address families will be applied as a blacklist, otherwise as a whitelist. Note that this restricts access to the socket(2) system call only. Sockets passed into the process by other means (for example, by using socket activation with socket units, see (5)) are unaffected. Also, sockets created with socketpair() (which creates connected AF_UNIX sockets only) are unaffected. Note that this option has no effect on 32-bit x86 and is ignored (but works correctly on x86-64). If running in user mode and this option is used, NoNewPrivileges=yes is implied. By default, no restriction applies and all address families are accessible to processes. If assigned the empty string, any previous list changes are undone.
Use this option to limit exposure of processes to remote systems, in particular via exotic network protocols. Note that in most cases, the local AF_UNIX address family should be included in the configured whitelist as it is frequently used for local communication, including for syslog(2) logging.
Processes started by the system are executed in a clean environment in which select variables listed below are set. System processes started by systemd do not inherit variables from PID 1, but processes started by user systemd instances inherit all environment variables from the user systemd instance.
$USER, $LOGNAME, $HOME, $SHELL
$XDG_SESSION_ID, $XDG_SEAT, $XDG_VTNR
Additional variables may be configured by the following means: for processes spawned in specific units, use the Environment= and EnvironmentFile= options above; to specify variables globally, use DefaultEnvironment= (see (5)) or the kernel option systemd.setenv= (see systemd(1)). Additional variables may also be set through PAM, cf. pam_env(8).