man: document that PrivateTmp= is unaffected by ProtectSystem=strict

Fixes: #33130
author: Lennart Poettering <lennart@poettering.net> 2024-11-05 13:33:53 +0100
committer: Lennart Poettering <lennart@poettering.net> 2024-11-05 22:57:51 +0100
commit: b71173709651102081c9d8c6d6e3d2a6ef5cf17e (patch)
tree: d947d0f9af5400e0bba34f0c8608422cd74c04a7 /man
parent: man: highlight the privilege issues around the LogControl1 more (diff)
download: systemd-b71173709651102081c9d8c6d6e3d2a6ef5cf17e.tar.xz
systemd-b71173709651102081c9d8c6d6e3d2a6ef5cf17e.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index ac17ab65a4..a955f767e4 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1433,6 +1433,10 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
         set. This setting cannot ensure protection in all cases. In general it has the same limitations as
         <varname>ReadOnlyPaths=</varname>, see below. Defaults to off.</para>
 
+        <para>Note that if <varname>ProtectSystem=</varname> is set to <literal>strict</literal> and
+        <varname>PrivateTmp=</varname> is enabled, then <filename>/tmp/</filename> and
+        <filename>/var/tmp/</filename> will be writable.</para>
+
         <xi:include href="version-info.xml" xpointer="v214"/></listitem>
       </varlistentry>
author	Lennart Poettering <lennart@poettering.net>	2024-11-05 13:33:53 +0100
committer	Lennart Poettering <lennart@poettering.net>	2024-11-05 22:57:51 +0100
commit	b71173709651102081c9d8c6d6e3d2a6ef5cf17e (patch)
tree	d947d0f9af5400e0bba34f0c8608422cd74c04a7 /man
parent	man: highlight the privilege issues around the LogControl1 more (diff)
download	systemd-b71173709651102081c9d8c6d6e3d2a6ef5cf17e.tar.xz systemd-b71173709651102081c9d8c6d6e3d2a6ef5cf17e.zip