mirror of
https://github.com/systemd/systemd
synced 2025-10-06 00:13:24 +02:00
e803ec1e25
The current arrangement of service and socket units is sort of all over the place. Let's clean it up a little, roughly following the principles below: - socket units have implicit ordering deps (not to be confused with default ones which are subject to DefaultDependencies=) before associated service, so drop any explicit After= - If socket can be enabled, remember to link to it in service via Also= and Sockets= (the latter replaces Wants=). If the service Requires= socket however, Sockets= is omitted. - If socket is statically enabled, no need for service to pull it in - machined
46 lines
1.2 KiB
SYSTEMD
46 lines
1.2 KiB
SYSTEMD
# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
#
|
|
# This file is part of systemd.
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
[Unit]
|
|
Description=User Database Manager
|
|
Documentation=man:systemd-userdbd.service(8)
|
|
Requires=systemd-userdbd.socket
|
|
Before=sysinit.target
|
|
Wants=systemd-userdb-load-credentials.service
|
|
DefaultDependencies=no
|
|
|
|
[Service]
|
|
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE
|
|
ExecStart={{LIBEXECDIR}}/systemd-userdbd
|
|
IPAddressDeny=any
|
|
LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
|
|
LockPersonality=yes
|
|
MemoryDenyWriteExecute=yes
|
|
NoNewPrivileges=yes
|
|
PrivateDevices=yes
|
|
ProtectProc=invisible
|
|
ProtectControlGroups=yes
|
|
ProtectHome=yes
|
|
ProtectHostname=yes
|
|
ProtectKernelLogs=yes
|
|
ProtectKernelModules=yes
|
|
ProtectSystem=strict
|
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
|
RestrictNamespaces=yes
|
|
RestrictRealtime=yes
|
|
RestrictSUIDSGID=yes
|
|
SystemCallArchitectures=native
|
|
SystemCallErrorNumber=EPERM
|
|
SystemCallFilter=@system-service
|
|
Type=notify
|
|
{{SERVICE_WATCHDOG}}
|
|
|
|
[Install]
|
|
Also=systemd-userdbd.socket
|