After installing motion:
cat /lib/systemd/system/motion.service | grep !
ExecStartPre=!/bin/mkdir -p /var/log/motion
ExecStartPre=!/bin/chown motion:adm /var/log/motion
See the manual https://www.freedesktop.org/software/systemd/man/systemd.serv...
"+" If the executable path is prefixed with "+" then the process is executed with full privileges. In this mode privilege restrictions configured with User=, Group=, CapabilityBoundingSet= or the various file system namespacing options (such as PrivateDevices=, PrivateTmp=) are not applied to the invoked command line (but still affect any other ExecStart=, ExecStop=, … lines). However, note that this will not bypass options that apply to the whole control group, such as DevicePolicy=, see systemd.resource-control(5) for the full list.
Similar to the "+" character discussed above this permits invoking command lines with elevated privileges. However, unlike "+" the "!" character exclusively alters the effect of User=, Group= and SupplementaryGroups=, i.e. only the stanzas that affect user and group credentials. Note that this setting may be combined with DynamicUser=, in which case a dynamic user/group pair is allocated before the command is invoked, but credential changing is left to the executed process itself.
I have read it, but I still don't quite understand. Could someone explain it in more detail?

Roughly it is like this: both "+" and "!" mean that the command that follows is executed as the privileged user (root), but "+" is the stronger version of "-": "+" ignores a number of privilege restrictions such as PrivateDevices=, PrivateTmp= and so on, whereas "!" does not ignore them. I also recommend Jin Buguo's translation of the systemd documentation: https://www.jinbuguo.com/systemd/systemd.service.html#
I did an experiment.
I wrote a service:
Because the documentation says that "!" lacks the PrivateTmp permission compared with "+", I used PrivateTmp for the experiment. With PrivateTmp enabled, the started service creates a temporary /tmp directory and mounts it under
/tmp/systemd-private-bb77789941f8428aa599931e5be5e923-httpb.service-L9w8fg/tmp
I wrote three groups of whoami and touch commands, then used ls -lah /tmp to look at the files that were created. The results after execution are as follows:
The ls -lah with no prefix showed only aa.txt and cc.txt; bb.txt was not found. The ls -lah with the "+" prefix showed the files in the host's /tmp directory, and bb.txt was visible there too, which shows that "+" behaves as the documentation describes and ignores the PrivateTmp= setting.
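For readers who want to repeat the experiment above, here is a unit file in the same spirit. It is an added example, not the answerer's own service file (which was not included in the post); the unit name test-prefix.service, the User=nobody/Group=nogroup choice, the use of Type=oneshot so that several ExecStart= lines are allowed, and the mapping of aa.txt, bb.txt and cc.txt to the no-prefix, "+" and "!" commands are assumptions made for this example. Each pre-start command writes the output of whoami into a file so that both the effective user and the /tmp view can be compared in one run:

```ini
# /etc/systemd/system/test-prefix.service (constructed example, not from the original post)
[Unit]
Description=Compare ExecStart "+" and "!" prefixes under PrivateTmp

[Service]
Type=oneshot
User=nobody
Group=nogroup
PrivateTmp=true

# No prefix: runs as User=nobody inside the private /tmp mount.
# Expected: aa.txt contains "nobody" and lands in the private /tmp.
ExecStartPre=/bin/sh -c 'whoami > /tmp/aa.txt'

# "+" prefix: full privileges, so User= AND PrivateTmp= are both bypassed.
# Expected: bb.txt contains "root" and lands in the HOST /tmp.
ExecStartPre=+/bin/sh -c 'whoami > /tmp/bb.txt'

# "!" prefix: only User=/Group=/SupplementaryGroups= are bypassed;
# PrivateTmp= still applies.
# Expected: cc.txt contains "root" but lands in the private /tmp.
ExecStartPre=!/bin/sh -c 'whoami > /tmp/cc.txt'

# Two listings for the journal: the private /tmp, then the host /tmp.
ExecStart=/bin/ls -lah /tmp
ExecStart=+/bin/ls -lah /tmp
```

Run it with `systemctl daemon-reload && systemctl start test-prefix.service && journalctl -u test-prefix.service`. The first listing should show aa.txt and cc.txt only, the second listing (the one run with "+") should show bb.txt among the host's /tmp contents, matching the result reported above. The private directory name under /tmp contains a random suffix, so the path quoted in the answer will not match on another machine. From a hardening point of view the difference matters: "!" grants only root credentials and keeps the unit's filesystem sandboxing, so it is the smaller privilege step of the two, while "+" also opens the namespacing restrictions; a quick inventory of where either is used on a host is `grep -rE '^Exec[A-Za-z]*=[+!]' /lib/systemd/system /etc/systemd/system`.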