1 files changed, 39 insertions, 52 deletions
diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
index fca9690092..a914ef2523 100644
--- a/man/systemd-system.conf.xml
+++ b/man/systemd-system.conf.xml
@@ -7,23 +7,6 @@
 
 <!--
   SPDX-License-Identifier: LGPL-2.1+
-
-  This file is part of systemd.
-
-  Copyright 2010 Lennart Poettering
-
-  systemd is free software; you can redistribute it and/or modify it
-  under the terms of the GNU Lesser General Public License as published by
-  the Free Software Foundation; either version 2.1 of the License, or
-  (at your option) any later version.
-
-  systemd is distributed in the hope that it will be useful, but
-  WITHOUT ANY WARRANTY; without even the implied warranty of
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-  Lesser General Public License for more details.
-
-  You should have received a copy of the GNU Lesser General Public License
-  along with systemd; If not, see <http://www.gnu.org/licenses/>.
 -->
 
 <refentry id="systemd-system.conf"
@@ -31,15 +14,6 @@
   <refentryinfo>
     <title>systemd-system.conf</title>
     <productname>systemd</productname>
-
-    <authorgroup>
-      <author>
-        <contrib>Developer</contrib>
-        <firstname>Lennart</firstname>
-        <surname>Poettering</surname>
-        <email>lennart@poettering.net</email>
-      </author>
-    </authorgroup>
   </refentryinfo>
 
   <refmeta>
@@ -76,7 +50,9 @@
     <filename>user.conf</filename> and the files in
     <filename>user.conf.d</filename> directories. These configuration
     files contain a few settings controlling basic manager
-    operations.</para>
+    operations. See
+    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+    for a general description of the syntax.</para>
   </refsect1>
 
   <xi:include href="standard-conf.xml" xpointer="main-conf" />
@@ -157,31 +133,27 @@
         <term><varname>RuntimeWatchdogSec=</varname></term>
         <term><varname>ShutdownWatchdogSec=</varname></term>
 
-        <listitem><para>Configure the hardware watchdog at runtime and
-        at reboot. Takes a timeout value in seconds (or in other time
-        units if suffixed with <literal>ms</literal>,
-        <literal>min</literal>, <literal>h</literal>,
-        <literal>d</literal>, <literal>w</literal>). If
-        <varname>RuntimeWatchdogSec=</varname> is set to a non-zero
-        value, the watchdog hardware
-        (<filename>/dev/watchdog</filename> or the path specified with
-        <varname>WatchdogDevice=</varname> or the kernel option
-        <varname>systemd.watchdog-device=</varname>) will be programmed
-        to automatically reboot the system if it is not contacted within
-        the specified timeout interval. The system manager will ensure
-        to contact it at least once in half the specified timeout
-        interval. This feature requires a hardware watchdog device to
-        be present, as it is commonly the case in embedded and server
-        systems. Not all hardware watchdogs allow configuration of the
-        reboot timeout, in which case the closest available timeout is
-        picked. <varname>ShutdownWatchdogSec=</varname> may be used to
-        configure the hardware watchdog when the system is asked to
-        reboot. It works as a safety net to ensure that the reboot
-        takes place even if a clean reboot attempt times out. By
-        default <varname>RuntimeWatchdogSec=</varname> defaults to 0
-        (off), and <varname>ShutdownWatchdogSec=</varname> to 10min.
-        These settings have no effect if a hardware watchdog is not
-        available.</para></listitem>
+        <listitem><para>Configure the hardware watchdog at runtime and at reboot. Takes a timeout value in seconds (or
+        in other time units if suffixed with <literal>ms</literal>, <literal>min</literal>, <literal>h</literal>,
+        <literal>d</literal>, <literal>w</literal>). If <varname>RuntimeWatchdogSec=</varname> is set to a non-zero
+        value, the watchdog hardware (<filename>/dev/watchdog</filename> or the path specified with
+        <varname>WatchdogDevice=</varname> or the kernel option <varname>systemd.watchdog-device=</varname>) will be
+        programmed to automatically reboot the system if it is not contacted within the specified timeout interval. The
+        system manager will ensure to contact it at least once in half the specified timeout interval. This feature
+        requires a hardware watchdog device to be present, as it is commonly the case in embedded and server
+        systems. Not all hardware watchdogs allow configuration of all possible reboot timeout values, in which case
+        the closest available timeout is picked. <varname>ShutdownWatchdogSec=</varname> may be used to configure the
+        hardware watchdog when the system is asked to reboot. It works as a safety net to ensure that the reboot takes
+        place even if a clean reboot attempt times out. Note that the <varname>ShutdownWatchdogSec=</varname> timeout
+        applies only to the second phase of the reboot, i.e. after all regular services are already terminated, and
+        after the system and service manager process (PID 1) got replaced by the <filename>systemd-shutdown</filename>
+        binary, see system <citerefentry><refentrytitle>bootup</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+        for details. During the first phase of the shutdown operation the system and service manager remains running
+        and hence <varname>RuntimeWatchdogSec=</varname> is still honoured. In order to define a timeout on this first
+        phase of system shutdown, configure <varname>JobTimeoutSec=</varname> and <varname>JobTimeoutAction=</varname>
+        in the <literal>[Unit]</literal> section of the <filename>shutdown.target</filename> unit. By default
+        <varname>RuntimeWatchdogSec=</varname> defaults to 0 (off), and <varname>ShutdownWatchdogSec=</varname> to
+        10min. These settings have no effect if a hardware watchdog is not available.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -216,6 +188,21 @@
       </varlistentry>
 
       <varlistentry>
+        <term><varname>NoNewPrivileges=</varname></term>
+
+        <listitem><para>Takes a boolean argument. If true, ensures that PID 1
+        and all its children can never gain new privileges through
+        <citerefentry project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+        (e.g. via setuid or setgid bits, or filesystem capabilities).
+        Defaults to false. General purpose distributions commonly rely
+        on executables with setuid or setgid bits and will thus not
+        function properly with this option enabled. Individual units
+        cannot disable this option.
+        Also see <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">No New Privileges Flag</ulink>.
+        </para></listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term><varname>SystemCallArchitectures=</varname></term>
 
         <listitem><para>Takes a space-separated list of architecture