man: document footgun on SocketUser=
`SocketUser=` might have inconsistent results if they're inside a path
specified by `RuntimeDirectory=` (or any other directory option where
directories are chown'ed on startup).

Especially in the case of creating a socket-activated service that's
reachable for another user (the most common use case for this option),
it feels prudent to document this caveat, considering how frequently
these unix domain sockets happen to be created in /run.

I just ran into this, and it seems #8635 is at least another
documented case.
flokli committed Apr 26, 2024
1 parent b6df6be commit cd01617
Showing 1 changed file with 6 additions and 1 deletion.
7 changes: 6 additions & 1 deletion man/systemd.socket.xml
Expand Up @@ -377,7 +377,12 @@
sockets and FIFO nodes in the file system are owned by the specified user and group. If unset (the
default), the nodes are owned by the root user/group (if run in system context) or the invoking
user/group (if run in user context). If only a user is specified but no group, then the group is
derived from the user's default group.</para>
derived from the user's default group.
Note that this might not have the desired effect if a socket happens to be inside a directory also
referred in a <varname>RuntimeDirectory=</varname>, <varname>StateDirectory=</varname>,
<varname>CacheDirectory=</varname>, or <varname>LogsDirectory=</varname> of any service, due to the
change of ownership caused by these options.
</para>

<xi:include href="version-info.xml" xpointer="v214"/></listitem>
</varlistentry>
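
Review bot: The added note ("Note that this might not have the desired effect ...") does not say what actually happens to the socket or what the reader should do instead. The commit message is more precise: the directories are chown'ed on startup, so the result is inconsistent. Consider carrying that into the man page, stating that the ownership of the socket node may be changed when a service using one of these directory options starts, and suggesting that the socket be placed outside any such directory. Two wording points: "a directory also referred in" reads better as "a directory that is also referred to by", and the caveat would be easier to spot as its own <para> instead of being appended to the existing paragraph after "derived from the user's default group."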