Thanks for the help. I tested it out (using sed to escape backslashes and quotes) and it seems to work perfectly. On Thursday, March 13th, 2025 at 10:26 AM, Andrei Borzenkov <arvidjaar@xxxxxxxxx> wrote: > > > On Thu, Mar 13, 2025 at 4:54 PM Daniel Hast hast.daniel@xxxxxxxxxxxxxx wrote: > > > Hello, > > > > I'm working on a shell script that makes use of run0, and I'm having trouble figuring out how to escape a file path in the --property option. I want to use --property="ProtectSystem=strict" and --property="ReadWritePaths=[...]" to limit the transient service unit's write access to only the files it needs access to (as a sandboxing measure), but one of the paths comes from user input and could have any characters that are valid in a file path (including spaces and, in principle, any Unicode characters except NUL), so it needs to be escaped. > > > > I'm aware of systemd-escape but I'm unsure of how to use it with arguments to run0; if I simply do something like --property="ReadWritePaths=$(systemd-escape --path "$filename")", I get an error: "Failed to start transient service unit: Invalid ReadWritePaths". But if I pass in an unescaped filename with spaces, I also get this error. What's the right way to do this? > > > Yes, the rules are not apparently documented. > > Looking in sources, the values are quoted using '...' or "...". My > understanding is that '\' can be used to escape quote character > itself.