Settings for systemd units
Systemd allows fine-grained customization of units by defining so-called properties. These properties or settings influence what a unit, such as a service, can or cannot do. As there is a wide range of settings, this page presents them, with a quick reference to each.
| Setting | Description | Available since |
|---|---|---|
| CapabilityBoundingSet | Define what capabilities are allowed within the service unit | 21 |
| DeviceAllow | Allow access to a device | 208 |
| DevicePolicy | Define level of access to devices in /dev | 208 |
| ExecPaths | Define the paths from which programs can be executed | 248 |
| InaccessiblePaths | Define paths that should not be accessible | 231 |
| IPAccounting | Define if accounting on network packets and bytes should be used | 235 |
| KeyringMode | Control the kernel session keyring and define what is available to the service | 235 |
| LockPersonality | Prevent processes switching their personality, a kernel execution domain | 235 |
| MemoryDenyWriteExecute | Block creating memory segments that are writable and executable, or altering existing segments to become so | 231 |
| NoExecPaths | Exclude paths from which programs can be executed | 248 |
| NoNewPrivileges | Prevent processes from gaining new privileges | 187 |
| PrivateDevices | Only allow access to a subset of devices in /dev | 209 |
| PrivateMounts | Provide a separate mount namespace for the service | 239 |
| PrivateNetwork | Define if access to the network interfaces of the host is possible | 33 |
| PrivatePIDs | Define a new PID namespace for the process and its children | 257 |
| PrivateTmp | Define a new namespace for the /tmp and /var/tmp directories | 1 |
| PrivateUsers | Define a new user namespace for the process and its children | 232 |
| ProcSubset | Define the subset of access by unit to /proc | 247 |
| ProtectClock | Limit access to clock information | 245 |
| ProtectControlGroups | Limit write access to control groups directory structure under /sys/fs/cgroup | 232 |
| ProtectHome | Define what level of access is possible to home directories | 214 |
| ProtectHostname | Define if the hostname or NIS domain name can be changed | 242 |
| ProtectKernelLogs | Define if service may read or write to the kernel log ring buffer | 244 |
| ProtectKernelModules | Define if kernel modules may be loaded | 232 |
| ProtectKernelTunables | Limit access to Linux kernel tunables and make others read-only | 232 |
| ProtectProc | Control the 'hidepid' mount option to define what information from /proc is available | 247 |
| ProtectSystem | Mark some file system paths as read-only | 214 |
| ReadOnlyPaths | Define paths that can be accessed with read-only permissions | 231 |
| ReadWritePaths | Define paths that can be opened to read from and write to new or existing files | 231 |
| RemoveIPC | Define if System V and POSIX IPC objects owned by the user and group are removed upon stopping the service | 232 |
| RestrictAddressFamilies | Control what socket address families can be used by a unit | 211 |
| RestrictNamespaces | Control if namespace usage is allowed | 233 |
| RestrictRealtime | Limit the ability to use realtime scheduling | 231 |
| RestrictSUIDSGID | Limit the ability to use setuid/setgid bits on files | 242 |
| RuntimeDirectoryMode | Set the default file permissions for the runtime directory, which is defined with RuntimeDirectory | 234 |
| SecureBits | Change the behavior of Linux capabilities by setting the securebits flag of the prctl(2) syscall | 1 |
| SocketBindAllow | Define which address families, transport protocols, and/or ports are allowed to bind() to a socket | 249 |
| SocketBindDeny | Restrict which address families, transport protocols, and/or ports may bind() to a socket | 249 |
| SystemCallArchitectures | Restrict the subset of CPU instructions | 209 |
| SystemCallFilter | Define what syscalls are allowed or forbidden to be used by a process | 187 |
| UMask | Set default umask for new files | 1 |