Settings for systemd units

Systemd allows fine-grained customization of units through so-called properties. These properties, or settings, influence what a unit, such as a service, can or cannot do. As there is a wide range of settings, this page presents them together with a quick reference for each.

| Setting | Description | Available since |
|---|---|---|
| CapabilityBoundingSet | Define what capabilities are allowed within the service unit | |
| DeviceAllow | Define level of access to devices in /dev | 208 |
| DevicePolicy | Define level of access to devices in /dev | 208 |
| ExecPaths | Define the paths from which programs can be executed | 231 |
| InaccessiblePaths | Define paths that should not be accessible | 231 |
| LockPersonality | Prevent processes switching their personality, a kernel execution domain | 235 |
| MemoryDenyWriteExecute | Block creation or alteration of memory segments to become writable and executable as well | 231 |
| NoExecPaths | Exclude paths from which programs can be executed | 231 |
| NoNewPrivileges | Prevent processes from gaining new privileges | 187 |
| PrivateDevices | Only allow access to a subset of devices in /dev | 209 |
| PrivateTmp | Define new namespace for /tmp and /var/tmp directory | |
| ProcSubset | Define the subset of access by unit to /proc | 247 |
| ProtectClock | Limit access to clock information | 245 |
| ProtectControlGroups | Limit write access to control groups directory structure under /sys/fs/cgroup | 232 |
| ProtectHome | Define what level of access is possible to home directories | 214 |
| ProtectKernelLogs | Define if service may read or write to the kernel log ring buffer | 244 |
| ProtectKernelModules | Define if kernel modules may be loaded | 232 |
| ProtectKernelTunables | Limit access to Linux kernel tunables and make others read-only | 232 |
| ProtectProc | Control the 'hidepid' mount option to define what information from /proc is available | 247 |
| ProtectSystem | Mark some file system paths as read-only | 214 |
| ReadWritePaths | Define paths that can be opened to read from and write to new or existing files | 231 |
| RestrictAddressFamilies | Control what socket address families can be used by a unit | 211 |
| RestrictNamespaces | Control which namespaces are allowed | 233 |
| RestrictRealtime | Limit the ability to use realtime scheduling | 231 |
| RestrictSUIDSGID | Limit the ability to use setuid/setgid bits on files | 242 |
| RuntimeDirectoryMode | Set the default file permissions for runtime directory, which is defined as RuntimeDirectory | 234 |
| SocketBindAllow | Define which address families, transport protocols, and/or ports are allowed to bind() to a socket | 249 |
| SocketBindDeny | Restricts address families, transport protocols, and/or ports to bind() to a socket | 249 |
| SystemCallArchitectures | Restrict the subset of CPU instructions | 209 |
| SystemCallFilter | Define what syscalls are allowed or forbidden to be used by a process | 187 |
| UMask | Set default umask for new files | |