
DeviceAllow setting

This systemd unit setting was added in systemd 208.

Purpose: define level of access to devices in /dev

Why and when to use DeviceAllow

The DeviceAllow setting restricts which devices in /dev a unit can access, and at what access level. By default, access to devices is not restricted.

Settings

Define DeviceAllow with the path and access level.

DeviceAllow=/dev/sda3 r
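
As an added example (not part of the original article), the Python code below reads the DeviceAllow= lines from a unit file and lists entries that grant more than read access. The sample unit and the function names are constructed for illustration. It assumes systemd's behavior that an omitted access level means full rwm and that an empty DeviceAllow= assignment resets the list.

```python
VALID_ACCESS = set("rwm")  # r = read, w = write, m = mknod (create device nodes)

# Constructed sample unit, not taken from a real service.
SAMPLE_UNIT = """\
[Service]
ExecStart=/usr/local/bin/backupd
DeviceAllow=/dev/sda3 r
DeviceAllow=/dev/sdb1
DeviceAllow=char-pts rw
"""

def parse_device_allow(unit_text):
    """Return the effective DeviceAllow= list as (device, access) tuples."""
    rules = []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key != "DeviceAllow":
            continue
        if not value:  # assumption: an empty assignment resets the list so far
            rules = []
            continue
        parts = value.split(None, 1)
        device = parts[0]
        # Assumption: with no access level given, systemd grants full rwm.
        access = parts[1].strip() if len(parts) > 1 else "rwm"
        # Simplified check: device node path or a char-/block- group specifier.
        if not device.startswith(("/dev/", "char-", "block-")):
            raise ValueError(f"unexpected device specifier: {device!r}")
        if not set(access) <= VALID_ACCESS:
            raise ValueError(f"invalid access {access!r} for {device}")
        rules.append((device, access))
    return rules

def beyond_read(rules):
    """List (device, extra) for entries that grant more than read access."""
    findings = []
    for device, access in rules:
        extra = "".join(sorted(set(access) - {"r"}))
        if extra:
            findings.append((device, extra))
    return findings

if __name__ == "__main__":
    for device, extra in beyond_read(parse_device_allow(SAMPLE_UNIT)):
        print(f"{device}: grants '{extra}' in addition to read")
```

In the sample, the entry without an access level (/dev/sdb1) is reported with write and mknod access, which is easy to miss when reviewing a unit by eye.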

General advice

For most services it might be easier to use PrivateDevices=yes to reduce the devices that can be accessed.


This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
