ExecPaths setting
This article has last been updated at .
The property ExecPaths is a systemd unit setting used for sandboxing. It is available since systemd 231.
Purpose: define the paths from which programs can be executed
New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.
Why and when to use ExecPaths
The systemd setting ExecPaths defines the paths that are allowed for program execution. It is the opposite of NoExecPaths and they are typically used together. A common option is first to disable execution from ‘/’ with NoExecPaths, then define the paths in ExecPaths where the related binaries of the service are located.
Configuration options of ExecPaths
Define the paths that are allowed for program execution. This is typically done after a more generic ‘block’ has been defined using NoExecPaths, such as the root path.
Example
Execution is only allowed if the binary is /usr/sbin/myprogram and libraries from /usr/lib.
NoExecPaths=/
ExecPaths=/usr/lib /usr/sbin/myprogram
Testing
To see if a program works with this property, consider using the systemd-run command.
systemd-run --pty --property=NoExecPaths=/tmp --property=ExecPaths=/tmp/testing /tmp/testing/mytestfile
For this example to work correctly, make sure that the path /tmp/testing does exist. The mytestfile could be something like a copy of the /bin/ps file.
Related hardening profiles
The systemd unit setting ExecPaths is used in the following systemd hardening profiles. These hardening profiles help improving security of common Linux services and usually require minimal tuning.
