« Back to Settings for systemd units

InaccessiblePaths setting

This systemd unit setting was added since systemd 231.

Purpose: define paths that should not be accessible

Why and when to use InaccessiblePaths

The setting InaccessiblePaths defines paths that should never be accessible. Instead of using the principles of an allow list, it is an explicit deny list. It can be used to block access by a process to a location with sensitive data or a path commonly misused for exploits.

Values

Define the paths that are granted write access.

[Service]
InaccessiblePaths=/dev/shm
  • When a path is prefixed with a minus (-), it is ignored if it does not exist
  • When a path is prefixed with a plus (+), the path is considered relative to root of directory (e.g. configured with RootDirectory)

Generic advice

This setting is not as powerful as others that can make larger parts of the system inaccessible, while defining just a few paths that still should be. In may still be useful when there is a need to block a very sensitive path. A good example for this is when using the MemoryDenyWriteExecute setting.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon