« Back to Settings for systemd units

InaccessiblePaths setting

The property InaccessiblePaths is a systemd unit setting used for sandboxing. It is available since systemd 231.

Purpose: define paths that should not be accessible

Why and when to use InaccessiblePaths

The setting InaccessiblePaths defines paths that should never be accessible. Instead of using the principles of an allow list, it is an explicit deny list. It can be used to block access by a process to a location with sensitive data or a path commonly misused for exploits.

Values

Define the paths that are granted write access.

[Service]
InaccessiblePaths=/dev/shm
  • When a path is prefixed with a minus (-), it is ignored if it does not exist
  • When a path is prefixed with a plus (+), the path is considered relative to root of directory (e.g. configured with RootDirectory)

Generic advice

This setting is not as powerful as others that can make larger parts of the system inaccessible, while defining just a few paths that still should be. In may still be useful when there is a need to block a very sensitive path. A good example for this is when using the MemoryDenyWriteExecute setting.

Related hardening profiles

The systemd unit setting InaccessiblePaths is used in the following hardening profiles.

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?

Related articles

Like to learn more? Here is a list of articles within the same category or having similar tags.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon