« Back to Settings for systemd units

MemoryDenyWriteExecute setting

This systemd unit setting was added since systemd 231.

Purpose: block creation or alteration of memory segments to become writable and executable as well

Why and when to use MemoryDenyWriteExecute

The setting MemoryDenyWriteExecute will block the creation or alteration of a memory segment to become writable and executable as well. By enabling this limitation, it will increase the bar software exploits to change running code dynamically.




To prevent circumvention of this setting, access to /dev/shm and the syscall memfd_create should be blocked as well.

Generic advice

For most common services this option can be implemented and will increase the security of a service. That is, if used together with InaccessiblePaths and SystemCallFilter.


  • no: normal functionality allowed - default
  • yes: creation and alteration of memory segments to become writable and executable is not allowed

Example to show the current value of MemoryDenyWriteExecute for the dmesg service:

systemctl show --property=MemoryDenyWriteExecute dmesg.service


Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon