NoExecPaths setting
This article has last been updated at .
The property NoExecPaths is a systemd unit setting used for sandboxing. It is available since systemd 231.
Purpose: exclude paths from which programs can be executed
New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.
Why and when to use NoExecPaths
The setting NoExecPaths reduces program execution from paths that are specified. By combining it with ExecPaths, the execution can be greatly restricted.
Configuration options of NoExecPaths
Define one or more paths that should be restricted. Use ‘/’ to completely disallow all paths.
Add a ‘-’ (minus) to the beginning of the path to ignore the path if it does not exist. Use a ‘+’ (plus) to make it relative to the root directory of the unit.
Generic advice
For most services NoExecPaths can be used if correctly combined with ExecPaths.
NoExecPaths example
Execution is only allowed if the binary is /usr/sbin/myprogram and libraries from /usr/lib.
NoExecPaths=/
ExecPaths=/usr/lib /usr/sbin/myprogram
Testing
To see if a program works with this property, consider using the systemd-run command.
systemd-run --pty --property=NoExecPaths=/tmp /tmp/testfile
Related hardening profiles
The systemd unit setting NoExecPaths is used in the following systemd hardening profiles. These hardening profiles help improving security of common Linux services and usually require minimal tuning.
