« Back to Settings for systemd units

NoExecPaths setting

The property NoExecPaths is a systemd unit setting used for sandboxing. It is available since systemd 231.

Purpose: exclude paths from which programs can be executed

Why and when to use NoExecPaths

The setting NoExecPaths reduces program execution from paths that are specified. By combining it with ExecPaths, the execution can be greatly restricted.

Configuration options of NoExecPaths

Define one or more paths that should be restricted. Use ‘/’ to completely disallow all paths.

Add a ‘-’ (minus) to the beginning of the path to ignore the path if it does not exist. Use a ‘+’ (plus) to make it relative to the root directory of the unit.

Generic advice

For most services NoExecPaths can be used if correctly combined with ExecPaths.

NoExecPaths example

Execution is only allowed if the binary is /usr/sbin/myprogram and libraries from /usr/lib.

NoExecPaths=/
ExecPaths=/usr/lib /usr/sbin/myprogram 

Testing

To see if a program works with this property, consider using the systemd-run command.

systemd-run --pty --property=NoExecPaths=/tmp /tmp/testfile

Related hardening profiles

The systemd unit setting NoExecPaths is used in the following hardening profiles.

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?

Related articles

Like to learn more? Here is a list of articles within the same category or having similar tags.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon