« Back to Settings for systemd units

NoNewPrivileges setting

The property NoNewPrivileges is a systemd unit setting used for sandboxing. It is available since systemd 187.

Purpose: prevent processes from gaining new privileges

Why and when to use NoNewPrivileges

The systemd unit setting NoNewPrivileges prevents processes and its children of obtaining new privileges. Normally this is possible via execve(2), a syscall that executes a program and when filesystem capabilities provide new privileges. Another option is obtaining this via setgid and setuid bits on files.

Configuration options of NoNewPrivileges

When this unit setting is set to ‘yes’, the process and child processes will be denied the possibility to get additional privileges.

Generic advice

Most services can be configured with NoNewPrivileges=yes.

Values

Systemd unit setting NoNewPrivileges expects a boolean (yes/no or true/false).

Values for systemd unit setting NoNewPrivileges
ValueIntended actionAvailable since
systemd version
noprocesses may obtain new privileges - default
yesprocesses are restricted and can't gain new privileges

Example to show the current value of NoNewPrivileges for the ssh service:

systemctl show --property=NoNewPrivileges ssh.service

Related hardening profiles

The systemd unit setting NoNewPrivileges is used in the following hardening profiles.

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?

Related articles

Like to learn more? Here is a list of articles within the same category or having similar tags.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon