PrivateDevices setting
The property PrivateDevices is a systemd unit setting used for sandboxing. It has been available since systemd 209.
Purpose: only allow access to a subset of devices in /dev
New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.
Why and when to use PrivateDevices
By default, a process can see most of the devices in /dev and interact with these devices. The PrivateDevices unit setting in systemd restricts the list of devices. Only pseudo-devices such as /dev/null are made available to the process.
Generic advice
For most systemd units the setting PrivateDevices=yes can be safely used.
Testing
To see how this setting impacts a process, consider using the systemd-run command.
systemd-run --pty --property=PrivateDevices=yes ls -l /dev
total 0
drwxr-xr-x 2 root root 180 nov 15 10:03 char
lrwxrwxrwx 1 root root 11 nov 15 10:03 core -> /proc/kcore
lrwxrwxrwx 1 root root 13 nov 15 10:03 fd -> /proc/self/fd
crw-rw-rw- 1 root root 1, 7 nov 15 10:03 full
drwxr-xr-x 3 root root 0 sep 3 09:52 hugepages
lrwxrwxrwx 1 root root 28 nov 15 10:03 log -> /run/systemd/journal/dev-log
drwxrwxrwt 2 root root 40 sep 3 09:51 mqueue
crw-rw-rw- 1 root root 1, 3 nov 15 10:03 null
crw-rw-rw- 1 root root 5, 2 nov 15 10:03 ptmx
drwxr-xr-x 2 root root 0 sep 3 09:51 pts
crw-rw-rw- 1 root root 1, 8 nov 15 10:03 random
drwxrwxrwt 4 root root 280 nov 15 10:03 shm
lrwxrwxrwx 1 root root 15 nov 15 10:03 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root 15 nov 15 10:03 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root 15 nov 15 10:03 stdout -> /proc/self/fd/1
crw-rw-rw- 1 root root 5, 0 nov 15 10:03 tty
crw-rw-rw- 1 root root 1, 9 nov 15 10:03 urandom
crw-rw-rw- 1 root root 1, 5 nov 15 10:03 zero
The output now shows only the pseudo-devices that remain available to the process.
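The check below is an added example, not part of the original article: it reads an `ls -l /dev` listing captured from a unit's environment and reports any device node outside the set shown in the output above. The function names `unexpected_devices` and `check_listing` are hypothetical, and both sample listings are constructed.

```shell
#!/bin/sh
# Added example: audit an `ls -l /dev` listing taken inside a unit's sandbox.
# Allowlist: the character devices in the article's PrivateDevices=yes output.
ALLOWED="full null ptmx random tty urandom zero"

# unexpected_devices: read `ls -l` output on stdin and print every block (b)
# or character (c) device node whose name is not in ALLOWED, one per line.
unexpected_devices() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Directories and symlinks are skipped; only b/c entries are devices.
        /^[bc]/ {
            name = $NF
            sub(/\r$/, "", name)   # tolerate CRLF from a pty capture
            if (!(name in ok)) print name
        }
    '
}

# check_listing: return 0 when stdin lists only allowed device nodes,
# otherwise name the extra nodes on stderr and return 1.
check_listing() {
    extra=$(unexpected_devices)
    if [ -n "$extra" ]; then
        printf 'unexpected device nodes: %s\n' \
            "$(printf '%s' "$extra" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Constructed sample: excerpt of a listing from a sandboxed process.
SANDBOXED='crw-rw-rw- 1 root root 1, 3 nov 15 10:03 null
crw-rw-rw- 1 root root 5, 2 nov 15 10:03 ptmx
lrwxrwxrwx 1 root root 15 nov 15 10:03 stdin -> /proc/self/fd/0
crw-rw-rw- 1 root root 1, 9 nov 15 10:03 urandom'

# Constructed sample: listing from a process without PrivateDevices,
# where a disk and the kernel memory device are visible.
UNSANDBOXED='crw-rw-rw- 1 root root 1, 3 nov 15 10:03 null
brw-rw---- 1 root disk 8, 0 nov 15 10:03 sda
crw-r----- 1 root kmem 1, 1 nov 15 10:03 mem'

printf '%s\n' "$SANDBOXED" | check_listing && echo "sandboxed listing: ok"
printf '%s\n' "$UNSANDBOXED" | check_listing || echo "unsandboxed listing: not confined"
```

To check a real unit, save the output of the systemd-run command above to a file and feed that file to `check_listing` on stdin.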
Values
The systemd unit setting PrivateDevices expects a boolean (yes/no or true/false).
Value | Intended action | Available since systemd version |
---|---|---|
no | normal access to devices in /dev (default) | |
yes | restrict access to pseudo-devices such as /dev/null, /dev/random, /dev/urandom, and /dev/zero | |
Example to show the current value of PrivateDevices for the ssh service:
systemctl show --property=PrivateDevices ssh.service
Related hardening profiles
The systemd unit setting PrivateDevices is used in the following systemd hardening profiles. These hardening profiles help improve the security of common Linux services and usually require minimal tuning.