« Back to Settings for systemd units

PrivatePIDs setting

The property PrivatePIDs is a systemd unit setting used for sandboxing. It is available since systemd 257.

Purpose: Define a new PID namespace for the process and its children

Why and when to use PrivatePIDs

Systemd can make use of namespaces, including the PID namespace. With the setting PrivatePIDs a service can be provided with such PID namespace. This way all processes within the namespace can’t see any processes running outside its own scope.

Generic advice

This setting is only suitable for processes that do not fork themselves. The reason for this is that the first process will be assigned PID 1, the init process. The kernel is programmed to kill any processes if the init process stops. So this functionality should be used with services that have a type of simple or one-shot.

If the kernel does not support PID namespaces yet, it will be ignored.

Values

Systemd unit setting PrivatePIDs expects a boolean (yes/no or true/false).

Values for systemd unit setting PrivatePIDs
ValueIntended actionAvailable since
systemd version
nono PID namespace is defined - default257
yesnew private PID namespace is used257

Example to show the current value of PrivatePIDs for the ssh service:

systemctl show --property=PrivatePIDs ssh.service

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?

Related articles

Like to learn more? Here is a list of articles within the same category or having similar tags.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon