PrivateTmp setting
This article has last been updated at .
The property PrivateTmp is a systemd unit setting used for sandboxing. It is available since systemd 1.
Purpose: define new namespace for /tmp and /var/tmp directory
New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.
Why and when to use PrivateTmp
By default, a process can see the content of /tmp and /var/tmp, if the owner or group has the right file permissions. By using the setting PrivateTmp, access may be reduced to these temporary directories. Systemd does this by defining a new namespace for the process.
Generic advice
For most services PrivateTmp=yes can be used. It is an easy way to reduce risks related to temporary files.
When multiple processes need to access the same files, then typically this should be avoided in the temporary directories, but create a specific application directory those processes to exchange data.
Testing
To see if a program works with this property, consider using the systemd-run command.
Make sure that there is a file in /tmp, then run the command with PrivateTmp set.
systemd-run --pty --property=PrivateTmp=yes ls -l /tmp
total 0
No files are available now, as the ls program only sees content from the new namespace.
Values
Systemd unit setting PrivateTmp expects a boolean (yes/no or true/false).
Value | Intended action | Available since systemd version |
---|---|---|
no | normal access to temporary directories - default | |
yes | new private namespace for temporary directories, preventing process from seeing files in the original /tmp and /var/tmp |
Example to show the current value of PrivateTmp for the ssh service:
systemctl show --property=PrivateTmp ssh.serviceRelated hardening profiles
The systemd unit setting PrivateTmp is used in the following systemd hardening profiles. These hardening profiles help improving security of common Linux services and usually require minimal tuning.