« Back to Settings for systemd units

PrivateTmp setting

The property PrivateTmp is a systemd unit setting used for sandboxing.

Purpose: define new namespace for /tmp and /var/tmp directory

Why and when to use PrivateTmp

By default, a process can see the content of /tmp and /var/tmp, if the owner or group has the right file permissions. By using the setting PrivateTmp, access may be reduced to these temporary directories. Systemd does this by defining a new namespace for the process.

Generic advice

For most services PrivateTmp=yes can be used. It is an easy way to reduce risks related to temporary files.

When multiple processes need to access the same files, then typically this should be avoided in the temporary directories, but create a specific application directory those processes to exchange data.

Testing

To see if a program works with this property, consider using the systemd-run command.

Make sure that there is a file in /tmp, then run the command with PrivateTmp set.

systemd-run --pty --property=PrivateTmp=yes ls -l /tmp
total 0

No files are available now, as the ls program only sees content from the new namespace.

Values

Systemd unit setting PrivateTmp expects a boolean (yes/no or true/false).

Values for systemd unit setting PrivateTmp
ValueIntended actionAvailable since
systemd version
nonormal access to temporary directories - default
yesnew private namespace for temporary directories, preventing process from seeing files in the original /tmp and /var/tmp

Example to show the current value of PrivateTmp for the ssh service:

systemctl show --property=PrivateTmp ssh.service

Related hardening profiles

The systemd unit setting PrivateTmp is used in the following hardening profiles.

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?

Related articles

Like to learn more? Here is a list of articles within the same category or having similar tags.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon