
PrivateUsers setting

The property PrivateUsers is a systemd unit setting used for sandboxing. It is available since systemd 232.

Purpose: Define a new user namespace for the process and its children

New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.

Why and when to use PrivateUsers

Systemd can make use of Linux namespaces, including the user namespace. With the setting PrivateUsers, a service runs in its own user namespace with a mapped set of user and group identities. When enabled, this option provides process capability isolation: capabilities held inside the user namespace of the service are not the same as capabilities in the user namespace of the host. Within the namespace of the service the process may have full capabilities, while in the namespace of the host it has none. In practice this means a process that is root inside the service still cannot use its capabilities on host resources that were not mapped into the namespace.

Configuration

Using 'self' or 'yes' will do the following:

  • Map the root user and group
  • Map the user and group of the unit (User= and Group=)
  • Map every other user and group to 'nobody'

This introduces a split between the users within the service unit and the outside environment. Any file on the host owned by a user or group that is not mapped will appear inside the service as owned by 'nobody', and the service cannot create files or change ownership to such unmapped identities. This option creates a sandboxed environment.

When using 'identity', the first 65536 user and group IDs are mapped one-to-one. Everything above that number is mapped to the 'nobody' user and group. While this is less strict than 'self' (or 'yes'), it still provides process capability isolation, because the mapping lives in a separate user namespace.
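To make the three mappings described above visible, the following script is an added example and not part of this article or of systemd itself. It prints a drop-in that enables PrivateUsers (assuming the unit already runs as a dedicated User=), and it classifies the contents of a process's /proc/PID/uid_map as the host map, the 'identity' map, or the minimal 'self' map. The exact shape of the maps (one line "0 0 65536" for identity; single-ID lines for root, the unit user and nobody for self) is an assumption derived from the description above, and the demo mode requires root and a system running systemd.

```shell
#!/bin/sh
# Added example (not from the article or the systemd project): inspect the
# user-namespace mapping a service gets from PrivateUsers.

# Text for a drop-in that enables PrivateUsers on a unit. Assumption: the
# unit already has User= set. Apply with: systemctl edit UNIT.service
privateusers_dropin() {
    printf '%s\n' '[Service]' 'PrivateUsers=yes'
}

# Classify a /proc/PID/uid_map (or gid_map). Each line reads:
#   <id inside namespace> <id outside namespace> <length>
# Prints one word:
#   host     - single full-range map, i.e. no private user namespace
#   identity - 0..65535 mapped one-to-one (PrivateUsers=identity, assumed shape)
#   self     - only root, the unit user and nobody mapped, each as a single
#              ID (PrivateUsers=yes/self, assumed shape)
#   other    - any other mapping
classify_uid_map() {
    printf '%s\n' "$1" | awk '
        NF == 3 { n++; inner[n] = $1; outer[n] = $2; len[n] = $3 }
        END {
            if (n == 1 && inner[1] == 0 && outer[1] == 0 && len[1] == 4294967295) {
                print "host"; exit
            }
            if (n == 1 && inner[1] == 0 && outer[1] == 0 && len[1] == 65536) {
                print "identity"; exit
            }
            # self: two or three single-ID lines (root, optional unit user,
            # nobody), each mapped to the same ID outside the namespace.
            self = (n >= 2 && n <= 3); has_root = 0; has_nobody = 0
            for (i = 1; i <= n; i++) {
                if (len[i] != 1 || inner[i] != outer[i]) self = 0
                if (inner[i] == 0) has_root = 1
                if (inner[i] == 65534) has_nobody = 1
            }
            if (self && has_root && has_nobody) { print "self"; exit }
            print "other"
        }'
}

# Demo mode: run a transient service with and without PrivateUsers and show
# how its uid_map is classified. Needs root and systemd (>= 235 for --pipe;
# add "identity" to the list on systemd >= 257).
case "${1:-}" in
    demo)
        for setting in no yes; do
            map=$(systemd-run --quiet --wait --pipe -p PrivateUsers="$setting" \
                  cat /proc/self/uid_map)
            echo "PrivateUsers=$setting -> $(classify_uid_map "$map")"
        done
        ;;
esac
```

Run it as `sh privateusers-check.sh demo` on a systemd host to compare the mappings; the classification function can also be fed the uid_map of a running service with `cat /proc/$(systemctl show -p MainPID --value UNIT.service)/uid_map`.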

Generic advice

When possible, enable this setting to benefit from the process capability isolation. Before doing so, check that the service does not need to read or write files owned by users other than root and its own User=, and that it does not rely on capabilities against host resources, as both will stop working once the mapping is in place. After the change, verify with the check of systemd-analyze security that the setting is reported as active.

Values

Systemd unit setting PrivateUsers expects a boolean (yes/no or true/false) or string value.

Values for systemd unit setting PrivateUsers

  Value     Intended action                                                     Available since systemd version
  no        no user namespace is defined (default)                              232
  yes       same as 'self'                                                      232
  identity  set up a user namespace with a mapping for the first 65536 user     257
            and group IDs; the rest is mapped to the nobody user and group
  self      configures a minimal user and group mapping, including the root     232
            user, the root group, and the user and group of the unit;
            everything else is mapped to the nobody user and group

Example to show the current value of PrivateUsers for the ssh service:

systemctl show --property=PrivateUsers ssh.service

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?

Feedback


This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
