PrivateUsers setting
The property PrivateUsers is a systemd unit setting used for sandboxing. It is available since systemd 232.
Purpose: Define a new user namespace for the process and its children
New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.
Why and when to use PrivateUsers
Systemd can make use of namespaces, including the user namespace. With the setting PrivateUsers, a service can be provided with a mapped set of user and group identities. When enabled, this option provides process capability isolation: the capabilities a process holds inside its own user namespace are not the same as its capabilities in the user namespace of the host. Within the namespace of the service it may have full capabilities, while in the namespace of the host it has none.
Configuration
Using 'self' or 'yes' will do the following:
- Map root user and group
- Map user and group of unit (User=)
- Map every other user to user 'nobody', same for group
This introduces a split between the users within the service unit and the outside environment. Any file created by a user inside the service that is not known outside of it will have 'nobody' as its user and group. This option creates a sandboxed environment.
When using 'identity', the first 65536 user and group IDs are mapped. Above that number, IDs are mapped to the 'nobody' user and group. While this is less strict than 'self' (or 'yes'), it still provides process capability isolation.
Generic advice
When possible, enable this setting to benefit from the process capability isolation.
Values
Systemd unit setting PrivateUsers expects a boolean (yes/no or true/false) or string value.
| Value | Intended action | Available since systemd version |
|---|---|---|
| no | no user namespace is defined (default) | 232 |
| yes | same as 'self' | 232 |
| identity | set up user namespacing with a mapping for the first 65536 user and group IDs; the rest is mapped to the nobody user and group | 257 |
| self | configures a minimal user and group mapping, including the root user, root group, and the user and group of the unit; everything else is mapped to the nobody user and group | 232 |
Example to show the current value of PrivateUsers for the ssh service:
systemctl show --property=PrivateUsers ssh.service
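As an added example (not code from this article or from systemd), the following Python script audits unit files for the PrivateUsers= setting, applying the value semantics from the table above: the boolean spellings and 'self' give the minimal mapping, 'identity' the 65536-ID mapping, and anything else is reported as not isolated. It also applies the same classification to the single line printed by the systemctl show command. The unit texts and unit names are constructed samples; the drop-in merge rules (drop-ins applied after the main file in sorted filename order, last assignment wins, an empty assignment resets to the default) and the running systemd version passed to the check are assumptions made for the example.

```python
"""Audit systemd units for PrivateUsers= (added example, not from the article or systemd).

Assumptions: unit text is supplied as strings; drop-ins are applied after the
main file in sorted filename order; the last assignment of a setting wins and
an empty assignment resets it to the default. Value semantics follow the table.
"""
from dataclasses import dataclass

# Boolean spellings accepted by systemd for yes/no style settings (case-insensitive).
_TRUE = {"1", "yes", "y", "true", "t", "on"}
_FALSE = {"0", "no", "n", "false", "f", "off"}


@dataclass(frozen=True)
class PrivateUsersStatus:
    unit: str
    raw_value: str     # effective value as written ("" when unset or reset)
    mode: str          # "no", "self", "identity" or "unrecognised"
    isolated: bool     # True when a user namespace separates capabilities from the host
    min_version: int   # first systemd release that understands the mode (0 = unknown)


def parse_service_section(text: str) -> dict:
    """Return key -> last assigned value for the [Service] section of one file."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()  # last assignment wins; "" resets
    return values


def effective_service_settings(main_text: str, dropins: dict) -> dict:
    """Merge the main unit file with its drop-ins (applied in sorted name order)."""
    merged = parse_service_section(main_text)
    for name in sorted(dropins):
        merged.update(parse_service_section(dropins[name]))
    return merged


def classify(value: str) -> tuple:
    """Map a PrivateUsers= value to (mode, isolated, min_version) per the table."""
    v = value.strip()
    if v == "" or v.lower() in _FALSE:
        return ("no", False, 232)
    if v.lower() in _TRUE or v == "self":
        return ("self", True, 232)
    if v == "identity":
        return ("identity", True, 257)
    return ("unrecognised", False, 0)  # audit assumption: treat as not isolated


def audit_unit(name: str, main_text: str, dropins: dict = None) -> PrivateUsersStatus:
    settings = effective_service_settings(main_text, dropins or {})
    raw = settings.get("PrivateUsers", "")
    mode, isolated, min_version = classify(raw)
    return PrivateUsersStatus(name, raw, mode, isolated, min_version)


def parse_show_output(line: str) -> tuple:
    """Classify the 'PrivateUsers=...' line from 'systemctl show --property=PrivateUsers'."""
    key, _, value = line.strip().partition("=")
    if key != "PrivateUsers":
        raise ValueError(f"unexpected property line: {line!r}")
    return classify(value)


# Constructed sample units; none of these is a real unit from any system.
SAMPLE_UNITS = {
    "hardened.service": ("[Service]\nUser=example\nExecStart=/usr/bin/true\nPrivateUsers=yes\n", {}),
    "legacy.service": ("[Service]\nExecStart=/usr/bin/true\n", {}),
    "overridden.service": ("[Service]\nExecStart=/usr/bin/true\nPrivateUsers=no\n", {
        "10-sandbox.conf": "[Service]\nPrivateUsers=self\n",      # applied first
        "20-identity.conf": "[Service]\nPrivateUsers=identity\n",  # applied last, wins
    }),
    "reset.service": ("[Service]\nPrivateUsers=true\nPrivateUsers=\nExecStart=/usr/bin/true\n", {}),
}


def audit_all(units=SAMPLE_UNITS) -> dict:
    """Audit every unit and return name -> PrivateUsersStatus."""
    return {name: audit_unit(name, text, dropins) for name, (text, dropins) in units.items()}


def unsupported_modes(report: dict, systemd_version: int) -> list:
    """Units whose configured mode needs a newer systemd than the (assumed) running one."""
    return sorted(n for n, st in report.items() if st.min_version > systemd_version)


if __name__ == "__main__":
    report = audit_all()
    for name, st in report.items():
        flag = "isolated" if st.isolated else "NOT isolated"
        print(f"{name:20s} PrivateUsers={st.raw_value or '<unset>':10s} {st.mode:13s} {flag}")
    print("needs systemd >= 257:", unsupported_modes(report, systemd_version=256))
```

Run the script as-is to see the report for the constructed units; to audit a real system, feed it the text of each unit and its drop-in files and pass the output of `systemctl --version` to unsupported_modes. Note that 'identity' is silently reported as needing systemd 257, matching the table, so a unit that sets it on an older release should be flagged during review rather than assumed to be sandboxed.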