ProtectHome setting

This article has last been updated at January 6, 2025.

The property ProtectHome is a systemd unit setting used for sandboxing. It is available since systemd 214.

Purpose: define what level of access is possible to home directories

New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.

Why and when to use ProtectHome

Systemd provides the unit setting ProtectHome to protect home directories. The three paths that are included by this option are:

• /home
• /root
• /run/user

Settings

The default no will not restrict access to the home directories. Using yes will active full protection, not allowing access.

The value read-only will make the paths read-only, so no data can be written to it.

With tmpfs a temporary file system is being used, also read-only, yet it hides the actual home directories. It will still allow access to the actual directories when using BindPaths or BindReadOnlyPaths. For rare situations this might be useful to protect the home directories, while still allowing some very specific access.

Generic advice

For longer running services that do not need to access home directories, use ProtectHome=yes.

Values

Systemd unit setting ProtectHome expects a boolean (yes/no or true/false) or string value.

Example to show the current value of ProtectHome for the ssh service:

Related hardening profiles

The systemd unit setting ProtectHome is used in the following systemd hardening profiles. These hardening profiles help improving security of common Linux services and usually require minimal tuning.

• Apache
• Nginx
• OpenSMTPD