« Back to Settings for systemd units

ProtectHome setting

The property ProtectHome is a systemd unit setting used for sandboxing. It is available since systemd 214.

Purpose: define what level of access is possible to home directories

Why and when to use ProtectHome

The setting ProtectHome aims to protect home directories. These three paths are included:

  • /home
  • /root
  • /run/user

Settings

The default no will not restrict access to the home directories. Using yes will active full protection, not allowing access.

The value read-only will make the paths read-only, so no data can be written to it.

With tmpfs a temporary file system is being used, also read-only, yet it hides the actual home directories. It will still allow access to the actual directories when using BindPaths or BindReadOnlyPaths. For rare situations this might be useful to protect the home directories, while still allowing some very specific access.

Generic advice

For longer running services that do not need to access home directories, use ProtectHome=yes.

Values

Systemd unit setting ProtectHome expects a boolean (yes/no or true/false) or string value.

Values for systemd unit setting ProtectHome
ValueIntended actionAvailable since
systemd version
nonormal access allowed to home directories - default
read-onlygrant access to home directories, but only to read (no write)
tmpfssimilar to read-only, with the exception that a temporary file system is mounted. It hides the home directories.
yesno access to home directories

Example to show the current value of ProtectHome for the ssh service:

systemctl show --property=ProtectHome ssh.service

Related hardening profiles

The systemd unit setting ProtectHome is used in the following hardening profiles.

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?

Related articles

Like to learn more? Here is a list of articles within the same category or having similar tags.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon