ProtectHome setting
The property ProtectHome is a systemd unit setting used for sandboxing. It is available since systemd 214.
Purpose: define what level of access is possible to home directories
Why and when to use ProtectHome
The setting ProtectHome aims to protect home directories. These three paths are included:
- /home
- /root
- /run/user
Settings
The default no will not restrict access to the home directories. Using yes will active full protection, not allowing access.
The value read-only will make the paths read-only, so no data can be written to it.
With tmpfs a temporary file system is being used, also read-only, yet it hides the actual home directories. It will still allow access to the actual directories when using BindPaths or BindReadOnlyPaths. For rare situations this might be useful to protect the home directories, while still allowing some very specific access.
Generic advice
For longer running services that do not need to access home directories, use ProtectHome=yes.
Values
Systemd unit setting ProtectHome expects a boolean (yes/no or true/false) or string value.
Value | Intended action | Available since systemd version |
---|---|---|
no | normal access allowed to home directories - default | |
read-only | grant access to home directories, but only to read (no write) | |
tmpfs | similar to read-only, with the exception that a temporary file system is mounted. It hides the home directories. | |
yes | no access to home directories |
Example to show the current value of ProtectHome for the ssh service:
systemctl show --property=ProtectHome ssh.serviceRelated hardening profiles
The systemd unit setting ProtectHome is used in the following hardening profiles.