ProtectHostname setting

This article has last been updated at January 28, 2025.

The property ProtectHostname is a systemd unit setting used for sandboxing. It is available since systemd 242.

Purpose: defines if hostname or NIS domain name can be changed

New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.

Why and when to use ProtectHostname

Systemd provides the unit setting ProtectHostname to restrict changing the hostname of the system. This makes use of the UTS namespace, which defines the hostname and NIS domain name. The hostname can normally be changed using the syscall sethostname(2), while the NIS domain name has the related setdomainname(2) syscall.

Systemd leverages namespaces for isolation. It is done by creating a new UTS namespace that prevents making any changes to the host system. The creation of a new UTS namespace happens when calling clone(2) or unshare(2) syscall with the CLONE_NEWUTS flag. This functionality requires a Linux kernel that is compiled with the CONFIG_UTS_NS option.

Syscalls of interest are:

• sethostname(2)
• setdomainname(2)

If a program contains these system calls, then additional research is needed if ProtectHostname can be used safely.

Generic advice

Setting the hostname is rarely needed, so most services can be configured with ProtectHostname=yes.

Values

Systemd unit setting ProtectHostname expects a boolean (yes/no or true/false) or string value.

Example to show the current value of ProtectHostname for the ssh service:

Related hardening profiles

The systemd unit setting ProtectHostname is used in the following systemd hardening profiles. These hardening profiles help improving security of common Linux services and usually require minimal tuning.

• Apache
• Dovecot
• Nginx
• OpenSMTPD