ReadOnlyPaths setting
The property ReadOnlyPaths is a systemd unit setting used for sandboxing. It is available since systemd 231.
Purpose: define paths that can be accessed with read-only permissions
Why and when to use ReadOnlyPaths
Systemd has the setting ReadOnlyPaths to grant read-only access. This might be needed when the service is hardened using the ProtectSystem that greatly reduces the access a service unit has to the file system. Another option is to use ReadOnlyPaths to mark the file system read-only, then use ReadWritePaths to open a few paths for writing.
Example
We can mark the file system as read-only to the service, except a few paths that we need to store our log or PID file.
[Service]
ReadOnlyPaths=/
ReadWritePaths=/run /var/log/application
Another option is to protect the file system a bit further by not even allowing read access to most paths, except a few that we need.
[Service]
ProtectSystem=strict
ReadOnlyPaths=/data/csv
- When a path is prefixed with a minus (-), it is ignored if it does not exist
- When a path is prefixed with a plus (+), the path is considered relative to root of directory (e.g. configured with RootDirectory)
Caveats
This setting will not have effect if a process is missing the normal file permissions or ownership. For additional sandboxing, consider using ‘CapabilityBoundingSet=~CAP_SYS_ADMIN’ or ‘SystemCallFilter=~@mount’.
Generic advice
When possible, restrict file system access as much as possible by implementing ProtectSystem.
Related hardening profiles
The systemd unit setting ReadOnlyPaths is used in the following systemd hardening profiles. These hardening profiles help improving security of common Linux services and usually require minimal tuning.