« Back to Settings for systemd units

ReadOnlyPaths setting

The property ReadOnlyPaths is a systemd unit setting used for sandboxing. It is available since systemd 231.

Purpose: define paths that can be accessed with read-only permissions

Why and when to use ReadOnlyPaths

Systemd has the setting ReadOnlyPaths to grant read-only access. This might be needed when the service is hardened using the ProtectSystem that greatly reduces the access a service unit has to the file system. Another option is to use ReadOnlyPaths to mark the file system read-only, then use ReadWritePaths to open a few paths for writing.

Example

We can mark the file system as read-only to the service, except a few paths that we need to store our log or PID file.

[Service]
ReadOnlyPaths=/
ReadWritePaths=/run /var/log/application

Another option is to protect the file system a bit further by not even allowing read access to most paths, except a few that we need.

[Service]
ProtectSystem=strict
ReadOnlyPaths=/data/csv
  • When a path is prefixed with a minus (-), it is ignored if it does not exist
  • When a path is prefixed with a plus (+), the path is considered relative to root of directory (e.g. configured with RootDirectory)

Caveats

This setting will not have effect if a process is missing the normal file permissions or ownership. For additional sandboxing, consider using ‘CapabilityBoundingSet=~CAP_SYS_ADMIN’ or ‘SystemCallFilter=~@mount’.

Generic advice

When possible, restrict file system access as much as possible by implementing ProtectSystem.

Related hardening profiles

The systemd unit setting ReadOnlyPaths is used in the following systemd hardening profiles. These hardening profiles help improving security of common Linux services and usually require minimal tuning.

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon

Related articles

Like to learn more? Here is a list of articles within the same category or having similar tags.