ReadWritePaths setting
This article has last been updated at .
The property ReadWritePaths is a systemd unit setting used for sandboxing. It is available since systemd 231.
Purpose: define paths that can be opened to read from and write to new or existing files
New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.
Why and when to use ReadWritePaths
The setting ReadWritePaths grants read and write permissions to defined paths. It can be used in combination with other settings like ‘ProtectSystem=strict’ to make the full file system read-only, and then open up a few paths that are required for a service to run correctly.
Values
Define the paths that are granted write access.
[Service]
ProtectSystem=strict
ReadWritePaths=/run /var/log/nginx
- When a path is prefixed with a minus (-), it is ignored if it does not exist
- When a path is prefixed with a plus (+), the path is considered relative to root of directory (e.g. configured with RootDirectory)
Caveats
This setting will not have effect if a process is missing the normal file permissions or ownership. For additional sandboxing, consider using ‘CapabilityBoundingSet=~CAP_SYS_ADMIN’ or ‘SystemCallFilter=~@mount’.
Generic advice
When possible, restrict file system access as much as possible by implementing ProtectSystem.
Related hardening profiles
The systemd unit setting ReadWritePaths is used in the following systemd hardening profiles. These hardening profiles help improving security of common Linux services and usually require minimal tuning.
