« Back to Settings for systemd units

ReadWritePaths setting

This systemd unit setting was added since systemd 231.

Purpose: define paths that can be opened to read from and write to new or existing files

Why and when to use ReadWritePaths

The setting ReadWritePaths grants read and write permissions to defined paths. It can be used in combination with other settings like ‘ProtectSystem=strict’ to make the full file system read-only, and then open up a few paths that are required for a service to run correctly.

Values

Define the paths that are granted write access.

[Service]
ProtectSystem=strict
ReadWritePaths=/run /var/log/nginx
  • When a path is prefixed with a minus (-), it is ignored if it does not exist
  • When a path is prefixed with a plus (+), the path is considered relative to root of directory (e.g. configured with RootDirectory)

Caveats

This setting will not have effect if a process is missing the normal file permissions or ownership. For additional sandboxing, consider CapabilityBoundingSet=~CAP_SYS_ADMIN or SystemCallFilter=~@mount.

Generic advice

When possible, restrict file system access as much as possible.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon