ReadWritePaths setting

The property ReadWritePaths is a systemd unit setting used for sandboxing. It is available since systemd 231.

Purpose: define paths that can be opened to read from and write to new or existing files

Why and when to use ReadWritePaths

The setting ReadWritePaths grants read and write permissions to defined paths. It can be used in combination with other settings like ‘ProtectSystem=strict’ to make the full file system read-only, and then open up a few paths that are required for a service to run correctly.

Values

Define the paths that are granted write access.

[Service]
ProtectSystem=strict
ReadWritePaths=/run /var/log/nginx

When a path is prefixed with a minus (-), it is ignored if it does not exist
When a path is prefixed with a plus (+), the path is considered relative to root of directory (e.g. configured with RootDirectory)

Caveats

This setting will not have effect if a process is missing the normal file permissions or ownership. For additional sandboxing, consider using ‘CapabilityBoundingSet=~CAP_SYS_ADMIN’ or ‘SystemCallFilter=~@mount’.

Generic advice

When possible, restrict file system access as much as possible by implementing ProtectSystem.

Related hardening profiles

The systemd unit setting ReadWritePaths is used in the following hardening profiles.

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?

Like to learn more? Here is a list of articles within the same category or having similar tags.

Feedback

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!