
RemoveIPC setting

The property RemoveIPC is a systemd unit setting used for sandboxing. It has been available since systemd 232.

Purpose: defines whether System V and POSIX IPC objects owned by the user and group are removed when the service is stopped

New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.

Why and when to use RemoveIPC

Systemd provides the unit setting RemoveIPC to perform a cleanup of IPC objects after a service exits. If this option is set, then upon the exit of a service all relevant IPC objects (System V and POSIX) will be removed.

What is Inter-process communication (IPC)?

Inter-process communication (IPC) gives processes the capability to communicate with each other. This communication can happen in a variety of ways: process signals, pipes, message queues, semaphores, and shared memory.

See What is inter-process communication (IPC)? for more details.

Generic advice

For most common services this option can be set safely. If a process uses IPC, then most likely it will contain support for one of the common methods, such as message queues, semaphores or shared memory.

See filter set @ipc for syscalls that might be related.

Values

Systemd unit setting RemoveIPC expects a boolean (yes/no or true/false).

Values for systemd unit setting RemoveIPC

| Value | Intended action | Available since systemd version |
|-------|-----------------|---------------------------------|
| no | normal behavior of System V and POSIX IPC objects (default) | 232 |
| yes | System V and POSIX IPC objects are removed upon service termination | 232 |

Example to show the current value of RemoveIPC for the ssh service:

systemctl show --property=RemoveIPC ssh.service
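
The command above only reports the configured value. As an added example (not from the original article), the shell function below classifies the output of systemctl show for four properties, using behavior documented in systemd.exec(5): RemoveIPC only has an effect when User=, Group= or DynamicUser= is used, and DynamicUser=yes implies it. The function name, verdict words and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Reads "Key=Value" lines on stdin, in the format printed by:
#   systemctl show --property=RemoveIPC,User,Group,DynamicUser UNIT.service
# and prints one verdict: enabled, implied, no-effect or disabled.
# Per systemd.exec(5), RemoveIPC= only has an effect when User=, Group= or
# DynamicUser= is used, and DynamicUser=yes implies RemoveIPC=yes.
classify_removeipc() {
    removeipc=no; user=""; group=""; dynamic=no
    # "|| [ -n "$key" ]" keeps a final line that lacks a trailing newline.
    while IFS='=' read -r key value || [ -n "$key" ]; do
        case "$key" in
            RemoveIPC)   removeipc=$value ;;
            User)        user=$value ;;
            Group)       group=$value ;;
            DynamicUser) dynamic=$value ;;
        esac
    done
    if [ "$dynamic" = yes ]; then
        echo implied      # cleanup happens regardless of RemoveIPC=
    elif [ "$removeipc" != yes ]; then
        echo disabled     # default: IPC objects outlive the service
    elif [ -z "$user" ] && [ -z "$group" ]; then
        echo no-effect    # set, but no User=/Group= to scope the cleanup
    else
        echo enabled
    fi
}

# Constructed sample outputs (not captured from a real system).
sample_with_user='RemoveIPC=yes
User=www-data
Group=www-data
DynamicUser=no'
sample_without_user='RemoveIPC=yes
User=
Group=
DynamicUser=no'

printf '%s\n' "$sample_with_user"    | classify_removeipc
printf '%s\n' "$sample_without_user" | classify_removeipc
```

On a live system, pipe the real output into the function: systemctl show --property=RemoveIPC,User,Group,DynamicUser ssh.service | classify_removeipc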

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand, followed by the name of the service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?


This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
