RestrictSUIDSGID setting
The property RestrictSUIDSGID is a systemd unit setting used for sandboxing. It has been available since systemd 242.
Purpose: limit the ability to use setuid/setgid bits on files
New to securing and tuning systemd services? Start with the "How to harden a systemd service unit" article to learn tuning step-by-step, including the usage of relevant tools.
Why and when to use RestrictSUIDSGID
The setting RestrictSUIDSGID aims to restrict the usage of the set-user-ID and set-group-ID bit on binaries.
With this option enabled, a service won't be able to set the bits on a file.
Generic advice
This option can be applied to almost all services. A service rarely needs to set these bits.
Values
The systemd unit setting RestrictSUIDSGID expects a boolean (yes/no or true/false).
Value | Intended action | Available since systemd version |
---|---|---|
no | No restriction on setting the suid/sgid bits on a file (default) | |
yes | Do not allow setting the suid/sgid bits | |
Example to show the current value of RestrictSUIDSGID for the ssh service:
systemctl show --property=RestrictSUIDSGID ssh.service
Related hardening profiles
The systemd unit setting RestrictSUIDSGID is used in the following systemd hardening profiles. These hardening profiles help improve the security of common Linux services and usually require minimal tuning.
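
The single-unit `systemctl show` check from the Values section can be extended to every running service to find units still on the default (no). The script below is an added example, not part of the original article; the function names and the sample data are constructed for illustration, and it assumes `systemctl show` prints one KEY=VALUE block per unit, separated by blank lines.

```shell
#!/bin/sh
# Audit helper: list services that do not have RestrictSUIDSGID enabled.

# list_unrestricted: read `systemctl show` output on stdin and print the Id of
# every unit whose RestrictSUIDSGID value is not "yes". A missing value (for
# example on systemd older than 242) is reported as well.
list_unrestricted() {
    awk '
        BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one record per unit
        {
            id = ""; val = ""
            for (i = 1; i <= NF; i++) {
                # Property order inside a block is not relied upon.
                if ($i ~ /^Id=/)               id  = substr($i, 4)
                if ($i ~ /^RestrictSUIDSGID=/) val = substr($i, 18)
            }
            if (id != "" && val != "yes") print id
        }'
}

# audit_running_services: run the check against all running services on
# this host. Call it by hand on a systemd machine.
audit_running_services() {
    units=$(systemctl list-units --type=service --state=running \
                --no-legend --plain | awk '{ print $1 }')
    [ -n "$units" ] || return 0
    # $units is intentionally unquoted so each unit becomes its own argument.
    systemctl show --property=Id --property=RestrictSUIDSGID $units \
        | list_unrestricted
}

# sample_output: constructed data in the shape of `systemctl show` output,
# so the parser can be tried without a running systemd.
sample_output() {
    cat <<'EOF'
Id=ssh.service
RestrictSUIDSGID=no

RestrictSUIDSGID=yes
Id=cron.service

Id=legacy.service
EOF
}
```

Running `sample_output | list_unrestricted` exercises the parser on the constructed data; `audit_running_services` performs the same check on a live host.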