« Back to Settings for systemd units

RestrictSUIDSGID setting

The property RestrictSUIDSGID is a systemd unit setting used for sandboxing. It is available since systemd 242.

Purpose: limit the ability to use setuid/setgid bits on files

Why and when to use RestrictSUIDSGID

The setting RestrictSUIDSGID aims to restrict the usage of the set-user-ID and set-group-ID bit on binaries.

When using this option enabled, a service won’t be able to set the bits on a file.

Generic advice

This option can be applied to almost all services. It is rarely needed to allow a service setting these bits.

Values

Systemd unit setting RestrictSUIDSGID expects a boolean (yes/no or true/false).

Values for systemd unit setting RestrictSUIDSGID
ValueIntended actionAvailable since
systemd version
nono restriction to adjust the suid/sgid bits on a file - default
yesdo not allow setting the suid/sgid bits

Example to show the current value of RestrictSUIDSGID for the ssh service:

systemctl show --property=RestrictSUIDSGID ssh.service

Related hardening profiles

The systemd unit setting RestrictSUIDSGID is used in the following hardening profiles.

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?

Related articles

Like to learn more? Here is a list of articles within the same category or having similar tags.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon