RestrictSUIDSGID setting
The property RestrictSUIDSGID is a systemd unit setting used for sandboxing. It is available since systemd 242.
Purpose: limit the ability to use setuid/setgid bits on files
Why and when to use RestrictSUIDSGID
The setting RestrictSUIDSGID aims to restrict the usage of the set-user-ID and set-group-ID bits on binaries.
With this option enabled, a service won’t be able to set these bits on a file.
Generic advice
This option can be applied to almost all services. A service rarely needs to set these bits.
Values
Systemd unit setting RestrictSUIDSGID expects a boolean (yes/no or true/false).
Value | Intended action | Available since systemd version |
---|---|---|
no | no restriction on adjusting the suid/sgid bits on a file (default) | |
yes | do not allow setting the suid/sgid bits | |
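To see which of the two values each service currently has, this added example (not part of the original page) filters `systemctl show --property=Id,RestrictSUIDSGID` output and lists the units where the restriction is not enabled. The sample output is constructed, and the function names and the `--live` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original page.

# Reads `systemctl show --property=Id,RestrictSUIDSGID UNIT...` output on
# stdin (KEY=VALUE lines, one blank-line-separated record per unit) and
# prints every unit whose RestrictSUIDSGID value is not "yes".
# Property order inside a record is not assumed. A record without the
# property (systemd older than 242) is reported as well.
unrestricted_units() {
    awk -F= '
        function emit() {
            if (id != "" && val != "yes") print id
            id = ""; val = ""
        }
        $1 == "Id"               { id = $2 }
        $1 == "RestrictSUIDSGID" { val = $2 }
        /^$/                     { emit() }
        END                      { emit() }
    '
}

# Constructed sample of the output for three units.
sample_show_output() {
    cat <<'EOF'
Id=ssh.service
RestrictSUIDSGID=no

RestrictSUIDSGID=yes
Id=systemd-logind.service

Id=cron.service
RestrictSUIDSGID=no
EOF
}

# "--live" (hypothetical switch of this script) queries the running system.
if [ "${1:-}" = "--live" ]; then
    systemctl list-units --type=service --plain --no-legend |
        awk '{ print $1 }' |
        xargs systemctl show --property=Id,RestrictSUIDSGID |
        unrestricted_units
else
    sample_show_output | unrestricted_units
fi
```

A listed unit can be changed with a drop-in that sets `RestrictSUIDSGID=yes` in its `[Service]` section.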
Example to show the current value of RestrictSUIDSGID for the ssh service:
systemctl show --property=RestrictSUIDSGID ssh.service
Related hardening profiles
The systemd unit setting RestrictSUIDSGID is used in the following hardening profiles.