« Back to Settings for systemd units

RuntimeDirectoryMode setting

This article has last been updated at .

The property RuntimeDirectoryMode is a systemd unit setting used for sandboxing. It is available since systemd 234.

Purpose: set the default file permissions for runtime directory, which is defined as RuntimeDirectory

New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.

Why and when to use RuntimeDirectoryMode

The setting defines the octal mode for the directories that are created for ‘runtime’. The default value is 0755, making it possible for other processes to access the underlying directory. Depending on the type of unit, the directory below the primary path will get assigned the related permissions.

Applicable toPath
System units/run
Users units$XDG_RUNTIME_DIR

The related environment variable is named $RUNTIME_DIRECTORY and contains the related location.

Current configuration

Look in the service itself to see the RuntimeDirectory property, as this contains the runtime directory.

Use systemctl with the cat subcommand to retrieve the information more easily, including any existing unit overrides.

# systemctl cat systemd-timesyncd.service | grep RuntimeDirectory
RuntimeDirectory=systemd/timesync

Another option is to review the settings by querying the properties of a service using systemctl with show, followed the service. To limit the information to just the property RuntimeDirectory, only that line will be returned.

# systemctl show --property=RuntimeDirectory systemd-timesyncd.service
RuntimeDirectory=systemd/timesync

This will reveal not the full path, but as this is a system unit, it is prepended with the /run directory.

# stat /run/systemd/timesync
  File: /run/systemd/timesync
  Size: 60        	Blocks: 0          IO Block: 4096   directory
Device: 1ah/26d	Inode: 1734        Links: 2
Access: (0755/drwxr-xr-x)  Uid: (  102/systemd-timesync)   Gid: (  104/systemd-timesync)
Access: 2024-09-03 09:51:57.097000157 +0200
Modify: 2024-09-03 09:52:27.119040190 +0200
Change: 2024-09-03 09:52:27.119040190 +0200
 Birth: 2024-09-03 09:51:57.097000157 +0200

This service has the default file permissions (0755).

Changing RuntimeDirectoryMode property

To change the file permissions for the runtime directory, edit the service and define the new file permissions (e.g. 0700).

systemctl edit myservice.service

Then add the property to the override file, including the section Service if that is not present yet.

[Service]
RuntimeDirectoryMode=0700

Generic advice

This option can be applied to most services that use a runtime directory. To find all possible service units that can be tuned, query all services and select the relevant property. To make it easier to see to what service a directory belongs to, select both the Id as RuntimeDirectory property.

systemctl show --type=service --property=Id,RuntimeDirectory '*'

References

Learn more about systemctl

This article uses the systemctl command to achieve its tasks. For this popular tool there is a cheat sheet available!

» Mastering the tool: systemctl

systemctl

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon

Related articles

Like to learn more? Here is a list of articles within the same category or having similar tags.