RuntimeDirectoryMode setting
The property RuntimeDirectoryMode is a systemd unit setting used for sandboxing. It has been available since systemd 234.
Purpose: set the default file permissions for the runtime directory, which is defined with RuntimeDirectory
Why and when to use RuntimeDirectoryMode
The setting defines the octal mode for the directories that are created as runtime directories. The default value is 0755, making it possible for other processes to access the underlying directory. Depending on the type of unit, the directory is created below one of the following primary paths and is assigned these permissions.
Applicable to | Path |
---|---|
System units | /run |
User units | $XDG_RUNTIME_DIR |
The related environment variable is named $RUNTIME_DIRECTORY and contains the location of the runtime directory.
Current configuration
Look in the service itself to see the RuntimeDirectory property, as this contains the runtime directory.
Use systemctl with the cat subcommand to retrieve the information more easily, including any existing unit overrides.
# systemctl cat systemd-timesyncd.service | grep RuntimeDirectory
RuntimeDirectory=systemd/timesync
Another option is to review the settings by querying the properties of a service using systemctl with show, followed by the service name. Limiting the output to the property RuntimeDirectory returns only that line.
# systemctl show --property=RuntimeDirectory systemd-timesyncd.service
RuntimeDirectory=systemd/timesync
This does not reveal the full path. As this is a system unit, the value is relative to the /run directory.
# stat /run/systemd/timesync
File: /run/systemd/timesync
Size: 60 Blocks: 0 IO Block: 4096 directory
Device: 1ah/26d Inode: 1734 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 102/systemd-timesync) Gid: ( 104/systemd-timesync)
Access: 2024-09-03 09:51:57.097000157 +0200
Modify: 2024-09-03 09:52:27.119040190 +0200
Change: 2024-09-03 09:52:27.119040190 +0200
Birth: 2024-09-03 09:51:57.097000157 +0200
This service has the default file permissions (0755).
Changing RuntimeDirectoryMode property
To change the file permissions for the runtime directory, edit the service and define the new file permissions (e.g. 0700).
systemctl edit myservice.service
Then add the property to the override file, including the section Service if that is not present yet.
[Service]
RuntimeDirectoryMode=0700
Generic advice
This option can be applied to most services that use a runtime directory. To find all service units that can be tuned, query all services and select the relevant property. To make it easier to see which service a directory belongs to, select both the Id and the RuntimeDirectory property.
systemctl show --type=service --property=Id,RuntimeDirectory '*'
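The query above can be turned into a small audit, shown here as an added example that is not part of the original page. It also selects the RuntimeDirectoryMode property and lists only the units whose configured mode still grants access to "other"; the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag services whose runtime
# directory mode leaves any permission bit set for "other".

# Reads "systemctl show" output on stdin: one Key=Value per line, units
# separated by blank lines. Property order inside a record is not assumed.
flag_open_runtime_dirs() {
    awk -F= '
        function report() {
            # Skip units without a runtime directory; the last octal digit
            # of the mode holds the permission bits for "other".
            if (dir != "" && mode != "" && substr(mode, length(mode), 1) != "0")
                printf "%s\t%s\t%s\n", id, mode, dir
            id = ""; dir = ""; mode = ""
        }
        $1 == "Id"                   { id = $2 }
        $1 == "RuntimeDirectory"     { dir = substr($0, length($1) + 2) }
        $1 == "RuntimeDirectoryMode" { mode = $2 }
        /^$/                         { report() }
        END                          { report() }
    '
}

# Run against the live system (requires systemd).
audit_live() {
    systemctl show --type=service \
        --property=Id,RuntimeDirectory,RuntimeDirectoryMode '*' |
        flag_open_runtime_dirs
}

# Constructed sample input, so the parser can be tried without systemd.
sample_show_output() {
    cat <<'EOF'
Id=systemd-timesyncd.service
RuntimeDirectory=systemd/timesync
RuntimeDirectoryMode=0755

Id=myservice.service
RuntimeDirectory=myservice
RuntimeDirectoryMode=0700

Id=cron.service
RuntimeDirectory=
RuntimeDirectoryMode=0755
EOF
}

sample_show_output | flag_open_runtime_dirs
```

Calling audit_live on a systemd host prints one tab-separated line per flagged unit: the unit Id, the configured mode, and the runtime directory names relative to the primary path. The mode shown is the configured value, so the directory on disk can still be checked with stat as shown earlier.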