Re: SystemD ProtectSystem=full still can write File in /etc outside of WorkingDir or WritePath
Hi,
On Wed, Jun 25, 2025 at 11:33:02AM +0200, Philipp Ewald wrote:
> ProtectSystem=full should be read-only /etc
> what is the point of this setting if the process still can write there?
The "full" setting is indeed meant to keep the whole filesystem
read-only for that service, except /dev, /proc, and /sys, so if yours
isn't then there is something else going on.

It doesn't work for user services (i.e. services started with --user
option).

It doesn't work if your kernel doesn't support filesystem namespaces,
which can happen if you have systemd running inside some other
container.

ReadWritePaths= can be used to add paths that can be written to, so
check there isn't one of those.

Otherwise there is some other issue, or a bug.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
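An added example, not part of Andy's reply: a POSIX shell function that takes the output of `systemctl show -p ProtectSystem -p ReadWritePaths <unit>` (run as `systemctl --user show ...` for a user service) and reports whether the service is actually covered by ProtectSystem=full/strict or whether a ReadWritePaths= entry reopens /etc. The `systemctl show` output fed to it below is constructed sample text, not taken from a real system.

```shell
#!/bin/sh
# Audit whether a unit's sandbox really leaves /etc read-only.
# Input: text as printed by
#   systemctl show -p ProtectSystem -p ReadWritePaths <unit>
# Output (one line) and return code:
#   ETC_READONLY                           -> 0
#   NOT_PROTECTED: ProtectSystem=<value>   -> 1 (no/yes leave /etc writable)
#   ETC_WRITABLE_VIA_READWRITEPATHS: <p>   -> 2
audit_protect_system() {
    show_output=$1
    protect=$(printf '%s\n' "$show_output" | sed -n 's/^ProtectSystem=//p')
    rw_paths=$(printf '%s\n' "$show_output" | sed -n 's/^ReadWritePaths=//p')

    # Only "full" and "strict" make /etc read-only; "yes" covers /usr and
    # the boot loader directories but not /etc, and "no" covers nothing.
    case "$protect" in
        full|strict) ;;
        *) echo "NOT_PROTECTED: ProtectSystem=$protect"; return 1 ;;
    esac

    # ReadWritePaths= is space separated in `systemctl show` output; a
    # leading "-" means "ignore if the path does not exist" and still
    # grants write access when it does.
    for p in $rw_paths; do
        case "$p" in
            /etc|/etc/*|-/etc|-/etc/*)
                echo "ETC_WRITABLE_VIA_READWRITEPATHS: $p"; return 2 ;;
        esac
    done

    echo "ETC_READONLY"
    return 0
}

# Constructed sample for running this file directly; on a real host use:
#   audit_protect_system "$(systemctl show -p ProtectSystem -p ReadWritePaths myapp.service)"
if [ "${1:-}" = "--demo" ]; then
    audit_protect_system 'ProtectSystem=full
ReadWritePaths=/var/lib/myapp -/etc/myapp'
fi
```

A user service or a container without mount namespace support will not show up here; for those, compare what `systemctl show` reports against what the process can actually do.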