
Re: SystemD ProtectSystem=full still can write File in /etc outside of WorkingDir or WritePath



On Wed, Jun 25, 2025 at 11:33:02 +0200, Philipp Ewald wrote:
> is it normal that a Service started with systemd still can write files outside its working dir?

Depends on the settings in the unit file.  Write restrictions are not
the default, but there are settings you can use which will cause write
restrictions to take effect.

In systemd.exec(5):

    RootDirectory= (does a chroot)

    ProtectHome= (makes /home, /root and /run/user inaccessible)

    ProtectSystem=strict (makes most directories read-only)

    RuntimeDirectory= and friends (adds transient exceptions to
        ProtectSystem=strict)

    ReadWritePaths= (adds nontransient exceptions to ProtectSystem=strict)

    etc.
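As an added example (not part of the thread), a unit that turns those settings on together, with the writable exceptions spelled out; the service name, binary and paths are hypothetical:

```ini
# /etc/systemd/system/example-app.service  (hypothetical unit, added example)
[Unit]
Description=Example service with a read-only view of the filesystem

[Service]
ExecStart=/usr/bin/example-app --data /var/lib/example-app
WorkingDirectory=/var/lib/example-app

# Everything except the API filesystems /dev, /proc and /sys is mounted
# read-only, so a stray write into /etc fails with EROFS instead of succeeding.
ProtectSystem=strict
# /home, /root and /run/user are not visible to the service at all.
ProtectHome=yes
# Non-transient exception: only this directory stays writable.
ReadWritePaths=/var/lib/example-app
# Transient exception: /run/example-app is created at start and removed at
# stop; use StateDirectory= instead for data that must persist.
RuntimeDirectory=example-app
# Gives the service its own writable /tmp rather than the shared one.
PrivateTmp=yes
```

After `systemctl daemon-reload`, `systemctl show -p ProtectSystem example-app.service` confirms the setting took effect, and `systemd-analyze security example-app.service` lists which exposure-reducing options are still unset.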

