{{Header}}
{{Title|title=
systemd
}}
{{#seo:
|description=systemd versus non-systemd / Miscellaneous / Find systemd dependency cycles.
}}
* [[systemd|systemd]]
* [[seccomp|seccomp]]
{{intro|
systemd versus non-systemd / Miscellaneous / Find systemd dependency cycles.
}}
= systemd security features =
{{IntroLike|
Systemd has a long list of security hardening features for systemd unit files.
Non-exhaustive list. Written April 2026.
The goal of the list isn't replacing systemd upstream documentation, completeness, or perfection. The purpose is to provide a rationale for using systemd.
}}
This table intentionally uses short upstream verbatim excerpts that give a reader an initial clue why a directive can improve service isolation. For some settings, especially DynamicUser= together with the directory helpers, the security benefit is clearest when multiple directives are combined.
{| class="wikitable"
|+ systemd service hardening directives with upstream verbatim excerpts
|-
! Directive
! Upstream excerpt
|-
! NoNewPrivileges=yes
| {{quotation
|quote=can never gain new privileges through execve()
}} [[https://www.freedesktop.org/software/systemd/man/systemd.exec.html systemd.exec(5)]]
|-
! PrivateTmp=yes
| {{quotation
|quote=private /tmp/ and /var/tmp/ directories
}} [
|-
! ]PrivateDevices=yes
| {{quotation
|quote=turn off physical device access by the executed process
}} [
|-
! ]ProtectSystem=strict
| {{quotation
|quote=the entire file system hierarchy is mounted read-only
}} [
|-
! ]ProtectHome=read-only
| {{quotation
|quote=the three directories are made read-only instead
}} [
|-
! ]ProtectControlGroups=yes
| {{quotation
|quote=will be made read-only to all processes of the unit
}} [
|-
! ]ProtectKernelTunables=yes
| {{quotation
|quote=kernel variables accessible through /proc/sys/, /sys/, /proc/sysrq-trigger, /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only
}} [
|-
! ]ProtectKernelModules=yes
| {{quotation
|quote=explicit module loading will be denied
}} [
|-
! ]ProtectKernelLogs=yes
| {{quotation
|quote=access to the kernel log ring buffer will be denied
}} [
|-
! ]ProtectClock=yes
| {{quotation
|quote=writes to the hardware clock or system clock will be denied
}} [
|-
! ]ProtectHostname=yes
| {{quotation
|quote=changing hostname or domainname via sethostname() and setdomainname() system calls is prevented
}} [
|-
! ]LockPersonality=yes
| {{quotation
|quote=locks down the personality(2) system call
}} [
|-
! ]MemoryDenyWriteExecute=yes
| {{quotation
|quote=writable and executable at the same time
}} [
|-
! ]RestrictSUIDSGID=yes
| {{quotation
|quote=set the set-user-ID (SUID) or set-group-ID (SGID) bits
}} [
|-
! ]RestrictRealtime=yes
| {{quotation
|quote=any attempts to enable realtime scheduling in a process of the unit are refused
}} [
|-
! ]RestrictNamespaces=yes
| {{quotation
|quote=Restricts access to Linux namespace functionality
}} [
|-
! ]SystemCallArchitectures=native
| {{quotation
|quote=disabling non-native ABIs
}} [
|-
! ]SystemCallFilter=@system-service
| {{quotation
|quote=relatively safe basic choice for the majority of system services
}} [
|-
! ]SystemCallErrorNumber=EPERM
| {{quotation
|quote=to return when the system call filter configured with SystemCallFilter= is triggered, instead of terminating the process immediately
}} [
|-
! ]CapabilityBoundingSet=
| {{quotation
|quote=Controls which capabilities to include in the capability bounding set
}} [
|-
! ]AmbientCapabilities=
| {{quotation
|quote=Controls which capabilities to include in the ambient capability set
}} [
|-
! ]PrivateUsers=yes
| {{quotation
|quote=new user namespace
}} [
|-
! ]PrivateMounts=yes
| {{quotation
|quote=private file system (mount) namespace
}} [
|-
! ]PrivateIPC=yes
| {{quotation
|quote=sets up a new IPC namespace
}} [
|-
! ]PrivatePIDs=yes
| {{quotation
|quote=new PID namespace
}} [
|-
! ]ProtectProc=invisible
| {{quotation
|quote=When set to "invisible" processes owned by other users are hidden from /proc/.
}} [
|-
! ]ProcSubset=pid
| {{quotation
|quote=If "pid", all files and directories not directly associated with process management and introspection are made invisible in the /proc/ file system
}} [
|-
! ]RemoveIPC=yes
| {{quotation
|quote=System V and POSIX IPC objects
}} [
|-
! ]UMask=0077
| {{quotation
|quote=file mode creation mask
}} [
|-
! ]IPAddressDeny=any
| {{quotation
|quote=implement an allow-listing IP firewall
}} [[https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html systemd.resource-control(5)]]
|-
! IPAddressAllow=...
| {{quotation
|quote=Access is granted
}} [
|-
! ]RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
| {{quotation
|quote=address family names to allow-list, such as AF_UNIX, AF_INET or AF_INET6
}} [
|-
! ]SocketBindDeny=any
| {{quotation
|quote=binding is denied when the socket address matches an entry in the SocketBindDeny= list
}} [
|-
! ]SocketBindAllow=...
| {{quotation
|quote=Binding to a socket is allowed when a socket address matches an entry in the SocketBindAllow= list
}} [
|-
! ]ReadWritePaths=...
| {{quotation
|quote=Use ReadWritePaths= in order to allow-list specific paths for write access if ProtectSystem=strict is used.
}} [
|-
! ]ReadOnlyPaths=...
| {{quotation
|quote=Paths listed in ReadOnlyPaths= are accessible for reading only, writing will be refused even if the usual file access controls would permit this.
}} [
|-
! ]InaccessiblePaths=...
| {{quotation
|quote=Paths listed in InaccessiblePaths= will be made inaccessible for processes inside the namespace along with everything below them in the file system hierarchy.
}} [
|-
! ]TemporaryFileSystem=/var:ro
| {{quotation
|quote=This is useful to hide files or directories not relevant to the processes invoked by the unit, while necessary files or directories can be still accessed by combining with BindPaths= or BindReadOnlyPaths=:
}} [
|-
! ]DevicePolicy=closed
| {{quotation
|quote=closed in addition, allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom.
}} [
|-
! ]DeviceAllow=...
| {{quotation
|quote=Control access to specific device nodes by the executed processes. This functionality is implemented using eBPF filtering.
}} [
|-
! ]DynamicUser=yes
| {{quotation
|quote=Setting DynamicUser=yes implies ProtectSystem=strict and ProtectHome=read-only.
}} [[https://0pointer.net/blog/dynamic-users-with-systemd.html Dynamic Users with systemd]]
|-
! StateDirectory=...
| {{quotation
|quote=If DynamicUser= is used, the logic for CacheDirectory=, LogsDirectory= and StateDirectory= is slightly altered: the directories are created below /var/cache/private, /var/log/private and /var/lib/private, respectively, which are host directories made inaccessible to unprivileged users, which ensures that access to these directories cannot be gained through dynamic user ID recycling.
}} [
|-
! ]CacheDirectory=...
| {{quotation
|quote=If DynamicUser= is used, the logic for CacheDirectory=, LogsDirectory= and StateDirectory= is slightly altered: the directories are created below /var/cache/private, /var/log/private and /var/lib/private, respectively, which are host directories made inaccessible to unprivileged users, which ensures that access to these directories cannot be gained through dynamic user ID recycling.
}} [
|-
! ]LogsDirectory=...
| {{quotation
|quote=If DynamicUser= is used, the logic for CacheDirectory=, LogsDirectory= and StateDirectory= is slightly altered: the directories are created below /var/cache/private, /var/log/private and /var/lib/private, respectively, which are host directories made inaccessible to unprivileged users, which ensures that access to these directories cannot be gained through dynamic user ID recycling.
}} [
|-
! ]RuntimeDirectory=...
| {{quotation
|quote=If you set it to a directory name of your choice, it will be created below /run when the service is started, and removed in its entirety when it is terminated.
}} [
|-
! ]PrivateNetwork=yes
| {{quotation
|quote=turn off network access by the executed process
}} [
|-
! ]NetworkNamespacePath=...
| {{quotation
|quote=Sets a file system path to a Linux network namespace pseudo-file
}} [
|-
! ]RestrictFileSystems=...
| {{quotation
|quote=Restricts the set of filesystems processes of this unit can open files on
}} [
|-
! ]KeyringMode=private
| {{quotation
|quote=a new session keyring is allocated when a service process is invoked, and it is not linked up with any user keyring
}} [
|-
|}
= systemd versus non-systemd =
{{project_name_short}} is a systemd-based distribution. {{project_name_short}} is not anti-systemd.
[https://forums.kicksecure.com/t/non-systemd-systemd-development-discussion/766/11 The {{project_name_short}} lead developer isn't convinced by anti-systemd arguments justifying a move to a non-systemd distribution. (Elaborated in forums.)]
Non-systemd is [[unsupported]] because no contributors support this use case.
See also:
* https://without-systemd.org/wiki/index_php/Arguments_against_systemd/
* https://nosystemd.org/
= systemd interface opinion =
{{quotation
|quote=
TODO: expand
The interfaces (the way packages and distributions can place configuration files there) of
* ]/usr/lib/systemd/system/unit-name.service(.d);
** ability to easily use capabilities and syscall filters for security hardening
* [https://www.freedesktop.org/software/systemd/man/latest/systemd-tmpfiles-setup.service.html systemd tmpfiles.d] / /usr/lib/tmpfiles.d/;
are excellent.
The [https://systemd.io/BOOT_LOADER_INTERFACE/ The Boot Loader Interface] LoaderSystemToken feature sounds excellent.
Bad things:
* journal log being binary
* adding systemd into the names of tools such as systemd-resolved, systemd-networkd and making these systemd-dependent
* systemd-boot only supporting Intel/AMD64 architecture
|context={{project_name_short}} lead developer opinion.
}}
= Systemd User Environment Variables Configuration =
{{IconSet|h1|1}}
{{CodeSelect|code=
mkdir -p ~/.config/environment.d/
}}
{{IconSet|h1|2}} {{Open File|
filename=~/.config/environment.d/electrumx.conf
}}
{{IconSet|h1|3}} Paste the following contents.
{{CodeSelect|code=
COIN=Bitcoin
DB_DIRECTORY=~/.electrumx
DAEMON_URL=username:password@127.0.0.1
SERVICES=rpC://localhost
PEER_DISCOVERY=self
}}
{{IconSet|h1|4}} Save.
{{IconSet|h1|5}}
{{CodeSelect|code=
systemctl --user daemon-reload
}}
{{IconSet|h1|6}} Done.
The systemd user environment variables configuration has been created and reloaded.
= systemd age API =
* https://forum.qubes-os.org/t/how-much-do-we-gotta-worry-about-this-linux-age-verification-bs/39788/179
* https://forum.qubes-os.org/t/how-much-do-we-gotta-worry-about-this-linux-age-verification-bs/39788/240
= Interesting =
* [https://github.com/jantman/misc-scripts/blob/master/dot_find_cycles.py dot_find_cycles.py - uses Pydot and NetworkX to find cycles in a dot file directed graph.]
= See Also =
* https://forums.kicksecure.com/t/non-systemd-systemd-discussion/766
* https://forums.whonix.org/t/whonix-without-systemd/18426
* [https://forums.whonix.org/t/whonix-without-systemd/18426 Whonix without systemD]
= Footnotes =
{{Footer}}
[[Category:Documentation]]
.