Frequently Asked Question
How do I sandbox a service with ProtectSystem, PrivateTmp, and friends?
systemd ships a long list of sandboxing directives that you can add to [Service] to
restrict what a service can see and do. The most useful are PrivateTmp=yes (give the
service a fresh, private /tmp and /var/tmp invisible to other services),
ProtectSystem=strict (mount /usr, /boot, and /etc read-only, leaving only
explicit writable paths), ProtectHome=yes (hide users' home directories),
NoNewPrivileges=yes (the service and its children can never gain privileges via
setuid binaries), and PrivateDevices=yes (only minimal device nodes are visible).
Stricter options narrow further: RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 cuts
off exotic socket families, SystemCallFilter=@system-service allows only a curated
syscall set, CapabilityBoundingSet= drops Linux capabilities, and ReadWritePaths=
whitelists exactly which directories the service may write to.
systemd-analyze security <unit> scores a unit on these settings and points out what is
missing, which is by far the easiest way to harden third-party services in practice.
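As an added example (not part of the original FAQ), the directives above applied to a hypothetical example-web.service: the unsandboxed unit, followed by a drop-in that hardens it without touching ExecStart=. The service name, binary, system user, state directory, and port are assumptions; the unit is assumed to bind a port above 1024 so it needs no capabilities.

```ini
# --- /etc/systemd/system/example-web.service (hypothetical, unsandboxed) ---
# Runs as root with the whole filesystem, all devices and every syscall available.
[Unit]
Description=Example web service (illustrative only)

[Service]
ExecStart=/usr/local/bin/example-web --listen 0.0.0.0:8080

[Install]
WantedBy=multi-user.target

# --- /etc/systemd/system/example-web.service.d/hardening.conf (drop-in) ---
# Apply with: systemctl daemon-reload && systemd-analyze security example-web.service
[Service]
# Unprivileged system account; assumed to exist (useradd --system example-web).
User=example-web
# Fresh private /tmp and /var/tmp, invisible to other services and discarded on stop.
PrivateTmp=yes
# Filesystem read-only except the paths explicitly listed in ReadWritePaths=.
ProtectSystem=strict
# Hide /home, /root and /run/user.
ProtectHome=yes
# Only pseudo-devices such as /dev/null and /dev/urandom are visible.
PrivateDevices=yes
# setuid binaries cannot grant the service or its children new privileges.
NoNewPrivileges=yes
# The single directory the service may write to; must exist and be owned by User=.
ReadWritePaths=/var/lib/example-web
# Unix and IPv4/IPv6 sockets only; netlink, packet and other families are refused.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Curated syscall set for ordinary services; anything outside it fails with EPERM
# instead of killing the process, which keeps the failure visible in the logs.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# Empty set: drop every Linux capability (port 8080 needs none).
CapabilityBoundingSet=
```

Compare `systemd-analyze security example-web.service` before and after the drop-in is loaded; the remaining findings are the directives not covered here, which is the checklist for the next round.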