Question about Systemd - ReadWriteDirectories=-/path/to/folder

Hi!

I have a question about Systemd. ([Service] section)

[Service]
ProtectSystem=full
ReadOnlyDirectories=/

ReadWriteDirectories=-/path/to/folder

What does that mean?

ReadWriteDirectories=-/path/to/folder

Does that mean that with 'ReadWriteDirectories=-/path/to/folder' the service has no read and write access? (because the -minus flag/attribute is set)

And when I have set
ReadWriteDirectories=/path/to/folder (without the -minus flag/attribute)

does that mean I have full read+write access to '/path/to/folder'?

https://www.commandlinux.com/man-page/man5/systemd.exec.5.html

Paths in ReadOnlyDirectories= and InaccessibleDirectories= may be prefixed with "-", in which case they will be ignored when they do not exist. Note that using this setting will disconnect propagation of mounts from the service to the host (propagation in the opposite direction continues to work). This means that this setting may not be used for services which shall be able to install mount points in the main mount namespace.


Hi pavlos_kairis,

if I have now understood correctly, it means that with

'ReadWriteDirectories=-/path/to/folder'

(with -minus flag/attribute)

the set path to the folder is 'ignored'?

No read and write access, right?

The minus (-) means that if the folder at /path/to/folder does not exist when the service is run, then the service will be run as if that line ReadWriteDirectories=-/path/to/folder did not exist, so the service would not get read and write access to that folder (because the folder doesn't exist!). But the service will still be run. If you did not specify the minus sign, the service would fail entirely if the folder did not exist.

The difference is merely that one silently ignores any potential problems (useful if the service can cope without that directory), whereas the other fails if the directory doesn't exist (useful for instances where, for example, the service's job is to read files from one directory and move them to the read-write directory).

Note that interestingly, the man page @pavlos_kairis linked to implies that the minus sign can only be used in ReadOnlyDirectories= and InaccessibleDirectories= lines -- there is no explicit mention of ReadWriteDirectories= lines.

Thanks for the information @gordon.

The prebuilt systemd program name.service which I have installed
comes with the following setting.

ProtectSystem=full
ReadOnlyDirectories=/ (root) read-only
ReadWriteDirectories=-/proc
ReadWriteDirectories=-/var/lib/program name
ReadWriteDirectories=-/var/log/program name
ReadWriteDirectories=-/run

I wonder about this scenario here because

program name can write log files to "/var/log/program name"
although at "ReadWriteDirectories=-/var/log/program name"
the -minus flag is set.

Also with path "/var/lib/program name"

read and write are working.

Do you mean that you wondered about that scenario? If not, and you really mean what you said in the present tense, then clearly I haven't explained the minus flag well enough.

I'm wondering about the fact that my program name can write log files
when the -minus flag is set at 'ReadWriteDirectories=-/var/log/program name'

It does not exist you say:

gordon:
The minus (-) means that if the folder at /path/to/folder does not exist when the service is run, then the service will be run as if that line ReadWriteDirectories=-/path/to/folder did not exist

I'm sorry, but past this point it's too difficult for me to understand what you're trying to say. I therefore shall not reply to this topic anymore -- but if someone else wants to pick this up, then go right on ahead.

It seems you overlooked the 5th word in @gordon 's reply:

if the folder at /path/to/folder does not exist

instead of:

the folder at /path/to/folder does not exist

I guess I should stop italicizing text for emphasis and use bold instead, then.


@gordon,
it has settled, I understood it because of the systemd "ReadWriteDirectories=-" setting.

Tried a little bit with the setting/config.

If my "program name.service" is running with these
config @ "program name.service":

ProtectSystem=full
ReadOnlyDirectories=/ (root) read-only
ReadWriteDirectories=-/proc
ReadWriteDirectories=-/var/lib/program name
ReadWriteDirectories=-/var/log/program name
ReadWriteDirectories=-/run

All directories on ROOT / are in 'read-only' mode then.

Directories excluded from 'read-only' are set with "-/path/to/folder",
for example:

ReadWriteDirectories=-/proc
ReadWriteDirectories=-/var/lib/program name
ReadWriteDirectories=-/var/log/program name
ReadWriteDirectories=-/run

These directories have 'read & write access' in my config.

So, I understood it :slight_smile:

"SOLVED"
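To make the rule from gordon's explanation and the config above concrete, here is an added model of the "-" prefix behaviour; it is illustration code written for this thread, not systemd's own implementation and not from anyone posting here, and it assumes a hypothetical "myprog" placeholder path, a longest-prefix rule for nested ReadOnly/ReadWrite directories, and nothing about mount propagation:

```python
import os, tempfile

# Added model of the "-" prefix rule discussed in this thread: a simplified, hypothetical
# simulation, not systemd's own code (ProtectSystem=, mount propagation etc. are ignored).
WRITABLE = {"ReadOnlyDirectories": False, "ReadWriteDirectories": True}

class UnitStartError(Exception):
    """Raised where systemd would refuse to start the unit."""

def build_rules(service_lines):
    """Turn [Service] lines into (path, writable) rules, applying the "-" prefix rule."""
    rules = []
    for line in service_lines:
        key, _, value = line.strip().partition("=")
        if key not in WRITABLE:
            continue
        optional = value.startswith("-")        # "-": ignore the line if path is missing
        path = value[1:] if optional else value
        if not os.path.exists(path):
            if optional:
                continue                        # ignored: no access granted, no failure
            raise UnitStartError(f"{key}={path}: path does not exist")  # start refused
        rules.append((os.path.normpath(path), WRITABLE[key]))
    return rules

def can_write(rules, path):
    """Most specific (longest) matching rule wins; with no rule at all, writable."""
    path, best, writable = os.path.normpath(path), "", True
    for prefix, rw in rules:
        inside = path == prefix or path.startswith(prefix.rstrip("/") + "/")
        if inside and len(prefix) > len(best):
            best, writable = prefix, rw
    return writable

def demo():
    """Constructed scenario: the log directory exists, the lib directory does not."""
    base = tempfile.mkdtemp()
    log_dir = os.path.join(base, "var/log/myprog")   # "myprog" is a placeholder name
    lib_dir = os.path.join(base, "var/lib/myprog")
    os.makedirs(log_dir)
    rules = build_rules(["ReadOnlyDirectories=/", f"ReadWriteDirectories=-{log_dir}",
                         f"ReadWriteDirectories=-{lib_dir}"])
    try:                          # the same lib path without "-": start is refused
        build_rules([f"ReadWriteDirectories={lib_dir}"])
        starts_without_minus = True
    except UnitStartError:
        starts_without_minus = False
    return {"log_writable": can_write(rules, os.path.join(log_dir, "app.log")),
            "lib_writable": can_write(rules, os.path.join(lib_dir, "state.db")),
            "starts_without_minus": starts_without_minus}
```

Running demo() shows the three cases from the thread side by side: an existing "-" directory is writable, a missing "-" directory is simply left read-only while the service still starts, and the same missing directory without "-" stops the unit from starting at all.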


Good! I think you got it. I hope it works for you!

yes :slight_smile: thanks and best regards.