Hi,

On Wed, Jun 25, 2025 at 11:33:02AM +0200, Philipp Ewald wrote:
> ProtectSystem=full should be read-only /etc
> what is the point of this setting if the process still can write there?
The "full" setting is indeed meant to keep the whole filesystem read-only for that service, except /dev, /proc, and /sys, so if yours isn't then there is something else going on. It doesn't work for user services (i.e. services started with --user option). It doesn't work if your kernel doesn't support filesystem namespaces, which can happen if you have systemd running inside some other container. ReadWritePaths= can be used to add paths that can be written to, so check there isn't one of those. Otherwise there is some other issue, or a bug. Thanks, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting

