Hide systemd units from non-root users

ygoe asked:

I’ve set up a number of custom systemd service units that may contain sensitive data in their environment variables. While it’s not possible for non-root users to systemctl cat that service, anybody can see all the data through systemctl show. This is undesired as that data should not be read by other users. The *.service files in /etc/systemd/system are marked only readable by root (mode 600).

I couldn’t find any information about access restrictions for systemd. Is this even possible? Or is all systemd data considered public and world-readable? If there’s no security available, I guess I’ll have to stop using the systemd features and wrap everything in another layer of inaccessible script files.

My current environments are Ubuntu Server 16.04 and 20.04.

My answer:

Place your desired environment variables in an access-restricted file and load it in your unit with EnvironmentFile=.
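As an added illustration (not part of the Server Fault answer above), the following POSIX shell script shows the layout the answer describes: the secret values live in a root-only file created under a restrictive umask, and the unit references that file through EnvironmentFile= instead of carrying inline Environment= lines. The paths, service name and variable values are constructed placeholders; a real install would write to /etc/myapp/secrets.env and /etc/systemd/system/myapp.service and run systemctl daemon-reload afterwards. The check function encodes what a defender wants to verify: the env file is mode 600 and the unit exposes no inline values, since systemctl show prints Environment= values for any user but only prints the path of an EnvironmentFile=, not its contents.

```shell
#!/bin/sh
# Added example, not the post's own code. Keeps secrets out of the unit file
# and in an EnvironmentFile= that only root can read. All paths and values
# below are placeholders for a stand-alone demo in a temporary directory.
set -eu

# Create the env file with umask 077 so it is mode 600 from the instant it
# exists; there is no window where a world-readable file holds the secret.
write_env_file() {
    envfile="$1"
    (
        umask 077
        cat > "$envfile" <<'EOF'
# constructed sample values, not real credentials
DB_PASSWORD=placeholder-not-a-real-secret
API_TOKEN=placeholder-token
EOF
    )
    chmod 600 "$envfile"
}

# Write a unit that loads the file instead of inlining Environment= values.
# `systemctl show` will list the EnvironmentFiles= path but not its contents.
write_unit() {
    unitfile="$1"
    envfile="$2"
    cat > "$unitfile" <<EOF
[Unit]
Description=Example service with secrets loaded from a restricted file

[Service]
EnvironmentFile=$envfile
ExecStart=/usr/local/bin/myapp

[Install]
WantedBy=multi-user.target
EOF
}

# Defensive check: env file must be mode 600, the unit must reference it,
# and the unit must not carry any inline Environment= line.
check_layout() {
    envfile="$1"
    unitfile="$2"
    [ "$(stat -c '%a' "$envfile")" = "600" ] || return 1
    grep -qF "EnvironmentFile=$envfile" "$unitfile" || return 1
    if grep -q '^Environment=' "$unitfile"; then
        return 1
    fi
    return 0
}

# Stand-alone demo: build both files in a temp dir and verify the layout.
demo() {
    tmp=$(mktemp -d)
    write_env_file "$tmp/secrets.env"
    write_unit "$tmp/myapp.service" "$tmp/secrets.env"
    check_layout "$tmp/secrets.env" "$tmp/myapp.service" && echo "layout ok in $tmp"
}

# Run as `sh script.sh demo` to execute the demo.
[ "${1:-}" = "demo" ] && demo
```

One caveat worth keeping in mind: this closes the systemctl show leak, but the running service's own environment is still readable by the user the service runs as (and by root) through /proc/PID/environ, so the values should be treated as visible to the service account regardless of how they are loaded.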

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.