[systemd-devel] Odd behavior with ProtectSystem, ProtectHome, and ReadWritePaths=/root in combination
Daniel Hast
hast.daniel at protonmail.com
Sat Jun 21 02:20:10 UTC 2025
Hello,
I've stumbled on some odd, seemingly inconsistent behavior when the systemd properties ProtectSystem=strict, ProtectHome=read-only, and ReadWritePaths are used in combination.
Consider the following command:
run0 --property=ProtectSystem=strict --property=ProtectHome=read-only --property=ReadWritePaths="$DIRECTORY" bash -c "findmnt -nru -o OPTIONS --target=$DIRECTORY"
If $DIRECTORY is a non-root user's home directory, the above command shows that the directory is mounted read-write in the transient service unit ("rw" is among the options printed by findmnt). However, if $DIRECTORY is /root (the root user's home directory), /root gets mounted read-only, as if the ReadWritePaths directive was ignored.
I've confirmed this behavior in up-to-date Arch and Kubuntu 25.04 VMs. Strangely, on a Fedora atomic desktop, this behavior does not occur with /var/roothome, the root user's home directory. All three systems are running systemd 257.
Does anyone know what's going on here? Is this a bug or just some complex interaction of these properties that I'm not understanding properly?
Thanks,
Daniel Hast
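A small helper for checking the effect described above, added here as an illustration and not part of the original post: given the list of paths a unit is supposed to have writable (its ReadWritePaths= list) and a dump of what findmnt reports for those targets from inside the sandbox, it lists every path that is in fact mounted read-only. The function names, the path /home/alice and the findmnt lines in SAMPLE_DUMP are all constructed for this example; the dump mirrors the observation reported in the post (a non-root home mounted rw, /root mounted ro).

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): compare the paths a unit
# expects to be writable against the mount options findmnt reports for
# them inside the sandbox.
#
# The dump is expected in the shape produced by
#   findmnt -nru -o TARGET,OPTIONS --target="$path"
# one line per path: "<target> <comma-separated options>".

# Print the effective ro/rw state from a comma-separated options string.
# The first "ro" or "rw" token wins (findmnt prints the mount flags first).
mount_mode() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -x -e ro -e rw | head -n 1
}

# Usage: list_readonly_violations "<expected rw paths, space separated>" "<dump>"
# Prints each expected-writable path whose mount is actually read-only,
# and flags paths that have no mount entry at all in the dump.
list_readonly_violations() {
    expected=$1
    dump=$2
    for p in $expected; do
        opts=$(printf '%s\n' "$dump" | awk -v t="$p" '$1 == t { print $2 }')
        if [ -z "$opts" ]; then
            printf '%s (no mount entry)\n' "$p"
            continue
        fi
        if [ "$(mount_mode "$opts")" = "ro" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# Constructed sample: the state the post reports on Arch/Kubuntu with
# systemd 257 for ReadWritePaths=/home/alice and ReadWritePaths=/root.
SAMPLE_DUMP='/home/alice rw,relatime
/root ro,nosuid,nodev,relatime'

# Running the check over the sample reports only /root.
list_readonly_violations "/home/alice /root" "$SAMPLE_DUMP"
```

In practice the dump would come from the sandboxed unit itself (for example by making the findmnt call the unit's command, as in the post), and a non-empty result from the check is the signal that a ReadWritePaths= entry did not take effect the way the unit file intends.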