CME-710

DynamicUser (systemd)

Description

systemd dynamically allocates a unique UID/GID per service instance. No persistent user account exists; each service restart gets a fresh identity, preventing cross-service data access.

CVSS Vector Impacts

Metric | Transition | Rationale
Scope (S) | C → U | Service runs with ephemeral identity that owns no persistent files

CWE Relationships

Verification

Check DynamicUser setting

$ systemctl show <service> -p DynamicUser
# Expected: DynamicUser=yes
Platform: linux
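
The check above, extended to several units at once. This is an added example, not part of the original entry: the function names and the demo-*.service units are constructed for illustration. It also flags units that combine DynamicUser=yes with an explicit User= name, because systemd uses an existing static account of that name instead of allocating a dynamic one.

```shell
#!/bin/sh
# Added example: classify units from `systemctl show` output.
# Input: KEY=VALUE property blocks, one per unit, separated by blank lines,
# as printed by: systemctl show -p Id -p DynamicUser -p User unit1 unit2 ...
# Output: one "<unit> <verdict>" line per unit.
classify_dynamic_user() {
    awk '
        BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one record per unit
        {
            id = ""; dyn = ""; user = ""
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (eq == 0) continue
                key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
                if (key == "Id") id = val
                else if (key == "DynamicUser") dyn = val
                else if (key == "User") user = val
            }
            if (dyn != "yes")     verdict = "static"
            else if (user == "")  verdict = "dynamic"
            # Named dynamic user: confirm no static account has this name.
            else                  verdict = "dynamic-named:" user
            print id, verdict
        }'
}

# Constructed sample input (not captured from a real host).
sample_show_output() {
    cat <<'EOF'
Id=demo-api.service
User=
DynamicUser=yes

Id=demo-legacy.service
User=root
DynamicUser=no

Id=demo-worker.service
User=demo-worker
DynamicUser=yes
EOF
}

# On a live host, pipe the real command into the function instead:
#   systemctl show -p Id -p DynamicUser -p User <service>... | classify_dynamic_user
sample_show_output | classify_dynamic_user
```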