Root folder permissions - systemd 261

The recent announcement of systemd 261 includes:

A new tmpfiles.d/root.conf for ensuring that root directory permissions get set to 0555.

This has sparked some discussion online as to why 555 (r-xr-xr-x) is being used and not the historical 755 (rwxr-xr-x)? Is this something that is in place on Fedora installations currently (sorry I can’t check, my Fedora machine is out of action ATM) and if so what is the reason for preferring 555?

The main contention with 555 is that it is pointless due to the root user being subject to CAP_DAC_OVERRIDE, which bypasses read, write and execute permission checks.

I messaged Lennart Poettering about this but didn’t receive a reply.

$ cat /etc/fedora-release
Fedora release 44 (Forty Four)

$ rpm -q systemd
systemd-259.6-1.fc44.x86_64
$ ll -d /
dr-xr-xr-x. 1 root root 184 2026-05-01 16:37:58 //

Yes, that is currently what Fedora is doing.
I checked on Fedora KDE Plasma and Fedora Server.

Thanks, any idea of the rationale behind it?

Security?

The permission for “/” is set by the package filesystem. It changed from 755 to 555 with this change:

  • adjust directory rights for usage of capabilities(#517575)

Thanks @vekruse

For future reference this is the link: 517575 – Changes for lowering capabilities project

and this explains the overarching project: Features/LowerProcessCapabilities - Fedora Project Wiki
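
The permission check discussed in this thread, as an added example that is not part of any post: a simplified Python model of the kernel's DAC write check, showing that 0555 on `/` only changes the outcome for a UID 0 process whose effective set lacks CAP_DAC_OVERRIDE. The two `CapEff` status lines are constructed samples, the function names are hypothetical, and ACLs, LSMs, read-only mounts and user namespaces are ignored.

```python
import os
import stat

CAP_DAC_OVERRIDE = 1  # bit number in linux/capability.h

# Constructed samples of the CapEff line in /proc/<pid>/status.
FULL_ROOT = "Name:\tbash\nCapEff:\t000001ffffffffff\n"   # every capability set
DROPPED = "Name:\tdaemon\nCapEff:\t0000000000000400\n"   # only CAP_NET_BIND_SERVICE


def cap_eff(status_text):
    """Return the effective capability mask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")


def may_write(mode, owner_uid, owner_gid, uid, gids, capeff):
    """Model the DAC write check for one directory (assumption: no ACLs or LSM)."""
    if capeff & (1 << CAP_DAC_OVERRIDE):
        return True                       # capability bypasses the mode bits
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)  # owner class is used exclusively
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def report(path="/"):
    """Apply the model to the calling process (euid stands in for fsuid)."""
    st = os.stat(path)
    with open("/proc/self/status") as fh:
        caps = cap_eff(fh.read())
    gids = set(os.getgroups()) | {os.getegid()}
    return may_write(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                     os.geteuid(), gids, caps)


if __name__ == "__main__":
    for label, status in (("full root", FULL_ROOT), ("dropped", DROPPED)):
        for mode in (0o755, 0o555):
            ok = may_write(mode, 0, 0, 0, {0}, cap_eff(status))
            print(f"{label:9} mode {mode:o}: write {'allowed' if ok else 'denied'}")
    print("this process may write to /:", report("/"))
```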