Linux Daemons Fundamentals, Running and Managing Daemons

Resource Limits and Sandboxing

When running daemons on a Linux system, it is essential to ensure that they do not consume excessive resources or touch parts of the filesystem they have no business in. systemd provides several directives in the [Service] section of a unit file that control and limit the resources a daemon can use. The most common are CPUQuota=, which caps the CPU time available to the service as a percentage of one CPU (CPUQuota=50% is half a CPU, CPUQuota=200% is two CPUs), and MemoryMax=, which sets a hard limit on the memory the service's cgroup may consume; when the limit is exceeded, the kernel's OOM killer terminates processes inside the service. MemoryLimit= is the older cgroup v1 name for the same control and is deprecated: on current cgroup v2 systems systemd applies it as MemoryMax=, but new unit files should use MemoryMax= directly. TasksMax= caps the number of tasks (processes and threads) the service may create, and LimitNOFILE= restricts the number of open file descriptors of each process; unlike the others it is enforced through the RLIMIT_NOFILE resource limit of the process rather than through cgroups.

Applying these limits helps maintain system stability, prevents rogue processes from overwhelming the host, and enforces fair resource sharing between services. By defining these boundaries in your unit files, you can ensure that your daemons behave predictably and do not interfere with other critical system processes.
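As an added example, not code from the course page: the shell functions below show what LimitNOFILE= does to the process it is applied to. systemd sets the directive as the RLIMIT_NOFILE resource limit, and the shell's own ulimit sets the same limit, so a subshell reproduces the kernel's refusal directly without writing a unit file. The limits 5 and 16 and descriptor number 9 are constructed for the demonstration; proc_nofile_limit is a hypothetical helper name that reads /proc, so it is Linux only. CPUQuota=, MemoryMax= and TasksMax= are cgroup controls that ulimit cannot imitate; the usage note after the block shows how to inspect them on a running service.

```shell
#!/bin/sh
# Added example for this page (not code from the course): what LimitNOFILE= does
# to a process. systemd applies LimitNOFILE= as RLIMIT_NOFILE on the service,
# and the kernel then refuses any descriptor number at or above that limit,
# both for open() (EMFILE) and for dup2() onto a high number (EBADF). The
# shell's ulimit sets the same rlimit, so a subshell reproduces the effect
# without touching the limits of the shell you run this from.

# fd_open_under_limit LIMIT FD
#   Returns 0 if a process whose open-file limit is LIMIT can still acquire
#   descriptor number FD, non-zero if the kernel refuses it. FD must be a
#   single digit because POSIX sh only guarantees redirections on fds 0-9.
fd_open_under_limit() {
    ( ulimit -n "$1" && eval "exec $2</dev/null" ) 2>/dev/null
}

# Constructed scenario: a daemon limited to 5 descriptors asks for descriptor
# number 9 and is refused; the same request succeeds with a limit of 16.
fd_limit_report() {
    for limit in 5 16; do
        if fd_open_under_limit "$limit" 9; then
            printf 'RLIMIT_NOFILE=%s: descriptor 9 opened\n' "$limit"
        else
            printf 'RLIMIT_NOFILE=%s: descriptor 9 refused by the kernel\n' "$limit"
        fi
    done
}

# proc_nofile_limit PID
#   Soft open-file limit the kernel is enforcing on PID, read from procfs
#   (Linux only). For a running service, pass its main PID:
#   proc_nofile_limit "$(systemctl show -p MainPID --value mydaemon)"
proc_nofile_limit() {
    awk '/^Max open files/ { print $4 }' "/proc/$1/limits"
}

# Stand-alone use: sh limits-demo.sh report
if [ "${1-}" = report ]; then
    fd_limit_report
fi
```

To check the limits a running service actually has, read them back from systemd and from the kernel: systemctl show mydaemon -p CPUQuotaPerSecUSec -p MemoryMax -p TasksMax -p LimitNOFILE prints the effective values (CPUQuota=50% appears as CPUQuotaPerSecUSec=500ms), and cat /proc/$(systemctl show -p MainPID --value mydaemon)/limits shows the rlimits the main process runs under. To try a limit without editing a unit file, systemd-run -p MemoryMax=64M --wait --pipe <command> runs the command in a transient service with that limit applied.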

mydaemon.service

Beyond resource limits, systemd offers several directives that sandbox a daemon by controlling its view of the filesystem and of user data; they work by giving the service its own mount namespace with read-only or empty mounts placed over the protected directories. ProtectSystem= has three increasingly strict levels: yes mounts /usr and the boot loader directories /boot and /efi read-only for the service; full additionally makes /etc read-only; strict mounts the entire filesystem hierarchy read-only except for the API filesystems /dev, /proc and /sys. None of these levels hides the directories; they stay visible but cannot be written. ProtectHome= controls /home, /root and /run/user: yes makes them inaccessible (the service sees them empty), read-only leaves them readable but unwritable, and tmpfs replaces them with empty temporary filesystems. For a daemon that has no reason to read user data, ProtectHome=yes is the right choice.

Other related directives fine-tune access to specific paths: ReadOnlyPaths= and InaccessiblePaths= take away access that the protection levels above still grant, while ReadWritePaths= gives it back for the few locations a daemon must write, typically its state directory under /var/lib. With ProtectSystem=strict, a service that writes anywhere not listed in ReadWritePaths= (or created through StateDirectory=, which has systemd create the directory and keep it writable) fails with a read-only file system error, so the writable paths must be chosen deliberately. These sandboxing features significantly reduce the attack surface of a daemon by isolating it from sensitive parts of the filesystem, helping to contain a compromise and limit the damage it can do. Two caveats apply. The protection is only as strong as the service's privileges: a process that keeps CAP_SYS_ADMIN can remount the read-only mounts, so the systemd manual recommends combining these directives with CapabilityBoundingSet=~CAP_SYS_ADMIN or SystemCallFilter=~@mount, and in practice with an unprivileged User=. And the result should be verified rather than assumed: systemd-analyze security mydaemon.service reports which hardening directives are actually in effect for the unit.
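As an added example, not from the course page, here is a complete mydaemon.service that combines the resource limits from the first part of this chapter with the sandboxing directives above, produced by a shell script that can also lint any unit file against a small deployment policy (required directives present, the deprecated MemoryLimit= absent, ProtectSystem= at least full, and a warning when strict leaves the daemon nowhere to write). The binary /usr/local/bin/mydaemon, the user mydaemon and the state directory /var/lib/mydaemon are hypothetical, and the lint policy is this example's own. The unit goes slightly beyond the directives named on the page by adding NoNewPrivileges= and CapabilityBoundingSet=~CAP_SYS_ADMIN, the combination the systemd manual recommends so that the service cannot undo its own read-only mounts.

```shell
#!/bin/sh
# Added example for this page (not code from the course): generate a unit file
# that combines the resource limits and sandboxing directives discussed above,
# and lint a unit file against a small policy before it is deployed.
# The binary /usr/local/bin/mydaemon, the user/group "mydaemon" and the state
# directory /var/lib/mydaemon are hypothetical; adjust them to your daemon.

# write_hardened_unit PATH: write the example unit to PATH.
write_hardened_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=Example daemon with resource limits and a filesystem sandbox

[Service]
ExecStart=/usr/local/bin/mydaemon
User=mydaemon
Group=mydaemon

# Resource limits. CPUQuota, MemoryMax and TasksMax are enforced by cgroups;
# LimitNOFILE is an rlimit on each process. MemoryMax replaces the deprecated
# cgroup v1 name MemoryLimit.
CPUQuota=50%
MemoryMax=256M
TasksMax=64
LimitNOFILE=1024

# Filesystem sandbox. strict makes the whole tree read-only, so the daemon's
# only writable location is the one listed in ReadWritePaths. Dropping
# CAP_SYS_ADMIN stops the service from remounting its way out of the sandbox.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/var/lib/mydaemon
InaccessiblePaths=/root
NoNewPrivileges=yes
CapabilityBoundingSet=~CAP_SYS_ADMIN

[Install]
WantedBy=multi-user.target
EOF
}

# unit_value FILE KEY: print the value of the last KEY= line in FILE
# (empty if the directive is absent; comment lines never match).
unit_value() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# lint_unit PATH: return 0 if PATH satisfies the policy below, 1 otherwise,
# printing each violation to stderr. The policy is this example's own:
#   - the resource and sandbox directives from the page must all be present,
#   - the deprecated MemoryLimit= must not be used (MemoryMax= instead),
#   - ProtectSystem= must be full or strict (yes leaves /etc writable).
# It also warns when ProtectSystem=strict is combined with no writable path,
# the usual cause of a freshly sandboxed daemon failing at start-up.
lint_unit() {
    unit=$1
    rc=0
    for key in CPUQuota MemoryMax TasksMax LimitNOFILE ProtectSystem ProtectHome; do
        if [ -z "$(unit_value "$unit" "$key")" ]; then
            echo "$unit: missing $key=" >&2
            rc=1
        fi
    done
    if [ -n "$(unit_value "$unit" MemoryLimit)" ]; then
        echo "$unit: MemoryLimit= is deprecated, use MemoryMax=" >&2
        rc=1
    fi
    ps=$(unit_value "$unit" ProtectSystem)
    case $ps in
        full|strict) ;;
        *) echo "$unit: ProtectSystem=$ps must be full or strict" >&2; rc=1 ;;
    esac
    if [ "$ps" = strict ] && [ -z "$(unit_value "$unit" ReadWritePaths)" ] \
       && [ -z "$(unit_value "$unit" StateDirectory)" ]; then
        echo "$unit: warning: ProtectSystem=strict with no ReadWritePaths= or StateDirectory=" >&2
    fi
    return $rc
}

# Stand-alone use: sh unit-lint.sh /etc/systemd/system/mydaemon.service
if [ $# -gt 0 ]; then
    lint_unit "$1"
fi
```

Run it as sh unit-lint.sh /etc/systemd/system/mydaemon.service to lint an existing unit, or source the file and call write_hardened_unit with a path to produce the example unit. The lint only inspects the text. Once a unit is installed, systemd-analyze verify mydaemon.service reports syntax and unknown-directive errors, and systemd-analyze security mydaemon.service scores the sandbox that is actually in effect.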


Why is it important to apply resource limits (such as CPUQuota and MemoryLimit) and sandboxing directives (like ProtectSystem and ProtectHome) to daemons using systemd unit files? How do these options contribute to the security and stability of your system? Reference the example unit file snippets where appropriate.


Section 3, Chapter 3

