How to mask a service in systemd

Masking a systemd service is the hard stop for units that should not be started accidentally during maintenance, troubleshooting, or policy-driven lockout. It blocks the normal service entry point instead of merely removing boot-time symlinks, which is useful when a service must stay unavailable until an explicit unmask.

The systemctl mask command works by creating a unit-name symlink to /dev/null in systemd's writable unit path. Because the unit file now resolves to /dev/null, systemd reports the unit as masked and rejects both manual starts and automatic activation from dependencies or enablement.

Examples below use cron.service because it is a common vendor-supplied service name on Debian and Ubuntu systems, while many Red Hat family systems use crond.service instead. Masking a unit does not stop an already running process unless --now is used or the service is stopped separately, and upstream systemd notes that masking is mainly intended for vendor units because locally created unit files already stored in /etc/systemd/system or /run/systemd/system can block the symlink operation.

Steps to mask a service with systemctl:

  1. Open a terminal session with an account that can use sudo.
  2. Confirm the exact unit name before changing it. 
    $ systemctl list-unit-files --type=service | grep -E 'cron|crond'
cron.service                            enabled  enabled

    Use the real service name when searching, and prefer the full unit name such as cron.service or crond.service so the target is unambiguous.

  3. Check the current enablement state before applying the mask. 
    $ systemctl is-enabled cron.service
enabled

    disabled still allows manual starts, while masked means a hard block is already in place.

  4. Create a persistent mask for the service. 
    $ sudo systemctl mask cron.service
Created symlink /etc/systemd/system/cron.service -> /dev/null.

    Upstream systemd documents masking as a symlink under /etc/systemd/system, or under /run/systemd/system when --runtime is used, so the operation is most reliable for vendor units shipped under /usr/lib/systemd/system rather than locally authored units that already live in the writable unit paths.

  5. Stop the service now if it is already running and should become unavailable immediately. 
    $ sudo systemctl stop cron.service

    Use sudo systemctl mask --now cron.service when the stop should happen in the same command as the mask.

    Masking or stopping a remote-access, network, storage, or boot-critical unit can cut off management access or leave the system unable to reach later targets without console recovery.

    Related: How to manage a service using systemctl

  6. Verify that systemd now sees the unit as masked. 
    $ systemctl is-enabled cron.service
masked

    When the mask was created with --runtime, the reported state becomes masked-runtime and disappears after reboot.

    Related: How to check whether a service is enabled using systemctl

  7. Confirm that the unit can no longer be started. 
    $ sudo systemctl start cron.service
Failed to start cron.service: Unit cron.service is masked.

    This failure is the expected success signal for a hard mask, and systemd may also mention any still-active triggering units when the service is socket- or path-activated.