I'm currently submitting this package for nixos ( see PR ) and one comment was raised that it would be better to run the service as DynamicUser and give it the permissions it needs through CapabilityBoundingSet which would make it more secure.
I believe that for this to work, it would need the main script to test write permission on the targeted files instead of checking if the user is root.
I'm currently submitting this package for nixos ( see PR ) and one comment was raised that it would be better to run the service as
DynamicUserand give it the permissions it needs throughCapabilityBoundingSetwhich would make it more secure.I believe that for this to work, it would need the main script to test write permission on the targeted files instead of checking if the user is root.