Hi @mikebrady,
I'm using nqptp/shairport-sync as part of a media distribution for the Raspberry Pi, and it's quite inconvenient for me to have to add and maintain a new `nqptp` user and group for the purpose of privilege separation. The lazy bastard that I am uses `DynamicUser=yes` in the service file instead of setting user and group to nqptp.
And I found out that you actually get additional security benefits from that, as the service is essentially sandboxed from the system, check out Lennart's little howto.
Now I don't know if this has actual benefits in the case of nqptp, but I'm definitely going to play with this some more for other exposed services, and maybe it provides inspiration for you as well.
All best, Jörn
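
An added example, not part of the original issue and not the nqptp project's own unit file: a systemd drop-in that applies the `DynamicUser=yes` approach described above. The drop-in path, the unit name `nqptp.service`, and the capability lines are assumptions; the capability lines presume the daemon has to bind the PTP ports (UDP 319 and 320) itself.

```ini
# Assumed path: /etc/systemd/system/nqptp.service.d/dynamic-user.conf
# Constructed example; adjust the unit name to match the installed service.
[Service]
# Allocate a transient UID/GID when the service starts and release it when
# the service stops. No entry in /etc/passwd or /etc/group is needed.
# If the packaged unit also sets User=nqptp and a static nqptp account
# exists, systemd uses that account and no dynamic allocation takes place.
DynamicUser=yes

# DynamicUser=yes implies the following sandboxing options:
#   ProtectSystem=strict    file system read-only for the service
#   ProtectHome=read-only   home directories not writable
#   PrivateTmp=yes          private /tmp and /var/tmp
#   RemoveIPC=yes           IPC objects of the user removed on stop
#   NoNewPrivileges=yes     no privilege gain through execve()
#   RestrictSUIDSGID=yes    no creation of SUID/SGID files

# With NoNewPrivileges in effect, file capabilities granted with setcap are
# not picked up at exec time. Binding ports below 1024 as an unprivileged
# user therefore needs the capability passed in as an ambient capability.
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Limit the service to this one capability.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
```

After `systemctl daemon-reload` and a restart of the service, `systemd-analyze security nqptp.service` lists which sandboxing options are in effect for the unit.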