Description
You recommend using a dedicated user on the system for the python service to avoid using root and thus prevent avoidable security risks.
I find this to be a very good practice, and to build up on this I think some hints could help adopt it. A full explanation of the subject would probably be outside the scope, but letting the user know in which direction to search can help.
An example would be adding the user to the right system group which has execution privileges. On the RaspberryPi, a user needs to be added to the gpio group in order to use the pins on the board through Python. Say the python_demo_service user needs to use the pins in a Python script:
#adduser python_demo_service gpio
Another example could show sudo. I believe most modern operating systems use, or provide an easy way to install, sudo. With that in mind, the following simple set of commands could help a non root user to execute a system command:
Say the python_demo_service user needs to be able to shutdown the system:
#echo 'python_demo_service ALL=(ALL) NOPASSWD: /sbin/shutdown' > /etc/sudoers.d/010_python_demo_service-shutdown
#chmod 0440 /etc/sudoers.d/010_python_demo_service-shutdown
This is a subject on its own that deserves full understanding from the user, but a few examples, as long as they don't introduce security risks or bad practices, can help a lot to get started.