Docker User Setup Security

Hey all, just a quick post. If you have read any of my guides you will see I always grant access to my Synology shares using the admin group ID and my admin account user ID.

Thanks to Reddit user /u/jasonsteelj, who pointed out that this is not very good practice: if a container is compromised, it has admin rights to all your shares.

To limit this, you should set up a unique user for each container, limiting its access to only the data it should have.

So over the next few days I will be updating the guides to show how this is done, as well as updating my own personal containers.
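
As an added illustration (not taken from the author's guides), this is what the change looks like in a Compose file for an image that takes PUID and PGID environment variables. The image name, the paths and the admin IDs are assumptions; the docker-sabnzbd IDs reuse the sample values quoted in the comments below.

```yaml
# Constructed example: service names, paths and the admin IDs are placeholders.
# Look up the real IDs on the NAS over SSH with: id <username>
# Keep only one of the two services in a real file.
services:

  # BEFORE: the container is handed the admin account's IDs, so a compromised
  # container can reach every share the admin account can.
  sabnzbd-before:
    image: lscr.io/linuxserver/sabnzbd
    environment:
      - PUID=1026   # placeholder: UID of the admin account
      - PGID=101    # placeholder: GID of the admin group
    volumes:
      - /volume1/docker/sabnzbd:/config
      - /volume1/data:/data              # whole share mounted

  # AFTER: a dedicated user (docker-sabnzbd) that has been granted
  # read/write on only the folders this container needs.
  sabnzbd-after:
    image: lscr.io/linuxserver/sabnzbd
    environment:
      - PUID=1060   # UID of the dedicated docker-sabnzbd user
      - PGID=100    # GID used in the comment's example
    volumes:
      - /volume1/docker/sabnzbd:/config
      # Assumption: narrowing the mount as well, so the container sees
      # only its own download folder rather than the whole share.
      - /volume1/data/usenet:/downloads
```

The dedicated user also needs its share permissions trimmed on the NAS itself; changing the IDs in the file does nothing if that user has been granted access to everything.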

Published in General News

10 Comments

  1. Neil

    A guide to better security is always good.

    Sometimes I am just so happy to get things running that I brush under the carpet anything that may break something.

    • Dr_Frankenstein

      True, I never really thought of this element when I set out.

  2. Vince

    Dear Dr. F,

    The link to your SABNZBD tutorial is gone 🙁

    Would you be so kind to restore it?

    Thank you very much,

    Bye from The Netherlands,

    Vince

    • Dr_Frankenstein

      Hey Vince, I need to edit it as the pictures are broken. I will re-enable it with a note for you until I get a chance to edit it.

  3. Vince

    Hi Doc 😀

    Thanks for your reply. I managed to get it working anyway. However: I think there is something not working: the PUID and PGID.

    Because: suppose you create a user docker-sabnzbd, PUID=1060, PGID=100.

    If you put these two in the environmental settings, restart the container, and then go to the CLI via SSH and issue ps -u | grep sab (to display the process running concerning sabnzbd), you will see that the process is still run as root, not as the user docker-sabnzbd.

    You may try that for yourself.

    Bye,

    Vince

    • Dr_Frankenstein

      Hey, do you mean the SAB user within the container itself? As the user within the container may be root, but it will only have access as per the user rights you have given PUID 1060 on the host. That’s how I understood it.

  4. Vince

    Hi Doc,

    I don’t know of any SAB user in the container itself?

    The ps -u | grep sab shows the container runs as root, not as PUID 1060.

  5. Vince

    Your IP via a ping is: 213.186.33.50.

    • Dr_Frankenstein

      This site is hosted on an OVH shared server so it’s their IP
