- Updated 28/02/2021
- In hindsight, the previous version of this guide, where I suggested using a unique user per container, was probably overkill and makes managing permissions a bit of a mare! This version is simpler and in line with how I am actually doing this at home!
In older versions of my guides, and in practice, I was using my main admin user's details for all my Docker containers. This is not great for security, so it is good practice to set up a unique user with more limited access for your containers.
Once you have completed the steps here go back to the main guide you were following.
Creating a User
Navigate into the DSM control panel and open up ‘User’ then click Create.
You can call the user whatever you want. I just kept mine simple and created one called nzbautomate.
It’s also a good idea to generate a very strong random password for the user. While it will be a very limited account, you don’t want to give it an easy-to-guess password. You will never need this password for what we are doing.
Next we are going to add this new user to the ‘users’ group as we don’t want it having any sort of admin access.
Next up we need to grant the user access to the specific shares required for the containers. The screenshot shows what I used for Radarr; just customise this based on the containers you are setting up. For example, if you were also setting up Lidarr and Sonarr you would grant access to your TV and Music shares (assuming you have them separate like me).
There is nothing to change on the User quota settings, so just click ‘Next’.
Our user will not require any application permissions so check the ‘Deny’ button at the top of the screen.
Again, we don’t need to set any speed limits for this user, so click on ‘Next’.
The final screen will just confirm your settings. Make sure the correct shares are in the ‘Writeable’ list, then click on ‘Apply’ and your user has been created.
Obtaining the new user’s PUID and PGID
Now that we have created the new user for your containers, we need to obtain the PUID (Personal User ID) and PGID (Personal Group ID), as these are passed through in our container setup.
You will need to SSH into your Diskstation using ‘Putty’ or an equivalent program depending on if you are a Windows or Linux user.
So let’s jump into the Control Panel again and enable SSH.
Open up Putty, the only thing you need to enter is the IP address of your NAS and select the SSH radio button.
Click on ‘Open’. If this is the first time you have used SSH, you will get a prompt asking if you trust the key; just press OK or accept.
Enter the login information for your admin Synology user account, you will not be able to see the password as you type it, I use a very long one so I just paste it in from my password manager. (right click acts as paste in Putty)
Once logged in, type ‘id nameofuser’ without the quotes, where ‘nameofuser’ is the name of the user you created earlier. This will show the UID (aka PUID) and GID (aka PGID).
In the example screenshot you can see my Radarr user is UID=1030 and GID=100. Take a note of the IDs for your user as you will need them later.
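As an added example (not part of the original guide), this shell function takes the output of ‘id nameofuser’ and prints the PUID/PGID pair, refusing root or an account that is still in the admin group. The sample line is constructed from the IDs above, and the group name administrators is an assumption about DSM's admin group.

```shell
#!/bin/sh
# Added example: turn the output of `id <user>` into PUID/PGID values and
# refuse accounts that are not the limited user the guide describes.

# Constructed sample of `id nzbautomate` output, using the IDs from the guide.
SAMPLE_ID='uid=1030(nzbautomate) gid=100(users) groups=100(users)'

# puid_pgid "<id output>" -> prints "PUID=<uid> PGID=<gid>", or fails:
#   return 1 = account is too privileged, return 2 = unparseable input.
puid_pgid() {
    line=$1
    uid=$(printf '%s\n' "$line" | sed -n 's/^uid=\([0-9][0-9]*\).*/\1/p')
    gid=$(printf '%s\n' "$line" | sed -n 's/.* gid=\([0-9][0-9]*\).*/\1/p')

    if [ -z "$uid" ] || [ -z "$gid" ]; then
        echo "could not parse id output" >&2
        return 2
    fi
    # uid 0 is root: a container given PUID=0 is not limited at all.
    if [ "$uid" -eq 0 ]; then
        echo "refusing uid 0 (root)" >&2
        return 1
    fi
    # Assumption: the DSM admin group is named "administrators".
    # Matches it as either the primary or a supplementary group.
    case "$line" in
        *"(administrators)"*)
            echo "user is in the administrators group" >&2
            return 1 ;;
    esac
    printf 'PUID=%s PGID=%s\n' "$uid" "$gid"
}

# Live use on the NAS would be: puid_pgid "$(id nzbautomate)"
puid_pgid "$SAMPLE_ID"
```
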
You have now set up the locked down user account for the specific Docker container you are setting up. You can now go back to the User Guide you were following.
You may also want to disable SSH again.