
Step 2: Setting up a restricted Docker user and obtaining IDs

Update: First version of the setup
Date: 01/08/2021

In older versions of my guides, and in practice, I was using my main admin user's details for all my Docker containers. This is not great for security, so it is good practice to set up a unique user with more limited access for your containers.

Creating a User

Navigate into the DSM control panel and open up ‘User’ then click Create.

You can call the user whatever you want. I just kept mine simple and created one called ‘dockerlimited’.

It’s also a good idea to generate a very strong random password for the user. While it will be a very limited account, you don’t want to give it an easy-to-guess password. You will never need this password for what we are doing.

Next we are going to add this new user to the ‘users’ group as we don’t want it having any sort of admin access.

Next we are going to allow this user ‘Read/Write’ access to the data and docker folders. If you have any other folders, they should default to ‘No Access’.

There is nothing to change on the User quota settings, so just click ‘Next’.

Our user will not require any application permissions so check the ‘Deny’ button at the top of the screen.

Again, we don’t need to set any speed limits for this user, so click on ‘Next’.

The final screen will just confirm your settings. Make sure the correct shares are in the ‘Writeable’ list, then click on ‘Done’ and your user has been created.


Obtaining the new user's PUID and PGID

Now that we have created the new user for your containers, we need to obtain its PUID (Personal User ID) and PGID (Personal Group ID). These are passed through in our container setup and ensure all the correct permissions are inherited.

You will need to SSH into your Diskstation using ‘Putty’ or an equivalent program, depending on whether you are a Windows / Linux / Mac user.

So let's jump into the Control Panel again and enable SSH.

Open up Putty, the only thing you need to enter is the IP address of your NAS and select the SSH radio button.

SSH into your Synology to find out your ID’s

Click on ‘Open’. If this is the first time you have used SSH, you will get a prompt asking if you trust the key; just press OK or accept.

Enter the login information for your main Synology user account. You will not be able to see the password as you type it.

Once logged in, type ‘id nameofuser’ without the quotes, where ‘nameofuser’ is the name of the user you created earlier. This will show the UID (aka PUID) and GID (aka PGID).

In the example screenshot you can see the details for the user I use in the guides.

You have now set up the locked-down user account. You may also want to disable SSH again.
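
As an added example (not part of the original guide), the shell function below takes the line printed by ‘id nameofuser’ and prints the PUID and PGID values for the container setup, refusing uid 0 or an account that is in an admin group. The sample uid 1234 is constructed, and the group name ‘administrators’ is an assumption about how DSM names its admin group.

```shell
#!/bin/sh
# Added example, not from the original guide.
# puid_pgid_from_id "<line printed by id>"
# Prints PUID=... and PGID=... on success; returns non-zero otherwise.
puid_pgid_from_id() {
    line=$1

    # uid=1234(name) -> 1234 ; gid=100(users) -> 100 ; groups=... -> list
    uid=$(printf '%s\n' "$line" | sed -n 's/^uid=\([0-9][0-9]*\)(.*/\1/p')
    gid=$(printf '%s\n' "$line" | sed -n 's/.* gid=\([0-9][0-9]*\)(.*/\1/p')
    grps=$(printf '%s\n' "$line" | sed -n 's/.* groups=\(.*\)$/\1/p')

    if [ -z "$uid" ] || [ -z "$gid" ]; then
        echo "could not parse id output" >&2
        return 2
    fi

    # uid 0 is root: never hand that to a container.
    if [ "$uid" -eq 0 ]; then
        echo "refusing uid 0 (root)" >&2
        return 1
    fi

    # The guide puts the user in 'users' only. Membership of an admin
    # group (name assumed: 'administrators') means it is not restricted.
    case "$grps" in
        *"(administrators)"*|*"(root)"*)
            echo "user is in an admin group: $grps" >&2
            return 1 ;;
    esac

    printf 'PUID=%s\nPGID=%s\n' "$uid" "$gid"
}

# Constructed sample line; on the NAS use: puid_pgid_from_id "$(id dockerlimited)"
puid_pgid_from_id "uid=1234(dockerlimited) gid=100(users) groups=100(users)"
```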

4 Comments

  1. captainkanpai

    Hello! I created the new user like you explained, but don’t see anything happening with it in the setups of all the containers. What does this new user do exactly? Do I have to sign in with this user to install all the docker containers on that user’s home?

    Thanks, cheers.

    • Dr_Frankenstein

      Hey, this user is set up purely for the containers to use; you will never need to log in with it. From a security standpoint it is better for the containers to have restricted permissions to folders on the host, so by setting this user up and then using its IDs, the containers have limited access. It also gives us the benefit of having a common set of permissions across the required folders.

      • captainkanpai

        Ahh, I forgot about the PUID and PGID. Is it a problem that all my users have the same IDs?

        Kinda a noob here, and want to be sure it’s all safe and secure 🙂

        Also, thank you for these setup manuals!!

        • Dr_Frankenstein

          If you just use the ID from the user you set up in this guide, you should be good.
