Skip to content

Step 2: Setting up a restricted Docker user and group then obtaining IDs

Important or Recent Updates
Historic UpdatesDate
First version of the setup01/08/2021
Added a note regarding the /data share
Cleaned up the guide with LanguageTool
General formatting updates
14/03/2022
Swapped out Putty for Terminal (Powershell)01/04/2023
Further improvement to user and now group creation (thanks kalmiya)23/09/2023
Historic Updates

It is good practice to set up a unique user and group with limited share and application access for your containers. We won’t ever be using this user to log into DSM it is purely for Docker.

Creating a Group

First up we will create a specific docker group that our docker user will belong, this allows us to segregate the permissions from the normal ‘users’ group from Docker. This is useful as you may have other users on your NAS that you don’t want to have access to certain folders by default.

Navigate into the DSM control panel and open up ‘User & Group’ then click on Group and Create

In the screen that appears we will name the group ‘dockergroup’ (imaginative right) and you can give it a description if you wish

Click Next, we won’t be adding any users to the group yet (that’s the next section)

On the next screen we will grant the Group Read/Write permissions to the ‘data’ and ‘docker’ shares we created in the previous guide. Click Next.

On the next screen you do not need to amend the groups Quotas so click Next

We will now Deny all access to inbuilt apps as this group and any users within it do not need access.

On the final settings screen we don’t need to set any speed limits

On the final screen click Done.

Creating a User

You can call the user whatever you want, I just kept mine simple and created one called ‘dockerlimited’

It’s also a good idea to generate a very strong random password for the user, while it will be a very limited account you don’t want to give it an easy to guess password. You will never need this password for what we are doing.

Next we are going to add this new user to the ‘dockergroup’ we just created as we don’t want it having any sort of admin access.

On the next screen you should see that the user already has Read/Write access to the two shares and no others.

*Please note if you are not following one of the media setup guides you will not have the /data share so don’t worry if it is missing.

Nothing to change on the User quota settings just click ‘Next’

You will see that our User already has restricted access to apps

Again we don’t need to set any speed limits for this user so click on ‘Next’

The final screen will just confirm your settings make sure the correct shares are in the ‘Writeable’ list, click on ‘Done’ and your user will be created.


Obtaining the new UID (User ID) & GID (Group ID)

Now we need to obtain the IDs for the new dockerlimited user and dockergroup These are used to pass file permissions through to our containers. They can also be known as PUID and PGID.

You will need to SSH into your Diskstation using ‘Terminal’ which is built in to modern versions of Windows, Linux, or Mac.

Go back into the Control Panel again and enable SSH within the Terminal & SNMP section.

Open up ‘Terminal’

Now type ssh then your main admin account username @ your NAS IP Address and hit Enter (Not the docker user)

Bash
ssh drfrankenstein@192.168.0.101

You will then be asked to enter the password for the user you used, you can either type this or right click in the window to paste (you won’t see it paste the info) then press enter.

Once logged in type the below replacing ‘dockerlimited’ with the name of the user you created if you changed it.

Bash
id dockerlimited

You will now see a similar output as the below…

Bash
uid=1027(dockerlimited) gid=100(users)groups=100(users),65537(dockergroup)

Let’s break this down!

uid=1027(dockerlimited) This is our UID write this down!

gid=100(users)groups=100(users) While this is a GID it is not the one we are interested in as it is for the standard users group so ignore this.

65537(dockergroup)This is our actual GID that we want to use for our containers so write this down as your GID.

You have now successfully set up your limited access user and obtained its IDs for use in Docker. Keep note of these somewhere as you will use them a lot with Docker.

You can now disable the SSH service as we won’t be using it.

You can now go back to the guide you were following.


Permission Fixes – only use if you have issues

If you followed one of the guides on this site you can’t see a folder or files inside a container it is likely a permissions issue.

The commands below need to be entered via SSH, so just like in the guide above log into the NAS with your main account user, you will not see an output after each command.

The fix does the following:

  • Make the named user and group, owners of all files and folders in the named paths
  • Change file and folder permissions to 775 (rwxrwxr-x)

Permission fix 1 – For anyone who followed this guide after the 23rd September 2023 and have both the dockerlimited and dockergroup in place (4 digit UID & 5 digit GID)

Bash
sudo chown -R dockerlimited:dockergroup /volume1/docker /volume1/data

Bash
sudo chmod -R a=,a+rX,u+w,g+w /volume1/docker /volume1/data

Permission fix 2 – For anyone who followed this guide before the 23rd September 2023 and just have the dockerlimited and normal user group in place (4 digit UID & 3 digit GID)

Bash
sudo chown -R dockerlimited:users /volume1/docker /volume1/data

Bash
sudo chmod -R a=,a+rX,u+w,g+w /volume1/docker /volume1/data

Buy Me a Coffee or a Beer

If you have found my site useful please consider pinging me a tip as it helps cover the cost of running things or just lets me get the odd beverage. Plus 10% goes to the devs of the apps I do guides for every year.

60 Comments

  1. Slevin Slevin

    Security can be hardened by limiting access to the /data/docker/projects folders.
    Dockers with the current rights of dockerlimited user could change their own compose.yml and have higher rights after a restart /autoupdate

    • Dr_Frankenstein Dr_Frankenstein

      Hey, we never mount the Docker share to a container just paths above it. So for example all the arrs get.

      /volume1/docker/radarr:/config so it can’t access files below this mount point and get across into the projects folder.

      Unless I am missing something as happy to change it.

  2. J.D. J.D.

    Hey question, do you use this user for all docker containers?

    Some guides that for example Mariushosting, use root user or actual user info. I was just wondering if I am going to run into errors with certain containers like pi-hole, using this limited docker user.

    I have followed your guides and set up my NAS with your tutorials so thank you so much for your help. I got my Plex server with transcoding working because of you. Thank you!

    • Dr_Frankenstein Dr_Frankenstein

      Hey J.D

      Yes where possible we use this user for the containers. For security we want to avoid the root user for the main app inside the container.

      Let’s say that a container is compromised by someone or a bot as it was exposed to the internet such as Overseerr. The attacker will be likely working on the basis the internal container user is ‘root’. The root user has complete access to containers’ system files it can remove/amend/delete whatever it wants, this is bad as they could install additional apps and say ransomware the shares that container has access to, while a restricted user only has the ability to run the app or make changes to files it owns. PiHole introduced the ability to run as a non-root user a couple of years ago so in my guide I use this restricted user without issue. I am currently making my way through the guides to add some additional security related changes and investigating if for example I can get AdGuard and Spotweb running as non-root.

      Hope that helps.

    • Dr_Frankenstein Dr_Frankenstein

      You may have skipped a step, see the one where we add the user to the group.

      Next we are going to add this new user to the ‘dockergroup’ we just created as we don’t want it having any sort of admin access.

  3. Dr_Frankenstein Dr_Frankenstein

    What user are you logging in as? You should be able to login with your standard user account, ignore the error it relates to user homes.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

drfrankenstein.co.uk – writing Synology Docker Guides since 2016 – Join My Discord!