Running DVR as non-admin user on Synology DSM


#1

Hi, there! I’m running the Channels DVR server on my Synology DS916+ via the Package Center, so the process runs under my admin user, which seems less safe considering it has a web server that’s exposed to the internet.

I’m wondering if anyone knows if/how it’s possible to run the DVR under a user account that’s more locked down (i.e., can’t access my data) and whether it’s really necessary.

So far, it seems like the only way would be to set up a trigger task that runs as a specific user on startup, but for that I would need to know the command line that runs the server. (Anyone know what that is?)

Thanks!


#2

Do you know of other packages that use a non-admin user?

Do they generally create a user?


#3

I’m new to Synology, myself, so I don’t have an authoritative answer. A first round of Googling didn’t turn up anything so far.

I don’t see a way to run packages from Package Center if I log in as a non-admin user, but it looks like there’s a separate http user group (available by default) for running web servers for hosting websites. Those are exposed more as services in DSM rather than normal apps, though.

I have, however, seen discussions where other users run their processes as role accounts. It just seems like this may not be a common enough use case for DSM to expose in its UI.


#4

Okay, I can do some research too and see what the DSM developer docs say about it.


#5

According to this discussion on the Synology forum, the third-party package Subsonic creates a user during installation that can be assigned permissions in DSM. (The relevant reply is towards the middle.)

https://forum.synology.com/enu/viewtopic.php?f=190&t=99339&p=471395&hilit=Run+package+as+user#p471395


#6

I found some more examples of how to do this in the documentation.

I agree this is worth having and plan to update the SPK so a separate user is used by default. Should have some time early next week.


#7

Very cool. Thanks for looking into this!


#8

Hello again. I wanted to ask if this was available yet in the latest package. Thanks!


#9

Not yet. I’m going to order a Synology this week so I can figure this out.


#10

I ran into an issue yesterday that highlighted one of the drawbacks to running as a root user:

The disk on which Channels DVR was installed (/volume1) crashed last week, but I was able to copy all of my recordings over to a new drive (/volume4) and reinstalled the Channels DVR package there. I set the DVR location to “/volume4/dvr” and the server was able to restore all of my settings from one of the backups. Everything worked until yesterday, when I rebooted the NAS.

I’m not entirely sure why, but it seems that on startup, the Channels DVR server reverted to writing recordings to “/volume1” instead of “/volume4/dvr” (I confirmed this via the UI later). Since I had removed the crashed drive, the recordings ended up being written to a folder named “/volume1” in the system partition instead of the now-gone mount point “/volume1”. The system partition soon ran out of disk space and it became impossible to log into the NAS (that’s how I first realized something was amiss). Fortunately, I had SSH enabled so I eventually diagnosed the problem and fixed it.
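The failure described in post #10 (recordings landing in a plain folder named /volume1 on the system partition once the real volume was gone) can be caught before the server starts. This is an added example, not part of the thread or of the Channels DVR package; the function names and the sample mount table are constructed, and it assumes DSM's /volumeN layout and a mount table in /proc/mounts format.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes DSM data volumes are mounted
# at /volumeN and that the mount table is in /proc/mounts format.

# Print the top-level volume of a path: /volume4/dvr -> /volume4.
# Fails for paths that are not under /volumeN.
volume_root() {
    case "$1" in
        /volume[0-9]*) printf '/%s\n' "$(printf '%s' "$1" | cut -d/ -f2)" ;;
        *) return 1 ;;
    esac
}

# Succeed only if $1 appears as a mount point (field 2) in mount table $2.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "$2"
}

# 0 = volume is mounted, 1 = volume missing (writes would land on the
# system partition), 2 = path is not on a data volume at all.
safe_to_record() {
    dir=$1
    mounts=${2:-/proc/mounts}
    root=$(volume_root "$dir") || return 2
    is_mounted "$root" "$mounts" || return 1
    return 0
}

# Demo against a constructed mount table (device names are made up).
demo_table=$(mktemp)
cat > "$demo_table" <<'EOF'
/dev/md0 / ext4 rw,relatime 0 0
/dev/mapper/cachedev_0 /volume4 btrfs rw,relatime 0 0
EOF
for d in /volume4/dvr /volume1 /opt/dvr; do
    rc=0
    safe_to_record "$d" "$demo_table" || rc=$?
    echo "$d -> $rc"
done
rm -f "$demo_table"
```

A start script would call `safe_to_record` with the configured recording directory and refuse to launch the server on any non-zero result.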


#11

Can you post (or email [email protected]) the log? Would like to figure out why the path changed from /volume1 to /volume4.

Fixing the root usage is still on my todo. One issue I ran into is that access to the hardware transcoder is only available as root.


#12

The log file in the UI starts after the reboot that caused the switch to happen. Is there a longer one on disk?


#13

Yeah, the full log is on disk. You can also access http://x:8089/log?n=1000 to see more of the log.


#14

I sent an email with the logs. There’s a gap between 11/15 and 11/29 that I can’t quite explain unless the entries were being written to the folder “/volume1” (which I deleted) and the old disk before I pulled it.