Appuser only for docker configuration (named appdata like in your guide)

  • Hello together. I have already created a user named “appuser” in the GUI. Only this user should have access to the “appdata” folder. In the Compose Files settings, I have specified ‘appuser’ as the owner of directories and files (see screenshot). Is that correct? Which group should “appuser” belong to? I'm not entirely sure about that yet.

    omv 8.0.6-2 synchrony | ASRock N100DC-ITX

  • I personally don't change these settings - and I am not sure you should as I understand that root owner is needed and you 'might' have issues changing this. You can probably change the group from root to users but I don't change this either.


    The appuser account is generally used in compose files (environment variables) to limit the permissions that are granted to a container/docker.


    My approach for permissions for the appuser account is 'as few permissions as needed' (so just a member of the users group).


    For my plex container the appuser account needed additional permissions (render, video) so I added these groups to the appuser account.


    I would not add elevated permissions to appuser (sudo, root etc..) as this will then increase security risks for all containers using this account.


    Here is an example compose using the appuser account as environment variables.


    OMV 8 (latest) on N100 minipc (16GB) and rpi5 (8GB). OS on SSD/SD. System ext4 on SSD. Data BTRFS on HDDs

  • But if I wouldn't change the settings I don't have the permission to open the folder "appdata" via ssh for instance. I also like to use WinSCP and without the permission it wouldn't be possible. So my question is what would be the difference if the appuser would belong to the root or user group?

    omv 8.0.6-2 synchrony | ASRock N100DC-ITX

  • Use appuser account only for your docker services.


    Use another account or root for admin related stuff like ssh, etc. Give this account access to what you need for admin tasks.


    In the compose settings page, you do not want this to be appuser account.

    OMV 8 (latest) on N100 minipc (16GB) and rpi5 (8GB). OS on SSD/SD. System ext4 on SSD. Data BTRFS on HDDs

  • I disabled root login under Services and SSH. What I don't quite understand is why I don't have access to the appdata folder as appuser when I have enabled read and write permissions. Sorry that I am totally confused :)

    omv 8.0.6-2 synchrony | ASRock N100DC-ITX

  • I see. Linux permissions can be tricky.


    How are you accessing the appdata folder? SMB share? SSH?


    Have you installed the reset permissions plugin? If not install this plugin and check the permissions on the shared folder.


    Post screenshot of permissions from the plugin.


    Also post a screenshot of permissions of appdata from storage > shared folders.

    OMV 8 (latest) on N100 minipc (16GB) and rpi5 (8GB). OS on SSD/SD. System ext4 on SSD. Data BTRFS on HDDs

  • Official Post

    Actually I am accessing the appdata folder via SSH using appuser who belongs to the ssh, sudo and users groups.

    I would create a separate user for that. You're giving "superpowers" to the user running the containers.

  • SSH from the cli or are you using an app like winSCP?


    appuser is an account used to run services in docker. I wouldn’t try to use it for system admin as well.


    Create another account for sysadmin and give this account elevated permissions.


    I personally use root for sysadmin but I know this is not ‘best practice’ from a security perspective and you need to be very careful as you can do anything (operator error).

    OMV 8 (latest) on N100 minipc (16GB) and rpi5 (8GB). OS on SSD/SD. System ext4 on SSD. Data BTRFS on HDDs

  • I would create a separate user for that. You're giving "superpowers" to the user running the containers.

    snap. :) We are saying the same thing but I missed your post

    OMV 8 (latest) on N100 minipc (16GB) and rpi5 (8GB). OS on SSD/SD. System ext4 on SSD. Data BTRFS on HDDs

  • fantozzi - here is a summary of how I setup my accounts and do sysadmin


    service account: appuser - used for services such as docker containers. minimum permissions (users group only. add other permissions only if needed)

    user account: jata - used for general access such as file sharing. minimum permissions (users). configure 'service' permissions in OMV UI

    admin account: sysadmin - used for elevated stuff. add permissions as needed. sudo, cterm, _ssh etc... (I do not use this account much as I use root)

    root account: root - can do absolutely everything. No need to set permissions. For full/max system admin. Used for CLI work


    This is just an example of how I get stuff done in linux. Other folks will have their own approach to accounts and sysadmin.


    The bottom line (for me) is that I choose to use root but I know the risks and I backup my system regularly and I test/know how to restore from backup.

    OMV 8 (latest) on N100 minipc (16GB) and rpi5 (8GB). OS on SSD/SD. System ext4 on SSD. Data BTRFS on HDDs

  • I am trying to use both since I am learning :)


    Am I correct in saying that the appuser has only read and write permissions at the GUI level, but not at the system level? That would ultimately explain why for example, I cannot edit a .yaml file using WinSCP unless I am the owner of the appdata folder.

    omv 8.0.6-2 synchrony | ASRock N100DC-ITX

  • I don’t think that is the right way to think about it.


    This is how I think about it. Probably not perfect but helps me.


    At the file system level, an account needs to be able to read and/or write and/or execute files and folders. Permissions on the target file/folder and the user account are compared and if there is a mismatch it doesn’t work and you get an error.


    In omv this is simplified with the concepts of services and shared folders but it does not modify the underlying file system or user account permissions.


    When you use ssh, you are outside of omv boundaries and normal Linux permissions apply. So when you do stuff using ssh, either at the cli or using an external app like winSCP, you are limited by the account and file system permissions you are using.


    So I use root and never have problems unless I screw up my system (operator error). 😂

    OMV 8 (latest) on N100 minipc (16GB) and rpi5 (8GB). OS on SSD/SD. System ext4 on SSD. Data BTRFS on HDDs
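    As an added illustration of the comparison described above (this is not code from the thread or from OMV), the following shell script replays the Linux owner/group/other check for a given mode string and account, and then runs it against a real path with GNU stat. The account names and group layouts in the demo are constructed to match the appdata scenario in this thread.

```shell
# Added example (not from the thread): emulate how Linux decides whether an
# account may read/write/execute a file, i.e. the comparison of the file's
# owner/group/other bits against the requesting account described above.
# MODE is the 10-character string from `ls -l` or `stat -c %A`, e.g. drwxr-x---.
# Usage: can_access MODE OWNER GROUP USER "GROUP1 GROUP2" r|w|x  (exit 0 = allowed)
can_access() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5 want=$6
    # root bypasses the discretionary check entirely (why "just use root" works)
    [ "$user" = root ] && return 0
    # Exactly one triplet applies: owner bits if the account owns the file,
    # otherwise group bits if any of its groups matches, otherwise "other" bits.
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c2-4)
    else
        bits=$(printf '%s' "$mode" | cut -c8-10)
        for g in $groups; do
            [ "$g" = "$group" ] && bits=$(printf '%s' "$mode" | cut -c5-7)
        done
    fi
    case "$want" in
        r) [ "$(printf '%s' "$bits" | cut -c1)" = r ] ;;
        w) [ "$(printf '%s' "$bits" | cut -c2)" = w ] ;;
        x) [ "$(printf '%s' "$bits" | cut -c3)" = x ] ;;
        *) return 2 ;;
    esac
}

# Same check against a real path; assumes GNU stat (Debian/OMV).
# Usage: check_path PATH USER "GROUPS" r|w|x
check_path() {
    set -- "$(stat -c '%A %U %G' "$1")" "$2" "$3" "$4"
    can_access $1 "$2" "$3" "$4"
}

# Constructed scenario from the thread: appdata is root:root mode 750 and
# appuser is only in the users group. Compare three ownership layouts.
demo() {
    for layout in "drwxr-x--- root root" "drwxrwx--- root users" "drwxrwx--- appuser users"; do
        for p in r w; do
            if can_access $layout appuser "users" $p; then res=allowed; else res=denied; fi
            echo "$layout  appuser:$p  $res"
        done
    done
}
demo
```

The first layout is why appuser cannot open appdata over SSH even though the OMV service layer says read/write; the second shows the chgrp-to-users route, and the third the Compose-settings owner change.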

  • I cannot edit a .yaml file using WinSCP unless I am the owner of the appdata folder

    I have just remembered something about using winSCP when not using root.


    You need to run the connection/session in winSCP with elevated permissions rather than default. The SFTP server command you need is below. This basically runs the SFTP session as su and I think you will be able to edit files using a non-root account assuming the account has sudo and _ssh permissions/groups configured.


    I hope this helps you but my key advice to you is to not use the appuser account for sysadmin work. Create a new user account for this stuff.


    sudo su -c /usr/lib/openssh/sftp-server


    To configure this in winSCP you need to edit the advanced settings for the server/connection - see pic below.


    and pic below for user permissions/groups in omv


    OMV 8 (latest) on N100 minipc (16GB) and rpi5 (8GB). OS on SSD/SD. System ext4 on SSD. Data BTRFS on HDDs
