{"id":2131,"date":"2026-04-05T20:07:32","date_gmt":"2026-04-05T18:07:32","guid":{"rendered":"https:\/\/cln.io\/blog\/?p=2131"},"modified":"2026-04-05T20:07:44","modified_gmt":"2026-04-05T18:07:44","slug":"passwordless-sudo-for-docker-on-synology-dsm","status":"publish","type":"post","link":"https:\/\/cln.io\/blog\/passwordless-sudo-for-docker-on-synology-dsm\/","title":{"rendered":"Passwordless sudo for Docker on Synology DSM"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Docker on Synology DSM requires <code>sudo<\/code> for every command. if you&#8217;re tired of typing your password every time, here&#8217;s how to allow passwordless <code>sudo docker<\/code> via a sudoers drop-in file.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">add docker to your PATH<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">DSM doesn&#8217;t include <code>\/usr\/local\/bin<\/code> in your PATH by default, so you&#8217;d have to type the full path to docker every time. fix that by creating a <code>~\/.profile<\/code>:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\">echo 'export PATH=\"\/usr\/local\/bin:$PATH\"' > ~\/.profile<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">log out and back in (or <code>. ~\/.profile<\/code>) and you&#8217;re good. 
<code>which docker<\/code> should now return <code>\/usr\/local\/bin\/docker<\/code>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">add the sudoers rule<\/h2>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\">echo \"$(whoami) ALL=(ALL) NOPASSWD: \/usr\/local\/bin\/docker, \/usr\/local\/bin\/docker-compose\" | sudo tee \/etc\/sudoers.d\/$(whoami)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">this creates a file in <code>\/etc\/sudoers.d\/<\/code> that lets your user run <code>docker<\/code> and <code>docker-compose<\/code> without a password prompt.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">verify<\/h2>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\"># no password needed\n$ sudo docker ps\nNAMES                       STATUS\ndashboard                   Up 9 hours\ncloudflare-tunnel           Up 10 hours\nnetdata                     Up 10 hours\n\n# everything else still requires a password\n$ sudo ls \/root\nsudo: a password is required<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">know the risks<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">passwordless <code>sudo docker<\/code> is convenient but not without consequences. anyone with access to your user account (compromised SSH key, stolen session, etc.) can now run arbitrary containers without any additional authentication. and since the Docker daemon runs as root, that means:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>mounting the host filesystem (<code>-v \/:\/host<\/code>) gives full read\/write access to everything on the NAS<\/li>\n\n\n\n<li><code>--privileged<\/code> containers can access host devices, load kernel modules, and escape the container entirely<\/li>\n\n\n\n<li><code>--net=host --pid=host<\/code> breaks network and process isolation<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">in short \u2014 passwordless <code>sudo docker<\/code> is effectively passwordless root. it&#8217;s a tradeoff. 
for a home NAS behind a VPN with key-based SSH, that&#8217;s a risk I&#8217;m comfortable with. just make sure you are too.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">note on DSM updates<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">DSM updates can reset both <code>\/etc\/sudoers.d\/<\/code> and <code>~\/.profile<\/code>, so you may need to re-apply these after a major update.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"wp-elements-e310da23723257d0d909d6fce89b9a26 wp-block-paragraph\" style=\"color:#9ca3af;font-size:14px\">This post was written with the help of Claude (Opus 4), Anthropic&#8217;s AI assistant.<\/p>\n\n","protected":false},"excerpt":{"rendered":"<p>Docker on Synology DSM requires sudo for every command. if you&#8217;re tired of typing your password every time, here&#8217;s how to allow passwordless sudo docker via a sudoers drop-in file. add docker to your PATH [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2134,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48,26,58],"tags":[],"class_list":["post-2131","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-it","category-miscellaneous"],"_links":{"self":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts\/2131","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/comments?post=2131"}],"version-history":[{"count":5,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts\/2131\/revisions"}],"predecessor-version":[{"id":2139,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts\/2131\/revisions\/2139"}
],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/media\/2134"}],"wp:attachment":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/media?parent=2131"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/categories?post=2131"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/tags?post=2131"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}