I'd like to SFTP users for uploading content at scale and in a way that each user is constrained to their home directory. Is that even possible in a shared container and if so, how? In my limited understanding I thought the approach might be: Create a home directory for the new user with permissions= rwxrwxrwx . Create a new local user using REST API with the home directory; container permissions = modify ownership + modify permissions. Log in using SFTP and transfer ownership to self ( az storage fs access set seems to work only with Entra ID principals, not local users) and reduce permissions to rwx------ . Clear container permissions (modify ownership + permissions) for the user. The showstopper in all this is that I'm getting authorization exceptions from the SFTP client if the user does not have access to the container root (via the permissions for "others") - but being able to see other home directories defeats the requirement of isolation.

Hi metalheart , Due to the limitations of the az storage fs access set and the local users, let’s find another way to achieve the isolation you need. Alternative: Using Azure Blob Storage Containers Instead of trying to manage ACLs in a single container, you can create separate containers for each user. This way, each user has their own isolated space, and you can manage permissions more effectively. Create separate containers for each user Create local users with specific home directories: If you are creating local users identify their home directories as their respective collections, configure permissions on each repository, ensure that each repository has the correct permissions set for each user, you can be resolved by rejecting errors. By separating users into separate containers, you avoid the problem of users looking at each other's directories. If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you, Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

I found out how to do it: Create a root user and container and give this user full permissions on that container. This user does NOT need ACL authorization Set the "Home (landing) directory" to the "root container". Should look like this: Go to "Containers", click the three "..." on the right side of the newly created container and select "Manage ACL" Give "Other" the "Execute" permission. It should now look like this: Execute is needed to be able to traverse the root directory where you have no permissions Open the container and create a home folder for each user in this root folder Create the users you want to have, activate "Allow ACL authorization" and - important - DO NOT create a container for this user and don´t select the "root container"! Set the "Home (landing) directory" to "root container/userfolder" for each user Open the just created user again and note the "User Id". A user should look like this: Use WinSCP or any other supported SSH client and connect with the root user (<storageaccountname>.<rootusername>@<storageaccountname>.blob.core.windows.net) You are now in the root of the container and should see the folder(s) you created for your users With WinSCP select the user folder, open properties and set the "Owner" to the "User Id" you noted in step 8 I would also remove the R and X permission for the Group as they are not needed. After this, it should look like this: Finished! :) If you get a new user you have to do the step 5 to 12 again. If a users tries to go to the root folder, he gets this error in WinSCP: Why is this working this way? Because ACLs are only evaluated, if the user has NO container permission! This link also explains the Execute permission set in step 4. https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support#how-acl-permissions-are-evaluated If you need a user for your automation tool to connect and download files, just create a user and give him permissions on the container. Container permissions are evaluated before ACL so it automatically has permissions on all folders. This should look like this: Brgds Deas

How to isolate SFTP home directories with Azure Blob Storage

metalheart 366

I'd like to SFTP users for uploading content at scale and in a way that each user is constrained to their home directory.

Is that even possible in a shared container and if so, how?

In my limited understanding I thought the approach might be:

Create a home directory for the new user with permissions=rwxrwxrwx.
Create a new local user using REST API with the home directory; container permissions = modify ownership + modify permissions.
Log in using SFTP and transfer ownership to self (az storage fs access set seems to work only with Entra ID principals, not local users) and reduce permissions to rwx------.
Clear container permissions (modify ownership + permissions) for the user.

The showstopper in all this is that I'm getting authorization exceptions from the SFTP client if the user does not have access to the container root (via the permissions for "others") - but being able to see other home directories defeats the requirement of isolation.

Hari Babu Vattepally 710 Reputation points Microsoft Vendor

2024-10-28T15:15:30.82+00:00

Duplicate thread: https://learn.microsoft.com/en-us/answers/questions/2112394/how-to-isolate-sftp-home-directories-with-azure-bl
metalheart 366 Reputation points

2024-10-28T15:18:03.7933333+00:00

Yes it's duplicate because the site was giving me a 404 for the new question even minutes after creation. Feel free to merge them together.
Keshavulu Dasari 1,730 Reputation points Microsoft Vendor

2024-10-28T22:29:26.31+00:00
Hi metalheart,
Welcome to Microsoft Q&A Forum, thank you for posting your query here!
Yes you're on the right track it is possible to configure SFTP users in such a way that each user is bound to their own home directory, even in a shared container. Here is a much easier way to achieve this.

Enable SFTP on Azure Blob Storage: Ensure that your storage account has hierarchical namespace enabled, as SFTP support requires it.

Create Local Users: Use the Azure portal or Azure CLI to create local users for SFTP access. Each user will have their own home directory within the container.

Set Permissions:

Home Directory Creation: Create a home directory for each user with the appropriate permissions. Initially, you can set permissions to rwxrwxrwx to allow setup.

Assign Ownership: Use the Azure CLI to assign ownership of the home directory to the respective user. This can be done using the az storage fs access set command, specifying the user and directory.

Restrict Permissions: Once ownership is transferred, reduce the permissions of the home directory to rwx------ to ensure isolation.

Clear Container-Level Permissions: Ensure that the container-level permissions do not grant access to other users. This can be managed through the Azure portal or CLI by modifying the access control settings. For more information:

https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support

SFTP Client Configuration: Ensure that the SFTP client is configured correctly to avoid authorization exceptions. This might involve setting specific client options or ensuring compatibility with Azure Blob Storage’s SFTP implementation.
For more information:
https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-known-issues

By following these steps, you can effectively isolate each user’s access to their home directory while using SFTP in a shared container environment. If you encounter specific issues, such as authorization exceptions, double-check the permissions and ensure that the SFTP client settings are correctly configured

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you
metalheart 366 Reputation points

2024-10-29T06:59:02.7933333+00:00
Thanks for your answer, I have two questions:

Can you show me a way how to assign ACLs to local users with az storage fs access set? The documentation only mentions Azure Entra ID principals. I see when I change the owner with SFTP that the owner is set to "lu-<uid>" but even using that gives me: (InvalidOwner) The owner or group is not valid.

When the root container ACLs are set to "rwxrwx---" (effectively giving no access to the local user), I'm getting the below exception (I'm using WinSCP) - what configuration options are causing this in particular?
Permission denied.

Error code: 3

Error message from server (en): AuthorizationPermissionMismatch:
Keshavulu Dasari 1,730 Reputation points Microsoft Vendor

2024-10-29T18:36:25.6933333+00:00
Hi metalheart,

Assigning ACLs to Local Users with az storage fs access set

Assigning ACLs to local users in Azure Data Lake Storage Gen2 can be tricky since the az storage fs access set command primarily supports Azure Entra ID principals. However, you can try using the local user identifier format lu-<uid> when setting ACLs.
example:

az storage fs access set --acl "user:lu-<uid>:rwx" --file-system <container-name> --path <path> --account-name <storage-account>

If you encounter the (InvalidOwner) The owner or group is not valid error, it might be due to the local user identifier not being recognized correctly. Ensure that the UID is accurate and corresponds to the local user created.

Handling Authorization Exceptions in WinSCP

The Permission denied. Error code: 3 and AuthorizationPermissionMismatch errors occur because the root container ACLs are too restrictive. Here are some steps to troubleshoot and resolve this issue:

Ensure Minimum Permissions:

The root container should have at least execute (x) permissions for the user to traverse directories. Set the root container ACLs to rwxr-x--- to allow users to navigate to their home directories without seeing other directories.

az storage fs access set --acl "user::rwx,group::r-x,other::---" --file-system <container-name> --path /

Check Sticky Bit:

The sticky bit can cause permission issues. Ensure it is not set on the root directory unless necessary.

az storage fs access set --permissions rwxrwxr-x -p / -f <container-name> --account-name <storage-account>

WinSCP Configuration:

In WinSCP, ensure that the option to preserve timestamps or set permissions is disabled, as these can sometimes cause conflicts.

Go to Preferences > Transfer > Endurance and uncheck Preserve timestamp and Set permissions.

By following this, you should be able to resolve the authorization issues and ensure that each user is constrained to their home directory while using SFTP.

For more information:

https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-acl-cli
https://learn.microsoft.com/en-us/cli/azure/storage/fs/access?view=azure-cli-latest
https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-acl-powershell

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you
metalheart 366 Reputation points

2024-10-30T07:35:22.46+00:00

I already got a very similar response from ChatGPT but as I said, az storage fs access set with "lu-<uid>" does not work for me regardless or using --owner or --acl. Your answer about the root directory also doesn't tick the box as assigning these permissions would enable the users to see other users' home directories and I indicated I don't want that. Any other suggestions?
Deas-0218 0 Reputation points

2024-10-30T15:55:55.8566667+00:00

I am in the same situation - I want to setup an SFTP with a root folder and subfolders for clients with native MS services. The clients should only see their own folder and I need an account that is able to read the whole data structure. I think playing with the permissions is not the best solution. Because this always involves doing something when a new account is added.

The easiest/best solution would be to get a "make home folder root" next to where the home folder is set so a user is unable to get one level higher. But this would mean MS must change it...
Keshavulu Dasari 1,730 Reputation points Microsoft Vendor

2024-11-01T20:37:46.1666667+00:00

Hi metalheart,
If the issue persists, I would like to work closer on this issue! ---Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Keshavulu Dasari 1,730 Reputation points Microsoft Vendor

2024-11-04T17:24:54.9233333+00:00

Hi metalheart,
If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you,
Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

2 answers

Keshavulu Dasari 1,730 Reputation points Microsoft Vendor

2024-10-30T19:23:53.9133333+00:00
Hi metalheart,
Due to the limitations of the az storage fs access set and the local users, let’s find another way to achieve the isolation you need.

Alternative: Using Azure Blob Storage Containers

Instead of trying to manage ACLs in a single container, you can create separate containers for each user. This way, each user has their own isolated space, and you can manage permissions more effectively.

Create separate containers for each user

Create local users with specific home directories: If you are creating local users identify their home directories as their respective collections, configure permissions on each repository, ensure that each repository has the correct permissions set for each user, you can be resolved by rejecting errors. By separating users into separate containers, you avoid the problem of users looking at each other's directories.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you,

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Deas-0218 0 Reputation points

2024-11-14T13:36:55.26+00:00
I found out how to do it:

Create a root user and container and give this user full permissions on that container. This user does NOT need ACL authorization

Set the "Home (landing) directory" to the "root container". Should look like this:

Go to "Containers", click the three "..." on the right side of the newly created container and select "Manage ACL"

Give "Other" the "Execute" permission. It should now look like this: Execute is needed to be able to traverse the root directory where you have no permissions

Open the container and create a home folder for each user in this root folder

Create the users you want to have, activate "Allow ACL authorization" and - important - DO NOT create a container for this user and don´t select the "root container"!

Set the "Home (landing) directory" to "root container/userfolder" for each user

Open the just created user again and note the "User Id". A user should look like this:

Use WinSCP or any other supported SSH client and connect with the root user (<storageaccountname>.<rootusername>@<storageaccountname>.blob.core.windows.net)

You are now in the root of the container and should see the folder(s) you created for your users

With WinSCP select the user folder, open properties and set the "Owner" to the "User Id" you noted in step 8

I would also remove the R and X permission for the Group as they are not needed. After this, it should look like this:

Finished! :)

If you get a new user you have to do the step 5 to 12 again.

If a users tries to go to the root folder, he gets this error in WinSCP:

Why is this working this way? Because ACLs are only evaluated, if the user has NO container permission! This link also explains the Execute permission set in step 4.

https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support#how-acl-permissions-are-evaluated

If you need a user for your automation tool to connect and download files, just create a user and give him permissions on the container. Container permissions are evaluated before ACL so it automatically has permissions on all folders. This should look like this:

Brgds Deas
Please sign in to rate this answer.
Keshavulu Dasari 1,730 Reputation points Microsoft Vendor

2024-11-14T17:49:43.5933333+00:00

Hi Deas-0218,
Great you’ve got a solid process for setting up users and permissions in Azure Blob Storage with ACLs and container permissions. This setup ensures that users can only access their designated folders while maintaining security and proper access control

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you,
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to isolate SFTP home directories with Azure Blob Storage

2 answers

Your answer