How to isolate SFTP home directories with Azure Blob Storage

Question

How to isolate SFTP home directories with Azure Blob Storage

metalheart 406

I'd like to SFTP users for uploading content at scale and in a way that each user is constrained to their home directory.

Is that even possible in a shared container and if so, how?

In my limited understanding I thought the approach might be:

Create a home directory for the new user with permissions=rwxrwxrwx.
Create a new local user using REST API with the home directory; container permissions = modify ownership + modify permissions.
Log in using SFTP and transfer ownership to self (az storage fs access set seems to work only with Entra ID principals, not local users) and reduce permissions to rwx------.
Clear container permissions (modify ownership + permissions) for the user.

The showstopper in all this is that I'm getting authorization exceptions from the SFTP client if the user does not have access to the container root (via the permissions for "others") - but being able to see other home directories defeats the requirement of isolation.

Hari Babu Vattepally 1,740 Reputation points Microsoft External Staff

2024-10-28T15:15:30.82+00:00

Duplicate thread: https://learn.microsoft.com/en-us/answers/questions/2112394/how-to-isolate-sftp-home-directories-with-azure-bl
metalheart 406 Reputation points

2024-10-28T15:18:03.7933333+00:00

Yes it's duplicate because the site was giving me a 404 for the new question even minutes after creation. Feel free to merge them together.
Keshavulu Dasari 4,110 Reputation points Microsoft External Staff

2024-10-28T22:29:26.31+00:00
Hi metalheart,
Welcome to Microsoft Q&A Forum, thank you for posting your query here!
Yes you're on the right track it is possible to configure SFTP users in such a way that each user is bound to their own home directory, even in a shared container. Here is a much easier way to achieve this.

Enable SFTP on Azure Blob Storage: Ensure that your storage account has hierarchical namespace enabled, as SFTP support requires it.

Create Local Users: Use the Azure portal or Azure CLI to create local users for SFTP access. Each user will have their own home directory within the container.

Set Permissions:

Home Directory Creation: Create a home directory for each user with the appropriate permissions. Initially, you can set permissions to rwxrwxrwx to allow setup.

Assign Ownership: Use the Azure CLI to assign ownership of the home directory to the respective user. This can be done using the az storage fs access set command, specifying the user and directory.

Restrict Permissions: Once ownership is transferred, reduce the permissions of the home directory to rwx------ to ensure isolation.

Clear Container-Level Permissions: Ensure that the container-level permissions do not grant access to other users. This can be managed through the Azure portal or CLI by modifying the access control settings. For more information:

https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support

SFTP Client Configuration: Ensure that the SFTP client is configured correctly to avoid authorization exceptions. This might involve setting specific client options or ensuring compatibility with Azure Blob Storage’s SFTP implementation.
For more information:
https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-known-issues

By following these steps, you can effectively isolate each user’s access to their home directory while using SFTP in a shared container environment. If you encounter specific issues, such as authorization exceptions, double-check the permissions and ensure that the SFTP client settings are correctly configured

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you
metalheart 406 Reputation points

2024-10-29T06:59:02.7933333+00:00
Thanks for your answer, I have two questions:

Can you show me a way how to assign ACLs to local users with az storage fs access set? The documentation only mentions Azure Entra ID principals. I see when I change the owner with SFTP that the owner is set to "lu-<uid>" but even using that gives me: (InvalidOwner) The owner or group is not valid.

When the root container ACLs are set to "rwxrwx---" (effectively giving no access to the local user), I'm getting the below exception (I'm using WinSCP) - what configuration options are causing this in particular?
Permission denied.

Error code: 3

Error message from server (en): AuthorizationPermissionMismatch:
Keshavulu Dasari 4,110 Reputation points Microsoft External Staff

2024-10-29T18:36:25.6933333+00:00
Hi metalheart,

Assigning ACLs to Local Users with az storage fs access set

Assigning ACLs to local users in Azure Data Lake Storage Gen2 can be tricky since the az storage fs access set command primarily supports Azure Entra ID principals. However, you can try using the local user identifier format lu-<uid> when setting ACLs.
example:

az storage fs access set --acl "user:lu-<uid>:rwx" --file-system <container-name> --path <path> --account-name <storage-account>

If you encounter the (InvalidOwner) The owner or group is not valid error, it might be due to the local user identifier not being recognized correctly. Ensure that the UID is accurate and corresponds to the local user created.

Handling Authorization Exceptions in WinSCP

The Permission denied. Error code: 3 and AuthorizationPermissionMismatch errors occur because the root container ACLs are too restrictive. Here are some steps to troubleshoot and resolve this issue:

Ensure Minimum Permissions:

The root container should have at least execute (x) permissions for the user to traverse directories. Set the root container ACLs to rwxr-x--- to allow users to navigate to their home directories without seeing other directories.

az storage fs access set --acl "user::rwx,group::r-x,other::---" --file-system <container-name> --path /

Check Sticky Bit:

The sticky bit can cause permission issues. Ensure it is not set on the root directory unless necessary.

az storage fs access set --permissions rwxrwxr-x -p / -f <container-name> --account-name <storage-account>

WinSCP Configuration:

In WinSCP, ensure that the option to preserve timestamps or set permissions is disabled, as these can sometimes cause conflicts.

Go to Preferences > Transfer > Endurance and uncheck Preserve timestamp and Set permissions.

By following this, you should be able to resolve the authorization issues and ensure that each user is constrained to their home directory while using SFTP.

For more information:

https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-acl-cli
https://learn.microsoft.com/en-us/cli/azure/storage/fs/access?view=azure-cli-latest
https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-acl-powershell

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you
metalheart 406 Reputation points

2024-10-30T07:35:22.46+00:00

I already got a very similar response from ChatGPT but as I said, az storage fs access set with "lu-<uid>" does not work for me regardless or using --owner or --acl. Your answer about the root directory also doesn't tick the box as assigning these permissions would enable the users to see other users' home directories and I indicated I don't want that. Any other suggestions?
Deas-0218 10 Reputation points

2024-10-30T15:55:55.8566667+00:00

I am in the same situation - I want to setup an SFTP with a root folder and subfolders for clients with native MS services. The clients should only see their own folder and I need an account that is able to read the whole data structure. I think playing with the permissions is not the best solution. Because this always involves doing something when a new account is added.

The easiest/best solution would be to get a "make home folder root" next to where the home folder is set so a user is unable to get one level higher. But this would mean MS must change it...
Keshavulu Dasari 4,110 Reputation points Microsoft External Staff

2024-11-01T20:37:46.1666667+00:00

Hi metalheart,
If the issue persists, I would like to work closer on this issue! ---Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Keshavulu Dasari 4,110 Reputation points Microsoft External Staff

2024-11-04T17:24:54.9233333+00:00

Hi metalheart,
If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you,
Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

2 answers

Your answer

Hari Babu Vattepally 1,740 Reputation points Microsoft External Staff

2024-10-28T15:15:30.82+00:00

Duplicate thread: https://learn.microsoft.com/en-us/answers/questions/2112394/how-to-isolate-sftp-home-directories-with-azure-bl
metalheart 406 Reputation points

2024-10-28T15:18:03.7933333+00:00

Yes it's duplicate because the site was giving me a 404 for the new question even minutes after creation. Feel free to merge them together.
metalheart 406 Reputation points

2024-10-29T06:59:02.7933333+00:00

Thanks for your answer, I have two questions:

Can you show me a way how to assign ACLs to local users with az storage fs access set? The documentation only mentions Azure Entra ID principals. I see when I change the owner with SFTP that the owner is set to "lu-<uid>" but even using that gives me: (InvalidOwner) The owner or group is not valid.

When the root container ACLs are set to "rwxrwx---" (effectively giving no access to the local user), I'm getting the below exception (I'm using WinSCP) - what configuration options are causing this in particular?
Permission denied.

Error code: 3

Error message from server (en): AuthorizationPermissionMismatch:
metalheart 406 Reputation points

2024-10-30T07:35:22.46+00:00

I already got a very similar response from ChatGPT but as I said, az storage fs access set with "lu-<uid>" does not work for me regardless or using --owner or --acl. Your answer about the root directory also doesn't tick the box as assigning these permissions would enable the users to see other users' home directories and I indicated I don't want that. Any other suggestions?
Deas-0218 10 Reputation points

2024-10-30T15:55:55.8566667+00:00

I am in the same situation - I want to setup an SFTP with a root folder and subfolders for clients with native MS services. The clients should only see their own folder and I need an account that is able to read the whole data structure. I think playing with the permissions is not the best solution. Because this always involves doing something when a new account is added.

The easiest/best solution would be to get a "make home folder root" next to where the home folder is set so a user is unable to get one level higher. But this would mean MS must change it...
Keshavulu Dasari 4,110 Reputation points Microsoft External Staff

2024-11-01T20:37:46.1666667+00:00

Hi metalheart,
If the issue persists, I would like to work closer on this issue! ---Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Keshavulu Dasari 4,110 Reputation points Microsoft External Staff

2024-11-04T17:24:54.9233333+00:00

Hi metalheart,
If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you,
Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 1

Deas-0218 10

I found out how to do it:

Create a root user and container and give this user full permissions on that container. This user does NOT need ACL authorization
Set the "Home (landing) directory" to the "root container". Should look like this:
Go to "Containers", click the three "..." on the right side of the newly created container and select "Manage ACL"
Give "Other" the "Execute" permission. It should now look like this: Execute is needed to be able to traverse the root directory where you have no permissions
Open the container and create a home folder for each user in this root folder
Create the users you want to have, activate "Allow ACL authorization" and - important - DO NOT create a container for this user and don´t select the "root container"!
Set the "Home (landing) directory" to "root container/userfolder" for each user
Open the just created user again and note the "User Id". A user should look like this:
Use WinSCP or any other supported SSH client and connect with the root user (<storageaccountname>.<rootusername>@<storageaccountname>.blob.core.windows.net)
You are now in the root of the container and should see the folder(s) you created for your users
With WinSCP select the user folder, open properties and set the "Owner" to the "User Id" you noted in step 8
I would also remove the R and X permission for the Group as they are not needed. After this, it should look like this:
Finished! :)

If you get a new user you have to do the step 5 to 12 again.

If a users tries to go to the root folder, he gets this error in WinSCP:
User's image

Why is this working this way? Because ACLs are only evaluated, if the user has NO container permission! This link also explains the Execute permission set in step 4.

https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support#how-acl-permissions-are-evaluated

If you need a user for your automation tool to connect and download files, just create a user and give him permissions on the container. Container permissions are evaluated before ACL so it automatically has permissions on all folders. This should look like this:

User's image

Brgds Deas

Keshavulu Dasari 4,110 Reputation points Microsoft External Staff

2024-11-14T17:49:43.5933333+00:00

Hi Deas-0218,
Great you’ve got a solid process for setting up users and permissions in Azure Blob Storage with ACLs and container permissions. This setup ensures that users can only access their designated folders while maintaining security and proper access control

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you,
Rok Banko 5 Reputation points

2024-12-03T16:00:44.04+00:00

Thank you for this helpful answer. The only guide I could find to make it work.
Keshavulu Dasari 4,110 Reputation points Microsoft External Staff

2024-12-04T06:44:04.3766667+00:00

Hi Rok Banko,
Good to see that the issue has been resolved and thank you for posting your solution so that others experiencing the same thing can easily reference this!
Manjunath Patelappa 1 Reputation point

2025-03-10T14:53:09.7333333+00:00

Did anyone receive this error in winscp? "server returned empty listing for directory"

It doesn't like the user root directory to be empty. like in above example, newsftroot/newtestuser this directory cant be empty
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Answer 2

Hi metalheart,
Due to the limitations of the az storage fs access set and the local users, let’s find another way to achieve the isolation you need.

Alternative: Using Azure Blob Storage Containers

Instead of trying to manage ACLs in a single container, you can create separate containers for each user. This way, each user has their own isolated space, and you can manage permissions more effectively.

Create separate containers for each user

Create local users with specific home directories: If you are creating local users identify their home directories as their respective collections, configure permissions on each repository, ensure that each repository has the correct permissions set for each user, you can be resolved by rejecting errors. By separating users into separate containers, you avoid the problem of users looking at each other's directories.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you,

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Share via

How to isolate SFTP home directories with Azure Blob Storage

2 answers

Your answer