How to isolate SFTP home directories with Azure Blob Storage

metalheart 366 Reputation points
2024-10-28T14:49:45.44+00:00

I'd like to let users upload content via SFTP at scale, in a way that each user is constrained to their own home directory.

Is that even possible in a shared container and if so, how?

In my limited understanding I thought the approach might be:

  1. Create a home directory for the new user with permissions=rwxrwxrwx.
  2. Create a new local user using REST API with the home directory; container permissions = modify ownership + modify permissions.
  3. Log in using SFTP and transfer ownership to self (az storage fs access set seems to work only with Entra ID principals, not local users) and reduce permissions to rwx------.
  4. Clear container permissions (modify ownership + permissions) for the user.

The showstopper in all this is that I'm getting authorization exceptions from the SFTP client if the user does not have access to the container root (via the permissions for "others"), but being able to see other home directories defeats the requirement of isolation.

2 answers

  1. Keshavulu Dasari 1,830 Reputation points Microsoft Vendor
    2024-10-30T19:23:53.9133333+00:00

    Hi metalheart,
    Due to the limitations of the az storage fs access set and the local users, let’s find another way to achieve the isolation you need.

    Alternative: Using Azure Blob Storage Containers

    Instead of trying to manage ACLs in a single container, you can create separate containers for each user. This way, each user has their own isolated space, and you can manage permissions more effectively.

    1. Create separate containers for each user

    Create local users with specific home directories: if you are creating local users, set their home directories to their respective containers, configure permissions on each container, and ensure that each container has the correct permissions set for its user; this way the authorization errors can be resolved. By separating users into separate containers, you avoid the problem of users looking at each other's directories.

    If you have any other questions or are still running into more issues, let me know in the comments and I would be happy to help you.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.


  2. Deas-0218 0 Reputation points
    2024-11-14T13:36:55.26+00:00

    I found out how to do it:

    1. Create a root user and container and give this user full permissions on that container. This user does NOT need ACL authorization.
    2. Set the "Home (landing) directory" to the "root container". It should look like this: [screenshot]
    3. Go to "Containers", click the three "..." on the right side of the newly created container and select "Manage ACL"
    4. Give "Other" the "Execute" permission. It should now look like this: [screenshot]. Execute is needed to be able to traverse the root directory where you have no permissions.
    5. Open the container and create a home folder for each user in this root folder
    6. Create the users you want to have, activate "Allow ACL authorization" and, important, DO NOT create a container for this user and don't select the "root container"!
    7. Set the "Home (landing) directory" to "root container/userfolder" for each user
    8. Open the just created user again and note the "User Id". A user should look like this: [screenshot]
    9. Use WinSCP or any other supported SSH client and connect with the root user (<storageaccountname>.<rootusername>@<storageaccountname>.blob.core.windows.net)
    10. You are now in the root of the container and should see the folder(s) you created for your users
    11. With WinSCP select the user folder, open properties and set the "Owner" to the "User Id" you noted in step 8
    12. I would also remove the R and X permission for the Group as they are not needed. After this, it should look like this: [screenshot]
    13. Finished! :)

    If you get a new user you have to do steps 5 to 12 again.

    If a user tries to go to the root folder, they get this error in WinSCP:
    [screenshot]

    Why is this working this way? Because ACLs are only evaluated if the user has NO container permission! This link also explains the Execute permission set in step 4.

    https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support#how-acl-permissions-are-evaluated

    If you need a user for your automation tool to connect and download files, just create a user and give it permissions on the container. Container permissions are evaluated before ACLs, so it automatically has permissions on all folders. This should look like this:

    [screenshot]

    Brgds Deas
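To make the evaluation order behind the answer above concrete, here is a small model of how the two checks interact: container-level permissions first (no ACLs consulted), then POSIX-style ACL traversal where every ancestor needs execute and the target needs the requested bit. This is an added illustration, not Azure's code or the answer author's; the user IDs (1000, 1001, 1002), folder names and the `container_access` / `acl_auth` flags are constructed to mirror the layout from the steps, and the model ignores group membership since the answer strips the group bits anyway.

```python
"""Model of the access evaluation described in the answer above (added example).

Order, as the answer summarises the linked docs:
  1. A user with container-level permissions is granted access outright;
     the ACLs on folders are never consulted.
  2. Otherwise, ACL authorization applies: every ancestor directory must grant
     the user 'x' (traverse) and the target must grant the requested bit.

Not Azure's code. User IDs, paths and permission bits are constructed for the
example; the real "User Id" is the value shown in the portal for a local user.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ROOT_UID, ALICE_UID, BOB_UID = 1000, 1001, 1002   # constructed user ids


@dataclass
class Node:
    owner: int
    owner_bits: str                  # e.g. "rwx"
    other_bits: str                  # bits that apply to any non-owner
    children: Dict[str, "Node"] = field(default_factory=dict)

    def bits_for(self, uid: int) -> str:
        # Non-owners fall through to "other"; group is ignored in this model.
        return self.owner_bits if uid == self.owner else self.other_bits


@dataclass
class LocalUser:
    name: str
    uid: int
    container_access: bool = False   # container-level permissions on the root container
    acl_auth: bool = False           # "Allow ACL authorization" enabled


class Container:
    def __init__(self, root: Node):
        self.root = root

    def _lookup(self, path: str) -> Tuple[List[Node], Optional[Node]]:
        """Return (ancestors, target) for a '/'-separated path; target None if missing."""
        node, ancestors = self.root, []
        for part in [p for p in path.split("/") if p]:
            ancestors.append(node)
            node = node.children.get(part)
            if node is None:
                return ancestors, None
        return ancestors, node

    def check(self, user: LocalUser, path: str, want: str) -> bool:
        """want is 'r', 'w' or 'x'; listing a directory needs 'r'."""
        if user.container_access:            # step 1: container permission wins
            return True
        if not user.acl_auth:                # no container perms and no ACL auth
            return False
        ancestors, target = self._lookup(path)
        if target is None:
            return False
        for anc in ancestors:                # step 2: traverse every ancestor
            if "x" not in anc.bits_for(user.uid):
                return False
        return want in target.bits_for(user.uid)


def build_container(root_other_bits: str = "--x") -> Container:
    """Layout from the steps: root owned by the root user, one folder per user.

    root_other_bits="--x" is the 'Execute for Other' from step 4; pass "---"
    to see why that step is required.
    """
    root = Node(owner=ROOT_UID, owner_bits="rwx", other_bits=root_other_bits)
    root.children["alice"] = Node(owner=ALICE_UID, owner_bits="rwx", other_bits="---")
    root.children["bob"] = Node(owner=BOB_UID, owner_bits="rwx", other_bits="---")
    return Container(root)


def isolation_report(root_other_bits: str = "--x") -> Dict[str, bool]:
    """Evaluate the cases the answer discusses and return them by name."""
    c = build_container(root_other_bits)
    alice = LocalUser("alice", ALICE_UID, acl_auth=True)
    automation = LocalUser("automation", 1003, container_access=True)
    return {
        "alice_lists_own_home": c.check(alice, "/alice", "r"),
        "alice_writes_own_home": c.check(alice, "/alice", "w"),
        "alice_lists_bob_home": c.check(alice, "/bob", "r"),
        "alice_lists_root": c.check(alice, "/", "r"),          # the WinSCP error case
        "automation_lists_bob_home": c.check(automation, "/bob", "r"),
    }


if __name__ == "__main__":
    for name, ok in isolation_report().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
    print("without execute on root:", isolation_report("---"))
```

Running it with the default layout shows exactly the behaviour in the answer: a user can list and write only their own folder, gets denied on the root and on other users' folders, and the automation user with container permissions reaches everything. Calling `isolation_report("---")` shows that without the execute bit from step 4 a user cannot even reach their own home, which is the authorization exception the question describes.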

