How to isolate SFTP home directories with Azure Blob Storage

Question

Is there a way to constrain SFTP local user to their home directory in a shared storage container?

In my limited understanding I thought the approach might be

Create new home directory with ACL permissions rwxrwxrwx.
Create new user with that home directory and container permissions "manage permissions + manage ownership".
Log in with the user per SFTP, transfer ownership to self (I understand there is only possible to assign ACL ownership to Entra ID principals in Azure CLI/REST/Portal) and set permissions to rwx------.
Remove container permissions from the user.

The issue I have is the user is unable to log in using a SFTP client like winSCP without also having permissions on the container root (which defeats the requirement of isolating users).

Answer

The key is to set the home directory scope when creating each SFTP local user. This scope limits the user's access strictly to their designated home directory, effectively isolating them from other directories and the container root.

Enable SFTP Support on Your Storage Account:
- In the Azure Portal, navigate to your storage account.
- Under Settings, select SFTP.
- Enable SFTP support.
Create a Container for User Home Directories:
- Go to Blob Service > Containers.
- Create a new container (e.g., users-container) that will hold all user directories.
Create Home Directories for Each User:
- Within the container, create a directory for each user (e.g., user1, user2).
- Set the Access Control Lists (ACLs) on each directory to grant the specific user the necessary permissions (read, write, execute).
Create SFTP Local Users with Home Directory Scope:
- In the storage account, go to Security + networking > SFTP > Local users.
- Click on Add local user.
  - Username: Enter a username (e.g., user1).
  - Authentication Method: Choose password or SSH key authentication.
  - Home Directory: Specify the path to the user's home directory (e.g., /users-container/user1).
  - Permission Scopes: Here is the crucial part—set the Home directory scope option. This ensures the user cannot navigate outside their home directory.
  - Permissions: Assign the necessary permissions (read, write, list, create, delete) for the user on their home directory.
Adjust Container Root Permissions (If Necessary):
- Ensure the container root has minimal permissions required for users to authenticate. Typically, users need only traverse (execute) permissions on the container root to access their home directories.
- Avoid granting unnecessary permissions at the container root level to prevent users from accessing other directories.
Test SFTP Access:
- Use an SFTP client like WinSCP to log in with the user's credentials.
- Verify that the user is restricted to their home directory and cannot navigate to other directories or the container root.

Example Using Azure CLI:


# Create a home directory for user1

az storage fs directory create \

    --account-name  \

    --file-system users-container \

    --name user1

# Set ACLs for user1's directory

az storage fs access set \

    --account-name  \

    --file-system users-container \

    --path user1 \

    --acl "user::rwx"

# Create SFTP local user with home directory scope

az storage account local-user create \

    --account-name  \

    --username user1 \

    --home-directory "users-container/user1" \

    --has-ssh-key false \

    --permission-scope sshPermissionScope=@permission.json

Content of permission.json:


[
  {

    "permissions": "rwx",

    "service": "blob",

    "resourceName": "users-container",

    "containerName": "users-container",

    "directoryPath": "user1",

    "isHomeDirectory": true

  }
]

Share via

How to isolate SFTP home directories with Azure Blob Storage

1 answer

Your answer