Using mount bind to share local folders (Azure)
Overview
Sometimes you want two SFTP users to have read-write access to a folder that is shared among them.
You don't want to use the built-in shared/ folder, because
all SFTP users have access to it. Also, the built-in shared/
folder is read-only, because it is a sync target.
This article walks you through setting up a writable folder that is shared by only a subset of SFTP users.
Note: This folder resides on the Linux file system, and has no interaction with Blob storage.
Create a group folder
Let's say that you have two users:
- UserA
- UserB
And you want both of them to have read-write access to a folder
named group1.
Create this folder, using the following commands:
sudo su
cd /opt/sftpgw/
mkdir group1
Set special permissions on this folder
Then you want to set some permissions on this folder:
chown root:sftponly group1
chmod 775 group1/
chmod g+s group1/
setfacl -d -m g::rwx group1/
These commands are a bit complicated, but here is an explanation for what they do, in case you're curious:
- Both UserA and UserB are in the group called sftponly, so you set the group ownership of the folder to sftponly.
- chmod 775 gives the group sftponly write access to that folder (the middle digit, 7, is the group's read, write and execute permission).
- By default, if UserA creates a subfolder, its group will be UserA's primary group rather than sftponly. So you set the setgid bit (g+s) on the folder, so that new files and subfolders inherit the group ownership of the parent, which is sftponly. Note that this is the setgid bit, not the sticky bit: the sticky bit (chmod +t) would stop UserB from deleting files that UserA created, which is the opposite of what you want here.
- By default, any new subfolder will be created with permissions 755, because the server's umask is set to 0022. Since 755 does not allow group write, UserB would not be able to write to any subfolder UserA creates. So you use setfacl to set a default ACL that gives the group rwx on anything created inside the folder. The default ACL is applied instead of the umask for the group bits, so new subfolders get 775 and new files get 664. Subfolders inherit the same default ACL, so this holds at every depth.
Mount the group folder
Once this special folder is created, you can bind-mount it into each SFTP user's local/ directory, so the same folder appears inside both users' SFTP homes. Create the mount point first (it must exist as an empty directory), then mount:
cd /home/UserA/home/UserA/local/
mkdir group1
mount --bind /opt/sftpgw/group1/ group1/
And then do the same for UserB:
cd /home/UserB/home/UserB/local/
mkdir group1
mount --bind /opt/sftpgw/group1/ group1/
Testing
At this point, the private group folder should be working.
To test this, do the following:
- Connect via SFTP to the UserA account
- Go to the /local/group1 folder
- Create a new folder, named /local/group1/subfolderA/
- Drop a file: test.txt
- Connect via SFTP to the UserB account
- Go to /local/group1/subfolderA/
- Delete the test file: test.txt
- Drop a new file: testB.txt
If the delete or the upload as UserB fails with "Permission denied", check the group folder on the server with getfacl /opt/sftpgw/group1 and ls -l /opt/sftpgw/group1: the group must be sftponly, the setgid bit must be set, and the default ACL must show group rwx.
Persist after a reboot
These mounts are temporary, and will be lost after a reboot.
To persist them after a reboot, append the following lines to /etc/fstab (the mount point directories you created above must still exist). You can check an entry without rebooting: unmount it (umount /home/UserA/home/UserA/local/group1) and mount it back by its mount point alone (mount /home/UserA/home/UserA/local/group1), which makes mount look the entry up in /etc/fstab:
/opt/sftpgw/group1 /home/UserA/home/UserA/local/group1 none defaults,bind 0 0
/opt/sftpgw/group1 /home/UserB/home/UserB/local/group1 none defaults,bind 0 0
Disable usersetup on login
When an SFTP user logs in, SFTP Gateway runs a script that fixes folder
permissions. This includes setting the ownership of the local
directory.
Unfortunately, this wipes away the delicate permissions that you created manually.
So, you need to prevent the usersetup script from running
whenever the SFTP user logs in. Note that pamwrapper.sh runs for every SFTP user, so the change below disables usersetup (and the folder scan on session close) for all users on this gateway, not just UserA and UserB.
Edit the file:
/usr/local/bin/pamwrapper.sh
Comment out all the lines in the if statement, so that it looks
like this:
#!/bin/sh
user=${PAM_USER}
#if [[ "$PAM_TYPE" == "close_session" ]]; then
# # TODO: hook this up in pam
# (/usr/local/bin/ts-folderscan -n bash -c '${0} ${1+"$@"}' /usr/local/bin/userfolderscan "$user") &
# exit 0
#elif [[ "$PAM_TYPE" == "open_session" ]]; then
# /usr/local/bin/usersetup "$user"
#fi
In a shell script, anything on a line after the # symbol is treated
as a comment, so the whole if block is now skipped.
Save and quit.
Now, your manual permission changes will remain intact, even after the SFTP user logs in. Re-check this file after any SFTP Gateway upgrade, in case the upgrade restores the original script.