Access control

Unrestricted file access

Each authenticated user can access a part of the file system specified by their virtual root directory. By default, Rebex File Server doesn't impose any additional restrictions.

However, OS-level access rights still apply. Since all File Server users are virtual, they access the designated subtree of the filesystem as the account under which the server process is running. Restricting that account's access rights therefore restricts the virtual user accounts as well.

CSharp

// add a virtual user that can access the directory tree under 'c:\data\john'
server.Users.Add("john", "password", @"c:\data\john");

VisualBasic

' add a virtual user that can access the directory tree under 'c:\data\john'
server.Users.Add("john", "password", "c:\data\john")

Disabling file access

Filesystem access can also be disabled completely: simply don't specify a virtual root directory. Users with no filesystem access won't be able to connect with SFTP, but they can still use the virtual shell.

Declaring a user with no filesystem access might sound like a strange idea, but it can be useful in some scenarios: although the user can't access any files, they can still execute custom commands. If all you need is to provide SSH shell access with several commands, this is the way to go.

CSharp

// add a virtual user with no filesystem access
// (this means no SCP support)
server.Users.Add("bob", "password");

// only bind virtual shell
server.Bind(FileServerProtocol.Shell);

// implement custom shell command 'date'
server.ShellCommand += (sender, e) =>
{
    if (e.Command == "date")
        e.WriteLine(DateTime.UtcNow);
};

VisualBasic

' add a virtual user with no filesystem access
' (this means no SCP support)
server.Users.Add("bob", "password")

' only bind virtual shell
server.Bind(FileServerProtocol.Shell)

' implement custom shell command 'date'
AddHandler server.ShellCommand,
    Sub(sender, e)
        If e.Command = "date" Then
            e.WriteLine(DateTime.UtcNow)
        End If
    End Sub

Custom file access authorization

To restrict a user's file access rights, use the PathAccessAuthorization event. It's raised every time a user attempts an IO operation that needs to be authorized, making it possible to accept or deny the operation.

CSharp

// register PathAccessAuthorization event
server.PathAccessAuthorization += (sender, e) =>
{
    // completely deny access to "/no-access" directory and to its subtree
    if (e.Path.StartsWith("/no-access", StringComparison.OrdinalIgnoreCase))
    {
        // deny access
        e.Deny();
        return;
    }

    // guest user has read-only access
    if (e.User.Name == "guest")
    {
        // allow 'read' and 'list', deny the rest
        e.Allow(FileSystemOperation.Read | FileSystemOperation.List);
        return;
    }

    // allow other operations
    e.Allow();
};

VisualBasic

' register PathAccessAuthorization event
AddHandler server.PathAccessAuthorization,
    Sub(sender, e)
        ' completely deny access to "/no-access" directory and to its subtree
        If e.Path.StartsWith("/no-access", StringComparison.OrdinalIgnoreCase) Then
            ' deny access
            e.Deny()
            Exit Sub
        End If

        ' guest user has read-only access
        If e.User.Name = "guest" Then
            ' allow 'read' and 'list', deny the rest
            e.Allow(FileSystemOperation.Read Or FileSystemOperation.List)
            Exit Sub
        End If

        ' allow other operations
        e.Allow()
    End Sub
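
An added example, not part of the Rebex documentation: the StartsWith("/no-access") test above also matches sibling names such as "/no-access-logs", which only over-denies here but would over-grant if the same pattern were used in an allow rule. The PathRules class and its members are hypothetical names; the code assumes rooted, '/'-separated virtual paths, and because the page does not say whether e.Path is normalized, it denies any path containing "." or ".." segments.

```csharp
using System;
using System.Linq;

// Added example: boundary-aware path matching for authorization rules.
// PathRules and its members are hypothetical, not part of the Rebex API.
static class PathRules
{
    // True when the path is rooted and has no empty, "." or ".." segments.
    // A single trailing '/' is tolerated.
    public static bool IsCanonical(string path)
    {
        if (string.IsNullOrEmpty(path) || path[0] != '/') return false;
        if (path == "/") return true;
        string body = path.EndsWith("/")
            ? path.Substring(1, path.Length - 2)
            : path.Substring(1);
        return body.Split('/').All(s => s.Length > 0 && s != "." && s != "..");
    }

    // True when 'path' is 'dir' itself or lies below it.
    // "/no-access-logs" is NOT inside "/no-access".
    public static bool IsInside(string path, string dir)
    {
        string p = path.TrimEnd('/'), d = dir.TrimEnd('/');
        if (d.Length == 0) return true; // dir is the root
        return p.Equals(d, StringComparison.OrdinalIgnoreCase)
            || p.StartsWith(d + "/", StringComparison.OrdinalIgnoreCase);
    }

    // Constructed policy: fail closed on non-canonical paths,
    // and deny the "/no-access" directory and its subtree.
    public static bool IsDenied(string path) =>
        !IsCanonical(path) || IsInside(path, "/no-access");

    static void Main()
    {
        // Constructed sample paths.
        string[] samples = { "/no-access", "/no-access/a.txt", "/NO-ACCESS/sub/",
            "/no-access-logs/x", "/pub/../no-access/a.txt", "/pub/readme.txt" };
        foreach (string p in samples)
        {
            bool naive = p.StartsWith("/no-access", StringComparison.OrdinalIgnoreCase);
            Console.WriteLine($"{p,-26} denied={IsDenied(p)} naive-prefix={naive}");
        }
    }
}

// Inside the PathAccessAuthorization handler shown above, the check would read:
//   if (PathRules.IsDenied(e.Path)) { e.Deny(); return; }
```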

Read-only file access

To make a user's virtual filesystem read-only, use the PathAccessAuthorization event to allow only read and list operations:

CSharp

// register PathAccessAuthorization event
server.PathAccessAuthorization += (sender, e) =>
{
    // allow 'read' and 'list', deny the rest ('create', 'delete' and 'write')
    e.Allow(FileSystemOperation.Read | FileSystemOperation.List);
};

VisualBasic

' register PathAccessAuthorization event
AddHandler server.PathAccessAuthorization,
    Sub(sender, e)
        ' allow 'read' and 'list', deny the rest ('create', 'delete' and 'write')
        e.Allow(FileSystemOperation.Read Or FileSystemOperation.List)
    End Sub