Rebex File Server
SFTP, SCP and SSH server library for .NET
Download 30-day free trial Buy from $349More .NET libraries
-
Rebex SFTP
.NET SFTP client
-
Rebex FTP
.NET FTP client
-
Rebex Total Pack
All Rebex libraries together
Back to feature list...
Access control
On this page:
Unrestricted file access
Each authenticated user can access a part of the file system specified by their virtual root directory. By default, Rebex File Server doesn't impose any additional restrictions.
However, OS-level access rights still apply. Since all File Server users are virtual, they access the designated subtree of the filesystem as the account under whom the server process is running. Limiting access to this account effectively limits virtual user accounts as well.
// add a virtual user that can access the directory tree under 'c:\data\john'
server.Users.Add("john", "password", @"c:\data\john");
' add a virtual user that can access the directory tree under 'c:\data\john'
server.Users.Add("john", "password", "c:\data\john")
Disabling file access
It's even possible to disable filesystem access completely - to do this, just don't specify any virtual root directory. Users with no filesystem access won't be able to connect with SFTP, but they can still use the virtual shell (just with no filesystem access).
Declaring a user with no filesystem access might sound like a strange idea, but it can actually be useful in some scenarios - although the user can't access any files, he can still execute custom commands. If all you need is to provide an SSH shell access with several commands, this is the way to go.
// add a virtual user with no filesystem access
// (this means no SCP support)
server.Users.Add("bob", "password");
// only bind virtual shell
server.Bind(FileServerProtocol.Shell);
// implement custom shell command 'date'
server.ShellCommand += (sender, e) =>
{
if (e.Command == "date")
e.WriteLine(DateTime.UtcNow);
};
' add a virtual user with no filesystem access
' (this means no SCP support)
server.Users.Add("bob", "password")
' only bind virtual shell
server.Bind(FileServerProtocol.Shell)
' implement custom shell command 'date'
AddHandler server.ShellCommand,
Sub(sender, e)
If e.Command = "date" Then
e.WriteLine(DateTime.UtcNow)
End If
End Sub
Custom file access authorization
To restrict user's file access rights, use PathAccessAuthorization event.
It's raised every time a user attempts an IO operation that needs to be authorized,
making it possible to accept or deny the operation.
// register PathAccessAuthorization event
server.PathAccessAuthorization += (sender, e) =>
{
// completely deny access to "/no-access" directory and to its subtree
if (e.Path.StartsWith("/no-access", StringComparison.OrdinalIgnoreCase))
{
// deny access
e.Deny();
return;
}
// guest user has read-only access
if (e.User.Name == "guest")
{
// allow 'read' and 'list', deny the rest
e.Allow(FileSystemOperation.Read | FileSystemOperation.List);
return;
}
// allow other operations
e.Allow();
};
' register PathAccessAuthorization event
AddHandler server.PathAccessAuthorization,
Sub(sender, e)
' completely deny access to "/no-access" directory and to its subtree
If e.Path.StartsWith("/no-access", StringComparison.OrdinalIgnoreCase) Then
' deny access
e.Deny()
Exit Sub
End If
' guest user has read-only access
If e.User.Name = "guest" Then
' allow 'read' and 'list', deny the rest
e.Allow(FileSystemOperation.Read Or FileSystemOperation.List)
Exit Sub
End If
' allow other operations
e.Allow()
End Sub
Read-only file access
To make a user's virtual filesystem readonly, use PathAccessAuthorization event
to only allow read and list operations:
// register PathAccessAuthorization event
server.PathAccessAuthorization += (sender, e) =>
{
// allow 'read' and 'list', deny the rest ('create', 'delete' and 'write')
e.Allow(FileSystemOperation.Read | FileSystemOperation.List);
};
' register PathAccessAuthorization event
AddHandler server.PathAccessAuthorization,
Sub(sender, e)
' allow 'read' and 'list', deny the rest ('create', 'delete' and 'write')
e.Allow(FileSystemOperation.Read Or FileSystemOperation.List)
End Sub
Back to feature list...