Rebex File Server
SFTP, SCP and SSH server library for .NET
Access control
Unrestricted file access
Each authenticated user can access the part of the file system specified by their virtual root directory. By default, Rebex File Server doesn't impose any additional restrictions.
However, OS-level access rights still apply. Since all File Server users are virtual, they access the designated subtree of the filesystem as the account under which the server process is running. Restricting that account's access rights effectively restricts the virtual user accounts as well.
// add a virtual user that can access the directory tree under 'c:\data\john'
server.Users.Add("john", "password", @"c:\data\john");
' add a virtual user that can access the directory tree under 'c:\data\john'
server.Users.Add("john", "password", "c:\data\john")
Disabling file access
It's even possible to disable filesystem access completely. To do this, just don't specify any virtual root directory. Users with no filesystem access won't be able to connect with SFTP, but they can still use the virtual shell (just with no filesystem access).
Declaring a user with no filesystem access might sound like a strange idea, but it can actually be useful in some scenarios: although the user can't access any files, they can still execute custom commands. If all you need is to provide SSH shell access with several commands, this is the way to go.
    // add a virtual user with no filesystem access
    // (this means no SCP support)
    server.Users.Add("bob", "password");

    // only bind virtual shell
    server.Bind(FileServerProtocol.Shell);

    // implement custom shell command 'date'
    server.ShellCommand += (sender, e) =>
    {
        if (e.Command == "date")
            e.WriteLine(DateTime.UtcNow);
    };

    ' add a virtual user with no filesystem access
    ' (this means no SCP support)
    server.Users.Add("bob", "password")

    ' only bind virtual shell
    server.Bind(FileServerProtocol.Shell)

    ' implement custom shell command 'date'
    AddHandler server.ShellCommand,
        Sub(sender, e)
            If e.Command = "date" Then
                e.WriteLine(DateTime.UtcNow)
            End If
        End Sub
Custom file access authorization
To restrict a user's file access rights, use the PathAccessAuthorization event.
It's raised every time a user attempts an IO operation that needs to be authorized, making it possible to accept or deny the operation.
    // register PathAccessAuthorization event
    server.PathAccessAuthorization += (sender, e) =>
    {
        // completely deny access to "/no-access" directory and to its subtree
        if (e.Path.StartsWith("/no-access", StringComparison.OrdinalIgnoreCase))
        {
            // deny access
            e.Deny();
            return;
        }

        // guest user has read-only access
        if (e.User.Name == "guest")
        {
            // allow 'read' and 'list', deny the rest
            e.Allow(FileSystemOperation.Read | FileSystemOperation.List);
            return;
        }

        // allow other operations
        e.Allow();
    };

    ' register PathAccessAuthorization event
    AddHandler server.PathAccessAuthorization,
        Sub(sender, e)
            ' completely deny access to "/no-access" directory and to its subtree
            If e.Path.StartsWith("/no-access", StringComparison.OrdinalIgnoreCase) Then
                ' deny access
                e.Deny()
                Exit Sub
            End If

            ' guest user has read-only access
            If e.User.Name = "guest" Then
                ' allow 'read' and 'list', deny the rest
                e.Allow(FileSystemOperation.Read Or FileSystemOperation.List)
                Exit Sub
            End If

            ' allow other operations
            e.Allow()
        End Sub
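An added example, not part of the Rebex documentation or library: the policy from the handler above written as a standalone function, with the path normalized and matched on segment boundaries so that a sibling such as "/no-access-archive" is not caught by the "/no-access" rule. The `Op` enum and `AccessPolicy` class are hypothetical stand-ins, the sample requests are constructed, and it assumes virtual paths are '/'-separated and may arrive un-normalized.

```csharp
using System;
using System.Collections.Generic;
// Hypothetical stand-in for the operations named on this page (not the Rebex enum).
[Flags]
enum Op { None = 0, Read = 1, List = 2, Write = 4, Create = 8, Delete = 16, All = 31 }

static class AccessPolicy
{
    // Collapse empty, "." and ".." segments: "/a//b/../no-access/" becomes "/a/no-access".
    public static string Normalize(string path)
    {
        var stack = new List<string>();
        foreach (var seg in path.Split('/'))
        {
            if (seg.Length == 0 || seg == ".") continue;
            if (seg == "..") { if (stack.Count > 0) stack.RemoveAt(stack.Count - 1); continue; }
            stack.Add(seg);
        }
        return "/" + string.Join("/", stack);
    }

    // True only for 'root' itself or a path below it, compared per segment.
    public static bool IsUnder(string path, string root)
    {
        string p = Normalize(path), r = Normalize(root).TrimEnd('/');
        return p.Equals(r, StringComparison.OrdinalIgnoreCase)
            || p.StartsWith(r + "/", StringComparison.OrdinalIgnoreCase);
    }

    // Same policy as the handler above, returned as the set of permitted operations.
    public static Op Allowed(string user, string path)
    {
        if (IsUnder(path, "/no-access")) return Op.None;   // denied subtree
        if (user == "guest") return Op.Read | Op.List;     // read-only guest
        return Op.All;                                     // everyone else
    }
}
static class Program
{
    static void Main()
    {
        // Constructed sample requests: (user, path)
        var samples = new[] { ("john", "/no-access"), ("john", "/NO-ACCESS/secret.txt"),
            ("john", "/pub/../no-access/x"), ("john", "/no-access-archive/a.txt"),
            ("guest", "/pub/readme.txt") };
        foreach (var (user, path) in samples)
            Console.WriteLine($"{user,-6} {path,-28} -> {AccessPolicy.Allowed(user, path)}");
    }
}
```

Keeping the decision in a pure function like this lets the rules be unit-tested without starting a server; the event handler then only maps the result to the deny and allow calls shown above.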
Read-only file access
To make a user's virtual filesystem read-only, use the PathAccessAuthorization event to allow only read and list operations:
    // register PathAccessAuthorization event
    server.PathAccessAuthorization += (sender, e) =>
    {
        // allow 'read' and 'list', deny the rest ('create', 'delete' and 'write')
        e.Allow(FileSystemOperation.Read | FileSystemOperation.List);
    };

    ' register PathAccessAuthorization event
    AddHandler server.PathAccessAuthorization,
        Sub(sender, e)
            ' allow 'read' and 'list', deny the rest ('create', 'delete' and 'write')
            e.Allow(FileSystemOperation.Read Or FileSystemOperation.List)
        End Sub