Azure Files for Linux - Shared Non-Root Access

Wednesday, January 15, 2020

Recently, one of my co-workers asked whether anyone had experience accessing Azure Files from Linux without using root or wide-open permissions. Neither the documentation nor the Connect tab in the portal showed how to mount an Azure Files share with permissions other than root-only access or 0777. After a bit of testing, this is what I came up with to restrict access to the mounted share to a specific group (along with creating test users and groups to demonstrate it).

Prerequisites:

  • 1 Linux Virtual Machine (VM) running Ubuntu. In this example, the default login user for the VM is ‘thor’.
  • 1 Storage Account set up for Files access. In this example, the storage account is named ‘valhalla’ and the shared filesystem is named ‘sharedfs’.

Instructions

  • Log into the Linux VM.
  • Install required software:

    sudo apt update
    sudo apt install cifs-utils
    
  • Create a group to control access to the shared filesystem

    sudo groupadd azurefilesrw
    
  • Add a few users and include them in the group listed previously:

    sudo useradd -s /bin/bash -d /home/loki/ -m -G azurefilesrw loki
    sudo useradd -s /bin/bash -d /home/odin/ -m -G azurefilesrw odin
    
  • Add the original user to the group

    sudo usermod -a -G azurefilesrw thor
    
  • Navigate to the Azure Files blade in the portal by expanding the storage account, expanding ‘File shares’, and selecting the one you want to mount.

  • Click ‘Connect’, click the Linux tab on the right pane, and copy the shell script into a text file.

  • In the shell script, modify the following to meet requirements:

    • Change the mount point if necessary - the default is /mnt/<name of storage account>.
    • Change the lines for creating the fstab entry and the mount to use the group listed above.
    • Change the dir_mode and file_mode to something more appropriate, such as 0770 and 0660.
    • An example script appears below with these changes:

      # Mount point for the share; the portal default is /mnt/<name of storage account>
      sudo mkdir /mnt/valhalla
      # Credentials file holding the storage account name and key; only root may read it
      if [ ! -d "/etc/smbcredentials" ]; then
          sudo mkdir /etc/smbcredentials
      fi
      if [ ! -f "/etc/smbcredentials/valhalla.cred" ]; then
          sudo bash -c 'echo "username=valhalla" >> /etc/smbcredentials/valhalla.cred'
          sudo bash -c 'echo "password=ThisObviouslyIsntMyPasswordButYoursShouldLookLikeARandomStringEndingWith==" >> /etc/smbcredentials/valhalla.cred'
      fi
      sudo chmod 600 /etc/smbcredentials/valhalla.cred
      # Persistent fstab entry: gid=azurefilesrw makes the group own every file and directory,
      # and dir_mode=0770/file_mode=0660 give the group read/write while leaving "other" with nothing
      sudo bash -c 'echo "//valhalla.file.core.windows.net/sharedfs /mnt/valhalla cifs nofail,vers=3.0,credentials=/etc/smbcredentials/valhalla.cred,dir_mode=0770,file_mode=0660,serverino,gid=azurefilesrw" >> /etc/fstab'
      # Mount it now with the same options rather than waiting for the next boot
      sudo mount -t cifs //valhalla.file.core.windows.net/sharedfs /mnt/valhalla -o vers=3.0,credentials=/etc/smbcredentials/valhalla.cred,dir_mode=0770,file_mode=0660,serverino,gid=azurefilesrw
      
  • At this point, the users in the azurefilesrw group should be able to read and write files within the mounted Azure Files share, while users outside the group get "Permission denied". Keep in mind that dir_mode, file_mode and gid are enforced by the CIFS client on this VM only; they do not change who can reach the share with the storage account key, so the credentials file staying at mode 600 matters as much as the group.
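To confirm that an fstab entry actually carries the restrictions from the steps above (and to catch the 0777 default creeping back in), here is a small POSIX shell audit script. It is an added example, not part of the original post or of Azure's portal script. The first sample line is the post's own fstab entry; the remaining lines are constructed counter-examples (a world-writable share, one without a gid= option, and a non-CIFS entry), and the script name audit-cifs-fstab.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: audit CIFS entries in an
# fstab-style file for the group-restricted settings the post describes.
# Line 1 is the post's entry; lines 2-4 are constructed for demonstration.
SAMPLE_FSTAB='//valhalla.file.core.windows.net/sharedfs /mnt/valhalla cifs nofail,vers=3.0,credentials=/etc/smbcredentials/valhalla.cred,dir_mode=0770,file_mode=0660,serverino,gid=azurefilesrw 0 0
//valhalla.file.core.windows.net/scratch /mnt/scratch cifs nofail,vers=3.0,credentials=/etc/smbcredentials/valhalla.cred,dir_mode=0777,file_mode=0777,serverino 0 0
//valhalla.file.core.windows.net/reports /mnt/reports cifs nofail,vers=3.0,credentials=/etc/smbcredentials/valhalla.cred,dir_mode=0770,file_mode=0660,serverino 0 0
/dev/sda1 / ext4 defaults 0 1'

# sample_line N: print line N of the constructed sample.
sample_line() { printf '%s\n' "$SAMPLE_FSTAB" | sed -n "${1}p"; }

# cifs_opt LINE KEY: print the value of KEY from the comma-separated
# options field (field 4) of one fstab line; prints nothing if absent.
cifs_opt() {
    printf '%s\n' "$1" | awk '{print $4}' | tr ',' '\n' \
        | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# check_cred_perms FILE: 0 if FILE is readable and writable by its owner
# only (what "chmod 600" in the post produces), 1 otherwise. Parses ls -l
# so it behaves the same on GNU and BSD userlands.
check_cred_perms() {
    [ -e "$1" ] || { echo "$1: credentials file missing"; return 1; }
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ?rw-------) return 0 ;;
        *) echo "$1: permissions are '$perms', expected -rw-------"; return 1 ;;
    esac
}

# check_cifs_line LINE: 0 when a cifs entry has dir_mode/file_mode with no
# "other" bits, a gid= option and vers=3.x (the settings used in the post);
# 1 with one reason per finding. Entries of any other filesystem type pass.
check_cifs_line() {
    line=$1
    [ "$(printf '%s\n' "$line" | awk '{print $3}')" = "cifs" ] || return 0
    mnt=$(printf '%s\n' "$line" | awk '{print $2}')
    rc=0
    for key in dir_mode file_mode; do
        mode=$(cifs_opt "$line" "$key")
        case "$mode" in
            "") echo "$mnt: $key not set explicitly"; rc=1 ;;
            *0) ;;                               # last octal digit 0: nothing for "other"
            *)  echo "$mnt: $key=$mode grants access to every local user"; rc=1 ;;
        esac
    done
    [ -n "$(cifs_opt "$line" gid)" ] \
        || { echo "$mnt: no gid= option, files are not owned by the access group"; rc=1; }
    case "$(cifs_opt "$line" vers)" in
        3|3.*) ;;
        *) echo "$mnt: vers is not 3.x"; rc=1 ;;
    esac
    # If the credentials file exists on this host, it must be mode 600.
    cred=$(cifs_opt "$line" credentials)
    if [ -n "$cred" ] && [ -e "$cred" ]; then
        check_cred_perms "$cred" || rc=1
    fi
    return $rc
}

# check_fstab FILE: run check_cifs_line over every entry; 0 only if all pass.
check_fstab() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        check_cifs_line "$line" || bad=1
    done < "$1"
    return $bad
}

# Usage on a real host (hypothetical script name): sh audit-cifs-fstab.sh /etc/fstab
if [ "$#" -gt 0 ]; then check_fstab "$1"; fi
```

Run against the constructed sample, the first and fourth lines pass, the second is reported for dir_mode, file_mode and the missing gid=, and the third for the missing gid= only; the script exits non-zero whenever any entry is flagged, so it can sit in a configuration check after provisioning.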
