Recently, one of my co-workers asked whether anyone had experience accessing Azure Files from Linux without using root or wide-open permissions. After looking at the documentation as well as the Connect tab in the portal, neither mounted the Azure Files share with permissions other than root-only access or 0777. After a bit of testing, this is what I developed to restrict access to the mounted share to a specific group (along with creating test users and groups to demonstrate it).
- 1 Linux Virtual Machine (VM) running Ubuntu. In this example, the default login user for the VM is ‘thor’.
- 1 Storage Account setup for Files access. In this example, the storage account is named ‘valhalla’ and the shared filesystem is named ‘sharedfs’.
- Log into the Linux VM.
Install required software:
```bash
sudo apt update
sudo apt install cifs-utils
```
Create a group to control access to the shared filesystem:
```bash
sudo groupadd azurefilesrw
```
Add a few users and include them in the group listed previously:
```bash
sudo useradd -s /bin/bash -d /home/loki/ -m -G azurefilesrw loki
sudo useradd -s /bin/bash -d /home/odin/ -m -G azurefilesrw odin
```
Add the original user to the group:
```bash
sudo usermod -a -G azurefilesrw thor
```
Navigate to the Azure Files blade in the portal by expanding the storage account, expanding ‘File shares’, and selecting the one you want to mount.
Click ‘Connect’, click the Linux tab on the right pane, and copy the shell script into a text file.
In the shell script, modify the following to meet requirements:
- Change the mount point if necessary - the default is /mnt/<name of storage account>.
- Change the lines for creating the fstab entry and the mount to use the group listed above.
- Change the dir_mode and file_mode to something more appropriate, such as 0770 and 0660.
An example script appears below with these changes:
```bash
sudo mkdir /mnt/valhalla
if [ ! -d "/etc/smbcredentials" ]; then
    sudo mkdir /etc/smbcredentials
fi
if [ ! -f "/etc/smbcredentials/valhalla.cred" ]; then
    sudo bash -c 'echo "username=valhalla" >> /etc/smbcredentials/valhalla.cred'
    sudo bash -c 'echo "password=ThisObviouslyIsntMyPasswordButYoursShouldLookLikeARandomStringEndingWith==" >> /etc/smbcredentials/valhalla.cred'
fi
sudo chmod 600 /etc/smbcredentials/valhalla.cred
sudo bash -c 'echo "//valhalla.file.core.windows.net/sharedfs /mnt/valhalla cifs nofail,vers=3.0,credentials=/etc/smbcredentials/valhalla.cred,dir_mode=0770,file_mode=0660,serverino,gid=azurefilesrw" >> /etc/fstab'
sudo mount -t cifs //valhalla.file.core.windows.net/sharedfs /mnt/valhalla -o vers=3.0,credentials=/etc/smbcredentials/valhalla.cred,dir_mode=0770,file_mode=0660,serverino,gid=azurefilesrw
```
At this point, the users included in the azurefilesrw group should have access to read and write files within the mounted Azure Files share.
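As an added example (not part of the original post or of any Azure tooling), here is a small POSIX shell audit of an fstab line for the three things the script above relies on: credentials kept in a separate file rather than inline, a gid= group, and dir_mode/file_mode that grant nothing to "other". The two sample entries are constructed using this post's names; the function and option names are my own.

```sh
# Constructed sample entries (not copied from a real system): the first matches the
# hardened script above, the second is the wide-open shape the audit should reject.
GOOD_ENTRY='//valhalla.file.core.windows.net/sharedfs /mnt/valhalla cifs nofail,vers=3.0,credentials=/etc/smbcredentials/valhalla.cred,dir_mode=0770,file_mode=0660,serverino,gid=azurefilesrw 0 0'
BAD_ENTRY='//valhalla.file.core.windows.net/sharedfs /mnt/valhalla cifs nofail,vers=3.0,username=valhalla,password=NotASecret,dir_mode=0777,file_mode=0777,serverino 0 0'

# Print the value of option $2 from the comma-separated option string $1 (empty if absent).
cifs_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Audit one fstab line; prints every finding and returns 0 only when all checks pass.
check_cifs_fstab_entry() {
    set -- $1                      # split into: device mountpoint fstype options [dump pass]
    [ "$3" = "cifs" ] || { echo "SKIP: not a cifs entry"; return 2; }
    opts=$4
    rc=0
    # Secrets belong in a 0600 credentials file, never inline in world-readable /etc/fstab.
    if [ -n "$(cifs_opt "$opts" password)" ]; then
        echo "FAIL: password= given inline in /etc/fstab"; rc=1
    fi
    if [ -z "$(cifs_opt "$opts" credentials)" ]; then
        echo "FAIL: no credentials= file"; rc=1
    fi
    # Without gid= the mounted files default to gid 0, so group membership gates nothing.
    if [ -z "$(cifs_opt "$opts" gid)" ]; then
        echo "FAIL: no gid= option, so no group controls access"; rc=1
    fi
    # dir_mode/file_mode must be octal and grant no permission bits to "other".
    for m in dir_mode file_mode; do
        mode=$(cifs_opt "$opts" "$m")
        case "$mode" in
            "")        echo "FAIL: $m not set"; rc=1 ;;
            *[!0-7]*)  echo "FAIL: $m=$mode is not octal"; rc=1 ;;
            *0)        echo "OK:   $m=$mode grants nothing to other" ;;
            *)         echo "FAIL: $m=$mode grants access to other users"; rc=1 ;;
        esac
    done
    return $rc
}

check_cifs_fstab_entry "$GOOD_ENTRY" && echo "hardened entry: PASS"
check_cifs_fstab_entry "$BAD_ENTRY" || echo "wide-open entry: REJECTED"
```

These modes are enforced by the local CIFS client only; the credentials file holds the storage account key, so keeping it 0600 is what limits who can mount the share with full access from anywhere else.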