Recommended: Granting Read Permissions

The SailPoint method of acquiring the required permissions is to use the “cap_dac_read_search” capability.

This capability allows us to bypass file read permission checks and directory read and execute permission checks.

Since Linux capabilities can be applied to files, but not to users, we will create dedicated executables that will only be used by File Access Manager.

If the SSH, SFTP or ACL packages are updated after following these steps, then the duplicated executables should be recreated, and the steps below should be repeated (except for creating the user for File Access Manager).

Using root, perform the following operations in the Linux server:

  1. Create a user for File Access Manager

    1. Create the user famuser

      adduser famuser
    2. Set password for the new user

      passwd famuser
    3. Make sure that famuser has the permissions as described in Mandatory Permissions.

  2. Create a variable that contains the path of the sftp server executable:

    For RHEL or CentOS distributions

    sftpsrv=/usr/libexec/openssh/sftp-server

    For Ubuntu

    sftpsrv=/usr/lib/openssh/sftp-server

    The sftp-server location can differ depending on the OS; confirm the path exists before continuing.

  3. Copy the sftp executable:

    cp -a ${sftpsrv} ${sftpsrv}-fam
  4. Make File Access Manager’s user the only user that can read and execute it.

    chmod 500 ${sftpsrv}-fam
    chown famuser ${sftpsrv}-fam
  5. Grant capability to bypass file read permission checks and directory read and execute permission checks

    /sbin/setcap cap_dac_read_search+ep ${sftpsrv}-fam
  6. Next, we will create a new SSH Subsystem.

    Open your SSH configuration. For OpenSSH, use the following:

    nano /etc/ssh/sshd_config
  7. Add the following line to the file. Make sure the path of the sftp executable matches the path described above, according to the distribution type.

    There will probably be a section for subsystems; look for a line that begins with “Subsystem” near the end of the file. It is best to add the line after the other subsystems.

    For RHEL or CentOS distributions

    Subsystem sftp-fam /usr/libexec/openssh/sftp-server-fam

    For Ubuntu

    Subsystem sftp-fam /usr/lib/openssh/sftp-server-fam

  8. Restart the ssh service:

    systemctl restart sshd
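The steps above, collected into one script as an added example (this is not SailPoint's own tooling). It assumes the paths and the famuser account given on this page, that GNU stat and getcap are available, and that the root-only part is run deliberately with --apply; the helper names (find_sftp_server, add_fam_subsystem, check_copy_perms, check_copy_cap, provision_fam_sftp) are hypothetical. The config helper is idempotent, so it can be re-run after an OpenSSH update without duplicating the Subsystem line, and the two check functions are the post-install verification a practitioner would want: the copy must be mode 500, owned by famuser, and carry cap_dac_read_search only.

```shell
#!/bin/sh
# Added example, not part of the SailPoint documentation.
# Paths follow the page: RHEL/CentOS vs Ubuntu sftp-server locations.

FAM_USER="famuser"   # user created in step 1 above

# Locate the stock sftp-server binary. Extra candidate paths may be passed
# as arguments and are tried first; the first executable match is printed.
find_sftp_server() {
    for candidate in "$@" /usr/libexec/openssh/sftp-server /usr/lib/openssh/sftp-server; do
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Build the sshd_config line for the dedicated subsystem (step 7 above).
subsystem_line() {
    printf 'Subsystem sftp-fam %s\n' "$1"
}

# Append the subsystem line only if no sftp-fam subsystem is configured yet,
# so repeating the procedure after an update does not add a second line.
add_fam_subsystem() {
    config="$1"; fam_bin="$2"
    if grep -Eq '^Subsystem[[:space:]]+sftp-fam[[:space:]]' "$config"; then
        return 0
    fi
    subsystem_line "$fam_bin" >> "$config"
}

# Verify step 4: the copy is mode 500 and owned by the FAM user.
# The expected owner may be overridden (second argument) for testing.
check_copy_perms() {
    fam_bin="$1"; owner="${2:-$FAM_USER}"
    mode=$(stat -c '%a' "$fam_bin") || return 1
    user=$(stat -c '%U' "$fam_bin") || return 1
    [ "$mode" = "500" ] || { echo "$fam_bin: mode is $mode, expected 500" >&2; return 1; }
    [ "$user" = "$owner" ] || { echo "$fam_bin: owner is $user, expected $owner" >&2; return 1; }
    return 0
}

# Verify step 5: cap_dac_read_search is effective+permitted on the copy.
# getcap prints "file = cap_x+ep" on older libcap and "file cap_x=ep" on newer
# releases, so both spellings are accepted.
check_copy_cap() {
    fam_bin="$1"
    caps=$(getcap "$fam_bin" 2>/dev/null) || return 1
    case "$caps" in
        *cap_dac_read_search[+=]ep*) return 0 ;;
        *) echo "$fam_bin: cap_dac_read_search+ep not set (getcap: $caps)" >&2; return 1 ;;
    esac
}

# Steps 3 to 5 as root: copy the binary, restrict it to famuser, grant the
# capability, then run both checks. Takes the stock sftp-server path.
provision_fam_sftp() {
    src="$1"; fam_bin="${src}-fam"
    [ "$(id -u)" -eq 0 ] || { echo "provision_fam_sftp must run as root" >&2; return 1; }
    cp -a "$src" "$fam_bin"
    chmod 500 "$fam_bin"
    chown "$FAM_USER" "$fam_bin"
    /sbin/setcap cap_dac_read_search+ep "$fam_bin"
    check_copy_perms "$fam_bin" && check_copy_cap "$fam_bin"
}

# Only the explicit --apply invocation touches the system (steps 3 to 8).
if [ "${1:-}" = "--apply" ]; then
    src=$(find_sftp_server) || { echo "sftp-server not found" >&2; exit 1; }
    provision_fam_sftp "$src"
    add_fam_subsystem /etc/ssh/sshd_config "${src}-fam"
    systemctl restart sshd
fi
```

Run it as `sh fam-sftp.sh --apply` on the target host after creating famuser; without --apply the functions are merely defined, which is what lets the checks be sourced and used on their own (for example from a configuration-audit job that re-runs check_copy_perms and check_copy_cap after package updates).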