
Prerequisites

Make sure your system fits the descriptions below before starting the installation.

Software Requirements

File Access Manager requires the latest ASP.NET Core 6.0.x Hosting Bundle. This bundle consists of the .NET Runtime and the ASP.NET Core Runtime. You can download the latest 6.0.x Hosting Bundle version from here.

SSH and SFTP must be available on the Linux server.

Permissions

File Access Manager connects to the Linux server using SFTP and SSH.

A user with elevated permissions is required in order to read directories with restricted permissions. We recommend granting the required permissions as described in Granting Read Permissions. This method grants File Access Manager the minimal required permissions to read any file or directory. Alternatively, it is possible to skip Granting Read Permissions and allow File Access Manager to use root instead.

Using a user other than root and not granting the permission as described in Recommended: Granting Read Permissions is not recommended. The fetched information will be limited to the permissions that the given user possesses. For instance, if the given user is not allowed to read the permissions of a directory, then the information of that directory will not be collected.

Mandatory Permissions

  • Permissions to run the commands:

    • cat

    • getent - Only if you plan to use Active Directory as an Identity Collector.

    • ypcat - Only if you plan on using NIS as an Identity Collector.

  • Permissions to read:

    • /etc/passwd

    • /etc/group

To verify that a user has the required permissions, run the following commands as that user and make sure they succeed:

cat /etc/passwd
cat /etc/group
getent passwd 0 (Only if you plan on using Active Directory as an Identity Collector)
ypcat passwd (Only if you plan on using NIS as an Identity Collector)

The method of acquiring the required permissions is to use the cap_dac_read_search capability.

This capability allows us to bypass file read permission checks and directory read and execute permission checks.

Since Linux capabilities can be applied to files, but not to users, we will create dedicated executables that will only be used by File Access Manager.

Warning

If the SSH, SFTP or ACL packages are updated after following these steps, then the duplicated executables should be recreated, and the steps below should be repeated (except for creating the user for File Access Manager).

Using root, perform the following operations on the Linux server:

  1. Create a user for File Access Manager

    1. Create the user famuser

      adduser famuser

    2. Set password for the new user

      passwd famuser

    3. Make sure that famuser has the permissions as described in Mandatory Permissions.

  2. Create a variable that contains the path of the sftp server executable:

    • For RHEL or CentOS distributions:

      sftpsrv=/usr/libexec/openssh/sftp-server

    • For Ubuntu:

      sftpsrv=/usr/lib/openssh/sftp-server

    Note

    The sftp-server location may differ depending on the OS.

  3. Copy the sftp executable:

    cp -a ${sftpsrv} ${sftpsrv}-fam

  4. Make File Access Manager’s user the only user that can read and execute it.

    chmod 500 ${sftpsrv}-fam

    chown famuser ${sftpsrv}-fam

  5. Grant capability to bypass file read permission checks and directory read and execute permission checks

    /sbin/setcap cap_dac_read_search+ep ${sftpsrv}-fam

  6. Next, we will create a new SSH subsystem. Open your SSH configuration; for OpenSSH, use the following:

    nano /etc/ssh/sshd_config

  7. Add the following line to the file. Make sure the path of the sftp executable matches the path described above, according to the distribution type.

    Note

    There will probably be a section for subsystems; look for a line that begins with “Subsystem” near the end of the file. It is best to add the line after the other subsystems.

    • For RHEL or CentOS distributions:

      Subsystem sftp-fam /usr/libexec/openssh/sftp-server-fam

    • For Ubuntu:

      Subsystem sftp-fam /usr/lib/openssh/sftp-server-fam

  8. Restart the ssh service:

    systemctl restart sshd
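The following audit helper is an added example and is not part of the File Access Manager documentation. It checks the outcome of the steps above: it reads the active Subsystem line from sshd_config, verifies that the dedicated copy is mode 500 and owned by the File Access Manager user, and queries getcap for cap_dac_read_search. It assumes the names used above (subsystem sftp-fam, user famuser) and that getcap from the libcap package is installed; fam_check_file and fam_check_capability can be pointed at /bin/getfacl-fam in the same way.

```shell
#!/bin/sh
# Added audit helper (not the product's own code). Assumed defaults from the
# procedure: subsystem "sftp-fam", owner "famuser", mode 500.

# Print the executable path that CONFIG registers for subsystem NAME.
# Commented-out lines ("#Subsystem ...") are skipped, as sshd skips them.
fam_subsystem_path() {            # usage: fam_subsystem_path CONFIG NAME
    awk -v name="$2" '$1 == "Subsystem" && $2 == name { print $3; found = 1 }
                      END { exit !found }' "$1"
}

# Succeed only if FILE has exactly octal MODE (e.g. 500) and is owned by OWNER.
fam_check_file() {                # usage: fam_check_file FILE MODE OWNER
    [ -f "$1" ] && [ -n "$(find "$1" -maxdepth 0 -perm "$2" -user "$3" 2>/dev/null)" ]
}

# Succeed only if getcap reports cap_dac_read_search as effective and permitted.
# Accepts both "path = cap+ep" (older libcap) and "path cap=ep" (newer libcap).
fam_check_capability() {          # usage: fam_check_capability FILE
    getcap "$1" 2>/dev/null | grep -q 'cap_dac_read_search[+=]ep'
}

# Run every check, print one line per finding, return the number of failures.
fam_audit() {                     # usage: fam_audit CONFIG [OWNER] [SUBSYSTEM]
    config=$1; owner=${2:-famuser}; name=${3:-sftp-fam}; failures=0
    if path=$(fam_subsystem_path "$config" "$name"); then
        echo "OK   Subsystem $name -> $path"
    else
        echo "FAIL no active 'Subsystem $name' line in $config"; return 1
    fi
    case $path in
        *-fam) echo "OK   subsystem points at the dedicated copy" ;;
        *)     echo "FAIL subsystem points at the shared binary $path"
               failures=$((failures + 1)) ;;
    esac
    if fam_check_file "$path" 500 "$owner"; then
        echo "OK   $path is mode 500 and owned by $owner"
    else
        echo "FAIL $path must be mode 500 and owned by $owner"
        failures=$((failures + 1))
    fi
    if fam_check_capability "$path"; then
        echo "OK   cap_dac_read_search is effective and permitted on $path"
    else
        echo "FAIL cap_dac_read_search+ep missing on $path (re-run setcap after package updates)"
        failures=$((failures + 1))
    fi
    return $failures
}
```

Run `fam_audit /etc/ssh/sshd_config` as root after step 8, and again after any OpenSSH or libcap package update, since the Warning above notes that updates invalidate the duplicated executable.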

Optional - Grant Read Permissions for ACLs

This section should only be followed if you wish to read ACL permissions.

  1. Copy the getfacl executable:

    cp -a /bin/getfacl /bin/getfacl-fam

  2. Make File Access Manager’s user the only user that can read and execute it.

    chmod 500 /bin/getfacl-fam

    chown famuser /bin/getfacl-fam

  3. Grant the executable the capability to bypass file read permission checks and directory read and execute permission checks

    /sbin/setcap cap_dac_read_search+ep /bin/getfacl-fam

Communications Requirements

Requirement                          Source                          Destination                  Port
File Access Manager Internal Access  Application                     File Access Manager Servers  8000-8008
File Access Manager Message Broker   Permissions Collector           RabbitMQ                     5671
Permissions Collection               Permissions Collection service  Target Linux server          Configurable SSH port

Configuration Requirements

File Access Manager supports reading permissions of users from Active Directory only if the display format of Active Directory users in the Linux machine is user@domain (which is the default format).