Prerequisites
Make sure your system fits the descriptions below before starting the installation.
Software Requirements
File Access Manager requires the latest ASP.NET Core 6.0.x Hosting Bundle, which contains the .NET Runtime and the ASP.NET Core Runtime. You can download the latest 6.0.x Hosting Bundle from here.
SSH and SFTP must be available on the Linux server.
Permissions
File Access Manager connects to the Linux server using SFTP and SSH.
A user with elevated permissions is required in order to read directories with restricted permissions. We recommend granting those permissions as described in Recommended: Granting Read Permissions; that method gives File Access Manager the minimal set of privileges needed to read any file or directory. Alternatively, you can skip Recommended: Granting Read Permissions and let File Access Manager connect as root.
Connecting as a user other than root without granting the permissions described in Recommended: Granting Read Permissions is not recommended. The collected information is then limited to what that user is allowed to see: for example, if the user is not allowed to read the permissions of a directory, the information for that directory is not collected.
Mandatory Permissions
- Permission to run the commands:
  - cat
  - getent (only if you plan to use Active Directory as an Identity Collector)
  - ypcat (only if you plan to use NIS as an Identity Collector)
- Permission to read:
  - /etc/passwd
  - /etc/group
To verify that a user has the required permissions, run the following commands as that user and make sure they succeed:
cat /etc/passwd
cat /etc/group
getent passwd 0 (only if you plan to use Active Directory as an Identity Collector)
ypcat passwd (only if you plan to use NIS as an Identity Collector)
Recommended: Granting Read Permissions
The recommended way to acquire the required permissions is the cap_dac_read_search capability. This capability bypasses file read permission checks and directory read and execute permission checks, and nothing else (no write access is granted).
Because Linux file capabilities are attached to executables, not to users, we create dedicated copies of the executables that only File Access Manager's user can run, and grant the capability to those copies.
Warning
If the SSH, SFTP or ACL packages are updated after following these steps, the copied executables must be recreated and the steps below repeated (except for creating the File Access Manager user), because the package update replaces the original binaries that the copies were made from.
Using root, perform the following operations on the Linux server:
- Create a user for File Access Manager:
  - Create the user famuser:
    adduser famuser
  - Set a password for the new user:
    passwd famuser
  - Make sure that famuser has the permissions described in Mandatory Permissions.
- Create a variable that contains the path of the sftp-server executable.
  For RHEL or CentOS distributions:
    sftpsrv=/usr/libexec/openssh/sftp-server
  For Ubuntu:
    sftpsrv=/usr/lib/openssh/sftp-server
  Note
  The sftp-server location may differ depending on the OS.
- Copy the sftp-server executable:
    cp -a ${sftpsrv} ${sftpsrv}-fam
- Make File Access Manager's user the only user that can read and execute the copy:
    chmod 500 ${sftpsrv}-fam
    chown famuser ${sftpsrv}-fam
- Grant the copy the capability to bypass file read permission checks and directory read and execute permission checks. Keep this as the last step, after the chown: changing a file's owner clears any file capabilities already set on it.
    /sbin/setcap cap_dac_read_search+ep ${sftpsrv}-fam
- Next, create a new SSH subsystem. Open your SSH daemon configuration; for OpenSSH, use the following:
    nano /etc/ssh/sshd_config
- Add the following line to the file. Make sure the path of the sftp-server copy matches the path used above for your distribution type.
  Note
  There is probably already a section for subsystems; look for a line that begins with "Subsystem" near the end of the file. It is best to add the new line after the existing subsystems.
  For RHEL or CentOS distributions:
    Subsystem sftp-fam /usr/libexec/openssh/sftp-server-fam
  For Ubuntu:
    Subsystem sftp-fam /usr/lib/openssh/sftp-server-fam
- Restart the ssh service:
    systemctl restart sshd
Optional - Grant Read Permissions for ACLs
Follow this section only if you wish to read ACL permissions.
- Copy the getfacl executable:
    cp -a /bin/getfacl /bin/getfacl-fam
- Make File Access Manager's user the only user that can read and execute the copy:
    chmod 500 /bin/getfacl-fam
    chown famuser /bin/getfacl-fam
- Grant the copy the capability to bypass file read permission checks and directory read and execute permission checks (after the chown, as above):
    /sbin/setcap cap_dac_read_search+ep /bin/getfacl-fam
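The procedure above (create the user, verify the Mandatory Permissions, create the capability-wrapped sftp-server copy, register the subsystem, restart sshd, and optionally wrap getfacl) collected into one re-runnable script, as an added example; it is not SailPoint's script and not part of this page. It keeps the page's names famuser and sftp-fam, and assumes GNU coreutils (stat, id), the libcap setcap/getcap tools and a systemd host. The distribution detection from /etc/os-release is this example's own convention (the page only lists the RHEL/CentOS and Ubuntu paths), and the FAM_APPLY/FAM_ACL switches are likewise the example's own. The helper functions run unprivileged and can be checked on any machine; the apply section runs only when FAM_APPLY=yes and you are root.

```shell
#!/bin/sh
# Added example, not SailPoint's script. Wraps sftp-server (and optionally
# getfacl) with cap_dac_read_search for File Access Manager. Re-runnable, so
# it can simply be repeated after an SSH/SFTP/ACL package update.
# Assumptions: user famuser, subsystem sftp-fam, GNU coreutils, libcap tools.

FAM_USER="${FAM_USER:-famuser}"

# Stock sftp-server path chosen from an os-release file (the path is passed
# in so the function can be exercised against a constructed file). This
# detection is the example's own convention, not something the page states.
fam_detect_sftpsrv() {
    ids=$(grep -E '^(ID|ID_LIKE)=' "$1" | tr -d '"' | tr '\n' ' ') || true
    case " $ids " in
        *rhel*|*centos*|*fedora*) echo /usr/libexec/openssh/sftp-server ;;
        *debian*|*ubuntu*)        echo /usr/lib/openssh/sftp-server ;;
        *) return 1 ;;
    esac
}

# The sshd_config line that exposes the wrapped copy under its own name.
fam_subsystem_line() {
    echo "Subsystem sftp-fam $1-fam"
}

# "Only famuser can read and execute it": mode 0500 and the expected owner.
fam_verify_mode_owner() {
    [ "$(stat -c '%a:%u' "$1")" = "500:$(id -u "$2")" ]
}

# The capability must be present on the copy; getcap prints "+ep" (older
# libcap) or "=ep" (libcap 2.41 and later).
fam_verify_caps() {
    getcap "$1" | grep -q 'cap_dac_read_search[=+]ep'
}

# Create or recreate the wrapped copy of one executable.
fam_wrap() {
    cp -a "$1" "$1-fam"
    chmod 500 "$1-fam"
    chown "$FAM_USER" "$1-fam"
    # setcap last: chown clears file capabilities, so running it earlier
    # would leave a copy that silently lacks the capability.
    /sbin/setcap cap_dac_read_search+ep "$1-fam"
    fam_verify_mode_owner "$1-fam" "$FAM_USER" && fam_verify_caps "$1-fam"
}

# Mandatory Permissions check, run as the FAM user (Active Directory variant).
fam_check_mandatory() {
    su -s /bin/sh "$FAM_USER" -c \
        'cat /etc/passwd >/dev/null && cat /etc/group >/dev/null && getent passwd 0 >/dev/null'
}

# Apply section: FAM_APPLY=yes [FAM_ACL=yes] sh fam-setup.sh, as root.
if [ "${FAM_APPLY:-no}" = yes ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    id "$FAM_USER" >/dev/null 2>&1 || { adduser "$FAM_USER" && passwd "$FAM_USER"; }
    sftpsrv=$(fam_detect_sftpsrv /etc/os-release) \
        || { echo "unknown distribution: set the sftp-server path by hand" >&2; exit 1; }
    fam_check_mandatory || { echo "$FAM_USER lacks the Mandatory Permissions" >&2; exit 1; }
    fam_wrap "$sftpsrv"
    line=$(fam_subsystem_line "$sftpsrv")
    grep -qxF "$line" /etc/ssh/sshd_config || echo "$line" >> /etc/ssh/sshd_config
    sshd -t && systemctl restart sshd      # validate the config before restarting
    if [ "${FAM_ACL:-no}" = yes ]; then
        fam_wrap /bin/getfacl
    fi
fi
```

Run it as root with FAM_APPLY=yes (add FAM_ACL=yes to wrap getfacl as well). The subsystem line is appended only if it is not already present, and sshd -t rejects a broken sshd_config before the restart, so a typo cannot lock you out of the server. The verification in fam_wrap is the check worth keeping even if you follow the manual steps: getcap must show cap_dac_read_search on the copy after the chown, otherwise the collector will run without the capability and silently return incomplete data.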
Communications Requirements
Requirement | Source | Destination | Port |
---|---|---|---|
File Access Manager Internal Access | Application | File Access Manager Servers | 8000-8008 |
File Access Manager Message Broker | Permissions Collector | RabbitMQ | 5671 |
Permissions Collection | Permissions Collection service | Target Linux server | Configurable SSH port |
Configuration Requirements
File Access Manager supports reading permissions of users from Active Directory only if the display format of Active Directory users in the Linux machine is user@domain (which is the default format).