Documentation forServ-U MFT & Serv-U FTP Server

User properties: Directory access

Directory access rules enable you to define which areas of the system are accessible to users.

Directory access rules are inherited unless specified; that means that unless a user has a directory access rules set up specifically for it, then it inherits the rules set up for the group containing it (if it belongs to a group). In the same way a group will inherit the rules set for the domain it belongs to, and a domain will inherit the rules set up at the global level - unless rules are specifically defined for it.

When you set the directory access path, you can use the %USER%, %HOME%, %USER_FULL_NAME%, and %DOMAIN_HOME% variables to simplify the process.

For example, use %HOME%/ftproot/ to create a directory access rule that specifies the ftproot folder in the home directory of the user.

Directory access rules specified in this manner are portable if the actual home directory changes while maintaining the same subdirectory structure. This leads to less maintenance for the file server administrator. If you specify the %USER% variable in the path, it is replaced with the user's login ID. This variable is useful in specifying a group's home directory to ensure that users inherit a logical and unique home directory. You can use the %USER_FULL_NAME% variable to insert the Full Name value into the path (the user must have a Full Name specified for this to function). For example, the user "Tom Smith" could use D:\ftproot\%USER_FULL_NAME% for D:\ftproot\Tom Smith. You can also use the %DOMAIN_HOME% macro to identify the user's home directory. For example, to place a user and their home directory into a common directory, use %DOMAIN_HOME%\%USER%.

Directory access rules are applied in the order listed below. The first rule in the list that matches the path of a client's request is the one applied for that rule. In other words, if a rule exists that denies access to a particular subdirectory but is listed below the rule that grants access to the parent directory, then a user still has access to the particular subdirectory. Use the arrows on the right of the directory access list to rearrange the order in which the rules are applied.

Serv-U File Server allows to list and open the parent directory of the directory the user is granted access to, even if no explicit access rules are defined for the parent directory. However, the parent directory accessed this way will only display the content to which the user has access.

Permissions

File Permission
Read

Allows users to read (download) files. This permission does not allow users to list the contents of a directory, which is granted by the List permission.

Write

Allows users to write (upload) files. This permission does not allow users to modify existing files, which is granted by the Append permission.

Append

Allows users to append data to existing files. This permission is typically used to enable users to resume transferring partially uploaded files.

Rename

Allows users to rename files. In Serv-U versions 15.4.2 and greater, the Rename permission functionality has changed and you will be unable to rename source files unless the target file has Write enabled. See the Rename permission section below.

Delete

Allows users to delete files.

Execute

Allows users to remotely execute files. The execute access is meant for remotely starting programs and usually applies to specific files. This is a powerful permission and great care should be used in granting it to users. Users with Write and Execute permissions can install any program on the system.

Directory Permission
List Allows users to list the files and subdirectories contained in the directory. Also allows users to list this folder when listing the contents of a parent directory.
Create

Allows users to create new directories within the directory.

Rename

Allows users to rename directories within the directory.

Remove

Allows users to delete existing directories within the directory.

If the directory contains files, the user also must have the Delete files permission to remove the directory.

Subdirectory Permission
Inherit

Allows all subdirectories to inherit the same permissions as the parent directory. The Inherit permission is appropriate for most circumstances, but if access must be restricted to subfolders (for example, when implementing mandatory access control), clear the Inherit check box and grant permissions specifically by folder.

Maximum size of directory contents

Setting the maximum size actively restricts the size of the directory contents to the specified value. Any attempted file transfers that would result in the directory content to exceed this value are rejected. This feature serves as an alternative to the traditional quota feature that relies upon tracking all file transfers (uploads and deletions) to calculate directory sizes and is not able to consider changes made to the directory contents outside of a user's file server activity.

Advanced: Access as Windows user (Windows only)

Files and folders may be kept on external servers in order to centralize file storage or provide additional layers of security. In this environment, files can be accessed by the UNC path (\\servername\folder\) instead of the traditional C:\ftproot\folder path. However, accessing folders stored across the network poses an additional challenge, because Windows services are run under the Local System account by default, which has no access to network resources.

To mitigate this problem for all of Serv-U File Server, you can configure the SolarWinds Serv-U File Server service to run under a network account. The alternative, preferred where many servers exist, or if the SolarWinds Serv-U File Server service has to run under Local System for security reasons, is to configure a directory access rule to use a specific Windows user for file access. Click Advanced to specify a specific Windows user for each directory access rule. As in Windows authentication, directory access is subject to NTFS permissions, and in this case also to the configured permissions in Serv-U File Server.

When you use Windows authentication, the NTFS permissions of the Windows user take priority over the directory access rules. This means that when a Windows user tries to access a folder, the security permissions of the user are applied instead of the credentials specified in the directory access rule.

Examples

Mandatory access control

You can use mandatory access control (MAC) in cases where users need to be granted access to the same home directory but should not necessarily be able to access the subdirectories below it. To implement mandatory access control at a directory level, disable the Inherit permission as shown below.

In the following example, the rule applies to C:\ftproot\.

Now, the user has access to the ftproot folder but to no folders below it. Permissions must individually be granted to subfolders that the user needs access to, providing the security of mandatory access control in SolarWinds Serv-U File Server.

Restrict file types

If users are using storage space on the SolarWinds Serv-U File Server to store non-work-related files, such as .mp3 files, you can prevent this by configuring a directory access rule placed above the main directory access rule to prevent .mp3 files from being transferred as shown below.

In the text entry for the rule, type *.mp3, and use the permissions shown below:

The rule denies permission to any transfer of files with the .mp3 extension and can be modified to reflect any file extension. Similarly, if accounting employees only need to transfer files with the .mdb extension, configure a pair of rules that grants permissions for .mdb files but denies access to all other files, as shown below.

In the first rule, enter the path that should be the user's home directory or the directory to which they need access.

In the second rule, enter the extension of the file that should be accessed, such as *.mdb.

These rules only allow users to access .mdb files within the specified directories. You can adapt these rules to any file extension or set of file extensions.

Rename permission functionality change

In Serv-U versions 15.4.2 and greater, the Rename permission functionality has changed. A user with Read, Delete, and Rename directory access will be unable to rename source files unless the target file has Write enabled. For example, with Read, Delete, and Rename permissions set for *.exe you could rename example.txt to example2.txt; but could not rename example.txt to example.exe. Serv-U will reject these commands with a "Permission Denied" prompt since there is no Write permission set for *.exe. This is an intentional change that will help protect your system from bypassing Directory Access rules. Consider the following example.

While in a remote user directory all the files have full access rights. The system Administrator wants to restrict the uploading of potentially malicious *.exe files. The Administrator established the following two directory access rules.

Directory Access Rule 1

Path: *exe

Write: OFF

Directory Access Rule 2

Path: %HOME%

Read: ON

Write: ON

Append: ON

Rename: ON

Delete: ON

Conclusion

With these two directory access rules set, an attacker could no longer bypass the directory access rule set for *exe:

  1. put Virus.NOEXE
  2. rename Virus.NOEXE Virus.EXE

This bypass wouldn't be possible because *.exe files are not allowed to write. In this example, you could rename A.txt to B.txt, but you could not rename A.txt to B.exe.