linux
faustoFF, 2012-11-24 16:17:22

Organization of quota access via ftp?

Hello!
Goal: automatically give users quota-limited (restricted data storage) ftp access to some personal files.
How it looks for the user:
1) the user registers on the site;
2) orders goods on it (a game server);
3) gets quota-limited ftp access to his server's configuration;
4) configures the server configs (either deletes or uploads new files);
5) starts the server and rejoices.
Currently used tools:
1) Debian (proftpd + quota + quotatool)
2) Apache
3) PHP
Solution:
I started by carrying out the procedure for creating a new ftp user by hand from the console as root, and this is what came of it:

useradd -b /home/ -m server
passwd server
# then copy the default game-server build into the created user's directory under /home/
# set a quota on the space for the server's files
quotatool -u server -bl '500 Mb' /home

After that, the user has ftp access to the files of his game server.
Problem:
If you do all of this through exec() in PHP, then of course it doesn't work, because www-data, under which Apache runs, has rights neither to useradd nor to cp into the created user's home directory. Giving such permissions to www-data seems somehow sketchy, but proftpd and quota work with the user account without unnecessary hassle, and this is very convenient, so I don't want to give up these tools.
Questions: how to solve the problem if you follow the path outlined above in the solution? Or what is an alternative solution to the problem (approaches to the solution)?

2 answer(s)
kamazee, 2012-11-24
@faustoFF

To answer the question as asked: you can agree with egorinsk's answer.
Except that in my case the SUID bit was replaced by sudo (the reasons are roughly described here), and the server can listen not only on TCP but also on a socket file.
With sudo, the solution was this: there is an unprivileged user (www-data, for example) who is given permission to run one script via sudo, and that script can only be read and executed by this user. Inside it there is a big case .. esac with the possible options. Although, generally speaking, how proper such solutions are is a big question.
About the alternative way.
1. Is FTP really needed? For some reason it seems to me that you could make minimal edits to the config, or download an archive of the configs, from the web front-end.
2. What are the local users created in the example above used for? If only for ftp access, it is better to use virtual ones. Why create a system user just for FTP when there may be many clients? But I suspect that perhaps the game server instances themselves will be run under those same users.

egorinsk, 2012-11-24
@egorinsk

A suid shell script with careful checking of the incoming parameters and a key. Or a server running as root that accepts requests to create users over TCP.
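As an added example that is not from the thread (it is neither kamazee's nor egorinsk's own script): one wrapper of the kind both answers describe, run by www-data through sudo, with the "big case .. esac" dispatch and the careful checking of incoming parameters. The script path /usr/local/sbin/ftpquota-admin and the default-build directory /srv/gameserver-default are hypothetical, the quota bounds are constructed for the example, and useradd, passwd (here via chpasswd), cp and quotatool are the tools from the question.

```shell
#!/bin/sh
# ftpquota-admin: the one script www-data may run via sudo (hypothetical name).
# Assumed sudoers line; the file itself must be root-owned and not writable by
# www-data, otherwise www-data could edit it into an arbitrary root command:
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/ftpquota-admin
set -eu
export LC_ALL=C            # make [a-z] mean ASCII, independent of the caller's locale

FTP_BASE=/home                           # from the thread: homes are created under /home
DEFAULT_BUILD=/srv/gameserver-default    # assumed location of the default server build
QUOTA_MIN_MB=100                         # constructed bounds a web request may ask for
QUOTA_MAX_MB=2000
DRY_RUN=${DRY_RUN:-0}                    # DRY_RUN=1 prints the privileged commands instead

# Every argument arrives from the web layer and is treated as untrusted.
# A username must start with a lowercase letter and contain only [a-z0-9_],
# so '-', '/', '..', spaces and shell metacharacters are all rejected.
valid_username() {
    name=$1
    [ "${#name}" -ge 2 ] && [ "${#name}" -le 16 ] || return 1
    case "$name" in
        [a-z]*) ;;
        *) return 1 ;;
    esac
    case "$name" in
        *[!a-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Quota is a plain integer number of megabytes inside the allowed range;
# free-form strings like '500 Mb' are rejected so nothing is ever interpolated.
valid_quota_mb() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$QUOTA_MIN_MB" ] && [ "$1" -le "$QUOTA_MAX_MB" ]
}

# Only accounts this wrapper created may be removed: a non-system UID and a
# home directly under FTP_BASE. Note that "root" passes valid_username alone.
is_managed_account() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -ge 1000 ] || return 1
    home=$(getent passwd "$1" | cut -d: -f6)
    [ "$home" = "$FTP_BASE/$1" ]
}

# Runs a privileged command, or just shows it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

create_user() {
    name=$1; quota=$2
    valid_username "$name" || { echo "rejected username" >&2; exit 2; }
    valid_quota_mb "$quota" || { echo "rejected quota" >&2; exit 2; }
    if getent passwd "$name" >/dev/null; then
        echo "user already exists" >&2; exit 3
    fi
    # The password is read from stdin, never from argv, so it does not show up in ps.
    IFS= read -r password
    run useradd -b "$FTP_BASE" -m "$name"
    printf '%s:%s\n' "$name" "$password" | run chpasswd
    run cp -a "$DEFAULT_BUILD/." "$FTP_BASE/$name/"
    run chown -R "$name:$name" "$FTP_BASE/$name"
    run quotatool -u "$name" -b -l "$quota Mb" "$FTP_BASE"
}

remove_user() {
    name=$1
    valid_username "$name" || { echo "rejected username" >&2; exit 2; }
    is_managed_account "$name" || { echo "not a managed account" >&2; exit 3; }
    run userdel -r "$name"
}

usage() {
    echo "usage: $0 create <username> <quota_mb>  (password on stdin) | remove <username>" >&2
    exit 2
}

main() {
    [ "$#" -ge 1 ] || usage
    cmd=$1; shift
    case "$cmd" in
        create) [ "$#" -eq 2 ] || usage; create_user "$1" "$2" ;;
        remove) [ "$#" -eq 1 ] || usage; remove_user "$1" ;;
        *) usage ;;
    esac
}

# Act only when given arguments, so the checks above can be sourced and tested
# without touching the system.
[ "$#" -eq 0 ] || main "$@"
```

With the sudoers line in place, the PHP side runs `sudo /usr/local/sbin/ftpquota-admin create <name> <quota_mb>` through proc_open (with escapeshellarg on the arguments) and writes the password to the script's stdin; the script, not PHP, decides what a valid name and quota are, which is exactly what keeps www-data from turning useradd into something worse. `DRY_RUN=1` shows the commands that would run without needing root. The name check alone would accept `root` or any other existing lowercase account, which is why removal additionally verifies the UID and the home directory before calling userdel.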
