FTP users for clients with disk quota

neokrish

Is it possible with Aegir (in future versions) to create FTP/SSH accounts, with disk quota limits, for each client site that I create? The problem as of now is that I have the flexibility of creating sites for clients in a wink but cannot provide them with any FTP user accounts to upload files/modules.

The suggestion of creating a symlink, as mentioned in http://groups.drupal.org/node/41584, does not serve the purpose, as that way I cannot restrict the user from exceeding their disk quota (which is Ubuntu set for their home folder).

Comments

Not sure I follow?

jamiet

Can you not create a user with FTP and disk quotas on their home directory (/home/ftpuser/), have them use that directory to place all of their files, and then symlink to that directory using a folder named files (/var/aegir/platform/site/mydomain.com/files/)?

Have you tried that? The other comment about permissions and group membership / ownership may present other gotchas I haven't considered though?

HTH,

JamieT

neokrish

JamieT, my idea is to give complete access to the clientdomain.com folder inside the sites folder in any platform where the client has the site. This way they can add modules and themes as needed. Giving a symlink in clientdomain.com/clientfiles to /home/ftpusers/clientname will not allow them to add modules/themes.

jamiet

OK - I was assuming you only wanted this so the client can add images and local files. I personally would have reservations about allowing a client control of local modules and themes, as that gives them the ability to access settings.php and 'hack' Drupal through that file or a custom module; this could also compromise the server. I guess it depends on the clients you have - most of my clients wouldn't know what to do with the module / theme / settings.php stuff anyway, so I would try and hide it from them and give them just a files directory.

I guess for your scenario could you have the following structure:
/home/clientftp/files
/home/clientftp/modules
/home/clientftp/themes

and then within the site/clientdomain.com have symlinks as follows:
sites/clientdomain.com/files -> /home/clientftp/files
sites/clientdomain.com/modules -> /home/clientftp/modules
sites/clientdomain.com/themes -> /home/clientftp/themes

It's a bit more work to set up but could be easily scripted in a bash script if you are doing it regularly - this has the added benefit of hiding settings.php, which Aegir regenerates/controls, so you would not want them modifying it anyway.

HTH,

JamieT

omega8cc

This is a completely wrong idea. You will break your Aegir install completely this way, so it will no longer be able to manage (migrate/verify/backup) the hosted sites properly, since it expects them as a standard vanilla Drupal multisite directory structure, without using symlinks for sites/domain/modules, sites/domain/themes and sites/domain/files.

jamiet

OK - it was just a suggestion. I didn't realise it would not play nice with Aegir? ;)

Out of curiosity, how would it break or not work - I guess backup would not work properly and would need workarounds etc? Would the symlinks not copy across with a migrate function, or is it the permissions issue that would get in the way?

Are symlinks a complete no-no in this scenario or could you still symlink a files folder just not modules / themes?

Would like to understand the reasoning for it not working so I avoid giving out duff info next time ;)

TIA,

JamieT

omega8cc

In short, you will end up trying to clone Aegir's built-in checks for system consistency (ownership and permissions on dirs/files) by hand and in custom shell scripting. You will also lose the ability to migrate sites between (remote) servers. I'm not sure, but it can also break the migration task (depending on some possible permissions issues which can break Aegir's ability to check module version compatibility etc.). Some tasks may fail or at least get stuck without completing, because they will be started just after the user has made another funny upload with permissions 600/700 on his module and your maintenance script has not been fired up yet to fix those permissions etc. In short, you are opening big doors to welcome many never-before-known problems and generate time-consuming support requests. I think it is not worth playing that game.

If you really want to track/limit your users' disk usage (however, you should probably worry about the crappy code they are using to overload your database server, rather than about disk space, which is cheap these days), then why not use your custom shell script to periodically run du -s -h on his sites/domain directories? I think you are trying to add some basic stuff (like monitoring disk space used) by breaking all possible good practices (by hacking Aegir) instead of using some trivial shell scripting to monitor and report/alert on all sites' disk usage.

[EDIT] And, if you really know what you are doing by opening FTP access per site (!), use the PureFTPd server with its built-in virtual root (chroot), upload tracking etc., and set that user's sites/domain as his $HOME.
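
The periodic disk-usage check suggested in the comment above could look like the following. This is an added example, not part of the original thread or of Aegir; the function name `report_site_usage`, the `<root>/<platform>/sites/<domain>` layout and the KiB limit are assumptions, and it uses `du -sk` rather than `du -s -h` so the sizes can be compared numerically.

```shell
#!/bin/sh
# Added example: per-site disk usage report for a Drupal multisite tree.
# Assumed layout: <root>/<platform>/sites/<domain>/

# report_site_usage ROOT LIMIT_KB
# Prints "STATUS<TAB>KB<TAB>PATH" for every site directory.
# Returns 1 if at least one site is over LIMIT_KB, 0 otherwise.
report_site_usage() {
    root=$1
    limit_kb=$2
    over=0
    for dir in "$root"/*/sites/*/; do
        dir=${dir%/}
        [ -d "$dir" ] || continue      # the glob matched nothing
        [ -L "$dir" ] && continue      # symlinked entry: counted at its target
        case ${dir##*/} in
            all|default) continue ;;   # shared Drupal dirs, not a client site
        esac
        # -s: one total, -k: 1 KiB units, -x: do not cross filesystems
        kb=$(du -skx "$dir" 2>/dev/null | cut -f1)
        [ -n "$kb" ] || continue       # unreadable directory: skip it
        if [ "$kb" -gt "$limit_kb" ]; then
            status=OVER
            over=1
        else
            status=ok
        fi
        printf '%s\t%s\t%s\n' "$status" "$kb" "$dir"
    done
    return "$over"
}
```

Run from cron as the user that owns the platforms, the non-zero return code can drive a mail or alert step without touching ownership or permissions inside the sites directories.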

neokrish

wow.... wonderful explanation, omega8cc. Thanks for taking time to respond in detail.

jamiet

Thanks for explaining further. I must admit I wasn't personally thinking of doing this, as most of my clients are small businesses that want a website and do not want to get into the detail of Drupal etc. As a result I wouldn't dream of giving them that kind of power, and they are far more comfortable uploading files etc. using the Drupal contrib web interfaces. On the odd exception that a large file needed uploading, I would handle that for them and make sure it all tied up nicely.

I suggested the symlink as an option for the OP - thanks for pointing out the flaws in the advice as I wouldn't want anyone to get burnt based on my random thoughts ;).

Regards,

JamieT

daledude

Adding FTP accounts, etc., would be a cool feature for Aegir. What's better ... system level accounts (needed for filesystem quotas) or using any virtual quota system? Some FTP servers have interesting ways of dealing with users and quotas, but then how to handle web server or SSH access?

Till then my initial attempt at this would be to symlink or "bind mount" platforms/*/sites/clientdomain.com to /home/clientname/clientdomain.com. chown clientname recursively across clientdomain.com. chmod g+rw recursively across clientdomain.com since everything should be group owned by aegir or www-data already and we need those groups to continue having read/write access. Might have to chmod g+s on clientdomain.com. Set umask for group write. Recursively do those perms using cron since file uploads through apache would be owned by www-data.

Or, use an FTP server with quotas. ProFTPD keeps quotas in a file or db, so you can script something to manage those numbers without messing with file system permissions.
