[scponly] Integrating a file sharing system (long)

Sven Ulland sveniu at ifi.uio.no
Thu Aug 24 15:44:33 EDT 2006


Hi. I've started a project for a standalone file sharing system where
people can use both sftp/scp and a web interface (WebDAV or something)
for uploading and downloading files. This is to be used in a
development environment where people can share builds and other files.

The thing is, I want the entire system to resemble the design of
mailman and similar systems: The admin can create "projects" (mailing
lists in mailman) and add individual users (mail addresses in mailman)
to the projects.

Additionally, it would be truly sweet if each project could be
assigned an owner (list owner in mailman) that can add or remove
project members without bothering the admin for every little change.

The user base is kept in a local LDAP database, and the users are a
mixture of both internal (fetched from the main company LDAP database)
and external (added to the local LDAP database as needed) participants.

An example:
* Admin creates a project called "foobar-sdk".
* Admin assigns the user "joeblow" as project owner. (optional)
* joeblow or admin can use some sort of script or interface to add
  users to the project.
   - If the user is internal, fetch username and password from the
     main company LDAP database and store it in a local LDAP database.
   - If the user is external, add the user to the local LDAP database
     and set a password.
   - Set the users' homedirs to /opt/users/<user>/files (chroot to
     user homedir with scponly).
   - Add them to the appropriate posix groups (projects).
* Now the users can log in and upload/download files in any project
  they are members of.

This presents some challenges with regard to scp/sftp with scponly:
* A user "jane" can be a member of several projects, for example
  "foobar-sdk" and "parrot-db". A thought-of solution to this is to use
  something like this upon login with sftp/scp/web:
    "mount --bind /opt/projects/foobar-sdk /opt/users/jane/files/foobar-sdk"
    "mount --bind /opt/projects/parrot-db /opt/users/jane/files/parrot-sdk"
  .. so that jane can see all her projects (and her own files) when
  logging in with scp/sftp.
* Also, each project folder (/opt/projects/*) would have the setgid
  bit set, so that the group membership is maintained for uploaded
  files.

This must surely call for code modification in scponly or the pam ldap
modules? What I'm thinking of doing is:
- In the LDAP database, each user can have a list of groups he/she is
  a member of (groups would here be projects, really).
- When the user logs in, scponly/pamldap fetches the list of groups
  and mounts all the project directories in the user's own homedir
  using "mount --bind".
- umount the project folders when logging out, or perhaps using a
  cronjob if it's hard to tell whether a user has logged out or not.

Maybe I have to allow sudo access to the "mount" command for the ssh
user?

(On a sidenote, I also plan to have an automated revision system for
all files: Using inotify (to see when directory contents change), I'll
run rsync to a backup directory so that the user always can go back to
previous versions of the files.)

So, any comments or suggestions on where to start or what to do?

regards,
Sven U
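As an added example (not code from the post above or from the scponly project), here is a sketch of the login/logout hook the post describes: create a setgid project directory, and at session open bind-mount every project the user is a member of into the user's chrooted home, skipping anything that is not a real project or whose name could escape the directory tree. It assumes the layout from the post (/opt/projects/<project>, /opt/users/<user>/files), that project membership is expressed as POSIX group membership (resolved with id -Gn, i.e. through NSS, which is where the LDAP lookup would plug in), that mountpoint(1) from util-linux is available, and that the script runs as root from a session hook rather than via sudo for the sftp user. DRY_RUN=1 makes the functions print the commands instead of running them, which is also how the example can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the original post or scponly. Assumed layout:
#   PROJECTS_ROOT/<project>     shared, group-owned, setgid directories
#   USERS_ROOT/<user>/files     the user's chroot; projects are bind-mounted below it
PROJECTS_ROOT="${PROJECTS_ROOT:-/opt/projects}"
USERS_ROOT="${USERS_ROOT:-/opt/users}"

# Run a command, or just print it when DRY_RUN=1 (for inspection/testing).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Create a project directory owned by the project's group, setgid so uploaded
# files inherit the group, and with no access for "other".
create_project() {
  run install -d -m 2770 -g "$1" "$PROJECTS_ROOT/$1"
}

# Bind-mount the named projects into USER's chroot: mount_projects USER GROUP...
# Group names come from the directory service, so they are validated before
# being used as path components.
mount_projects() {
  user=$1; shift
  home="$USERS_ROOT/$user/files"
  for g in "$@"; do
    case $g in
      ''|*/*|.*|*..*) printf 'skipping suspicious group name: %s\n' "$g" >&2; continue ;;
    esac
    src="$PROJECTS_ROOT/$g"
    [ -d "$src" ] || continue          # ordinary group, not a project
    target="$home/$g"
    run mkdir -p "$target"
    # Idempotent: a second concurrent session must not stack another mount.
    if command -v mountpoint >/dev/null 2>&1 && mountpoint -q "$target" 2>/dev/null; then
      continue
    fi
    run mount --bind "$src" "$target"
  done
}

# Session open: resolve the user's groups via NSS (LDAP behind it) and mount.
login_mount() {
  groups=$(id -Gn "$1" 2>/dev/null) || return 1
  # shellcheck disable=SC2086
  mount_projects "$1" $groups
}

# Session close: unmount only the entries below the user's home that really are
# mount points, so plain directories (the user's own files) are left alone.
umount_projects() {
  home="$USERS_ROOT/$1/files"
  for d in "$home"/*/; do
    d=${d%/}
    [ -d "$d" ] || continue
    if command -v mountpoint >/dev/null 2>&1 && mountpoint -q "$d" 2>/dev/null; then
      run umount "$d"
    fi
  done
}

# Usage: projshare.sh create PROJECT | login USER | logout USER
if [ $# -gt 0 ]; then
  case $1 in
    create) create_project "$2" ;;
    login)  login_mount "$2" ;;
    logout) umount_projects "$2" ;;
    *) echo "usage: $0 create PROJECT | login USER | logout USER" >&2; exit 2 ;;
  esac
fi
```

The point of doing it this way rather than giving the sftp user sudo access to mount (the question at the end of the post) is that a user who may run mount as root can mount anything anywhere; here the only thing the user controls is which groups they are in, and even that is checked before it touches a path. A natural place to call "login"/"logout" as root is a session hook in the sshd PAM stack (pam_exec.so runs a command at session open and close), which also answers the "how do I know when the user logged out" question without a cron job; note that umount of one user's bind mount does not affect another user's view of the same project, since each session mounts into its own home.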


