Date: Thu, 27 Jun 2002 20:43:20 -0600 (CST)
From: Ryan Thompson
To: Lee
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Quota in FreeBSD 4.6, Apache 1.3 & Proftpd
In-Reply-To: <012d01c21e20$e438a720$6400a8c0@Administrator>
Message-ID: <20020627202808.E18697-100000@ren.sasknow.com>

Lee wrote to freebsd-questions@FreeBSD.ORG:

> Say I have the above configuration running on a server as in the
> subject. What I wish to achieve is to only allow users to use an
> amount of disk space (quota) that they have paid for.
>
> Now here is the problem, I have read the quota documents from the
> handbook and man pages, they require you to have a different system
> account for each quota you wish to enable.

That's kind of the idea. The OS needs *some* way to differentiate
accounts to assess quotas. But read below.

> Apache runs as the same user (ok I know you can use SUEXEC)
> regardless of the web site being accessed.

Yes, but that doesn't mean that each web site can't (or shouldn't!)
have its own account, as long as the public contents are readable by
Apache. You certainly don't want to have a tree of webs owned by the
Apache user! (But hopefully you knew that ;-)

> Proftpd has quota support enabled, but it seems a little unfinished
> and very little documents are available. Also it appears to be
> based primarily on number of uploads/downloads rather than used disk
> space.

After trying just about everything else, I came back to ProFTPd and
have been happy ever since. I do not, however, rely on any quota
features it has.

> To top all this off I would prefer users to be virtual, i.e. no
> shell accounts at all, possibly with SQL database records instead.

Ok. It is easy for users to have an entry in the password database
(i.e., they have an "account", but not to be allowed shell access to
the system). Simply set their shell to /sbin/nologin. Just make sure
the shell exists in /etc/shells, or most FTPds will deny access. If
you're providing FTP, the users will need writeable home directories,
too.

The existing UNIX user account paradigm actually works for this kind
of setup. That is not to say it will do everything you want, so there
are alternatives that do indeed auth against an SQL database. Read up
on PAM, and the SQL auth modules that are available for it. ProFTPd
can be configured to auth via PAM (or is it by default, even?)

> I already have this sort of setup working for my e-mail using
> VPopMail & Qmail. Ideally I am looking to have my whole setup based
> on databases to allow for a web-based management system.

Good move. Again, read up on PAM.

> What I have thought about doing is writing a shell or perl script
> that checks the used web space at regular intervals and logs it for
> another program to analyse, possibly for billing purposes.

For your quota problem, yes, this is a viable option. Many management
consoles and the like have support for quota checking... but if you
just want to know how much space each account is using,

    cd /home && du -d 1 | sort -n | mail ryan

works pretty good. :-) You'll probably want to run that as root, to
catch directories your regular user account may not have access to.

Note that the above doesn't attempt to *enforce* quotas... but then
you can bill your users for the extra storage :-) With some only
slightly more fancy scripting around that, you could set it to check
limits and only report the offenders, or send the results right to
your billing software, or disable uploads until some files are
deleted. Keep in mind it's a userland solution, and doesn't protect
against the old fill-up-your-disk DoS.

> Can anyone suggest an alternative solution and possibly different
> programs to the problem.
>
> Regards
>
> Lee

--
Ryan Thompson
SaskNow Technologies - http://www.sasknow.com
901 1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600  Fax: 306-664-3630  Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW)  North America
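
The "check limits and only report the offenders" variant mentioned in the reply could look like the sketch below. It is an added example, not part of the original message. The limits file format ("<account> <limit_kb>" per line), DEFAULT_LIMIT_KB and the function names are assumptions, and it uses `du -k` so sizes are in kilobytes.

```sh
#!/bin/sh
# Added example: report only the accounts that are over their paid-for limit.
# Assumption: a limits file with "<account> <limit_kb>" per line ('#' starts
# a comment); accounts that are not listed get DEFAULT_LIMIT_KB.
DEFAULT_LIMIT_KB=${DEFAULT_LIMIT_KB:-102400}

# over_quota LIMITS_FILE
# stdin : output of `cd /home && du -k -d 1` ("<kbytes><TAB>./<account>")
# stdout: "<account><TAB><used_kb><TAB><limit_kb>", largest usage first
over_quota() {
    awk -F '\t' -v limits="$1" -v def="$DEFAULT_LIMIT_KB" '
        BEGIN {
            OFS = "\t"
            # Load per-account limits; a missing or empty file simply
            # means every account is held to the default.
            while ((getline line < limits) > 0) {
                sub(/#.*/, "", line)
                if (split(line, f, " ") >= 2 && f[2] ~ /^[0-9]+$/)
                    limit[f[1]] = f[2]
            }
        }
        # Skip the "." grand-total line and anything that is not du output.
        $1 !~ /^[0-9]+$/ || $2 == "." || $2 == "" { next }
        {
            name = $2
            sub(/^\.\//, "", name)
            lim = (name in limit) ? limit[name] : def
            if ($1 + 0 > lim + 0) print name, $1, lim
        }
    ' | sort -t "$(printf '\t')" -k 2,2nr
}

# Constructed sample data, so the function can be tried without touching /home.
demo() {
    lf=$(mktemp) || return 1
    printf '%s\n' '# account limit_kb' 'alice 51200' 'bob 204800' > "$lf"
    printf '60000\t./alice\n150000\t./bob\n120000\t./carol\n330000\t.\n' |
        over_quota "$lf"
    rm -f "$lf"
}
```

Run from root's crontab as `cd /home && du -k -d 1 | over_quota <limits file>` and pipe the result to mail or the billing system. Like the one-liner it only reports usage after the fact; it does not stop a user from filling the disk.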