FTP Retrieval System
Overview
This page documents the configuration and process for allowing warehouse data requesters to retrieve their data over ftp.
The goals of this system are as follows:
- Allow users to retrieve their requested data over the internet.
- Limit users to retrieving only the data they have requested.
- Disallow shell access for users; file retrieval only.
- Require that users provide a username and password when retrieving their data.
- Require users to retrieve their data within a specified time frame.
- Avoid duplicating data on the server.
- Prevent users from changing data housed on the server.
- Maintain the directory structure of requested data.
- Automate the system configuration as much as possible.
The basic procedure is as follows:
- Configure the ftp server to restrict users to their home directory.
- Create a user account and home directory for the data requester. The account is created with an expiration date and prohibition of ssh access.
- Create a directory tree to match that of the requested data within the user's home directory.
- Use mount --bind to effectively symlink the tree in the user's home directory to the requested data in the main data store.
- Generate a wget script containing the user's credentials to download the requested data from the mounts in their home directory.
Preliminary Configuration
This section describes the steps necessary to configure the ftp server to accomplish the goals above. These steps have already been applied to viking.
Create a user group for ftponly users
This step is necessary to allow the ssh daemon to differentiate ftp-only users from general users. FTP is normally served (on viking/centos) by vsftpd, but in order to allow ftp-only access and prohibit shell access, the ssh daemon has an ftp-only subsystem. The following creates a group called sftponly:
Create an alternate home directory for ftponly users
This step is not strictly necessary but may simplify maintenance later. Users with ftp-only access are given their own home directory, which is distinct from /home/, which is shared among legitimate users. The following creates an alternate root directory called /home-ftponly/:
sudo mkdir /home-ftponly/
Enable sftp-only subsystem for the ssh daemon
The ssh daemon has an ftp-only subsystem. This is an alternative to the normal ftp server, vsftpd. Using the ftp subsystem of the ssh daemon is an easy way to block shell access for ftp-only users. The following configuration matches any user belonging to the ftponly group (here called sftponly) and forces those users into their own home directory (shown here as /home-ftponly/[username]).
Configuration of /etc/ssh/sshd_config
## The following section enables sftp-only access for users in the sftponly group
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /home-ftponly/%u
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
In order to fully enable the ftp access, a few more steps are necessary. These steps are performed when a new ftponly user is created using the script described in another section.
- Give root ownership of /home-ftponly/username
sudo chown root:root /home-ftponly/username
- Give read and execute permissions to group and other
sudo chmod go+rx /home-ftponly/username
sudo chmod go+rx /home-ftponly/username/any/mounts/
- Then create the directories and mount.
The script that performs user setup is /var/DWUtils/FTPAccount/usermaker.sh
The script for user deletion is /var/DWUtils/FTPAccount/userdel.sh
A user account, ftpacctmaker, was created and added to sudoers with nopassword access for the above scripts only. The web codebehind executes the above script under the ftpacctmaker account to create the account and set up the mounts.
FTP User account management scripts
Usermaker.sh
The user account creation script will create an ftp-only user account and configure the account accordingly, including the creation of read-only mounts which reference directories on the warehouse file system. This script can also be used to mount additional directories for access by existing accounts. This script should only be used for ftp-only user accounts. Attempting to use this script for general users may have unexpected consequences, as this script manipulates permissions on the user's home directory.
[request-id] [ftp-username] [ftp-password] [account-expiration] [paths-to-mount...]
- authorizer - User name of warehouse admin executing this script. This is only used for logging.
- request-id - The request id for which this account is being created or for which the given paths are being mounted. This is only used for logging.
- ftp-username - The user name to be created and whose home directory will be used as the mount destination. The user account may already exist.
- ftp-password - The password for a newly created ftp-only user account. If the account given by ftp-username already exists, this parameter has no effect and an arbitrary placeholder value should be used.
- account-expiration - A date formatted as YYYY-MM-DD upon which the user account will expire. If the user account given by ftp-username already exists, then the expiration of that account is set to account-expiration.
- paths-to-mount... - A space-delimited list of file system paths which will be mounted as read-only mount points in the user's home directory.
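The basic procedure and the usermaker.sh parameters above, sketched as an added example (this is not the site's usermaker.sh): a dry-run planner that validates the user name, expiration date and paths before printing the commands root would run, which matters because the real script is reachable from the web tier through passwordless sudo. The function name, the /warehouse data-store root and the useradd options are assumptions; password setting and the wget script are left out.

```shell
#!/bin/sh
# Added example: a dry-run planner, not the site's usermaker.sh.
# /warehouse is a hypothetical data-store root; /home-ftponly is from the page.
WAREHOUSE_ROOT=/warehouse
FTP_HOME_ROOT=/home-ftponly

# plan_ftp_account USER EXPIRY PATH... (hypothetical name)
# Validates every argument first, then prints the commands root would run.
# The body is a subshell: 'exit' only leaves the function, variables stay local.
plan_ftp_account() (
    LC_ALL=C    # byte-wise character ranges in the patterns below
    user=$1 expiry=$2
    [ "$#" -ge 3 ] || { echo "usage: USER YYYY-MM-DD PATH..." >&2; exit 2; }
    shift 2
    # The user name ends up in a path and in useradd: strict allow-list.
    case $user in
        ''|[!a-z]*|*[!a-z0-9_-]*) echo "rejected user name" >&2; exit 1 ;;
    esac
    case $expiry in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "rejected expiration date" >&2; exit 1 ;;
    esac
    # Paths: under the data store, no '..' component, no shell metacharacters.
    for p in "$@"; do
        case $p in
            *[!A-Za-z0-9_./-]*|*/../*|*/..) echo "rejected path: $p" >&2; exit 1 ;;
            "$WAREHOUSE_ROOT"/?*) ;;
            *) echo "path outside $WAREHOUSE_ROOT: $p" >&2; exit 1 ;;
        esac
    done
    home=$FTP_HOME_ROOT/$user
    echo "useradd -M -d $home -g sftponly -s /sbin/nologin -e $expiry $user"
    # sshd rejects a ChrootDirectory that is not root-owned or is group/other-writable.
    echo "mkdir -p $home"
    echo "chown root:root $home"
    echo "chmod 755 $home"
    for p in "$@"; do
        dest=$home$p
        echo "mkdir -p $dest"
        echo "mount --bind $p $dest"
        # A bind mount takes the source's options (normally rw); the remount makes it read-only.
        echo "mount -o remount,ro,bind $dest"
    done
)

# Constructed sample request; this only prints the plan, it runs nothing.
plan_ftp_account req1234 2030-01-31 /warehouse/sales/2019 /warehouse/hr/export
```

The path checks are lexical only: a symlink inside the data store can still point elsewhere, so resolve each path (for example with realpath) and re-check the prefix before mounting.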