Setting up a Secure Shared projects folder for distributed users
We use a VPS hosted on the web as our shared projects folder to share files between team members in a safe and secure way. It is set up so that users can mount a folder on the VPS onto their local machines via SSHFS and access the contents of the shared folder. The permissions in the folder are managed by a script that runs on the server. The script and its configuration are managed through an automatic deployment process using git. In the following article we describe how you can set up your own secure shared folder on the web.
Setting up a VPS
You will have to buy a VPS from one of the VPS providers out there. The following are providers we have worked with and are happy with - Linode.com, wiredtree.com, hostgator.com. For
- Linode - http://bit.ly/HSAxRd
- Hostgator - http://bit.ly/rr8MDO
- Wiredtree - http://bit.ly/u6Zd8O
System Requirements
The script was written for a CentOS based VPS. You will have to ensure that the acl package (which provides setfacl and getfacl) is installed on the server, since folder permissions are applied as POSIX ACLs, and that the filesystem holding the shared folder is mounted with ACL support (check the mount options or tune2fs -l on the device).
Get script from github
The script which we have developed for the secured shared projects folder can be obtained from our github repository. You can download this from - https://github.com/zyxware/Secure-Shared-Document-Store
What does the script do (in brief)
The cron job runs the script at whatever interval you set in cron. If the config has changed since the last run, the script syncs the changes from the config file onto the server: it adds new users and groups that were added to the conf, disables users and groups that were disabled in the conf, and adds or modifies folders listed in the conf. The script also syncs the permissions of folders and files that users have created in the shared folder. During this sync, every child folder or file created outside of the configuration file inherits the permissions of its parent.
Setting up the script on the VPS
To set up the script on the server you need a git server that the VPS can reach. You can use github, or your own git server if you have one like we do. Create a repository on your git server and add the script folder to it. Keep this repository private: it holds the user and permission configuration and the logs the script pushes back. Next log on to the VPS as root and clone the newly created repository onto the VPS, say to a folder named /root/doc-store-admin. Now add a cron job to run the sync-users.sh script every hour; you can use a shorter interval if you want faster syncing between the configuration and the actual system state. Note that the script runs as root and applies whatever the repository contains, so anyone who can push to that repository effectively has root on the VPS; restrict push access accordingly.
Configuring the script
Clone the script repository from your git server onto your local machine. Edit the doc-store.conf file to create or modify users, groups or folders on the VPS. Commit and push these changes. That is all: the next time the cron job runs on the server, the changes are applied. Changes and any errors are logged to the log files, which are pushed back into the repository, so you will see them the next time you pull.
The following variables have to be initialized correctly inside the script:
HOME_DIR="/home/team"
GROUP_PREFIX="z_"
USER_PREFIX="u_"
KEY_FOLDER="keys"
BASE_PATH="/home/doc-store"
You can change these to suit your setup.
Managing Users
The system uses key-based login for the users. Since SSHFS only needs SFTP, it is worth restricting these accounts to the sftp subsystem in sshd_config rather than giving them a full interactive shell. The user configuration is very simple: for every user you wish to add on the server, create a section in the config file with the following information
[user user_name]
keys = keyfile.pub
status = enabled
The status field is optional and only needs to be set when you wish to disable a user, by giving it the value disabled. The keys field can list more than one key file for the same user; changes to it are reflected on the server at the next sync. Remember to add each key file to the keys folder inside the script folder (only public keys belong there).
Managing Groups
[group group_name]
users = user_1 user_name_2 user_3
status = enabled
The status field is optional and only needs to be set when you wish to disable a group, by giving it the value disabled. The users field lists the users you wish to add to the group. When you add or remove users from an existing group, the corresponding change is reflected on the server as well.
Managing Projects
You can use the script to manage read/write permissions for users and groups on folders on the machine. The configuration for managing this is as follows
[folder path_to_folder]
owner = user_1
group = group_name_1
rousers = user_4 user_5
rogroup = group_name_2
rwusers = user_2 user_3
rwgroups = project_managers
The path to the folder, relative to the doc-store root (BASE_PATH), is set as path_to_folder. The rest of the fields are more or less self explanatory. The owner and group define the owner and group for the folder and any files in it. The rousers and rogroups fields (the example above spells the latter rogroup; check which spelling your copy of the script parses) list users and groups who should have read-only access to the files. The rwusers and rwgroups fields list the users and groups who should have read and write permissions on the folder and the files inside it.
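To make the user, group and folder sections above concrete, here is a dry-run planner, an added example that is not the Zyxware sync-users.sh script: it reads a doc-store.conf in the format described above and prints the commands a sync would run, so a config change can be reviewed before it lands on the server. It uses the article's prefixes and paths; the home-directory layout under HOME_DIR, the way authorized_keys is rebuilt from the keys folder, the handling of disabled users, and the mapping from rousers/rogroups/rwusers/rwgroups to POSIX ACL entries are this example's own assumptions, and all names in the sample config are hypothetical. It needs bash (associative arrays and regex matching).

```bash
# Added example, not the Zyxware sync-users.sh: a dry-run planner that reads a
# doc-store.conf in the format described above and prints the commands a sync
# would run, so a config change can be reviewed before it lands on the server.
# The home layout, key handling and config-to-ACL mapping are assumptions here.
GROUP_PREFIX="z_"
USER_PREFIX="u_"
KEY_FOLDER="keys"
BASE_PATH="/home/doc-store"
HOME_DIR="/home/team"

# Constructed sample config; every name in it is hypothetical.
SAMPLE_CONF='[user alice]
keys = alice.pub alice-laptop.pub
[user bob]
keys = bob.pub
status = disabled
[user carol]
keys = carol.pub
[group devs]
users = alice bob
[folder projects/alpha]
owner = alice
group = devs
rousers = carol
rwgroups = devs
'

# emit_section TYPE NAME: print the commands for one section; its key/value pairs come from the caller's KV array.
emit_section() {
  local type="$1" name="$2" u g d m k spec
  case "$type" in
    user)
      u="${USER_PREFIX}${name}"
      if [[ "${KV[status]:-enabled}" == "disabled" ]]; then
        # Locking the password does not stop key-based login: drop the keys too.
        echo "usermod -L -s /sbin/nologin $u"
        echo "rm -f $HOME_DIR/$u/.ssh/authorized_keys"
        return 0
      fi
      echo "id $u >/dev/null 2>&1 || useradd -m -d $HOME_DIR/$u -s /bin/bash $u"
      echo "install -d -m 700 -o $u -g $u $HOME_DIR/$u/.ssh"
      # authorized_keys is rebuilt from the listed files, so a removed key disappears.
      spec=""
      for k in ${KV[keys]:-}; do spec="$spec $KEY_FOLDER/$k"; done
      echo "cat$spec > $HOME_DIR/$u/.ssh/authorized_keys"
      echo "chown $u:$u $HOME_DIR/$u/.ssh/authorized_keys && chmod 600 $HOME_DIR/$u/.ssh/authorized_keys"
      ;;
    group)
      g="${GROUP_PREFIX}${name}"
      echo "getent group $g >/dev/null || groupadd $g"
      for m in ${KV[users]:-}; do echo "usermod -aG $g ${USER_PREFIX}$m"; done
      ;;
    folder)
      d="$BASE_PATH/$name"
      echo "mkdir -p $d"
      echo "chown -R ${USER_PREFIX}${KV[owner]}:${GROUP_PREFIX}${KV[group]} $d"
      echo "chmod -R o-rwx $d"
      # Access ACL for what exists now: X grants execute only on directories and
      # on files that already have it, so data files do not become executable.
      spec=""
      for m in ${KV[rousers]:-};  do spec="$spec,u:${USER_PREFIX}$m:rX";  done
      for m in ${KV[rogroups]:-}; do spec="$spec,g:${GROUP_PREFIX}$m:rX"; done
      for m in ${KV[rwusers]:-};  do spec="$spec,u:${USER_PREFIX}$m:rwX"; done
      for m in ${KV[rwgroups]:-}; do spec="$spec,g:${GROUP_PREFIX}$m:rwX"; done
      spec="${spec#,}"
      # Clear old entries first so a user dropped from the conf really loses access.
      echo "setfacl -R -b $d"
      if [[ -n "$spec" ]]; then
        echo "setfacl -R -m $spec $d"
        # Default ACL (-d) is what new children inherit: plain x here, the file
        # creation mode's mask limits it on regular files (names are lowercase).
        echo "setfacl -R -d -m ${spec//X/x} $d"
      fi
      ;;
  esac
  return 0
}

# plan_from_conf: read a conf on stdin and print the complete command plan.
plan_from_conf() {
  local line type="" name=""
  local hdr='^\[([a-z]+)[[:space:]]+([^]]+)]$'
  local kv='^([a-z]+)[[:space:]]*=[[:space:]]*(.*[^[:space:]])[[:space:]]*$'
  declare -A KV=()
  while IFS= read -r line || [[ -n "$line" ]]; do
    line="${line%%#*}"                              # strip comments
    [[ -z "${line//[[:space:]]/}" ]] && continue    # skip blank lines
    if [[ "$line" =~ $hdr ]]; then
      [[ -n "$type" ]] && emit_section "$type" "$name"
      type="${BASH_REMATCH[1]}"; name="${BASH_REMATCH[2]}"; KV=()
    elif [[ "$line" =~ $kv ]]; then
      KV["${BASH_REMATCH[1]}"]="${BASH_REMATCH[2]}"
    fi
  done
  [[ -n "$type" ]] && emit_section "$type" "$name"
  return 0
}

plan_from_conf <<<"$SAMPLE_CONF"
```

Run it against your own conf with plan_from_conf < doc-store.conf and read the output before letting anything execute as root. Two points worth noting in the plan: a disabled user loses the authorized_keys file and gets a nologin shell, because locking the password alone leaves key-based login working; and every folder's ACL is wiped with setfacl -b before being reapplied, because otherwise a user removed from rousers or rwusers would keep the entry from the previous sync.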