This is the README file for the ConFUSEd project.
Copyright 2010 Jeffrey A. Kintscher <websurfer@surf2c.net>
-- Licensing
ConFUSEd is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
ConFUSEd is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with ConFUSEd. If not, see <http://www.gnu.org/licenses/>.
The GNU General Public License can be found in the COPYING file.
-- About
ConFUSEd stands for "Conf Filesystem in USErspace daemon". It uses the FUSE
driver to provide a filesystem containing conf files that are dynamically
generated from a database. Conf files are files that consist of lines
containing keys and values in the format 'key=value'. Each file name, key,
and value is stored in a 3rd-party database.
Using a database server to serve up conf files is a lot of overhead, but the
following use case explains the motivation for creating the project.
-- Use Case
The Very Secure FTP Daemon, vsftpd, has a mechanism for providing per-user
configuration options (see the vsftpd.conf man page for details). When a
user tries to log in, vsftpd checks a specified directory for a file with the
same name as the user, and then uses any settings contained in the file to
override the same vsftpd.conf settings for that user's FTP session.
It is common to configure vsftpd to use PAM to look up the user names and
passwords in a database. Combining virtual users with per-user config files
allows the creation of FTP sites with sophisticated user management.
There is one detail that can cause headaches for system administrators and
end-users: the FTP user config files and directory must belong to the same
system user and group as the vsftpd daemon, which is typically root.root (for
security reasons). The permissions for the directory and files are also
typically set to read/write for root and nothing for everyone else (again,
for valid security reasons). However, this means that only someone with
superuser access can create/modify the FTP user config files. So, while sys
admins can easily delegate FTP user creation/deletion/password management to
trusted database users, the sys admins still have to directly manage the FTP
user config files.
A scenario that illustrates this problem is an FTP server located at a remote
office that is managed by IT at the home office, which is several time zones
away. The FTP server is primarily used by the remote office to exchange
files with vendors/customers that are local to them. A trusted employee at
the remote office has permission to manage FTP user names and passwords in
the database, but has to wait for someone in IT at the home office to
create/modify the per-user config files. This tends to cause frustration at
the remote office because the differences in working hours and priorities
between the two offices can cause the simple task of FTP account changes to
take a few days.
With ConFUSEd, the contents of the per-user config files can be moved to the
same database as the FTP user names and passwords. The mount point for
ConFUSEd would be set to the user config directory specified in vsftpd.conf.
When a user tries to log in, vsftpd looks for a file with the same name as the
user in the user config directory and checks the file ownership and
permissions. The FUSE driver passes the filesystem requests to ConFUSEd,
which queries the user (i.e. file) name in the database and, if found,
returns a directory entry with the correct file name, ownership, and
permissions. Vsftpd then opens and reads the file, with ConFUSEd returning
the file contents queried from the database.
In the scenario above, ConFUSEd allows someone at the remote office to manage
the FTP users without needing root access or involving someone in IT at the
home office.
-- Configuration
Follow the instructions in the INSTALL file to configure and build ConFUSEd.
The following command line will configure ConFUSEd with MySQL support, build
the project, and install the files under /usr/local.
./configure --enable-mysql
make
make install
Next, edit the file /usr/local/etc/confused.conf (or wherever you told
configure to install it). There are descriptions in the file, and executing
"confused --check-conf-file" will have confused verify the contents and exit.
Don't forget to create the required database tables and users (which is
beyond the scope of this document).