Bit of a newbie question, I'm afraid, since I'm just getting into web apps. One of the things I need to include in the current application is a sort of "web drive" - a way for users to upload and download personal files through the web browser.

I'm thinking the best way to do this is to create a unix account for each user, and have the files stored in their home areas - is this a good way to go about it? How would I merge my webapp and linux authentication, so they can log in using their linux password and have access to just their personal files? Would my rails app itself need to be running as root to do all this, and is that a bad idea?

Any alternative architectural suggestions would be welcomed - I have a lot of ruby experience, but none with rails.

martin

Make it all virtual and keep the files in the DB.

Lots of people will disagree with this method. :-)

Creating Unix home accounts for everyone is an unnecessary security risk, IMHO.

--
-- Tom Mornini

On Oct 6, 2005, at 9:25 AM, Martin DeMello wrote:

> I'm thinking the best way to do this is to create a unix account for each
> user, and have the files stored in their home areas - is this a good way to
> go about it? [...] Would my rails app itself need to be running as root to
> do all this, and is that a bad idea?

Tom Mornini <tmornini-W/9V78bTXriB+jHODAdFcQ@public.gmane.org> writes:

> Creating Unix home accounts for everyone is an unnecessary security
> risk, IMHO.

And can quickly become a management headache. Count me as a vote for no unix accounts.

--
Doug Alcorn - http://lathi.net/RubyOnRailsDeveloper
doug-jGAhs73c5XxeoWH0uzbU5w@public.gmane.org

Sounds like you want webdav - not sure where rails would fit into this?

On 06/10/05, Martin DeMello <martindemello-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> One of the things I need to include in the current application is a sort
> of "web drive" - a way for users to upload and download personal files
> through the web browser. [...]
>
> martin
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails

--
Rasputin :: Jack of All Trades - Master of Nuns

It's part of a larger app, but it's the feature I'm not really sure how best to implement.

martin

On 10/7/05, Dick Davies <rasputnik-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> Sounds like you want webdav - not sure where rails would fit into this?

Hi Martin,

I might face a similar problem in a couple of days time.

Is this somewhat similar to FTP transfer?

Thanks n Regards
Dibya Prakash

On 10/7/05, Martin DeMello <martindemello-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> It's part of a larger app, but it's the feature I'm not really sure
> how best to implement.
>
> martin

Well, fairly similar, except that everything has to be done through the browser.

martin

On 10/7/05, Dibya Prakash <prakash.dibya-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> I might face a similar problem in a couple of days time.
>
> Is this somewhat similar to FTP transfer?

On 10/6/05, Martin DeMello <martindemello-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> It's part of a larger app, but it's the feature I'm not really sure
> how best to implement.

One way...

Keep all files on disk in one big tree, with the top level directories being the usernames. Have it all owned by the webserver user. The biggest pain is coding the tree structure and the associated web interface.

I would also run a separate instance of the webserver that handles just this one application. That way it won't be possible for any other parts of your application to write to the file tree, whether on accident or through a security bug.

If the information is private in nature and you need good security, then things could get considerably more complex.

Chris

On Oct 7, 2005, at 12:07 PM, snacktime wrote:

> On 10/6/05, Martin DeMello <martindemello-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > It's part of a larger app, but it's the feature I'm not really sure
> > how best to implement.
>
> One way...
>
> Keep all files on disk in one big tree, with the top level
> directories being the usernames. Have it all owned by the
> webserver user. The biggest pain is coding the tree structure and
> the associated web interface. I would also run a separate instance
> of the webserver that handles just this one application. That way
> it won't be possible for any other parts of your application to
> write to the file tree, whether on accident or through a security bug.

And how does one provide even a modicum of security to this model?

And what if the username changes? That's equivalent to creating DB tables with non-synthetic primary keys, a practice taught in lore, but really abusively limiting in the real world, and certainly frowned upon in the Rails frameworks...

What is everyone's issue with storing images in a DB? Don't bother with performance issues, because we can all agree that it's faster to serve them directly. Of course, ISAM files are faster than relational DBs, but we rarely use them anymore, either. :-)

--
-- Tom Mornini

On 10/7/05, Tom Mornini <tmornini-W/9V78bTXriB+jHODAdFcQ@public.gmane.org> wrote:

> On Oct 7, 2005, at 12:07 PM, snacktime wrote:
>
> > Keep all files on disk in one big tree, with the top level directories
> > being the usernames. Have it all owned by the webserver user. The biggest
> > pain is coding the tree structure and the associated web interface. I would
> > also run a separate instance of the webserver that handles just this one
> > application. That way it won't be possible for any other parts of your
> > application to write to the file tree, whether on accident or through a
> > security bug.
>
> And how does one provide even a modicum of security to this model?

I don't see how it's inherently any more or less secure than using one database user to access tables that store information for multiple users?

> And what if the username changes? That's equivalent to creating DB
> tables with non-synthetic primary keys, a practice taught in lore, but
> really abusively limiting in the real world, and certainly frowned upon
> in the Rails frameworks...

I understand the logic, but I don't see how it's necessarily limiting. It depends on the application.

> What is everyone's issue with storing images in a DB? Don't bother
> with performance issues, because we can all agree that it's faster to
> serve them directly.

It's an extra layer. Sometimes it might be a more reliable or easier to use layer, but it's still an extra layer. Whether it's better to use the filesystem or the DB depends on the application. One isn't inherently better than the other.

Chris

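An added example, not code from anyone in this thread: a small Ruby store implementing Chris's "one tree owned by the webserver user" layout, keyed by a synthetic user id instead of the username (so Tom's rename case does not move files), and giving the "modicum of security" he asks about by refusing any user-supplied path that resolves outside that user's own directory. The class name, the id-per-directory layout and the 0600 file mode are my assumptions.

```ruby
require 'fileutils'
require 'tmpdir'

# One tree on disk, owned by the web server user, with one top-level
# directory per user. Directories are named by a synthetic numeric id,
# not the username, so a rename never has to move files.
class UserFileStore
  class AccessDenied < StandardError; end

  def initialize(root)
    @root = File.expand_path(root)
    FileUtils.mkdir_p(@root)
  end

  # Map a user-supplied relative path to an absolute path that is
  # guaranteed to lie inside that user's directory. This is the only
  # place paths are built, so every read/write goes through the check.
  def resolve(user_id, relative_path)
    rel = relative_path.to_s
    # expand_path would treat a leading "~" as a home directory lookup
    raise AccessDenied, "home-dir expansion not allowed" if rel.start_with?('~')
    user_dir = File.join(@root, Integer(user_id).to_s)
    # expand_path collapses "." and ".." and ignores the base for absolute
    # paths, so anything that escaped user_dir shows up here and is rejected
    full = File.expand_path(rel, user_dir)
    unless full == user_dir || full.start_with?(user_dir + File::SEPARATOR)
      raise AccessDenied, "path escapes user directory"
    end
    full
  end

  # Store uploaded data; 0600 keeps the file readable only by the web
  # server user (assumed mode), which is the only account touching the tree.
  def write(user_id, relative_path, data)
    path = resolve(user_id, relative_path)
    FileUtils.mkdir_p(File.dirname(path))
    File.open(path, 'wb', 0600) { |f| f.write(data) }
    path
  end

  def read(user_id, relative_path)
    File.binread(resolve(user_id, relative_path))
  end
end
```

Handing the resolved path to send_file keeps the whole tree outside the document root, so the web server never serves one user's files to another by URL alone.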
Have you guys looked at this:

http://wiki.rubyonrails.com/rails/pages/HowtoUploadFiles

and this:

http://wiki.rubyonrails.com/rails/pages/HowtoSendFiles

which says:

"... This is particularly useful for keeping a private file repository out of the web servers document root and governing access per user. Assumes you are using Action Pack 0.8.0 (Rails 0.6.5) or later"

HTH,
-- shanko

--- Martin DeMello <martindemello-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> Well, fairly similar, except that everything has to be done through the browser.
>
> martin
