From Tim Pellett on Fri, 20 Aug 1999
I found you on the internet and was wondering if you could answer my question/problem.
I am renting space on a Unix/Apache server and am at the user level. We are allowed to redistribute the space given to us and I want to set up file quotas. I do not want to give space to other people w/o setting up file size limits.
I asked the ISP and they said I can do it myself using 'file quota software'. I cannot find such a product for a unix/apache server. Everything is Win 95/NT etc. I cannot use the quota command b/c I do not have access to sys admin files.
Do you have any suggestions? I have been trying to figure this out for months now, and am getting frustrated!
Let's see if I got this right ... you have some virtual hosted web space (not a co-located server but an account on your ISP's web server). They somehow allow you to create further accounts in your virtual space. You want to do this, and to apply quotas to those sublet accounts.
I can't help but ask the obvious economic question, why would someone go through you to get this service rather than getting directly from your ISP? Is there really enough wiggle room in the margins for an arbitrage opportunity here?
In any event, getting back to the technical question...
You don't mention which version of UNIX you are using. Support for system quotas is one of those things that varies considerably from one version of UNIX to another.
If your ISP's support people say it can be done with software that they know of --- please press them for the specifics.
My guess would be that the solution would depend quite a bit on which version of UNIX this system was running, and a bit on the specifics of their account management system. If they are providing you with your own chroot jail, and giving you access to create your own UNIX accounts within that jail, they'd have to be providing some pretty hairy clones to a large number of administrative utilities in order to have any chance of maintaining any semblance of system security.
(Technically all of the account management in UNIX is done in user space. The kernel only respects UIDs and GIDs for making access determinations. Consequently, you could theoretically create almost any sort of account management scheme you wanted, if you were willing to rewrite enough of the utility and library infrastructure to support it. I doubt they've done this, so I have serious misgivings about the security of their approach).
Of course I'm guessing that you're talking about some sort of relatively generalized shell/FTP/mail support for these "sublet" user IDs.
If you're willing to force your customers to go through a custom interface to update their web pages (and you're constraining them solely to web page publication) you could use somewhat simpler models.
Let's assume that you are only interested in web page publication. I'm guessing that the account management then boils down to something like a set of CGI/PHP scripts that allow users to update their accounts (and manage the usernames, passwords, directory structures and any accounting data that you maintain).
You'd also be providing some sort of mechanism for them to upload their new web masterpieces. Whatever mechanism you provide to do this (presumably a set of CGI programs or scripts) can perform the quota calculations and implement your policy enforcement. It seems like quite a lot of custom coding to duplicate a set of functions that are already provided by the underlying operating system.
All in all it seems like it would be much easier and not much more expensive to co-locate a server of your own at some ISP site. Then you could use established OS system features and utilities to manage all of this.
Otherwise I can see a general solution to your question that doesn't involve an utter lack of security on the part of your ISP. If they essentially give you 'root' access to this shared server then you have to ask what protection they are offering their customers from one another. That becomes a question of how they are protecting your customers from their other customers (some of whom might be your competitors in this bizarre multi-level ISP scheme).
I notice that you don't actually say you're trying to sell this space to other people. The technical problems are the same in any event.
In any event you'd have to provide quite a bit more detail about what version of UNIX this ISP is using (and keep in mind that I'm the Linux AnswerGuy so Solaris, AIX, and other UNIX questions may be ignored), about what account management mechanisms they are using, about which services you intend to provide and about what mechanisms and protocols you intend for them to use in updating their web pages.
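
Added example, not part of the original column and not any ISP's software: the quota calculation and policy check that an upload script of the kind described above would have to perform itself when OS quotas are unavailable. The names `tree_usage`, `store_upload` and `QuotaExceeded`, and the one-directory-per-user layout, are assumptions made for illustration.

```python
import os
import stat
import tempfile

class QuotaExceeded(Exception):
    """Raised when an upload would push a user's tree past its limit."""

def tree_usage(root):
    """Bytes held by regular files under root.

    Uses lstat so symlinks are never followed out of the tree, and counts
    each (device, inode) once so hard links cannot be double-charged.
    """
    seen, total = set(), 0
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            st = os.lstat(os.path.join(dirpath, name))
            key = (st.st_dev, st.st_ino)
            if stat.S_ISREG(st.st_mode) and key not in seen:
                seen.add(key)
                total += st.st_size
    return total

def store_upload(user_root, rel_name, data, quota_bytes):
    """Write data to user_root/rel_name only if the tree stays within quota.

    Returns the usage after the write.
    """
    root = os.path.realpath(user_root)
    target = os.path.realpath(os.path.join(root, rel_name))
    # Reject names that resolve outside the user's tree ("../", absolute
    # paths, symlinked directories) before touching the disk.
    if target == root or os.path.commonpath([root, target]) != root:
        raise ValueError("upload path escapes user directory")
    # Replacing an existing page frees the space it currently occupies.
    old = os.lstat(target).st_size if os.path.isfile(target) else 0
    if tree_usage(root) - old + len(data) > quota_bytes:
        raise QuotaExceeded(rel_name)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    # Write to a temporary file and rename it into place, so a failed
    # write never leaves a truncated page behind.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(target))
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.replace(tmp, target)
    return tree_usage(root)
```

The check and the write are not atomic, so concurrent uploads for the same user need a per-user lock around `store_upload`.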