Box.net or DropBox open source alternatives?
August 13, 2010 2:30 PM Subscribe
Is there an open source / free version of something like Box.net or DropBox? My needs are simple: the ability to password protect folders, and a web interface to download it. Is this something that "comes with" OpenFiler or similar product?
I cannot use a third party to do this.
I need the ability to upload files and share them with people outside the company. Ideally it'd go like this:
1. Create a folder, upload files, put a password on the folder.
2. Send an e-mail to a list of people that includes a link and the password.
Right now I'm having to use FTP, which works but it is a bit clunky.
I cannot use a third party to do this.
I need the ability to upload files and share them with people outside the company. Ideally it'd go like this:
1. Create a folder, upload files, put a password on the folder.
2. Send an e-mail to a list of people that includes a link and the password.
Right now I'm having to use FTP, which works but it is a bit clunky.
The first 2GB of DropBox storage are provided free.
posted by teedee2000 at 2:51 PM on August 13, 2010
posted by teedee2000 at 2:51 PM on August 13, 2010
If your FTP upload went to an Apache installation with directory listings turned on for those specific directories it could do something like this. No web interface to set the passwords, though, you'd have to edit config files for that. Also, I believe that there are ways to customize the directory listings pages.
posted by XMLicious at 3:07 PM on August 13, 2010
posted by XMLicious at 3:07 PM on August 13, 2010
WebDAV will give you the interface you're looking for as far as file upload/download goes; but won't, by itself, do the user management; you good try tools like Nephthys for the management.
posted by rodgerd at 3:11 PM on August 13, 2010 [1 favorite]
posted by rodgerd at 3:11 PM on August 13, 2010 [1 favorite]
I think you guys missed this part:
I cannot use a third party to do this.
What you're describing isn't really a dropbox clone. It's just a web server with password-protected directories. There are many tools for setting up simple web-servers off of your computer, assuming that you have admin rights and that you are able to get through your corporate firewall. (Apache, Tornado, Lighttpd, etc.) Hell, you can even serve files using a single line of python.
That said, if you do want the file-syncing capabilities of dropbox, you could try something like these:
Sparkleshare is a bunch of people working together to build an open-source dropbox (with the underlying code based on git, IIRC). You can build it from source.
You can also try to roll your own. It'd be easy enough to point apache to the same directory that you're sharing this way, and then set up password protection so that you can access it securely through the web.
posted by chrisamiller at 3:15 PM on August 13, 2010 [6 favorites]
I cannot use a third party to do this.
What you're describing isn't really a dropbox clone. It's just a web server with password-protected directories. There are many tools for setting up simple web-servers off of your computer, assuming that you have admin rights and that you are able to get through your corporate firewall. (Apache, Tornado, Lighttpd, etc.) Hell, you can even serve files using a single line of python.
That said, if you do want the file-syncing capabilities of dropbox, you could try something like these:
Sparkleshare is a bunch of people working together to build an open-source dropbox (with the underlying code based on git, IIRC). You can build it from source.
You can also try to roll your own. It'd be easy enough to point apache to the same directory that you're sharing this way, and then set up password protection so that you can access it securely through the web.
posted by chrisamiller at 3:15 PM on August 13, 2010 [6 favorites]
A bit lower-level than you're looking for, but I'm loving Unison for syncing directories across machines. You'd have to throw a web interface on top for publishing, but that ain't rocket science.
posted by Leon at 3:23 PM on August 13, 2010
posted by Leon at 3:23 PM on August 13, 2010
Response by poster: It's just a web server with password-protected directories.
Yeah I should have phrased it that way. Right now I'm using Apache/FTP. I don't need syncing across machines.
And forgive me if this is naive: Are there any configs out there that allow permissions to be set to a directory, easily?
This is probably the big key. I don't need each external user to have their own username/password, ideally I'd have something like an htaccess file (and forgive me if htaccess files can already do this ...), where I tell a user, "Put this file in the directory you want to share, open it in notepad and change the password to whatever you want."
Basically, I really, really don't want to have to be doing this every time someone wants to share something.
posted by geoff. at 3:31 PM on August 13, 2010
Yeah I should have phrased it that way. Right now I'm using Apache/FTP. I don't need syncing across machines.
And forgive me if this is naive: Are there any configs out there that allow permissions to be set to a directory, easily?
This is probably the big key. I don't need each external user to have their own username/password, ideally I'd have something like an htaccess file (and forgive me if htaccess files can already do this ...), where I tell a user, "Put this file in the directory you want to share, open it in notepad and change the password to whatever you want."
Basically, I really, really don't want to have to be doing this every time someone wants to share something.
posted by geoff. at 3:31 PM on August 13, 2010
1. Create a folder, upload files, put a password on the folder.The problem you've stated is simple to solve:
2. Send an e-mail to a list of people that includes a link and the password.
1. Create a folder and upload your files with FTP/SCP/WebDAV. Create an .htpasswd file.
2. Email recipients the credentials you placed in the .htpasswd, and the link to this content. You can even embed it in the URL if desired.
You could write a webapp to embed this in HTTP/HTML, but at that point there's bound to be a CMS system that does this already.
posted by pwnguin at 3:43 PM on August 13, 2010
Maybe a bit half-ass, but couldn't you accomplish this with most version control systems? Set up a Subversion server, create a repository, shut off anonymous browsing, add one (or more) user accounts and then have your users check out a copy of the repository. That would give you the ability to sync locally and, if your users are on Windows, Explorer integration with TortoiseSVN so they don't have to go to the command line.
posted by yerfatma at 3:52 PM on August 13, 2010
posted by yerfatma at 3:52 PM on August 13, 2010
geoff.: "where I tell a user, "Put this file in the directory you want to share, open it in notepad and change the password to whatever you want.""
How important is this data really? If you just made everything public with a hard to guess URL, would that be sufficiently "secure"?
Because as I think about it, you're hoping that nobody ever shares passwords, while making it impossible to detect who actually did so. That's why we have an expectation not to share credentials with anyone, and username/password pairs. So when someone shares credentials, we know who the culprit was. And it's why we store passwords hashed, so that blame cannot shift to the sysadmin who has access to the password file.
posted by pwnguin at 3:55 PM on August 13, 2010
How important is this data really? If you just made everything public with a hard to guess URL, would that be sufficiently "secure"?
Because as I think about it, you're hoping that nobody ever shares passwords, while making it impossible to detect who actually did so. That's why we have an expectation not to share credentials with anyone, and username/password pairs. So when someone shares credentials, we know who the culprit was. And it's why we store passwords hashed, so that blame cannot shift to the sysadmin who has access to the password file.
posted by pwnguin at 3:55 PM on August 13, 2010
Response by poster: pwguin, I agree with you, and this is the way I've been doing for close to 7 years. Today someone outside the company must have attended some seminar and now insists that we password protect every directory. They also insist that we send out the password in the e-mail.
I tried, in vain, to explain how this just gave the illusion of security and the way we are doing it now is just as secure. Giving up, I set up a Box.net account as they have the ability to do this right out of the box. Then they came back and insisted that we need to have the ability to "do this internally." The data is not that sensitive, but this is how it is sometimes.
I spent way too much time trying to explain how these things work, but they aren't going to be happy unless it is coming from our domain and they see a password box of some sort.
posted by geoff. at 4:14 PM on August 13, 2010
I tried, in vain, to explain how this just gave the illusion of security and the way we are doing it now is just as secure. Giving up, I set up a Box.net account as they have the ability to do this right out of the box. Then they came back and insisted that we need to have the ability to "do this internally." The data is not that sensitive, but this is how it is sometimes.
I spent way too much time trying to explain how these things work, but they aren't going to be happy unless it is coming from our domain and they see a password box of some sort.
posted by geoff. at 4:14 PM on August 13, 2010
Yes, OpenFiler does WebDAV (along with all the usual suspects), and ties into Windows/Unix auth systems or comes with its own LDAP, and iSCSI server/initiator for remoting disks. It's great. I use it for share and user management, and Solaris on the back-end for ZFS (which is also great).
posted by meehawl at 5:04 PM on August 13, 2010
posted by meehawl at 5:04 PM on August 13, 2010
I'm a big fan of the Pogoplug, a device that acts as a way to get USB drives into the "cloud." You provide the drives. There's a nice web interface where you can set up sharing, it gives nice-looking previews for multimedia files, a nice photo interface, etc.
You can think of it as a Dropbox where you provide the storage, and it's not far off.
They've announced a Pogoplug Biz that will have some customization features, allow for public uploads, etc., that looks like it'd be a pretty nice solution for you.
posted by eafarris at 6:35 PM on August 13, 2010
You can think of it as a Dropbox where you provide the storage, and it's not far off.
They've announced a Pogoplug Biz that will have some customization features, allow for public uploads, etc., that looks like it'd be a pretty nice solution for you.
posted by eafarris at 6:35 PM on August 13, 2010
Best answer: geoff., the easiest way I know of to set passwords on directories in Apache is to use .htaccess config files. There's lots of Googleable pages that will talk about this, here's one for example. One thing to note is that in current versions of Apache per-directory config files can be disabled (and that might even be the default for security purposes, I don't remember), so if you try this and it doesn't seem to be working that could be why.
posted by XMLicious at 6:59 PM on August 13, 2010
posted by XMLicious at 6:59 PM on August 13, 2010
Well probably not suited for you
googleFS
Can be encrypted too.
Use it only with a new, clean gmail account.
posted by yoyo_nyc at 7:31 PM on August 13, 2010
googleFS
Can be encrypted too.
Use it only with a new, clean gmail account.
posted by yoyo_nyc at 7:31 PM on August 13, 2010
Best answer: XMLicious: "(and that might even be the default for security purposes, I don't remember)"
Also performance. It's a huge hit if Apache has to recurse a up to docroot to find out there's no .htaccess files. So you can disable it. I don't think it's default, at least in Debian/Ubuntu. The part that's security oriented is preventing the world from reading it, or overwriting it.
Hopefully if the boss wants it done in house the boss won't have a problem with configuring apache as required to make it happen.
posted by pwnguin at 9:49 PM on August 13, 2010
Also performance. It's a huge hit if Apache has to recurse a up to docroot to find out there's no .htaccess files. So you can disable it. I don't think it's default, at least in Debian/Ubuntu. The part that's security oriented is preventing the world from reading it, or overwriting it.
Hopefully if the boss wants it done in house the boss won't have a problem with configuring apache as required to make it happen.
posted by pwnguin at 9:49 PM on August 13, 2010
I think that the security reason for disabling it would be that you wouldn't even have to worry about making sure your FTP server / filesystem prevents overwriting the files because they're up in /etc or wherever the apache2.cfg is; it decreases the attack surface.
posted by XMLicious at 10:09 PM on August 13, 2010
posted by XMLicious at 10:09 PM on August 13, 2010
Response by poster: That worked! It was disabled by default. To be honest it has been a long time since I've mucked around with htaccess files. I was so close to just biting the bullet and rolling my own application in Python. Probably wouldn't have been that hard, but I wanted to spend this weekend doing non-work related things. You guys are awesome. Thanks again.
posted by geoff. at 7:12 AM on August 14, 2010
posted by geoff. at 7:12 AM on August 14, 2010
This thread is closed to new comments.
posted by Oktober at 2:41 PM on August 13, 2010