After a database has been created, you must configure the domain so that NcFTPd uses your database in place of (or in addition to) /etc/passwd. See the domain.cf option passwd for details. You will need to restart NcFTPd if you change the domain's passwd option, but you do not need to restart whenever you modify the database file.
Important:
Example 1: Add the mgleason user above, into a database named /usr/local/etc/ncftpd/pwdb/passwd.db.
Example 2: Add the mgleason user above, setting the password to secret.
Example 3: Add the mgleason user above, with user and group name replacement.
If you would prefer to input each field interactively (rather than constructing the colon-delimited record), you can (with version 2.8.6 or later) invoke ncftpd_passwd with the -A flag, like this:
Example: Change the password for mgleason to myxlplxx (using the -c flag also).
If you would prefer to edit each field interactively (rather than querying and modifying the colon-delimited record), you can (with version 2.8.6 or later) invoke ncftpd_passwd with the -U flag along with the user to edit, like this:
This flag can also be used by a non-superuser to change their own password entry. This requires some special setup, as described in the section on advanced options below.
Example 1: Change the password for mgleason to myxlplxx
```
root# ncftpd_passwd -f /usr/local/etc/ncftpd/pwdb/passwd.db -p mgleason
New password for mgleason:
Verify password for mgleason:
Password changed for user mgleason.
```

Example 2: Change the encrypted password for mgleason:

```
root# ncftpd_passwd -f /us.../passwd.db -p mgleason -P 'd.Ts7N8a3ozbQ'
```
Example: Query mgleason's record.
```
root# ncftpd_passwd -f /usr/local/etc/ncftpd/pwdb/passwd.db -Q mgleason
User: mgleason
Encrypted password: 75hv0xCjznz1U
UID: 500
GID: 600
Supplementary GIDs: 700, 701, 702
GECOS: Mike Gleason
Home directory: /home/mgleason
Shell: /bin/ksh
```
Example: Delete mgleason's record.
Example: Dump the entire passwd.db database.
```
root# ncftpd_passwd -f /usr/local/etc/ncftpd/pwdb/passwd.db -x
pgleason:ldDbXYr308x.w:502:600,700:Patrick Gleason:/home/pgleason:/bin/tcsh
jgleason:OvHSMCPLgL6bA:501:600:Jimmy Gleason:/home/jgleason:/bin/bash
mgleason:75hv0xCjznz1U:500:600,700,701,702:Mike Gleason:/home/mgleason:/bin/ksh
```
Example:
```
root# cat new.txt
mmgleason:unUuvgMaz/h76:696:33,31:Michelle Gleason:/home/mmgleason:/bin/ksh
ccw:cohBaSYXLIMZ2:296:37,32:Dawn Gleason:/home/ccw:/bin/ksh
dgleason:vFSZRNvPk4qFI:894:34,26:Dani Gleason:/home/dgleason:/bin/ksh
root# ncftpd_passwd -f /usr/local/etc/ncftpd/pwdb/passwd.db -i new.txt
```
Example:
NcFTPd uses a superset of the /etc/passwd format for user records, by adding additional fields after the shell field.
Here's an example that shows one record in /etc/passwd format and a second record which takes advantage of the additional fields:
```
mmgleason:unUuvgMaz/h76:696:33:Michelle Gleason:/home/mmgleason:/bin/ksh
m2gleason:unUuvgMaz/h76:696:33:Michelle Gleason:/home/mmgleason:/bin/ksh:700:600:5:3:umask=027,perm=-W +nM:15:45
```
The complete list of fields is then:
| # | Field | Notes |
|---|---|---|
| 1 | Username | |
| 2 | Password | Encrypted; standard UNIX DES password encryption is used by default. |
| 3 | UID | |
| 4 | GIDs | A comma-delimited list consisting of the primary GID followed by the supplementary group IDs. |
| 5 | Full name | Not used by NcFTPd. May be left blank. Traditionally, UNIX systems have used this field to also include "GECOS" information, such as phone numbers, office location, etc. |
| 6 | Home directory | |
| 7 | Shell | Not used by NcFTPd. May be left blank. |
| 8 | Disk usage kilobytes, hard limit | |
| 9 | Disk usage kilobytes, soft limit | |
| 10 | Maximum number of files, hard limit | |
| 11 | Maximum number of files, soft limit | |
| 12 | Miscellaneous data field | See below for details. |
| 13 | Download bandwidth limit, in kilobytes per second | |
| 14 | Upload bandwidth limit, in kilobytes per second | |
Fields 5 (full name) and 7 (shell) are not used by NcFTPd and may be left blank. Older versions of NcFTPd required a valid shell field even though it was never used.
Fields 8, 9, 10, 11, 13, 14 are used for NcFTPd Quotas and are described in more detail there, but to enable those features you can simply use ncftpd_passwd with a record formatted similarly to the m2gleason record above. Quota fields do not take effect with a value of 0 or if they are empty.
Field 12 was formerly reserved for future use as a quota options field. This field is now a general "catch all" field for some extra variables (in a similar vein to how the full name field was extended to include GECOS information). The variables are comma-delimited option=value pairs. The following variables are defined:
| Variable | Value | Description |
|---|---|---|
| umask | octal digits | This can be used to assign the umask on a per-user basis, rather than a per-domain basis (via the u-umask domain.cf option). |
| perm | user permissions string | This can be used to assign the extended user permissions on a per-user basis rather than a group basis (via the u-restricted-groups general.cf option). |
The second mode (call it Mode 2) is where the system administrator decides to let a regular user own and maintain the password database, and the administrator configures a domain in NcFTPd's domain.cf file to use this file as a password database. In this mode, NcFTPd ignores the user ID and group ID fields in the password database, but instead all users in the database are treated as equivalent to the regular user that owns the password database.
The third mode (Mode 3) is where the system administrator changes ncftpd_passwd so that it is owned by root and enables the "setuid" bit. The password databases are owned by root and mode 0600, but ncftpd_passwd can be run by a regular user to create user accounts with the same privileges as his own. For this mode to work, the administrator must create a file called /etc/ftp.passwd.conf which contains a list of files that users may modify using ncftpd_passwd.
The fourth mode (Mode 4) is intended to be used by CGI programs. Like Mode 3, ncftpd_passwd is setuid-root, but unlike Mode 3, it can modify any and all accounts in the database, as well as add accounts with any privileges.
To use Mode 2, you simply set the password database name in the domain.cf file, and let the user run ncftpd_passwd to create users. Create the database with their first user, and make sure the database file is owned by the user you want to maintain it. You may want to create a shell script for them that simplifies use of the program. For example, it is easy to forget to include the -f flag and the password database path, so you might have your script hard-code that.
Internet Service Providers often have a regular user own their own virtual domain, and in this case it makes sense to allow the domain owner to maintain the database of users that access this domain. However, you must remember that there's nothing to stop a malicious user from trying to exploit your system, because any users created have identical privileges. For example, a malicious user may create a user whose home directory is "/" which would give the user access to files and directories which his user privileges allow, such as read access to /usr/bin and /etc/passwd. It is up to you to properly restrict who runs ncftpd_passwd and what input is sent to it.
Using Mode 3 requires a special file to be created by the system administrator, the /etc/ftp.passwd.conf file. This file contains the files that regular users running ncftpd_passwd are allowed to modify. Each line in the (plain text) file should be the absolute pathname of a password database file followed by a space, followed by a comma-delimited list of users that are allowed to modify this database. You may use the keyword ALL in place of a user list to denote that any user may modify the database. In addition, a line can be commented-out by having the first character be a # character.
An example /etc/ftp.passwd.conf file:
```
# List of password databases:
#
/usr/local/etc/ncftpd/pwdb/dbfile1.db ALL
/usr/local/etc/ncftpd/pwdb/dbfile2.db mgleason,mweiss,ccw
```
You would then make a setuid-root copy of ncftpd_passwd and arrange that only the users you wish to run the program are able to do so. The example below shows how to do this, but lets all users run the program, since the copy is made publicly executable. You may wish to create a group in /etc/group and use group permissions to restrict access.
```
# chown root /usr/customers/bin/ncftpd_passwd
# chgrp root /usr/customers/bin/ncftpd_passwd
# chmod 4711 /usr/customers/bin/ncftpd_passwd
# ls -l /usr/customers/bin/ncftpd_passwd
-rws--x--x 1 root root 39960 Jul 18 00:09 ncftpd_passwd
```
Finally, the /etc/ftp.passwd.conf file must be owned by root and mode 0600.
Using Mode 4 also requires the /etc/ftp.passwd.conf file. The difference is that the list of users includes the special token allow-setuid-root. Example:
```
# List of password databases:
#
/usr/local/etc/ncftpd/passwd.db web,allow-setuid-root
```
Next, make a copy of ncftpd_passwd which is setuid to root and setgid to the web server user. This example assumes that the web server user is named web and is the only member of a group named web:
```
# chown root /home/httpd/bin/ncftpd_passwd
# chgrp web /home/httpd/bin/ncftpd_passwd
# chmod 4710 /home/httpd/bin/ncftpd_passwd
# ls -l /home/httpd/bin/ncftpd_passwd
-rws--x--- 1 root web 39960 Jul 18 00:09 ncftpd_passwd
```
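An added example, not part of NcFTPd: a Python reader for the /etc/ftp.passwd.conf format described above (comment lines, the ALL keyword, the allow-setuid-root token) that answers whether a user may modify a given database in Mode 3 or Mode 4, plus an audit of a setuid copy's stat() fields against the chmod 4711 and 4710 setups shown. It mirrors only the rules the page states; the real ncftpd_passwd may check more.

```python
import os, stat

SETUID_TOKEN = "allow-setuid-root"   # Mode 4 marker inside the user list

def parse_ftp_passwd_conf(text):
    """Map each database path to (allowed users, setuid-root flag)."""
    acl = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):          # blank or commented-out line
            continue
        parts = line.split(None, 1)                   # "<abs path> <comma list>"
        if len(parts) != 2 or not parts[0].startswith("/"):
            raise ValueError(f"line {lineno}: expected '<absolute path> <user list>'")
        tokens = {t for t in parts[1].split(",") if t}
        acl[os.path.normpath(parts[0])] = (tokens - {SETUID_TOKEN}, SETUID_TOKEN in tokens)
    return acl

def may_modify(acl, db_path, user):
    """Return (allowed, mode), mode being 'mode3', 'mode4' or None."""
    entry = acl.get(os.path.normpath(db_path))
    if entry is None:
        return False, None
    users, setuid_root = entry
    if "ALL" in users or user in users:
        return True, "mode4" if setuid_root else "mode3"
    return False, None

def audit_setuid_copy(st_uid, st_gid, st_mode, mode4, web_gid=None):
    """Compare a copy's stat() fields with the page's chmod 4711 / 4710 setups."""
    problems = []
    if st_uid != 0:
        problems.append("not owned by root")
    if not st_mode & stat.S_ISUID:
        problems.append("setuid bit not set")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable")
    if mode4:                                        # 4710: web group only
        if st_mode & stat.S_IXOTH:
            problems.append("world-executable: any local user can reach the setuid-root copy")
        if st_gid != web_gid:
            problems.append("group is not the web server group")
    return problems
# Constructed sample conf, following the two examples on the page.
CONSTRUCTED_CONF = """\
# List of password databases:
/usr/local/etc/ncftpd/pwdb/dbfile1.db ALL
/usr/local/etc/ncftpd/pwdb/dbfile2.db mgleason,mweiss,ccw
/usr/local/etc/ncftpd/passwd.db web,allow-setuid-root
"""
```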
You could then create a CGI program that would run this copy of ncftpd_passwd. It is up to you to secure this script so that only administrators can run it; for example, you might put it behind an SSL-enabled server and then have your CGI program prompt for a password. If you don't do that, anyone who knows the URL to your CGI can fully manipulate the password database!
Remember, it is up to your CGI program to restrict what input is sent to ncftpd_passwd. For example, you would probably want to ensure that users cannot be created with a privileged UID, or have a home directory of "/" unless you really want to do that.
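As an added example (not NcFTPd's own code) covering both the record format in the field table above and the input restriction this section asks a wrapper to enforce: a Python parser for the 7- or 14-field record, followed by the policy checks a Mode 2 script or Mode 4 CGI front end would run before invoking ncftpd_passwd. The UID floor and home-directory prefix are assumed site policy, not NcFTPd settings.

```python
import re

CORE = ("user", "pw_hash", "uid", "gids", "gecos", "home", "shell")
QUOTA = ("disk_hard_kb", "disk_soft_kb", "files_hard", "files_soft")

def parse_record(line):
    """Parse one record into a dict; fields 8-14 are optional, as in the page's table."""
    f = line.rstrip("\n").split(":")
    if len(f) not in (7, 14):
        raise ValueError(f"expected 7 or 14 fields, got {len(f)}")
    rec = dict(zip(CORE, f))
    rec["uid"] = int(f[2])
    rec["gids"] = [int(g) for g in f[3].split(",") if g]   # primary GID first
    rec["quotas"], rec["options"] = {}, {}
    rec["down_kbps"] = rec["up_kbps"] = 0
    if len(f) == 14:
        # An empty quota field counts as 0, which the page says means "not in effect".
        rec["quotas"] = {k: int(v or 0) for k, v in zip(QUOTA, f[7:11])}
        for kv in filter(None, f[11].split(",")):          # field 12: option=value pairs
            key, sep, val = kv.partition("=")
            if not sep:
                raise ValueError(f"field 12 entry without '=': {kv!r}")
            rec["options"][key] = val
        rec["down_kbps"], rec["up_kbps"] = int(f[12] or 0), int(f[13] or 0)
    return rec

def vet_record(rec, min_uid=1000, home_prefix="/home/"):
    """Policy checks a Mode 2 / CGI wrapper should apply before calling ncftpd_passwd;
    min_uid and home_prefix are assumed site policy, not NcFTPd settings."""
    problems = []
    if not re.fullmatch(r"[a-z_][a-z0-9_-]*", rec["user"]):
        problems.append("bad username")   # also rejects a leading '-' that could read as a flag
    if rec["uid"] < min_uid or 0 in rec["gids"]:
        problems.append("privileged UID/GID")
    home = rec["home"]
    if home == "/" or not home.startswith(home_prefix) or ".." in home.split("/"):
        problems.append("home outside allowed tree")
    unknown = sorted(set(rec["options"]) - {"umask", "perm"})
    if unknown:
        problems.append("unknown field-12 options: " + ",".join(unknown))
    um = rec["options"].get("umask")
    if um is not None and not re.fullmatch(r"[0-7]{1,4}", um):
        problems.append("umask is not octal")
    return problems
```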