NcFTPd: User Management: Configuring for Restricted Users

Configuring for Restricted Users

Restricted Users are a special type of non-anonymous user, with the only difference being that these users are not allowed to access any file or directory outside of their home directory. Therefore, before proceeding, be sure you have configured the server for regular non-anonymous users, since the same basic setup is required (i.e. you need to setup accounts in /etc/passwd, have their accounts' program shells match an entry in /etc/shells, etc.).

Restricting users to their home directories makes your system more secure since the user won't be able to access other files on the system that her permissions allow, such as system configuration files like /etc/passwd. Naturally, restricting users is not very useful if you also allow the user to login directly with telnet or ssh, so be sure you've read the previous section on how you can avoid that.

Note: As of NcFTPd 2.8.1, users are restricted to their home directory by default. No additional setup with u-restricted-groups is required. If you don't want users restricted to their home directories, you can set u-restrict-mode=unrestricted in the general.cf file.

Restricted groups

The way NcFTPd distinguishes between restricted and unrestricted users is by the concept of a Restricted Group. When a user logs in, the user's group list is checked and if the user is a member of a restricted group, the user is classifed as a Restricted User.

The restricted groups are managed like you would normally manage user groups, which is usually the file /etc/group but could also be maintained using a service such as NIS or LDAP.

The /etc/group file (and NIS/LDAP/etc.) do not classify the groups as restricted, but instead you tell NcFTPd which groups should be considered restricted. This is done by using the u-restricted-groups option in the general.cf file.

For example, if you wanted to make sure that the groups customers and guests were restricted, you could use "u-restricted-groups=customers,guests" in your general.cf file. See the documentation for the u-restricted-groups option for more elaborate examples.

Verifying that a user is restricted

Naturally you will want to double-check that the user is really restricted once you have NcFTPd up and running. You can login with a command-line FTP program and make sure the server replies with "Restricted user logged in." You will also want to try accessing files that the user should not be able to access, i.e. those outside her directory.

Here is an example session using /usr/bin/ftp. Note how the last "230" line tells you that the user is restricted:

$ ftp localhost
Connected to localhost.localdomain.
220 localhost.localdomain NcFTPd Server (licensed copy) ready.
Name (localhost:gleason): joeuser
331 User joeuser okay, need password.
Password:
230-You are user #1 of 60 simultaneous users allowed.
230-
230 Restricted user logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit

Multiple restricted user classes

Starting with NcFTPd 2.8.0, you can configure multiple user classes, with each user class having its own set of groups (u-restricted-groups) and restriction options (u-restrict-mode). The reason that might be appealing is because you could create different types of restricted users, such as one class ("read-only") that can download files but not upload new files, and another class ("add-only") that can add new files but not download files. It would also let you do something like have a class that is allowed to download files, not allowed to upload or delete files, but is allowed to create and remove directories. See the documentation on user classes for details.

Symbolic links are not allowed outside restricted users' home directories

This should be obvious, but it bears mentioning. If users can simply follow symbolic links outside their restricted area, they aren't really restricted. That would be especially dangerous if the user has permission to create symbolic links.

Additional Notes

If you choose to restrict users by using restricted groups, you may want to consider creating a single master restricted group in /etc/group rather than trying to specify dozens of group names to u-restricted-groups. For example, if you create and maintain a group named restrict and add each user you want to restrict to that group, then you can simply use "u-restricted-groups=restrict" with NcFTPd and not have to reconfigure NcFTPd each time you tweak the list of users you want to restrict. Since users can be members of multiple groups, it makes sense to create a separate master restricted group for use only by NcFTPd.

Another similarly easy suggestion is to do something like "u-restricted-groups=all except wheel,admins" and restrict everyone except a small group of administrators.