Configuring for Virtual Users

Virtual Users differ from restricted users, unrestricted users, and anonymous users in that they only exist for FTP. They do not require you to modify your system's account list (such as /etc/passwd), instead you create special files that are only used by NcFTPd.

Essentially, by using virtual users, you are telling NcFTPd that when a remote FTP client uses a certain username and password pair, that you want NcFTPd to allow access to a specified directory tree using a specified UID (user ID) and GIDs (group IDs). Note that actual UID and GID privileges are used for virtual users -- these UIDs/GIDs need not be registered with the system in /etc/passwd, but if they correspond to that of a registered user, a virtual user is running as that registered user for all intents and purposes.

For example, if you have an existing user in /etc/passwd named joeuser with UID 313, and you create a virtual user and assign UID 313, then the virtual user has access to the same files as joeuser. This can be good or bad, depending on what you want to do, but this should be understood before you create virtual users.

Password Databases

Virtual users are stored in NcFTPd Password Databases. To create virtual user accounts, you use the ncftpd_passwd utility program. Once created, you tell NcFTPd to use your database by using the option passwd and specify your database file.

A handy thing about the passwd option is that you can use two or more database files, or a combination of database files and /etc/passwd (which may be a misnomer, but you use the text "/etc/passwd" in the passwd option whenever you want NcFTPd to use your system's actual user authentication method, whether it be a real /etc/passwd file or NIS, LDAP, etc.). For example, if you want to be sure users in /etc/passwd take precedent over your virtual users for a particular domain, you could set "passwd=/etc/passwd,/usr/local/etc/ncftpd/my.passwd.db" for your domain's passwd option.

Virtual Users are also Restricted

For virtual users, you will most likely want to restrict them to their assigned directory; in fact, it is the default, unless you change the u-always-restrict-virtual-users configuration option. The reason for that default behavior is more of a sanity check, since that is what most sites prefer and it is possible to forget to place the virtual user in a restricted group, leaving your server's entire directory tree available for perusal.

back home