User Management
Anonymous users
Traditionally there have always been two sets of FTP users: anonymous
users and the rest, the non-anonymous users. Anonymous users
are typically those from outside your network who visit your site to download
files your site has made available to the public. These users log in
to an FTP server with the username anonymous and, as a common courtesy,
use their e-mail address as their password. The FTP server then gives
them access to a file area set aside for public access.
Non-anonymous users
The non-anonymous users are those who have real accounts on the FTP server
machine. These users have access to the entire filesystem (because
they have it when they log in and use the machine itself), and their typical
use of FTP is just copying files to and from the machine for their personal use.
Restricted users
With the advent of the World Wide Web, it is now common for users to never
need to actually log in to an FTP server machine, even though they have a real
account on the machine. These user accounts serve only as a drop-off
point for data files used by other processes on the server machine, such
as an HTTP server. Internet Service Providers (ISPs) often create
user accounts on the server machine and require that the user use FTP
to manage their web document tree, instead of logging into the machine
directly.
For these types of users, NcFTPd offers a feature called restricted
users. The server administrator classifies those users by having
them share a common UNIX group ID (often named restrict), and
configures NcFTPd to restrict those users to their home
directory, so they would not be able to use FTP to download /etc/passwd
or upload to /tmp, for example. The administrator could
also take additional measures on that account, such as removing the ability
to log in with telnet, receive mail, etc., so that the server machine
has fewer security risks to worry about.
Separate password databases and virtual users
Non-anonymous users and restricted users still require the creation of
a real user account. NcFTPd also lets you create and manage
your own NcFTPd Password Databases, whose sole purpose is FTP
login authentication. You will often create accounts in a password
database that also exist in the system's regular /etc/passwd file,
but the real power and flexibility comes from being able to create additional
accounts that exist only in an NcFTPd password database. Users
that exist in a password database but not in /etc/passwd are
called virtual users.
Reasons you will want to use virtual users:
- Security: users cannot telnet in using that account.
- Manageability: your /etc/passwd is not cluttered with a
large number of accounts that don't really use the machine.
You also don't have to go through the regular setup process of creating
a real user account.
- Performance: user authentication using /etc/passwd
degrades with a large number of accounts because the entire file must be
sequentially scanned, while a password database is indexed for speed.
You can use an NcFTPd password database as a replacement for or a supplement
to your /etc/passwd. For each domain hosted by the machine,
you can configure NcFTPd to check different or shared password
databases, with or without /etc/passwd, and in any order.
Since NcFTPd does not require any supplementary files in the
FTP directory, it is painless to set up a new user: you just use the
ncftpd_passwd utility program to add the user to a password database
(and make sure that their directory exists).
Since virtual users emulate real users, the default for a virtual login
is to have a home directory but not be restricted to that
directory. Most often you will want virtual users to also be
restricted users, so that a virtual user cannot get outside of their designated
directory. For restricted virtual users, you simply give the
virtual user membership in a restricted group, just as you do with regular
non-anonymous users.