NcFTPd: User Management: Extended User Permissions

Extended User Permissions

A new layer of fine-grained access controls which sits on top of the standard UNIX filesystem access controls was introduced starting with NcFTPd 2.8.0.

Opt	Name	Description
`R`	ReadAll	Intended to include all file read permission type operations; currently only includes `r`.
`r`	FileRead	Controls whether a file can be downloaded.
`W`	WriteAll	Includes all file write permission type operations, the `m`, `a`, and `c` options, and also includes the other filesystem-modifying operations `d`, `n`, `M`, `D`, `t`, `o`, and `l`.
`w`	FileWrite	Includes all file write permission type operations, the `m`, `a`, and `c` options.
`m`	Modify	Controls whether an existing file can be uploaded into or overwritten.
`a`	Append	Controls whether a file can be appended to with uploaded data.
`c`	Create	Controls whether new files can be added.
`d`	Delete	Controls whether existing files can be deleted.
`n`	Rename	Controls whether existing files or directories can be renamed.
`L`	List	Controls whether directory listings are allowed.
`C`	Chdir	Controls whether changing the current working directory is allowed. It is recommended that a user always have this permission so that their FTP client programs work correctly.
`M`	Mkdir	Controls whether new directories can be created.
`D`	Rmdir	Controls whether existing directories can be deleted.
`t`	Utime	Controls whether existing files or directories can have their modification timestamp changed using a `SITE UTIME` command. Note: a user always has permission to set the timestamp of the last file the user successfully uploaded in the same login session.
`u`	Umask	Controls whether users are allowed to change their `umask` using a `SITE UMASK` command.
`o`	Chmod	Controls whether the standard UNIX filesystem permission bits can be changed with `chmod` via a `SITE CHMOD` command.
`l`	Symlink	Controls whether new symbolic links can be created using a `SITE SYMLINK` command.
`*`	All	Includes all options. Useful for situations where you want to remove all permissions and add back just a few. For example the user permissions string `"-* +CL"` creates a "browse-only" user by removing all permissions but adding back the ability to list and change directories.

Using Extended User Permissions

Extended User Permissions were introduced because system administrators needed more control than NcFTPd's existing configurable options (such as u-write-permission, u-read-only-groups, and u-restricted-groups) could give them.

A user permissions string (UPS) is simply a list of the one letter option codes, preceded by a one-character modifier. The modifiers are "-", which disables a permission, and "+", which enables a permission. A simple UPS which removes read permission would be "-r".

User permissions strings can contain multiple operations. A UPS which removes Write permission but adds back Rename permission would be "-W +n". A UPS that removes all permissions but adds back FileRead, List, and Chdir permissions would be "-* +rCL".

There are three primary places where you would use a user permissions string: as part of a user class with the u-restrict-mode option; a specific virtual user's record in a ncftpd_passwd database; and a specific user as directed from an "Authd" (NcFTPd External Custom Authentication).

Any of those three places can apply a user permissions string to change the permissions attributes for the remote user. For example, if the user matched a restricted group and u-restrict-mode specified a UPS of "-Luo", the user would have the List, Umask, and Chmod permissions removed (but leaving other permissions settings intact).

Changing versus Setting

A user permissions string is designed to modify just the options specified. For example, if the UPS "-Luo" was applied, but the user already had the FileRead and Mkdir permissions removed, the resultant user permissions now in effect would be "+* -rM -Luo". If you want to have a UPS set the permissions rather than changing it, use the wildcard option "*" to add/remove all permissions and then remove/add only the ones you want, for example, "+* -Luo" or "-* +rmacdnCMDtl".

Extended User Permissions do not replace UNIX access controls

Remember that the file ownerships, group memberships, and permission bits on files still apply. NcFTPd's Extended User Permissions are intended to be used so you can deny permission irrespective of the UNIX access controls.

For example, if a NcFTPd user was configured by you with a UPS of "-R", the user will not be download any file no matter what the UNIX permissions are. But if the use has a UPS of "+R", meaning he could download files, the user still cannot download the file unless the UNIX permissions allow it.

The important thing to realize is that enabling a permission using extended user permissions does not ignore the underlying UNIX filesystem. For example, if a user has a UPS of "+R" he still can't download files such as /etc/shadow for which the user will not have UNIX read permission.

Common User Permissions Strings

UPS	Description
`-W`	A "read-only" user (created by removing WriteAll).
`-R`	A "write-only" user (created by removing ReadAll).
`-RW +c`	An "add-new-files-only" user.
`-RW +cnM`	An "add-new-files-only" user that can rename items and create new directories.
`-* +CL`	A "browse-only" user that cannot transfer files, but can navigate the filesystem.