Extended User Permissions

A new layer of fine-grained access controls which sits on top of the standard UNIX filesystem access controls was introduced starting with NcFTPd 2.8.0.

Using Extended User Permissions

Extended User Permissions were introduced because system administrators needed more control than NcFTPd's existing configurable options (such as u-write-permission, u-read-only-groups, and u-restricted-groups) could give them.

A user permissions string (UPS) is simply a list of the one letter option codes, preceded by a one-character modifier. The modifiers are "-", which disables a permission, and "+", which enables a permission. A simple UPS which removes read permission would be "-r".

User permissions strings can contain multiple operations. A UPS which removes Write permission but adds back Rename permission would be "-W +n". A UPS that removes all permissions but adds back FileRead, List, and Chdir permissions would be "-* +rCL".

There are three primary places where you would use a user permissions string: as part of a user class with the u-restrict-mode option; a specific virtual user's record in a ncftpd_passwd database; and a specific user as directed from an "Authd" (NcFTPd External Custom Authentication).

Any of those three places can apply a user permissions string to change the permissions attributes for the remote user. For example, if the user matched a restricted group and u-restrict-mode specified a UPS of "-Luo", the user would have the List, Umask, and Chmod permissions removed (but leaving other permissions settings intact).

Changing versus Setting
A user permissions string is designed to modify just the options specified. For example, if the UPS "-Luo" was applied, but the user already had the FileRead and Mkdir permissions removed, the resultant user permissions now in effect would be "+* -rM -Luo". If you want to have a UPS set the permissions rather than changing it, use the wildcard option "*" to add/remove all permissions and then remove/add only the ones you want, for example, "+* -Luo" or "-* +rmacdnCMDtl".
Extended User Permissions do not replace UNIX access controls

Remember that the file ownerships, group memberships, and permission bits on files still apply. NcFTPd's Extended User Permissions are intended to be used so you can deny permission irrespective of the UNIX access controls.

For example, if a NcFTPd user was configured by you with a UPS of "-R", the user will not be download any file no matter what the UNIX permissions are. But if the use has a UPS of "+R", meaning he could download files, the user still cannot download the file unless the UNIX permissions allow it.

The important thing to realize is that enabling a permission using extended user permissions does not ignore the underlying UNIX filesystem. For example, if a user has a UPS of "+R" he still can't download files such as /etc/shadow for which the user will not have UNIX read permission.

Common User Permissions Strings