User Classes

Starting with NcFTPd 2.8.0, you can configure multiple user classes. A user class is a method of specifying a set of users and of applying specific configuration options only to that set of users.

As of this writing, a user class is specified by using the u-restricted-groups option. This means that your user classes will be group-based (as in groups in the /etc/group file).

The only configuration option that applies to user classes is the u-restrict-mode option. This means that once you have determined which users are in a user class, your only option is to configure how they are restricted. However, u-restrict-mode has been greatly enhanced for version 2.8.0. In addition to having a user restricted to his home directory, you can now apply additional "Extended User Permissions" that let you create users who are always read-only, for example.

How user classes are applied

When a user submits her username and password, if the login credentials were correct, the user's ID (UID) and group IDs (GIDs) are queried. Since user classes are group-based, NcFTPd iterates through the list of defined user classes and sees if any of the user's GIDs match that of a user class, and if so, assigns the user to that user class.

The default user class

If the user's GIDs did not correspond to any defined user class, she is assigned to the default user class. This class is automatically defined by NcFTPd, and is essentially u-restricted-groups=all and u-restrict-mode=homedir, meaning that any user that did not match one of your user classes is restricted to their home directory.
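The assignment described in the two sections above can be modeled to audit which class each account would land in before a configuration goes live. This is an added example, not NcFTPd code: the accounts, groups, and class definitions are constructed, and it assumes the first matching class in definition order wins, which the text implies but does not state.

```python
# Added example: a model of the class assignment described above, not NcFTPd code.
# Assumption: the first matching class in definition order wins.

# Constructed sample data in /etc/passwd and /etc/group format.
PASSWD = """\
alice:x:1001:2001:Alice:/home/alice:/bin/sh
bob:x:1002:2001:Bob:/home/bob:/bin/sh
carol:x:1003:2003:Carol:/home/carol:/bin/sh
"""
GROUP = """\
staff:x:2001:
readonly:x:2002:alice
guests:x:2003:
dropbox:x:2004:alice,bob
"""
# Hypothetical classes as (class name, group names), in definition order.
USER_CLASSES = [("ReadOnly", {"readonly"}), ("Dropbox", {"dropbox"})]
DEFAULT_CLASS = "default"  # acts like u-restricted-groups=all, u-restrict-mode=homedir

def user_gids(username):
    """Return the user's primary GID plus the GIDs of groups listing the user."""
    gids = set()
    for line in PASSWD.splitlines():
        fields = line.split(":")
        if fields[0] == username:
            gids.add(int(fields[3]))
    for line in GROUP.splitlines():
        _name, _pw, gid, members = line.split(":")
        if username in members.split(","):
            gids.add(int(gid))
    return gids

def resolve(username, classes=USER_CLASSES):
    """Return (assigned class, every class whose groups match the user)."""
    name_to_gid = {l.split(":")[0]: int(l.split(":")[2]) for l in GROUP.splitlines()}
    gids = user_gids(username)
    matches = [cname for cname, groups in classes
               if gids & {name_to_gid[g] for g in groups}]
    return (matches[0] if matches else DEFAULT_CLASS), matches

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        assigned, matches = resolve(user)
        flag = " (matches several classes; order decides)" if len(matches) > 1 else ""
        print(f"{user}: {assigned}{flag}")
```

Accounts that match more than one class are worth reviewing by hand, since their effective restrictions depend on which class is matched.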

The most common scenario: a single defined user class

If you only need one user class (not counting the default class), you can simply continue to use u-restricted-groups and u-restrict-mode as you would with versions 2.7.3 and older: with one setting of u-restrict-mode and one setting of u-restricted-groups.

Example of a typical general.cf configuration:

Example configuration with one user class with all users read-only (using the "-W" user permissions string) and restricted to their home directory:

Example configuration with one user class with all users not restricted to their home directory:

Example configuration with one user class with all users read-only and not restricted to their home directory:

Multiple user classes

Often a single user class is sufficient. But what if you want to have some users read-only (and restricted to their home directory), and other users just restricted to their home directory? The configuration isn't much different, except you use the special options begin-new-user-class and end-user-class to start and end a new user class.

Example general.cf configuration with two user classes:

Same example, but using the (preferred) form with begin-new-user-class and end-user-class delimiting both classes:

Notice how these examples have provided a name for the user class, as well as indenting the options within the class. Neither is required, but both help improve readability.

One more example, with several user classes:

The last two user classes demonstrate some of the advanced control you can get with user permissions strings in the u-restrict-mode option. The "BrowseOnly" user class has removed all permissions with the exception of the ability to change and list directories. The "Dropbox" user class only allows users to upload new files, rename existing files, and create new directories (as well as change and list directories).

Read more about user permissions strings and the u-restrict-mode option for details on what permission types are available and how to manage them.