Restricted Users are a special type of non-anonymous user, with the only difference being that these users are not allowed to access any file or directory outside of their home directory. Therefore, before proceeding, be sure you have configured the server for regular non-anonymous users, since the same basic setup is required (i.e. you need to set up accounts in /etc/passwd, have their accounts' program shells match an entry in /etc/shells, etc.).
Restricting users to their home directories makes your system more secure, since the user won't be able to access other files on the system that her permissions would otherwise allow, such as system configuration files like /etc/passwd. Naturally, restricting users is not very useful if you also allow the user to log in directly with telnet or ssh, so be sure you've read the previous section on how you can avoid that.
Note: As of NcFTPd 2.8.1, users are restricted to their home directory by default. No additional setup with
The restricted groups are managed like you would normally manage user groups, which is usually the file /etc/group but could also be maintained using a service such as NIS or LDAP.
The /etc/group file (and NIS/LDAP/etc.) does not classify the groups as restricted; instead, you tell NcFTPd which groups should be considered restricted.
This is done by using the
For example, if you wanted to make sure that the groups customers and guests were restricted, you could use
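Because membership in a restricted group is what decides whether NcFTPd restricts an account, it is worth checking which logins actually fall into those groups, and that each of them still passes the regular non-anonymous prerequisites (a shell listed in /etc/shells). The script below is an added example written for this page; it is not part of NcFTPd or its documentation. It builds constructed passwd, group and shells files in a temporary directory (so it never touches the real /etc files) and resolves both primary-GID and supplementary memberships the way the group file defines them; the group names customers and guests are the ones from the example above.

```shell
#!/bin/sh
# Added example (not from the NcFTPd documentation): list the accounts that
# belong to a set of group names, resolving both primary (passwd field 4)
# and supplementary (group file field 4) membership, then flag any of them
# whose login shell is not listed in a shells file, since NcFTPd refuses
# such logins. All three input files are constructed samples.

WORK=$(mktemp -d)
PASSWD="$WORK/passwd"
GROUP="$WORK/group"
SHELLS="$WORK/shells"

cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
joeuser:x:1001:2001:Joe:/home/joeuser:/bin/sh
guest1:x:1002:1002:Guest:/home/guest1:/sbin/nologin
alice:x:1003:100:Alice:/home/alice:/bin/sh
EOF

cat > "$GROUP" <<'EOF'
root:x:0:
users:x:100:
customers:x:2001:alice
guests:x:2002:guest1
EOF

cat > "$SHELLS" <<'EOF'
/bin/sh
/bin/bash
EOF

# restricted_members PASSWD GROUP GROUPNAME... : print one login per line
# for every account whose primary or supplementary group is one of the
# named groups (sorted, duplicates removed).
restricted_members() {
    pw=$1; gr=$2; shift 2
    for g in "$@"; do
        # primary membership: look up the group's GID, match passwd field 4
        gid=$(awk -F: -v g="$g" '$1 == g { print $3 }' "$gr")
        [ -n "$gid" ] && awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$pw"
        # supplementary membership: group field 4 is a comma-separated login list
        awk -F: -v g="$g" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$gr"
    done | sort -u
}

# shell_not_listed PASSWD SHELLS LOGIN... : print logins whose shell (passwd
# field 7) does not appear as a whole line in the shells file.
shell_not_listed() {
    pw=$1; shf=$2; shift 2
    for u in "$@"; do
        s=$(awk -F: -v u="$u" '$1 == u { print $7 }' "$pw")
        grep -qx -- "$s" "$shf" || echo "$u"
    done
}

# Stand-alone run: show the restricted accounts, then the ones NcFTPd would
# still reject because of their shell.
members=$(restricted_members "$PASSWD" "$GROUP" customers guests)
echo "restricted accounts:"; echo "$members"
echo "shell not in shells file:"
# shellcheck disable=SC2086
shell_not_listed "$PASSWD" "$SHELLS" $members
```

Run against the real files by passing /etc/passwd, /etc/group and /etc/shells instead of the constructed ones; accounts managed through NIS or LDAP will not appear, since the script only reads flat files.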
Naturally you will want to double-check that the user is really restricted once you have NcFTPd up and running. You can log in with a command-line FTP program and make sure the server replies with "Restricted user logged in." You will also want to try accessing files that the user should not be able to access, i.e. those outside her directory.
Here is an example session using /usr/bin/ftp. Note how the last "230" line tells you that the user is restricted:
$ ftp localhost
Connected to localhost.localdomain.
220 localhost.localdomain NcFTPd Server (licensed copy) ready.
Name (localhost:gleason): joeuser
331 User joeuser okay, need password.
Password:
230-You are user #1 of 60 simultaneous users allowed.
230-
230 Restricted user logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
Starting with NcFTPd 2.8.0, you can configure multiple user classes, with each user class having its own set of groups
This should be obvious, but it bears mentioning. If users can simply follow symbolic links outside their restricted area, they aren't really restricted. That would be especially dangerous if the user has permission to create symbolic links.
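A quick way to catch the problem described above is to audit each restricted user's home directory for symbolic links whose canonical target lies outside that directory. The script below is an added example written for this page, not code from NcFTPd or its documentation; it builds a constructed home directory under a temporary path, with one link that stays inside the home, one that climbs out with a relative path, and one with an absolute target, and reports the two that escape.

```shell
#!/bin/sh
# Added example (not part of the NcFTPd documentation): find symbolic links
# under a restricted user's home directory whose resolved target is outside
# that directory. The directory tree below is constructed in a temp area so
# the script runs stand-alone; point escaping_symlinks at a real home to
# audit it.

HOMEROOT=$(cd "$(mktemp -d)" && pwd -P)
mkdir -p "$HOMEROOT/joeuser/pub" "$HOMEROOT/shared"
echo "inside"  > "$HOMEROOT/joeuser/pub/readme.txt"
echo "outside" > "$HOMEROOT/shared/secret.txt"
ln -s pub/readme.txt        "$HOMEROOT/joeuser/ok-link"      # stays inside home
ln -s ../shared/secret.txt  "$HOMEROOT/joeuser/escape-link"  # relative path out of home
ln -s /etc/passwd           "$HOMEROOT/joeuser/passwd-link"  # absolute target outside

# escaping_symlinks HOMEDIR : print every symlink under HOMEDIR whose
# canonical target (all components resolved, nested links followed) is not
# inside HOMEDIR. Dangling links resolve to a path that is still compared.
escaping_symlinks() {
    home=$(cd "$1" && pwd -P) || return 1
    find "$home" -type l | while IFS= read -r link; do
        target=$(readlink -f -- "$link") || target=""
        case "$target" in
            "$home"/*) ;;         # resolved inside the home directory: fine
            *) echo "$link" ;;    # resolved elsewhere (or unresolvable): report
        esac
    done
}

# Stand-alone run: report the links that leave the constructed home.
escaping_symlinks "$HOMEROOT/joeuser"
```

The check uses the directory's physical path (pwd -P) and readlink -f so that a symlinked parent directory or a chain of links does not fool the comparison; a link that resolves to a path beginning with the home directory is accepted, anything else is printed.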
Another similarly easy suggestion is to do something like