NcFTPd: Using ncftpd

Using `ncftpd_passwd`

The ncftpd_passwd utility program is used to create and modify NcFTPd Password Databases. These databases are not regular text files like /etc/passwd, so a separate program is needed to manage them. The reason the files are in a binary format instead of human-readable format is because one of the advantages of using a file other than /etc/passwd is for performance -- an indexed database file is very efficient to read, while the /etc/passwd file must be scanned sequentially. A database file can handle a large number of users without any noticeable performance degradation.

After a database has been created, you must configure the domain so that NcFTPd uses your database in place of (or in addition to) /etc/passwd. See the domain.cf option passwd for details. You will need to restart NcFTPd if you change the domain's passwd option, but you do not need to restart whenever you modify the database file.

Working with password databases
Tips
Advanced options

Working with password databases

The files themselves should be owned by root and have mode 0600 (no read or write permission for group nor public). This is recommended because the databases contain the encrypted password. Having the encrypted password publicly available can be a security risk, which is why most modern UNIX systems have moved the encrypted passwords out of the /etc/passwd file into a separate file (often called the shadow password file).

Creating and removing databases

To create a database you simply use the utility with the add user operation described below. The database file will be created for you automatically if it did not exist. To delete a database, you can simply remove it with /bin/rm.

Record format

The user entries are identical to the lines in the /etc/passwd file with one exception: the group field is a comma-delimited list of group IDs. Therefore, the records look like this:

username:password:UID:GIDs:Real Name:directory:shell

Example:

mgleason:75hv0xCjznz1U:500:600,700,701,702:Mike Gleason:/home/mgleason:/bin/ksh

This user has user ID 500, home directory of /home/mgleason, primary group ID of 600, and membership in supplementary group IDs 700, 701, and 702.

Important:

NIX

/etc/passwd

Adding users

To add a user, run the program specifying the database file with the -f flag, and the complete user record specified by the -a flag. Since the user record may have whitespace in it, use your shell's quote characters appropriately.

Example 1: Add the mgleason user above, into a database named /usr/local/etc/ncftpd/pwdb/passwd.db.

root# ncftpd_passwd -f /usr/local/etc/ncftpd/pwdb/passwd.db -a "mgleason:75hv0xCjznz1U:500:600,700,701,702:Mike Gleason:/home/mgleason:/bin/ksh"

It is inconvenient to use some other program to create the encrypted password based off of the cleartext password, so you can use the -c flag to tell the utility to encrypt the contents of the password field for you before adding the record.

Example 2: Add the mgleason user above, setting the password to secret.

root# ncftpd_passwd -f /us.../passwd.db -c -a "mgleason:secret:500:600,700,701,702:Mike Gleason:/home/mgleason:/bin/ksh"

If you want to create a user whose user ID is identical to an existing user in the /etc/passwd file, you may use that user's name instead of manually look up the user ID. Similarly, you may substitute group names for group IDs and the utility will look them up for you.

Example 3: Add the mgleason user above, with user and group name replacement.

root# ncftpd_passwd -f /us.../passwd.db -a "mgleason:75hv0xCjznz1U:mikegl:users,admin,dev,ops:Mike Gleason:/home/mgleason:/bin/ksh"

Changing users

Modifying a user entry is the same as adding a new one, except you need to use the update flag (-u), instead of the add flag (-a).

Example: Change the password for mgleason to myxlplxx (using the -c flag also).

root# ncftpd_passwd -f /us.../passwd.db -c -u "mgleason:myxlplxx:mikegl:users,admin,dev,ops:Mike Gleason:/home/mgleason:/bin/ksh"

Changing passwords

While the update flag lets you change an entire record, often all that is desired is to change the password field of the record. You can do this by using the -p flag to specify a user record, and then ncftpd_passwd will prompt you for a new password. You can also use the -P flag to specify the encrypted password directly, if you happen to have it.

This flag can also be used by a non-superuser to change their own password entry. This requires some special setup, as described in the section on advanced options below.

Example 1: Change the password for mgleason to myxlplxx

root# ncftpd_passwd -f /usr/local/etc/ncftpd/pwdb/passwd.db -p mgleason
New password for mgleason:
Verify password for mgleason:
Password changed for user mgleason.

Example 2: Change the encrypted password for mgleason:

root# ncftpd_passwd -f /us.../passwd.db -p mgleason -P 'd.Ts7N8a3ozbQ'

Querying users

To print the record for a user, specify the user name with the -q flag along with the database.

Example: Query mgleason's record.

root# ncftpd_passwd -f /usr/local/etc/ncftpd/pwdb/passwd.db -q mgleason
    User:                mgleason
    Encrypted password:  75hv0xCjznz1U
    UID:                 500
    GID:                 600
    Supplementary GIDs:  700, 701, 702
    GECOS:               Mike Gleason
    Home directory:      /home/mgleason
    Shell:               /bin/ksh

Deleting users

To remove a user's record, specify the user name with the -d flag along with the database.

Example: Delete mgleason's record.

root# ncftpd_passwd -f /usr/local/etc/ncftpd/pwdb/passwd.db -d mgleason

Printing the entire database

You may use the export flag (-e) to convert a database into a textual format.

Example: Dump the entire passwd.db database.

root# ncftpd_passwd -f /usr/local/etc/ncftpd/pwdb.db -x
pgleason:ldDbXYr308x.w:502:600,700:Patrick Gleason:/home/pgleason:/bin/tcsh
jgleason:OvHSMCPLgL6bA:501:600:Jimmy Gleason:/home/jgleason:/bin/bash
mgleason:75hv0xCjznz1U:500:600,700,701,702:Mike Gleason:/home/mgleason:/bin/ksh

Importing records

You can add records in batch mode by creating an import file and using the import flag (-i). You can also use the -c flag and user name and group name replacement when you import the records.

Example:

root# cat new.txt 
mmgleason:unUuvgMaz/h76:696:33,31:Michelle Gleason:/home/mmgleason:/bin/ksh
ccw:cohBaSYXLIMZ2:296:37,32:Dawn Gleason:/home/ccw:/bin/ksh
dgleason:vFSZRNvPk4qFI:894:34,26:Dani Gleason:/home/dgleason:/bin/ksh

root# ncftpd_passwd -f /usr/local/etc/ncftpd/pwdb/passwd.db -i new.txt

Importing the `/etc/passwd` file

You may elect to not use the /etc/passwd at all in favor of using just password databases, but you may want to load all the users from it into a database. When you use the special -I flag, the /etc/passwd file is imported. The special treatment is that the encrypted passwords are taken from the shadow password file (if needed), and the group field is created from the /etc/group file.

Example:

root# ncftpd_passwd -f /usr/local/etc/ncftpd/pwdb/passwd.db -I

Tips

For sites with a large number of users, use a password database for performance.
For small sites with no need for virtual users, use /etc/passwd instead of a password database.
You may share password databases for different domains.
Avoid using too many databases in your passwd configuration option line in your domain.cf file to prevent unwanted disk accesses.
You can share a user ID for restricted virtual users whose directory trees do not overlap. You may want to create a real user named virtual in the /etc/passwd file, and use that same user ID over and over again for your virtual users.
Virtual users improve system security by removing the threat of that user ID being able to really login. See the chapter on User Management for more information about virtual users.
You can modify the databases while NcFTPd is running, and the changes you make take effect immediately for new logins.

Advanced Options

There are four modes of operation which NcFTPd and ncftpd_passwdoperate in regards to password databases. In the standard mode, the Superuser runs ncftpd_passwd (note: not a regular user running ncftpd_passwd with setuid-root) and password databases are owned by root and of mode 0600.

The second mode (call it Mode 2) is where the system administrator decides to let a regular user own and maintain the password database, and the administrator configures a domain in NcFTPd's domain.cf file to use this file as a password database. In this mode, NcFTPd ignores the user ID and group ID fields in the password database, but instead all users in the database are treated as equivalent to the regular user that owns the password database.

The third mode (Mode 3) is where the system administrator changes ncftpd_passwd so that it is owned by root and enables the "setuid-bit". The password databases are owned by root and mode 0600, but ncftpd_passwd can be run by a regular user to create user accounts with the same privileges of his own. For this mode to work, the administrator must create a file called /etc/ftp.passwd.conf which contains a list of files that users may modify using ncftpd_passwd.

The fourth mode (Mode 4) is intended to be used by CGI programs. Like Mode 3, ncftpd_passwd is setuid-root, but unlike Mode 3, it can modify any and all accounts in the database.

Internet Service Providers often have a regular user own their own virtual domain, and in this case it makes sense to allow the domain owner to maintain the database of users that access this domain. However, you must remember that there's nothing to stop a malicious user from trying to exploit your system, because any users created have identical privileges. You must ensure that the user's access privileges do not allow him from accessing files on the system that you do not want users working with. For example, you may implicitly assume that a user would not try to set the FTP user's startup directory to something other than the user's real home directory or a subdirectory, but the user could simply set the directory to "/" and any files under the root directory that the user's privileges can access that newly-created FTP user will be able to access.

To use Mode 2, you simply set the password database name in the domain.cf file, and let the user run ncftpd_passwd to create users. Create the database with their first user, and make sure the database file is owned by the user you want to maintain it. You may want to create a shell script for them that simplifies use of the the program. For example, it is easy to forget to include the -fflag and the password database so you might have your script hard-code that inside the script.

Using Mode 3 requires a special file to be created by the system administrator, the /etc/ftp.passwd.conf file. This file contains the files that regular users running ncftpd_passwd are allowed to modify. Each line in the (plain text) file should be the absolute pathname of a password database file followed by a space, followed by a comma-delimited list of users that are allowed to modify this database. You may use the keyword ALL in place of a user list to denote that any user may modify the database. In addition, a line can be commented-out by having the first character be a # character.

An example /etc/ftp.passwd.conf file:

# List of password databases:
#
/usr/local/etc/ncftpd/pwdb/dbfile1.db ALL
/usr/local/etc/ncftpd/pwdb/dbfile2.db mgleason,mweiss,ccw

Finally, the /etc/ftp.passwd.conf file must be owned by root and mode 0600.

Using Mode 4 also requires the /etc/ftp.passwd.conf file. The difference is that the list of users includes the special token allow-setuid-root. Example:

# List of password databases:
#
/usr/local/etc/ncftpd/passwd.db web,allow-setuid-root

You would then make a setuid-root copy ncftpd_passwd and have it so only the web server user can run it. This example assumes that there are no other users in the web group other than the web user:

# chown root /home/httpd/bin/ncftpd_passwd
# chgrp web /home/httpd/bin/ncftpd_passwd
# chmod 4710 /home/httpd/bin/ncftpd_passwd 
# ls -l /home/httpd/bin/ncftpd_passwd 
-rws--x---   1 root     web         39960 Jul 18 00:09 ncftpd_passwd

You could then create a CGI program that would run this copy of ncftpd_passwd. It is up to you to secure this script so that only administrators can run it; for example, you might put it behind an SSL-enabled server and then have your CGI program prompt for a password. If you don't do that, anyone who knows the URL to your CGI can fully manipulate the password database!

Using ncftpd_passwd

Working with password databases

Creating and removing databases

Record format

Adding users

Changing users

Changing passwords

Querying users

Deleting users

Printing the entire database

Importing records

Importing the /etc/passwd file

Tips

Advanced Options

Using `ncftpd_passwd`

Importing the `/etc/passwd` file