[nos-bbs] 'ftpusers' basic guidelines

Gustavo Ponza g.ponza at tin.it
Mon Oct 24 10:39:32 EDT 2011


Hi all,
'keep it *very* simple to be efficient': my euro cent to the JNOS2 cause :)
73, Gustavo / I0OJJ

-------------------------------cut here--------------------------------
# FTPUSERS setup at i0ojj site (Sep 16, 2011):
#
# i0ojj [pwd] /jnos 127 # 'i0ojj' (me) is the Jnos SysOp (DON'T USE!)
i0ojj [pwd] /jnos/public 63 # 'i0ojj' (me) a normal user
univperm * /jnos/public 59 # ftp (read, create), ax.25, 'telnet' and 'netrom' gateway allowed
ve4klm * /jnos/public 8192
ir0gw * /jnos/public 8192
#gb7cip * /jnos/public 8192 # setup on Apr 12, 2011 (only for JNOS2 tests: OK!)
--------------------------------cut here-------------------------------

HOW TO SETUP THE MAILBOX USER PERMISSIONS: the /ftpusers file
Aug 23, 2010 by Gus i0ojj

JNOS provides its own access control mechanisms. The file ftpusers controls remote FTP and mailbox access. The FTP default is no access; if this file does not exist, the FTP server will be unusable. A remote user must first “log in” to the system with the USER and PASS commands, giving a valid username and password listed in “ftpusers”, before he or she can transfer files.
Each entry in ftpusers consists of a single line of the form:

username password /path permissions [ip_address]

There must be at least four fields, and there must be exactly one space between each field. Comments may be added after the last field. Comment lines begin with '#' in column one.

username is the user's login name.

password is the required password. Note that this is in plain text; therefore it is not a good idea to give general read permission to the root directory. A password of '*' (a single asterisk) means that any password is acceptable.

/path is the allowable prefix on accessible files.

Before any file or directory operation, the current directory and the user-specified file name are joined to form an absolute path name in “canonical” form (i.e., a full path name starting at the root, with “./” and “../” references, as well as redundant /'s, recognized and removed). The result MUST begin with the allowable path prefix; if not, the operation is denied. This field must always begin with a “/”, i.e., at the root directory. Multiple directories can be specified by separating them with a “;” character and no white space around them.
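As an added example (not from the original post and not JNOS code), the Python below applies the join, canonicalize, then check-the-prefix rule just described to a user-supplied name. The function names canonical_path and path_allowed and the sample paths are my own; the check is deliberately tightened to directory-component boundaries, so a prefix such as /jnos/public does not also admit /jnos/publicX, which a purely textual prefix test would.

```python
import posixpath


def canonical_path(cwd: str, name: str) -> str:
    """Join the current directory with a user-supplied name and canonicalize it.

    Mirrors the rule above: the result is an absolute path with "./", "../"
    and redundant "/" resolved, so a name like "../../etc/passwd" cannot hide
    where it really points before the prefix test runs.
    """
    joined = name if name.startswith("/") else posixpath.join(cwd, name)
    return posixpath.normpath(joined)


def path_allowed(cwd: str, name: str, path_field: str) -> bool:
    """True if the canonical path lies under one of the ';'-separated prefixes.

    Stricter than a purely textual prefix match (an assumption of this
    example): "/jnos/public" admits "/jnos/public" and "/jnos/public/x" but
    not "/jnos/publicX".  A prefix of "/" admits everything.
    """
    canon = canonical_path(cwd, name)
    for prefix in path_field.split(";"):
        prefix = posixpath.normpath(prefix)  # "/jnos/public/" -> "/jnos/public"
        if prefix == "/" or canon == prefix or canon.startswith(prefix + "/"):
            return True
    return False


if __name__ == "__main__":
    # Constructed requests against the /jnos/public entry from the sample file.
    for cwd, name, field in [
        ("/jnos/public", "readme.txt", "/jnos/public"),
        ("/jnos/public", "../../etc/passwd", "/jnos/public"),
        ("/jnos/public", "../publicX/secret", "/jnos/public"),
        ("/jnos/public", "/jnos/spool/mail/x", "/jnos/public;/jnos/spool"),
    ]:
        verdict = "allowed" if path_allowed(cwd, name, field) else "DENIED"
        print(f"{name:22} -> {canonical_path(cwd, name):28} {verdict}")
```

Run as a script it prints the canonical form beside each verdict; the second and third requests are denied even though each begins inside the permitted tree.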

permissions is a decimal number granting permission for read, create and write operations.

If the low order bit (0x1) is set, the user is allowed to read a file subject to the path name prefix restriction. If the next bit (0x2) is set, the user is allowed to create a new file if it does not overwrite an existing file. If the third bit (0x4) is set, the user is allowed to write a file even if it overwrites an existing file, and in addition he may delete files. Again, all operations are allowed subject to the path name prefix restrictions. Permissions may be combined by adding bits, for example, 0x3 (= 0x2 + 0x1) means that the user is given read and create permission, but not overwrite/delete permission. Additional (practical and *updated*) permission bits used by the mailbox and PPP are:

Name            Value     Hex       Meaning
FTP_READ        1         0x1       Read files
FTP_CREATE      2         0x2       Create new files
FTP_WRITE       4         0x4       Overwrite or delete existing files
AX25_CMD        8         0x8       AX.25 gateway operation allowed
TELNET_CMD      16        0x10      Telnet gateway operation allowed
NETROM_CMD      32        0x20      NET/ROM gateway operation allowed
SYSOP_CMD       64        0x40      Remote sysop access allowed
EXCLUDED_CMD    128       0x80      This user is banned from the BBS
(no name)       256, 512  0x100, 0x200  Used in PPP
NO_SENDCMD      1024      0x400     Disallow send command
NO_READCMD      2048      0x800     Disallow read command
NO_3PARTY       4096      0x1000    Disallow third-party mail
IS_BBS          8192      0x2000    This user is a bbs
IS_EXPERT       16384     0x4000    This user is an expert
NO_CONVERS      32768     0x8000    Disallow convers command
NO_ESCAPE       65536     0x10000   Default is no escape char
NO_LISTS        131072    0x20000   No lists displayed from mailbox
NO_LINKEDTO     262144    0x40000   Disable '*** linked to'
NO_LASTREAD     524288    0x80000   Ignore lastread in <area>.usr (shared accts)
NO_FBBCMP       1048576   0x100000  Avoid FBB compression
XG_ALLOWED      2097152   0x200000  Allow XG (dynip route) cmd
T_NO_AMPRNET    4194304   0x400000  Disallow Telnet to 44/8
T_AMPRNET_ONLY  8388608   0x800000  Allow Telnet to only 44/8

ip_address is used for PPP only and is the remote IP address of the connected system.

A username of univperm has special meaning in the validation mechanism. If univperm is included as a valid user in ftpusers then any unknown user (not in ftpusers) will be mapped into 'univperm' and get its permission bits and file path. If univperm is not included in ftpusers, unknown users are not permitted nor validated.
--------------------------cut here---------------------------
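Added example, not part of the original post and not JNOS code: a small Python reader for the entry format, the permission bits from the table, and the univperm fallback, so the effect of a given bit value can be checked before it goes into the file. The sample file is constructed from the i0ojj setup at the top of this message, with "secret" standing in for the [pwd] placeholder. Two points are my assumptions rather than the text's: a listed user who gives the wrong password is rejected (not mapped to univperm), and a fifth field beginning with '#' is treated as the start of a comment rather than an ip_address.

```python
import hmac

# Permission bits as listed in the table above (name, value).
PERMISSION_BITS = [
    ("FTP_READ", 0x1), ("FTP_CREATE", 0x2), ("FTP_WRITE", 0x4),
    ("AX25_CMD", 0x8), ("TELNET_CMD", 0x10), ("NETROM_CMD", 0x20),
    ("SYSOP_CMD", 0x40), ("EXCLUDED_CMD", 0x80),
    # 0x100 and 0x200 are used by PPP and carry no mailbox name in the table.
    ("NO_SENDCMD", 0x400), ("NO_READCMD", 0x800), ("NO_3PARTY", 0x1000),
    ("IS_BBS", 0x2000), ("IS_EXPERT", 0x4000), ("NO_CONVERS", 0x8000),
    ("NO_ESCAPE", 0x10000), ("NO_LISTS", 0x20000), ("NO_LINKEDTO", 0x40000),
    ("NO_LASTREAD", 0x80000), ("NO_FBBCMP", 0x100000), ("XG_ALLOWED", 0x200000),
    ("T_NO_AMPRNET", 0x400000), ("T_AMPRNET_ONLY", 0x800000),
]

# Constructed sample modelled on the i0ojj file above; "secret" stands in
# for the "[pwd]" placeholder.  Passwords are plain text, as the text warns.
SAMPLE_FTPUSERS = """\
# FTPUSERS setup at i0ojj site (Sep 16, 2011):
#
# i0ojj secret /jnos 127 # 'i0ojj' (me) is the Jnos SysOp (DON'T USE!)
i0ojj secret /jnos/public 63 # 'i0ojj' (me) a normal user
univperm * /jnos/public 59 # ftp (read, create), ax.25, 'telnet' and 'netrom' gateway allowed
ve4klm * /jnos/public 8192
ir0gw * /jnos/public 8192
#gb7cip * /jnos/public 8192 # setup on Apr 12, 2011 (only for JNOS2 tests: OK!)
"""


def parse_ftpusers(text):
    """Return one dict per entry; '#' in column one and blank lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(" ")  # exactly one space between fields
        if len(fields) < 4 or any(f == "" for f in fields[:4]):
            raise ValueError(f"line {lineno}: need four single-space-separated fields")
        username, password, path, perms = fields[:4]
        if not path.startswith("/"):
            raise ValueError(f"line {lineno}: /path must start at the root")
        # Assumption: a fifth field starting with '#' is a comment, else ip_address.
        ip = fields[4] if len(fields) > 4 and not fields[4].startswith("#") else None
        entries.append({"user": username, "password": password, "path": path,
                        "perms": int(perms, 10), "ip": ip})
    return entries


def lookup_user(entries, username, password):
    """Validate a login: exact entry first, else the univperm entry if present."""
    by_name = {e["user"]: e for e in entries}
    entry = by_name.get(username)
    if entry is None:
        entry = by_name.get("univperm")  # unknown user gets univperm's bits and path
        if entry is None:
            return None  # no univperm: unknown users are not permitted
    if entry["password"] != "*" and not hmac.compare_digest(entry["password"], password):
        return None  # assumption: wrong password for a listed user is a plain reject
    return entry


def permission_names(perms):
    """Decode a decimal permissions value into the table's bit names."""
    return [name for name, bit in PERMISSION_BITS if perms & bit]


if __name__ == "__main__":
    entries = parse_ftpusers(SAMPLE_FTPUSERS)
    for user, pw in [("i0ojj", "secret"), ("i0ojj", "guess"), ("ve4klm", "x"), ("n0call", "x")]:
        e = lookup_user(entries, user, pw)
        if e is None:
            print(f"{user:8} login rejected")
        else:
            print(f"{user:8} -> {e['user']:8} {e['path']:14} {e['perms']:5} "
                  f"{' '.join(permission_names(e['perms']))}")
```

Decoding 59 for univperm gives read and create plus the three gateway bits and no FTP_WRITE, which is exactly what the comment on that line claims; decoding 127 (the commented-out sysop line) adds FTP_WRITE and SYSOP_CMD, which is why that entry is marked DON'T USE.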
