zoukankan      html  css  js  c++  java
  • Ubuntu14.04 vsftpd

    Ubuntu14.04 vsftpd

    参考文档:
    http://www.cnblogs.com/acpp/archive/2010/02/08/1666054.html
    http://segmentfault.com/a/1190000000438443
    Vsftpd虚拟用户设置

    一.安装
    apt-get -y install vsftpd
    root@localhost:~# lsb_release -a 2>/dev/null
    Distributor ID:    Ubuntu
    Description:    Ubuntu 14.04.1 LTS
    Release:    14.04
    Codename:    trusty
    root@localhost:~# vsftpd -v
    vsftpd: version 3.0.2
    root@localhost:/usr/share/doc/vsftpd/examples# pwd
    /usr/share/doc/vsftpd/examples
    root@localhost:/usr/share/doc/vsftpd/examples# ls
    INTERNET_SITE  INTERNET_SITE_NOINETD  PER_IP_CONFIG  README  VIRTUAL_HOSTS  VIRTUAL_USERS  VIRTUAL_USERS_2
    提示:发行版的安装包中自带了很多帮助文档和配置范例,非常有情怀


    二.匿名用户
    cp /etc/vsftpd.conf{,.default}
    养成修改前做备份的习惯
    1.开启匿名访问
    anonymous_enable=YES
    #匿名访问只需要对默认的配置文件修改上面一行即可,但只能读
    root@localhost:~# touch /srv/ftp/Test2015
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): ftp
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    -rw-r--r--    1 0                     0 Aug 02 03:51 Test2015
    226 Directory send OK.
    默认的匿名用户为ftp或者anonymous,密码为空
    2.修改匿名用户的根目录
    #默认的匿名根是/srv/ftp
    root@localhost:~# mkdir /ftp_guest
    root@localhost:~# touch /ftp_guest/ftp
    root@localhost:~# vim /etc/vsftpd.conf
    anon_root=/ftp_guest

    root@localhost:~# service vsftpd restart
    vsftpd stop/waiting
    vsftpd start/running, process 4823
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): ftp
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    -rw-r--r--    1 0                     0 Aug 02 03:49 ftp
    226 Directory send OK.

    三.本地用户
    1.本地用户全局FTP根目录
    root@localhost:~# mkdir -p /ftp_admin/{leader,foo}
    root@localhost:~# vim /etc/vsftpd.conf
    root@localhost:~# useradd -M -s /bin/false leader
    root@localhost:~# echo leader:leader|chpasswd
    问题1:密码输入正确了仍然提示密码不对
    注意:ubuntu登录shell设置为/bin/false或/usr/sbin/nologin都会提示incorrect,按照rhel的模式来配置会有问题
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): leader
    331 Please specify the password.
    Password:
    530 Login incorrect.
    Login failed.
    ftp> 221 Goodbye.
    问题2:提示不能切换到家目录
    root@localhost:~# chsh -s /bin/bash leader
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): leader
    331 Please specify the password.
    Password:
    500 OOPS: cannot change directory:/home/leader
    Login failed.
    421 Service not available, remote server has closed connection
    解决办法1:修改/etc/passwd把对应家目录的栏位补全为合法的目录(实际存在的目录即可)
    root@localhost:~# usermod leader -d /ftp_admin/leader
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): leader
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/ftp_admin"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 0                  4096 Aug 02 04:03 foo
    drwxr-xr-x    2 0                  4096 Aug 02 04:03 leader
    226 Directory send OK.
    这里显示的根在/ftp_admin是因为全局配置文件中定义的根在/ftp_admin
    解决办法2:删除该用户后重新建
    root@localhost:~# userdel -r leader
    userdel: leader mail spool (/var/mail/leader) not found
    userdel: /ftp_admin/leader not owned by leader, not removing
    root@localhost:~# useradd -m -s /bin/bash leader
    root@localhost:~# echo leader:leader|chpasswd
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): leader
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/ftp_admin"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 0                  4096 Aug 02 04:03 foo
    drwxr-xr-x    2 0                  4096 Aug 02 04:03 leader
    226 Directory send OK.
     

    2.锁定所有本地用户的FTP根目录
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): leader
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/ftp_admin"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 0                  4096 Aug 02 04:03 foo
    drwxr-xr-x    2 0                  4096 Aug 02 04:24 leader
    226 Directory send OK.
    ftp> cd ..
    250 Directory successfully changed.
    ftp> pwd
    257 "/"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 0                  4096 Aug 02 01:58 bin
    drwxr-xr-x    4 0                  1024 Aug 01 19:09 boot
    drwxr-xr-x    2 0                  4096 Aug 02 01:44 ccc
    drwxr-xr-x    3 0                  4096 Aug 02 03:33 data
    drwxr-xr-x   15 0                  4020 Aug 01 20:58 dev
    drwxr-xr-x   82 0                  4096 Aug 02 04:29 etc
    drwxr-xr-x    5 0                  4096 Aug 02 04:03 ftp_admin
    drwxr-xr-x    2 0                  4096 Aug 02 03:49 ftp_guest
    drwxr-xr-x    8 0                  4096 Aug 02 04:21 home
    lrwxrwxrwx    1 0                    33 Aug 01 18:59 initrd.img -> boot/initrd.img-3.13.0-32-generic
    drwxr-xr-x   21 0                  4096 Aug 01 19:08 lib
    drwxr-xr-x    2 0                  4096 Aug 01 18:57 lib64
    drwx------    2 0                 16384 Aug 01 18:56 lost+found
    drwxr-xr-x    2 0                  4096 Jul 23  2014 media
    drwxr-xr-x    2 0                  4096 Apr 11  2014 mnt
    drwxr-xr-x    2 0                  4096 Jul 23  2014 opt
    dr-xr-xr-x  100 0                     0 Aug 01 20:58 proc
    drwx------    5 0                  4096 Aug 02 04:29 root
    drwxr-xr-x   19 0                   600 Aug 01 21:05 run
    drwxr-xr-x    2 0                  4096 Aug 01 19:10 sbin
    drwxr-xr-x    3 0                  4096 Aug 01 21:05 srv
    dr-xr-xr-x   13 0                     0 Aug 01 20:58 sys
    drwxrwxrwt    2 0                  4096 Aug 02 04:24 tmp
    drwxr-xr-x   10 0                  4096 Aug 01 18:57 usr
    drwxr-xr-x   11 0                  4096 Aug 01 18:57 var
    lrwxrwxrwx    1 0                    30 Aug 01 18:59 vmlinuz -> boot/vmlinuz-3.13.0-32-generic
    226 Directory send OK.
    注意:默认配置是允许本地合法用户切换目录的,如上,该用户直接可以看到服务器真实的根/,实在太危险。可以通过
    chroot_local_user=YES来禁用根目录跳转
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): leader
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 0                  4096 Aug 02 04:03 foo
    drwxr-xr-x    2 0                  4096 Aug 02 04:24 leader
    226 Directory send OK.
    ftp> cd ..
    250 Directory successfully changed.
    ftp> pwd
    257 "/"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 0                  4096 Aug 02 04:03 foo
    drwxr-xr-x    2 0                  4096 Aug 02 04:24 leader
    226 Directory send OK.



    3.FTP根禁锢白名单(只有指定的用户才能跳出FTP根目录)
    通过搭配能实现以下几种效果:
    ①当chroot_list_enable=YES,chroot_local_user=YES时,在/etc/vsftpd.chroot_list文件中列出的用户,可以切换到其他目录;未在文件中列出的用户,不能切换到其他目录。
    ②当chroot_list_enable=YES,chroot_local_user=NO时,在/etc/vsftpd.chroot_list文件中列出的用户,不能切换到其他目录;未在文件中列出的用户,可以切换到其他目录。
    ③当chroot_list_enable=NO,chroot_local_user=YES时,所有的用户均不能切换到其他目录。
    ④当chroot_list_enable=NO,chroot_local_user=NO时,所有的用户均可以切换到其他目录。
    这里设置如下:
    chroot_local_user=YES
    chroot_list_enable=YES
    chroot_list_file=/etc/vsftpd.chroot_list


    root@localhost:~# echo leader >>/etc/vsftpd.chroot_list
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): leader
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/ftp_admin"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 0                  4096 Aug 02 04:03 foo
    drwxr-xr-x    2 0                  4096 Aug 02 04:24 leader
    226 Directory send OK.
    ftp> cd ..
    250 Directory successfully changed.
    ftp> pwd
    257 "/"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 0                  4096 Aug 02 01:58 bin
    drwxr-xr-x    4 0                  1024 Aug 01 19:09 boot
    ... ...

    4.允许本地用户写权限
    a.配置文件加上write_enable=YES
    b.本地文件系统有写权限
    注意:(Warning! chroot'ing can be very dangerous. If using chroot, make sure that the user does not have write access to the top level directory within the chroot)
    只要本地FTP用户对配置文件中的FTP根目录有写权限,就会报500,oops错误
    所以FTP根对FTP用户来说是不能有写权限的,这样就出现了很多问题
    问题1:用户对自己的根目录没有写权限才能登录,那么就只能下载不能上传,功能缺陷,必须解决
    问题2:根目录的子目录对用户可以有写权限,可行
    配置文件的根定义为/ftp_admin
    root@localhost:~# setfacl -R -b /ftp_admin/
    root@localhost:~# useradd -m -s /bin/bash foo
    root@localhost:~# echo foo:foo|chpasswd
    root@localhost:~# chown -R foo:foo /ftp_admin/foo/
    root@localhost:~# ll -d /ftp_admin/ /ftp_admin/foo/
    drwxr-xr-x 4 root root 4096 Aug  2 04:43 /ftp_admin/
    drwxr-xr-x 2 foo foo 4096 Aug  2 04:47 /ftp_admin/foo/
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): foo
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 1006     1006         4096 Aug 02 04:47 foo
    drwxr-xr-x    2 0                  4096 Aug 02 04:24 leader
    226 Directory send OK.
    ftp> cd foo
    250 Directory successfully changed.
    ftp> put /etc/passwd
    local: /etc/passwd remote: /etc/passwd
    200 PORT command successful. Consider using PASV.
    553 Could not create file.
    注意:foo用户对/ftp_admin/foo是有写入权限的,但上面上传出错
    多番测试,发现是ftp命令的问题,换成lftp就可以正常上传,这个现象不知道大家有什么看法,期待大家的交流与回复
    root@localhost:~# lftp localhost
    lftp localhost:~> user foo
    Password:
    lftp foo@localhost:~> ls
    drwxr-xr-x    2 1006     1006         4096 Aug 02 04:47 foo
    drwxr-xr-x    2 0                  4096 Aug 02 04:24 leader
    lftp foo@localhost:/> put /etc/passwd
    put: /etc/passwd: Access failed: 553 Could not create file. (passwd)
    lftp foo@localhost:/> cd foo
    cd ok, cwd=/foo
    lftp foo@localhost:/foo> ls
    -rw-r--r--    1 1006     1006            0 Aug 02 04:47 my_name_is_foo
    lftp foo@localhost:/foo> put /etc/passwd
    1390 bytes transferred
    lftp foo@localhost:/foo> ls
    -rw-r--r--    1 1006     1006            0 Aug 02 04:47 my_name_is_foo
    -rw-------    1 1006     1006         1390 Aug 02 05:04 passwd
    如上,已经成功传输文件到/ftp_admin/foo目录,对其它没有写权限的目录是不能上传的,但能查看和下载,所以这还不够完美
    有没有一种完美解决方案,如:各用户有不同的根,能自己的根目录有全权限,但对其它人根目录没有任何权限,或者说根本看不到其它人的根目录,答案就是子配置文件加allow_writeable_chroot=YES

    5.chroot()权限问题
    root@localhost:~# ll -d /ftp_admin/
    drwxr-xr-x 5 root root 4096 Aug  2 04:03 /ftp_admin//
    root@localhost:~# setfacl -m u:leader:rwx /ftp_admin/
    root@localhost:~# getfacl /ftp_admin/
    getfacl: Removing leading '/' from absolute path names
    # file: ftp_admin/
    # owner: root
    # group: root
    user::rwx
    user:leader:rwx
    group::r-x
    mask::rwx
    other::r-x
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): leader
    331 Please specify the password.
    Password:
    500 OOPS: vsftpd: refusing to run with writable root inside chroot()
    Login failed.
    421 Service not available, remote server has closed connection
    注意:
    Ubuntu14.04/CentOS7这些比较新的发行版提供的vsftpd版本都是3.x,而从vsftpd-2.3.5之后,vsftpd增强了安全检查,如果用户被限定在local_root下,则该用户不能对自己的家目录再具有写权限!如果检查发现还有写权限,就会报该错误。
    我就纳闷了大半天,之前CentOS6相同的配置没有任何问题,到Ubuntu上就出现这个错,在网上查了好久,和selinux无办毛钱关系,就是vsftp新版本的更高安全性所致

    解决方案1:chmod a-w /home/user去除用户主目录的写权限,用户对自己的FTP根无写权限,但对根下的其它目录有全权限,对网站或共享没有实质影响,只是多进一层目录而己。
    解决方案2:在vsftpd的配置文件中增加一行allow_writeable_chroot=YES,这样对FTP根也具有写权限,实测有效,完美解决

    6.子配置文件
    user_config_dir=/etc/vsftpd_user_conf

    root@localhost:~# mkdir /etc/vsftpd_user_conf
    root@localhost:~#cat >/etc/vsftpd_user_conf/foo <<HERE
    local_root=/ftp_admin/foo
    HERE
    root@localhost:~#cat >/etc/vsftpd_user_conf/leader <<HERE
    local_root=/ftp_admin/leader
    HERE
    root@localhost:~# touch /ftp_admin/foo/my_name_is_foo
    root@localhost:~# touch /ftp_admin/foo/leader_is_me
    root@localhost:~# chown -R foo:foo /ftp_admin/foo/
    root@localhost:~# chown -R leader:leader /ftp_admin/leader/
    root@localhost:~# ll -d /ftp_admin/ /ftp_admin/foo/ /ftp_admin/leader/
    drwxr-xr-x 4 root   root   4096 Aug  2 14:53 /ftp_admin/
    drwxr-xr-x 2 foo    foo    4096 Aug  2 14:54 /ftp_admin/foo/
    drwxr-xr-x 2 leader leader 4096 Aug  2 14:54 /ftp_admin/leader/
    root@localhost:~# service vsftpd restart
    vsftpd stop/waiting
    vsftpd start/running, process 5479
    root@localhost:~# lftp localhost
    lftp localhost:~> user leader
    Password:
    lftp leader@localhost:~> put /etc/passwd
    1433 bytes transferred                        
    lftp leader@localhost:~> ls
    -rw-r--r--    1 1005     1005            0 Aug 02 14:54 leader_is_me
    -rw-------    1 1005     1005         1433 Aug 02 15:01 passwd
    lftp leader@localhost:~> cd ..
    cd ok, cwd=/ftp_admin
    lftp leader@localhost:/ftp_admin> ls
    drwxr-xr-x    2 1008     1008         4096 Aug 02 14:54 foo
    drwxr-xr-x    2 1005     1005         4096 Aug 02 15:01 leader
    lftp leader@localhost:/ftp_admin> user foo
    Password:
    lftp foo@localhost:~> put /etc/shadow
    1699 bytes transferred                        
    lftp foo@localhost:/> ls
    -rw-r--r--    1 1008     1008            0 Aug 02 14:54 my_name_is_foo
    -rw-------    1 1008     1008         1699 Aug 02 15:01 shadow
    lftp foo@localhost:/> cd ..
    lftp foo@localhost:/> ls
    -rw-r--r--    1 1008     1008            0 Aug 02 14:54 my_name_is_foo
    -rw-------    1 1008     1008         1699 Aug 02 15:01 shadow

    7.全局白名单,黑名单
    a.白名单userlist
    root@localhost:~# cat /etc/vsftpd.user_list
    foo
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): foo
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> 221 Goodbye.
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): leader
    530 Permission denied.
    Login failed.
    只有写入usrlist_file中的用户才能登录,不在列表里的用户还不等输入密码就报permission denied
    b.黑名单ftpusers
    注意:这是由PAM控制和定义的/etc/pam.d/vsftpd
    root@localhost:~# echo foo >>/etc/ftpusers
    root@localhost:~# cat /etc/ftpusers
    # /etc/ftpusers: list of users disallowed FTP access. See ftpusers(5).

    root
    daemon
    bin
    sys
    sync
    games
    man
    lp
    mail
    news
    uucp
    nobody
    foo
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): foo
    331 Please specify the password.
    Password:
    530 Login incorrect.
    Login failed.
    如上,foo用户既在白名单又在黑名单中,此时,黑名单优先,最终foo用户无法登录

    8.隐藏特定文件
    root@localhost:~# touch /ftp_admin/foo/{1..3}.{txt,mp3,png}
    root@localhost:~# ls /ftp_admin/foo/
    1.mp3  1.png  1.txt  2.mp3  2.png  2.txt  3.mp3  3.png  3.txt  my_name_is_foo  shadow
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:liujun): foo
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    -rw-r--r--    1 0                     0 Aug 02 15:14 1.mp3
    -rw-r--r--    1 0                     0 Aug 02 15:14 1.png
    -rw-r--r--    1 0                     0 Aug 02 15:14 1.txt
    -rw-r--r--    1 0                     0 Aug 02 15:14 2.mp3
    -rw-r--r--    1 0                     0 Aug 02 15:14 2.png
    -rw-r--r--    1 0                     0 Aug 02 15:14 2.txt
    -rw-r--r--    1 0                     0 Aug 02 15:14 3.mp3
    -rw-r--r--    1 0                     0 Aug 02 15:14 3.png
    -rw-r--r--    1 0                     0 Aug 02 15:14 3.txt
    -rw-r--r--    1 1008     1008            0 Aug 02 14:54 my_name_is_foo
    -rw-------    1 1008     1008         1699 Aug 02 15:01 shadow
    226 Directory send OK.
    修改配置增加一行,hide_file={*.mp3,*.mp4}
    root@localhost:~# echo 'hide_file={*.mp3,*.mp4}' >>/etc/vsftpd_user_conf/foo
    root@localhost:~# service vsftpd restart
    vsftpd stop/waiting
    vsftpd start/running, process 2245
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:liujun): foo
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    -rw-r--r--    1 0                     0 Aug 02 15:14 1.png
    -rw-r--r--    1 0                     0 Aug 02 15:14 1.txt
    -rw-r--r--    1 0                     0 Aug 02 15:14 2.png
    -rw-r--r--    1 0                     0 Aug 02 15:14 2.txt
    -rw-r--r--    1 0                     0 Aug 02 15:14 3.png
    -rw-r--r--    1 0                     0 Aug 02 15:14 3.txt
    -rw-r--r--    1 1008     1008            0 Aug 02 14:54 my_name_is_foo
    -rw-------    1 1008     1008         1699 Aug 02 15:01 shadow
    226 Directory send OK.


    四.虚拟用户
    1.新建虚拟用户列表
    格式:一行用户名,一行口令
    cat >>/tmp/vsftpd.virtual_user.txt <<HERE
    virt1
    123
    virt2
    123
    virt3
    123
    HERE
    注意:奇数行为账户名,偶数行为密码。也就是1.3.5.等行为用户名,2.4.6行为密码;
    最后一行需要回车(否则建立数据库文件时无法识别最后一行,导致报奇数行错误)。
    
    这里建了3个虚拟用户(virt1,virt2,virt3)密码统一为123,存放在/tmp/vsftpd.virtual_user.txt中
    2.生成虚拟用户数据库
    root@localhost:~# apt-get -y install db5.3-util
    root@localhost:~# db5.3_load -T -t hash -f /tmp/vsftpd.virtual_user.txt /etc/vsftpd.virtual_user.db
    root@localhost:~# file /etc/vsftpd.virtual_user.db
    /etc/vsftpd.virtual_user.db: Berkeley DB (Hash, version 9, native byte-order)
    root@localhost:~# chmod 600 /etc/vsftpd.virtual_user.db
    3.配置PAM认证
    root@localhost:~# cp -fv /etc/pam.d/vsftpd{,default}
    ‘/etc/pam.d/vsftpd’ -> ‘/etc/pam.d/vsftpddefault’
    root@localhost:~# vim /etc/pam.d/vsftpd
    最上方添加如下两行,PAM认证顺序很重要,放末尾会报Login Failed
    auth    sufficient      pam_userdb.so     db=/etc/vsftpd.virtual_user
    account sufficient   pam_userdb.so     db=/etc/vsftpd.virtual_user
    注意:db=/etc/vsftpd.virtual_user,没有.db,认证时会自动补全.db,因此前面生成的db文件一定要以.db结尾. pam_userdb.so可参照原生样例写,建议写相对路径
    centos6/7 64bit: /lib64/security/pam_userdb.so
    ubuntu14.04 64bit: /lib/x86_64-linux-gnu/security/pam_userdb.so

    4.定义虚拟用户配置文件
    a.创建虚拟用户及修改相关权限
    root@localhost:~# mkdir -p /ftp_virtual/virt{1,2,3}
    root@localhost:~# useradd -d /ftp_virtual/ -s /bin/false ftp_virtual
    提示:指定的目录即为虚拟用户将要访问的目录,宿主用户不要设定密码。不用来登陆,只用来让虚拟用户访问ftp
    root@localhost:~# chown -R ftp_virtual:ftp_virtual /ftp_virtual/
    root@localhost:~# ll -d /ftp_virtual/*
    drwxr-xr-x 2 ftp_virtual ftp_virtual 4096 Aug  2 15:49 /ftp_virtual/virt1/
    drwxr-xr-x 2 ftp_virtual ftp_virtual 4096 Aug  2 15:49 /ftp_virtual/virt2/
    drwxr-xr-x 2 ftp_virtual ftp_virtual 4096 Aug  2 15:49 /ftp_virtual/virt3/
    b.启用虚拟用户
    修改全局主配置文件,添加如下2行
    guest_enable=YES
    guest_username=ftp_virtual
    root@localhost:~# echo ftp_virtual >>/etc/vsftpd.user_list
    注意:一旦启用了虚拟用户,则原来的本地用户权限会受到影响,如原来可以写的现在会没有写权限
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:root): virt2
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 1001     1001         4096 Aug 13 00:26 virt1
    drwxr-xr-x    2 1001     1001         4096 Aug 13 00:26 virt2
    drwxr-xr-x    2 1001     1001         4096 Aug 13 00:26 virt3
    226 Directory send OK.
    ftp> cd ..
    250 Directory successfully changed.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 1001     1001         4096 Aug 13 00:26 virt1
    drwxr-xr-x    2 1001     1001         4096 Aug 13 00:26 virt2
    drwxr-xr-x    2 1001     1001         4096 Aug 13 00:26 virt3
    226 Directory send OK.
    ftp> 221 Goodbye.
    c.定义虚拟用户各自配置文件
    write_enable=YES #写权限总开关
    anon_world_readable_only=NO #开放列出文件权限
    anon_upload_enable=YES #开放上传权限
    download_enable=YES #开放下载权限
    anon_mkdir_write_enable=YES #开放创建目录的权限
    anon_other_write_enable=YES #开放删除和重命名的权限

    virt1只能上传不能下载
    cat >/etc/vsftpd_user_conf/virt1 <<HERE
    local_root=/ftp_virtual/virt1
    write_enable=YES
    anon_world_readable_only=NO
    anon_upload_enable=YES
    download_enable=NO
    anon_mkdir_write_enable=NO
    anon_other_write_enable=NO

    HERE

    root@localhost:~# lftp localhost
    lftp localhost:~> user virt1
    Password:
    lftp virt1@localhost:~> ls
    lftp virt1@localhost:/> pwd
    ftp://virt1@localhost/
    lftp virt1@localhost:/> put /etc/passwd
    1208 bytes transferred
    lftp virt1@localhost:/> ls
    -rw-------    1 1001     1001         1208 Aug 13 00:37 passwd
    lftp virt1@localhost:/> get passwd
    get: Access failed: 550 Permission denied. (passwd)
    virt2只能下载不能上传
    cat >/etc/vsftpd_user_conf/virt2 <<HERE
    local_root=/ftp_virtual/virt2
    anon_world_readable_only=NO
    anon_upload_enable=NO
    download_enable=YES
    anon_mkdir_write_enable=NO
    anon_other_write_enable=NO

    HERE

    root@localhost:~# touch /ftp_virtual/virt2/do_not_upload.txt
    root@localhost:~# ll /ftp_virtual/virt2/do_not_upload.txt
    -rw-r--r-- 1 root root 0 Aug 13 00:40 /ftp_virtual/virt2/do_not_upload.txt
    root@localhost:~# lftp localhost
    lftp localhost:~> user virt2
    Password:
    lftp virt2@localhost:~> ls
    -rw-r--r--    1 0                     0 Aug 13 00:40 do_not_upload.txt
    lftp virt2@localhost:/> put /etc/passwd
    put: /etc/passwd: Access failed: 550 Permission denied. (passwd)
    lftp virt2@localhost:/> get do_not_upload.txt
    lftp virt2@localhost:/> !ls
    do_not_upload.txt
    virt3既能上传又能下载,创建删除重全名移动目录及文件
    cat >/etc/vsftpd_user_conf/virt3 <<HERE
    local_root=/ftp_virtual/virt3
    write_enable=YES
    anon_world_readable_only=NO
    anon_upload_enable=YES
    download_enable=YES
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES

    HERE

    root@localhost:~# lftp localhost
    lftp localhost:~> user virt3
    Password:
    lftp virt3@localhost:~> put /etc/shadow
    870 bytes transferred                         
    lftp virt3@localhost:/> ls
    -rw-------    1 1001     1001          870 Aug 13 00:41 shadow
    lftp virt3@localhost:/> get shadow
    870 bytes transferred
    lftp virt3@localhost:/> !ls
    do_not_upload.txt  shadow




    其它辅助参数解释参考
    virtual_use_local_privs参数
    当virtual_use_local_privs=YES时,虚拟用户和本地用户有相同的权限;
    当virtual_use_local_privs=NO时,虚拟用户和匿名用户有相同的权限,默认是NO。
     
    当virtual_use_local_privs=YES,write_enable=YES时,虚拟用户具有写权限(上传、下载、删除、重命名)。
     
    当virtual_use_local_privs=NO,write_enable=YES,anon_world_readable_only=YES,
    anon_upload_enable=YES时,虚拟用户不能浏览目录,只能上传文件,无其他权限。
     
    当virtual_use_local_privs=NO,write_enable=YES,anon_world_readable_only=NO,
    anon_upload_enable=NO时,虚拟用户只能下载文件,无其他权限。
     
    当virtual_use_local_privs=NO,write_enable=YES,anon_world_readable_only=NO,
    anon_upload_enable=YES时,虚拟用户只能上传和下载文件,无其他权限。
     
    当virtual_use_local_privs=NO,write_enable=YES,anon_world_readable_only=NO,
    anon_mkdir_write_enable=YES时,虚拟用户只能下载文件和创建文件夹,无其他权限。
     
    当virtual_use_local_privs=NO,write_enable=YES,anon_world_readable_only=NO,
    anon_other_write_enable=YES时,虚拟用户只能下载、删除和重命名文件,无其他权限。

  • 相关阅读:
    关于xcode4.0调试出现“EXE_BAD_ACCESS”错误的处理
    UITableView 使用2
    mysql 命令行导入大的sql文件
    XCode4.0 内存监控方法
    如何在iphone app中加入google跟踪代码
    JQuery Mobile表单元素样式
    H.265编码视频播放器EasyPlayerProWIN版播放HLS协议视频流显示时间与实际不符如何修复?
    Visual Studio 2017自建WebRTC中peerconnection_client程序编译报错的解决方法
    【开发记录】TSINGSEE青犀视频开发H265播放器时销毁播放器仍不断重连地址如何修复
    TSINGSEE青犀视频云边端架构视频平台HLS视频流内m3u8文件和TS切片是什么关系?
  • 原文地址:https://www.cnblogs.com/lixuebin/p/10814358.html
Copyright © 2011-2022 走看看