I. Test platform
Debian 4.0r3
Proftpd 1.3.1 (WITH SSL)
II. How access control works
1. Inheritance
A subdirectory inherits the attributes of its parent directory.
2. Precedence
From highest to lowest precedence:
raw FTP command (LIST, DELE, etc.) > command group (DIRS, READ, WRITE) > the ALL command group
3. Order in which access control is applied
Regardless of the order in which the directives appear, Deny is applied first and Allow afterwards.
4. System permissions
Linux file-system permissions still apply. If the directory test is configured as writable in proftpd but the user only has read permission on test at the file-system level, that user still cannot write to test.
AllowUser u1
DenyAll
A note on this: according to reference 1, the order in which access control is applied should depend on the order in which the directives appear, but in my testing the order of appearance made no difference. In other words, for an access control like the one above, it makes no difference whether AllowUser u1 or DenyAll comes first.
III. Example
1. Overview
Suppose the proftpd server has 5 users:
manager, manA1, manA2, manB1, manB2
and 2 groups:
groupA, groupB
manA1 and manA2 belong to groupA; manB1 and manB2 belong to groupB.
The directory structure is as follows:
/ (root directory)
│
├ftproot/
│ ├manager/
│ │
│ ├groupA/
│ │ ├A1/
│ │ ├A2/
│ │ └.../
│ │
│ ├groupB/
│ │ ├B1/
│ │ ├B2/
│ │ └.../
│
└.../
The permissions to implement:
1. User manager can read and write the manager, groupA and groupB directories and their subdirectories.
2. manA1 can read and write the A1 directory, and can read and write all subdirectories of groupB.
3. manA2 can read and write the A2 directory, and can read and write all subdirectories of groupB.
4. manB1 can read and write the B1 directory.
5. manB2 can read and write the B2 directory.
6. If a user has no access to a directory, that user cannot see the directory.
7. Only the manager user and the members of groupA and groupB may access the FTP server.
8. Nobody is allowed to damage the main directory structure.
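To make rules II.1 to II.3 concrete against the requirements just listed, here is an added Python model; it is not ProFTPD's own code, its command groups are a subset of ProFTPD's, rule II.4 (file-system permissions) is not modelled, and the LIMITS it builds are constructed from the requirements list rather than taken from this page's configuration.

```python
# Added model (not ProFTPD's own code) of the rules above: inheritance,
# precedence, deny-then-allow. GROUPS is a subset of ProFTPD's command groups.
from dataclasses import dataclass, field

GROUPS = {"READ": {"RETR", "SIZE", "STAT"},
          "WRITE": {"APPE", "DELE", "MKD", "RMD", "RNTO", "STOR"},
          "DIRS": {"CDUP", "CWD", "LIST", "MLSD", "NLST", "PWD"}}

@dataclass
class Limit:
    directory: str                 # the <Directory> this <Limit> lives in
    what: str                      # raw command, group name, or "ALL"
    allow_users: set = field(default_factory=set)
    allow_groups: set = field(default_factory=set)
    deny_all: bool = False

    def rank(self, cmd):           # rule 2: raw command > group > ALL
        if self.what == cmd:
            return 3
        if cmd in GROUPS.get(self.what, ()):
            return 2
        return 1 if self.what == "ALL" else 0

def allowed(limits, user, groups, cmd, path):
    d = path
    while True:                    # rule 1: subdirectories inherit parents
        here = [l for l in limits if l.directory == d and l.rank(cmd)]
        if here:
            best = max(here, key=lambda l: l.rank(cmd))
            ok = not best.deny_all     # rule 3: Deny first...
            if user in best.allow_users or groups & best.allow_groups:
                ok = True              # ...then Allow, whatever the order
            return ok
        if d == "/":
            return True            # no Limit anywhere: the command is permitted
        d = d.rsplit("/", 1)[0] or "/"

# Limits constructed from requirements 1-8 (assumed, not the page's configuration)
LIMITS = [
    Limit("/ftproot", "DIRS", {"manager"}, {"groupA", "groupB"}, True),
    Limit("/ftproot", "ALL", {"manager"}, deny_all=True),
    Limit("/ftproot/groupA", "DIRS", {"manager"}, {"groupA"}, True),
    Limit("/ftproot/groupA/A1", "ALL", {"manager", "manA1"}, deny_all=True),
    Limit("/ftproot/groupA/A2", "ALL", {"manager", "manA2"}, deny_all=True),
    Limit("/ftproot/groupB", "DIRS", {"manager"}, {"groupA", "groupB"}, True),
    Limit("/ftproot/groupB/B1", "ALL", {"manager", "manB1"}, {"groupA"}, True),
    Limit("/ftproot/groupB/B1", "DELE", {"manager"}, deny_all=True),
    Limit("/ftproot/groupB/B2", "ALL", {"manager", "manB2"}, {"groupA"}, True),
]
```

The extra DELE limit on B1 shows rule II.2: manB1 may STOR into B1 through the ALL limit, but the more specific raw-command limit wins for DELE, while an MKD in /ftproot/groupA falls through the DIRS limit and inherits the deny from /ftproot (rule II.1).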
2. Implementation
(1) Add the users and groups
useradd manager
passwd manager
groupadd groupA
groupadd groupB
useradd manA1
passwd manA1
usermod -G groupA manA1
useradd manA2
passwd manA2
usermod -G groupA manA2
useradd manB1
passwd manB1
usermod -G groupB manB1
useradd manB2
passwd manB2
usermod -G groupB manB2
(2) Configuration file. Note that Umask is set to 000 below, although the retained comment recommends 022 so that new files and directories are not group- and world-writable.
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "Formax BPO FTP Server"
ServerType standalone
DefaultServer on
# Port 21 is the standard FTP port.
Port 21
UseReverseDNS off
IdentLookups off
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 000
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30
# Set the user and group under which the server will run.
User nobody
Group nogroup
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
# DefaultRoot ~
DefaultRoot /ftproot
# Normally, we want files to be overwriteable.
AllowOverwrite on
AllowStoreRestart on
ServerIdent off
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/ftpd/tls.log
TLSProtocol SSLv23
# Are clients required to use FTP over TLS when talking to this server?
TLSRequired on
# Server's certificate
TLSRSACertificateFile /etc/proftpd.cert
TLSRSACertificateKeyFile /etc/proftpd.key
# CA the server trusts
TLSCACertificateFile /etc/proftpd.cert
# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
TLSOptions NoCertRequest
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotiations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
TLSRenegotiate required off
</IfModule>
# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
DenyAll
</Limit>
DenyAll
AllowUser manager
AllowGroup groupA
DenyAll
AllowGroup groupB
DenyAll
AllowUser manager
AllowUser manager
AllowGroup groupA
DenyAll
AllowUser manager
AllowUser manA2
DenyAll
AllowUser manager
AllowUser manA1
DenyAll
AllowUser manager
AllowGroup groupA
AllowGroup groupB
DenyAll
AllowUser manager
AllowUser manB1
AllowGroup groupA
DenyAll
AllowUser manager
AllowUser manB2
AllowGroup groupA
References:
1. http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-Limit.html
2. http://www.castaglia.org/proftpd/
3. http://www.proftpd.org/