Giving individual users different access rights on an FTP server through per-user vsftpd configuration

1. vsftpd deployment platform

Operating system version: Red Hat 5.8, 64-bit

Kernel version: Linux gctest1 2.6.18-308.el5 #1 SMP Fri Jan 27 17:17:51 EST 2012 x86_64 x86_64 x86_64 GNU/Linux (output of uname -a)

2. vsftpd deployment steps

1) Install the packages with yum, then verify that the packages are present

[root@gctest1 ~]# yum -y install vsftpd db4 db4-devel db4-utils

[root@gctest1 ~]# rpm -qa | grep vsftpd

vsftpd-2.0.5-24.el5

[root@gctest1 ~]# rpm -qa | grep db4

db4-4.3.29-10.el5_5.2

db4-devel-4.3.29-10.el5_5.2

db4-utils-4.3.29-10.el5_5.2

db4-devel-4.3.29-10.el5_5.2

2) Create a file ftplogins.txt listing the accounts that may log in to the FTP server: odd lines hold usernames, even lines the matching passwords. For example:

vi /home/ftplogins.txt

zhouhongli

zhl***

vsftpd

123456

3) Build the database file and restrict its permissions

[root@gctest1 ~]# db_load -T -t hash -f /home/ftplogins.txt /etc/vsftpd_login.db    (run this command again every time a user is added)

[root@gctest1 ~]# chmod 600 /etc/vsftpd_login.db

4) Create the PAM authentication file

[root@gctest1 ~]# vi /etc/pam.d/vsftpd    comment out everything in the file and replace it with the following two lines

auth required pam_userdb.so db=/etc/vsftpd_login

account required pam_userdb.so db=/etc/vsftpd_login

5) Create the local account that the virtual users are mapped to, giving it a non-login shell: the account cannot log in to the system and is used only for FTP access.

[root@gctest1 ~]# useradd -d /home/vsftpd -s /sbin/nologin vsftpd

[root@gctest1 ~]# ls -ld /home/vsftpd/

drwx------ 2 vsftpd vsftpd 4096 May 20 11:38 /home/vsftpd
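
As an added example (not part of the original post, and not vsftpd's or db4's own tooling), the following POSIX shell script checks that the ftplogins.txt pair file from steps 2 and 3 is well formed before it is handed to db_load, then rebuilds the database with the same db_load invocation and mode 600 used above. The file paths passed in and the minimum password length are assumptions of this example. The check matters because db_load pairs lines purely by position: one stray blank line shifts every later user onto the wrong password, and a duplicate username silently overwrites the earlier entry.

```shell
#!/bin/sh
# Added example (not from the original post): validate the ftplogins.txt
# pair file before db_load consumes it, then build the Berkeley DB the
# post's way. Paths passed in are assumptions; adjust for your host.

# check_ftplogins FILE
# Returns 0 when FILE is a well-formed list of username/password pairs:
# an even number of non-empty lines, usernames made of [A-Za-z0-9._-],
# no duplicate usernames, passwords of at least 6 characters (assumed
# minimum). Prints one message per problem found.
check_ftplogins() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file"; return 1; }
    rc=0
    n=0
    seen=""
    # '|| [ -n "$line" ]' keeps a final line that lacks a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if [ -z "$line" ]; then
            # db_load pairs lines positionally, so a blank line shifts every
            # later user onto the wrong password
            echo "line $n: empty line breaks user/password pairing"
            rc=1
            continue
        fi
        if [ $((n % 2)) -eq 1 ]; then
            # odd line: username
            case "$line" in
                *[!A-Za-z0-9._-]*) echo "line $n: bad username '$line'"; rc=1 ;;
            esac
            case " $seen " in
                *" $line "*) echo "line $n: duplicate username '$line'"; rc=1 ;;
            esac
            seen="$seen $line"
        else
            # even line: password
            if [ ${#line} -lt 6 ]; then
                echo "line $n: password shorter than 6 characters"
                rc=1
            fi
        fi
    done < "$file"
    if [ $((n % 2)) -ne 0 ]; then
        echo "odd number of lines ($n): the last user has no password"
        rc=1
    fi
    return $rc
}

# build_login_db FILE DBPATH
# Rebuilds DBPATH from FILE with the post's db_load options and restricts
# it to root, because it stores the passwords in clear text.
build_login_db() {
    file=$1
    db=$2
    check_ftplogins "$file" || return 1
    if ! command -v db_load >/dev/null 2>&1; then
        echo "db_load not found: install the db4-utils package"
        return 2
    fi
    db_load -T -t hash -f "$file" "$db" || return 3
    chmod 600 "$db"
}

# Demo on a constructed pair file (not real credentials)
demo=$(mktemp)
printf '%s\n' zhouhongli 'zhl***' vsftpd 123456 > "$demo"
if check_ftplogins "$demo"; then
    echo "$demo: well formed, safe to pass to db_load"
fi
rm -f "$demo"
```

On the server itself the call would be `build_login_db /home/ftplogins.txt /etc/vsftpd_login.db`, run as root after every edit of the pair file, which replaces the two manual commands in step 3.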

3. vsftpd configuration explained

Global settings:

anonymous_enable=NO           deny anonymous access

local_enable=YES              allow local users to log in

write_enable=NO               deny uploads by local users

local_umask=022               set the umask for files created by local users to 022 (the default is 077); files uploaded by local users then get the permissions -rw-r--r--

dirmessage_enable=YES         show the contents of the hidden .message file when a user enters a directory

xferlog_enable=YES            enable the upload/download log

connect_from_port_20=YES      make active-mode (PORT) data connections originate from port 20

xferlog_file=/var/log/vsftpd.log   the upload/download log file

xferlog_std_format=YES        write the log in standard xferlog format

idle_session_timeout=60       how long (in seconds) a client's control connection may sit idle, without any command, before it is closed

data_connection_timeout=120   how long (in seconds) a data transfer may stall before the data connection is closed

connect_timeout=60            how long (in seconds) to wait for the client to respond to an active-mode data connection before giving up, so that the slot is freed for other clients

max_clients=100               maximum number of concurrent client connections to the server

max_per_ip=3                  maximum number of connections from a single client address: 3

ftpd_banner=Welcome to WXXR FTP service.   greeting shown after connecting to the server

listen=YES                    run in standalone mode

listen_port=21                port the FTP service listens on; the default is 21

anon_upload_enable=NO         deny uploads by anonymous users

anon_mkdir_write_enable=NO    deny directory creation by anonymous users

anon_other_write_enable=NO    deny anonymous users modifying, renaming or deleting files and directories

chroot_local_user=YES         confine (chroot) every local account to its home directory: after login the user can only move below the home directory and cannot cd above it

guest_enable=YES              enable virtual (guest) users

guest_username=vsftpd         the local account that virtual users are mapped to

user_config_dir=/etc/vsftpd_user_conf   directory holding the per-user settings for virtual users; it must be created by hand and contains one file per user, named after the user

pam_service_name=vsftpd       name of the PAM service configuration file, which lives in /etc/pam.d

tcp_wrappers=YES              use tcp_wrappers for host-based access control

#listen_address=192.168.0.2   bind to one IP address; the service is not reachable on the others

#listen_port=2121             bind to a specific port

#ftp_data_port=2020           data transfer port

#anon_max_rate=51200          transfer rate limit for anonymous users (bytes per second)

#local_max_rate=5120000       transfer rate limit for local users (bytes per second)

Per-user settings:

local_root=/vsftpdir/zhouhongli   working directory of the virtual user; create it if it does not exist and set its owner and group to vsftpd

write_enable=YES              allow this user to upload and download

anon_world_readable_only=NO   allow the virtual user to download

anon_upload_enable=YES        allow the virtual user to upload

anon_mkdir_write_enable=YES   allow the virtual user to create directories and upload files into them

anon_other_write_enable=YES   allow the virtual user to modify, delete and rename files and directories

4. Appendix: the vsftpd.conf configuration file

[root@gctest1 ~]# vi /etc/vsftpd/vsftpd.conf

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=NO
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=60
#
# You may change the default value for timing out a data connection.
data_connection_timeout=120
connect_timeout=60
max_clients=100
max_per_ip=3
anon_max_rate=30000
local_max_rate=30000
#listen_address=192.168.2.11
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to WXXR FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
listen_port=21
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
guest_enable=YES
guest_username=vsftpd
#virtual_use_local_privs=YES
pam_service_name=vsftpd
#userlist_enable=YES
tcp_wrappers=YES
#pasv_enable=YES
#pasv_min_port=30000
#pasv_max_port=30999
#user can upload and download
user_config_dir=/etc/vsftpd_user_conf
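
The following audit script is an added example, not from the original post: it reads a vsftpd.conf the way vsftpd does (comment lines ignored, the last assignment of a key wins) and reports any of the settings this post depends on that are missing or changed: anonymous access and anonymous writes off, every user chrooted, guest mode on with guest_username, user_config_dir and pam_service_name set, writes off globally so that only the per-user files grant them, and user_config_dir not world-writable, since the files in it override the global settings. The config path is an argument; the demo at the end writes a constructed copy of the post's settings to a temporary file.

```shell
#!/bin/sh
# Added example (not from the original post): audit a vsftpd.conf for the
# settings this post relies on. The expected values are the post's choices,
# not vsftpd's compiled-in defaults.

# conf_get FILE KEY
# Prints the effective value of KEY: comment lines are ignored and the last
# assignment wins, which is how vsftpd reads the file. Prints nothing if unset.
conf_get() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep "^[[:space:]]*$2=" \
        | tail -n 1 \
        | sed 's/^[^=]*=//'
}

# audit_vsftpd_conf FILE
# Prints one FAIL line per mismatch and returns the number of failures.
audit_vsftpd_conf() {
    conf=$1
    fails=0
    # fixed-value checks: anonymous access and anonymous writes off, all
    # users chrooted, guest (virtual user) mode on, writes off globally so
    # only per-user files grant them, transfer log on
    for want in anonymous_enable=NO anon_upload_enable=NO \
                anon_mkdir_write_enable=NO anon_other_write_enable=NO \
                chroot_local_user=YES guest_enable=YES \
                write_enable=NO xferlog_enable=YES; do
        key=${want%%=*}
        exp=${want#*=}
        got=$(conf_get "$conf" "$key")
        if [ "$got" != "$exp" ]; then
            echo "FAIL: $key is '${got:-unset}', expected $exp"
            fails=$((fails + 1))
        fi
    done
    # keys that must be present for virtual users to work at all
    for key in guest_username user_config_dir pam_service_name; do
        if [ -z "$(conf_get "$conf" "$key")" ]; then
            echo "FAIL: $key is not set"
            fails=$((fails + 1))
        fi
    done
    # per-user files override the global settings, so the directory holding
    # them must not be writable by everyone (checked only if it exists)
    dir=$(conf_get "$conf" user_config_dir)
    if [ -n "$dir" ] && [ -d "$dir" ]; then
        case "$(stat -c %a "$dir" 2>/dev/null)" in
            *[2367]) echo "FAIL: $dir is world-writable"; fails=$((fails + 1)) ;;
        esac
    fi
    return $fails
}

# Demo on a constructed config (a cut-down copy of the post's settings)
demo=$(mktemp)
cat > "$demo" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
xferlog_enable=YES
chroot_local_user=YES
guest_enable=YES
guest_username=vsftpd
pam_service_name=vsftpd
user_config_dir=/etc/vsftpd_user_conf
EOF
if audit_vsftpd_conf "$demo"; then
    echo "$demo: all checks passed"
fi
rm -f "$demo"
```

Run as `audit_vsftpd_conf /etc/vsftpd/vsftpd.conf` before every `service vsftpd start` (or restart); a non-zero return means at least one of the post's safeguards has drifted, and the FAIL lines name which.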


Permission settings for user zhouhongli

[root@gctest1 ~]# vi /etc/vsftpd_user_conf/zhouhongli

local_root=/vsftpdir/zhouhongli    the user's home directory

write_enable=YES

anon_world_readable_only=NO

anon_upload_enable=YES

anon_mkdir_write_enable=YES

anon_other_write_enable=YES
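
To keep the per-user grants described in section 3 and the zhouhongli file above consistent across many users, here is an added example (not the post's own code) of a shell function that generates a user_config_dir file from a named profile: "ro" for download only, or "rw" for the full set of write switches the post enables for zhouhongli. The profile names, the base-directory argument and the username check are assumptions of this example; the keys written are exactly the ones the post uses. A second helper creates the local_root and, when run as root, hands it to the guest account as section 3 requires.

```shell
#!/bin/sh
# Added example (not from the original post): generate the per-user file
# that vsftpd reads from user_config_dir, from a named permission profile,
# so each virtual user's grant is explicit and easy to review. The profile
# names, the base directory argument and the username check are assumptions
# of this example; the keys written are the ones the post uses.

# write_user_conf CONFDIR USER PROFILE ROOTBASE
#   PROFILE "ro": download only.  PROFILE "rw": upload, mkdir, rename, delete.
#   local_root becomes ROOTBASE/USER. Prints the path of the written file.
write_user_conf() {
    confdir=$1
    user=$2
    profile=$3
    rootbase=$4
    # the username is used as a file name and a path component, so reject
    # anything that could escape the directory
    case "$user" in
        '' | *[!A-Za-z0-9._-]* | . | ..) echo "bad username: '$user'" >&2; return 1 ;;
    esac
    case "$profile" in
        ro) w=NO ;;
        rw) w=YES ;;
        *) echo "unknown profile: '$profile'" >&2; return 1 ;;
    esac
    mkdir -p "$confdir" || return 1
    out=$confdir/$user
    {
        echo "# generated by write_user_conf, profile=$profile"
        echo "local_root=$rootbase/$user"
        # for guest (virtual) users vsftpd applies the anon_* switches
        echo "anon_world_readable_only=NO"
        echo "write_enable=$w"
        echo "anon_upload_enable=$w"
        echo "anon_mkdir_write_enable=$w"
        echo "anon_other_write_enable=$w"
    } > "$out" || return 1
    echo "$out"
}

# user_can_write CONFFILE -> 0 if the file grants uploads
user_can_write() {
    grep -q '^anon_upload_enable=YES$' "$1"
}

# prepare_local_root CONFFILE OWNER
#   Creates the local_root named in CONFFILE and, when run as root and the
#   account exists, gives it to OWNER (the guest_username account).
prepare_local_root() {
    root=$(sed -n 's/^local_root=//p' "$1")
    [ -n "$root" ] || return 1
    mkdir -p "$root" || return 1
    if [ "$(id -u)" -eq 0 ] && id "$2" >/dev/null 2>&1; then
        chown "$2:$2" "$root"
    else
        echo "skipping chown $2:$2 $root (not root, or no such account)" >&2
    fi
}

# Demo in a temporary tree (paths are constructed, not the post's /etc ones)
base=$(mktemp -d)
f=$(write_user_conf "$base/vsftpd_user_conf" zhouhongli rw "$base/vsftpdir")
prepare_local_root "$f" vsftpd
cat "$f"
rm -rf "$base"
```

On the server the equivalent of the file shown above is `write_user_conf /etc/vsftpd_user_conf zhouhongli rw /vsftpdir` followed by `prepare_local_root /etc/vsftpd_user_conf/zhouhongli vsftpd`, both run as root.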

5. Start the service and enable it at boot

[root@gctest1 ~]# service vsftpd start

[root@gctest1 ~]# chkconfig vsftpd on

[root@gctest1 ~]# chkconfig --list vsftpd

vsftpd          0:off   1:off  2:on    3:on    4:on   5:on    6:off

6. Notes

Parameters of the db_load command

db_load -T -t hash -f /home/ftplogins.txt /etc/vsftpd_login.db

Parameters:

usage: db_load [-nTV] [-c name=value] [-f file]
       [-h home] [-P password] [-t btree | hash | recno | queue] db_file
usage: db_load -r lsn | fileid [-h home] [-P password] db_file

The db_load command requires the db4-utils package; on RHEL 4.5 this package is on the third VCD.

The db_load options relevant here:

-T

The -T option allows non-Berkeley DB applications to easily load text files into databases.

If the database to be created is of type Btree or Hash, or the keyword keys is specified as set, the input must be paired lines of text, where the first line of the pair is the key item, and the second line of the pair is its corresponding data item. If the database to be created is of type Queue or Recno and the keyword keys is not set, the input must be lines of text, where each line is a new data item for the database.

The -T option lets an application translate a text file and load it into a database. Because the virtual users' information is kept in a plain text file, this option is required so that the user data vsftpd authenticates against can be loaded from that text.

If the -T option is specified, the underlying access method type must be specified using the -t option.

If -T is given, the -t sub-option must follow it.

-t

Specify the underlying access method. If no -t option is specified, the database will be loaded into a database of the same type as was dumped; for example, a Hash database will be created if a Hash database was dumped.

Btree and Hash databases may be converted from one to the other. Queue and Recno databases may be converted from one to the other. If the -k option was specified on the call to db_dump then Queue and Recno databases may be converted to Btree or Hash, with the key being the integer record number.

The -t sub-option, appended after -T, specifies the type of database the text is loaded into. For completeness, the types -t accepts are Btree, Hash, Queue and Recno.

-f

Takes the text file containing the usernames and passwords. Its contents are: usernames on odd lines, passwords on even lines, for example:

zhouhongli

zhl***

vsftpd

123456