1、每位员工有自己的独立根目录
2、在自己目录下可见技术部公共目录jsb_public(可写)、公司公共目录public(只读)
3、在自己目录下有独立的日志(工作日报)目录,可写、可删除权限,但目录本身员工不可删除
4、禁锢虚拟用户的主目录,同时禁止访问除主目录之外的目录
5、开启日志,记录登录、上传、下载、删除信息
公司公共目录: /data/ftp/public
技术部公共目录: /data/ftp/jsb/jsb_public
员工个人独立目录: /data/ftp/jsb/xiaoliu、 /data/ftp/jsb/xiaowang
员工日志目录: /data/ftp/jsb/rz/xiaoliu、 /data/ftp/jsb/rz/xiaowang
注:
以上所有目录都授权给ftpuser系统用户,此用户不可登录操作系统(-s /sbin/nologin)。
另需注意:FTP协议明文传输账号、口令和文件内容,且本文的虚拟用户口令以明文写在vfuser.txt中。如服务不只在可信内网使用,应在vsftpd中启用TLS(ssl_enable=YES并配置证书),并为每个虚拟用户设置强口令。
[root@localhost ~]# yum install pam* libdb-utils vsftpd* --skip-broken -y
[root@localhost ~]# rpm -qa |grep vsftpd
vsftpd-sysvinit-3.0.2-27.el7.x86_64
vsftpd-3.0.2-27.el7.x86_64
配置虚拟用户和密码:文件格式为一行用户名、紧接一行密码,多个用户依次追加即可。下例中xiaoliu、xiaowang为虚拟用户名,123456仅为演示用口令,生产环境务必换成强口令:
[root@localhost ~]# vim /etc/vsftpd/vfuser.txt
[root@localhost ~]# vim /etc/vsftpd/vfuser.txt
xiaoliu
123456
xiaowang
123456
[root@localhost ~]# db_load -T -t hash -f /etc/vsftpd/vfuser.txt /etc/vsftpd/vsftpd_login.db
[root@localhost ~]# chmod 600 /etc/vsftpd/vsftpd_login.db
[root@localhost ~]# chmod 600 /etc/vsftpd/vfuser.txt
生成数据库后,明文口令文件vfuser.txt仍留在磁盘上,默认权限644、任何本地用户都能读到,必须收紧为600(或在确认登录正常后直接删除)。数据库文件只被root读取,600即可,不需要执行位。
配置PAM认证文件(vsftpd通过它读取上面的DB数据库完成认证):vim /etc/pam.d/vsftpd,删除默认内容,加入如下两行。注意pam_userdb默认按明文比较口令(crypt=none);若不希望数据库中保存明文,可在vfuser.txt的密码行写入crypt(3)格式的哈希(例如`$6$`开头的SHA-512,可用Python的crypt.crypt生成),并在下面两行末尾追加`crypt=crypt`。
[root@localhost ~]# vim /etc/pam.d/vsftpd
auth required pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required pam_userdb.so db=/etc/vsftpd/vsftpd_login
~
所有vsftpd虚拟用户需要映射到一个系统用户,该系统用户不需要密码,也不需要登录,主要用于虚拟用户映射使用,创建命令见下:
[root@localhost ~]# useradd -s /sbin/nologin ftpuser
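# Disable anonymous logins; only the PAM/virtual users configured below may log in.
anonymous_enable=NO
# Confine every user to its local_root (chroot).
chroot_local_user=YES
# Exception list: users named in chroot_list_file are NOT chrooted.
# NOTE(review): vsftpd refuses logins when this file does not exist, and this
# guide never creates it -- run: touch /etc/vsftpd/chroot_list (empty is fine).
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
# Required because each employee's chroot root is itself writable; vsftpd
# otherwise refuses to run inside a writable chroot root. A root owned by
# root with uploads confined to subdirectories would be the safer layout if
# the requirements allow it.
allow_writeable_chroot=YES
pasv_enable=YES
# Passive-mode data ports 4000-5000 (open the same range in the firewall).
pasv_min_port=4000
pasv_max_port=5000
local_enable=YES
write_enable=YES
local_umask=022
# Log timestamps in local time instead of UTC.
use_localtime=YES
dirmessage_enable=YES
# Logging: dual_log_enable writes both the wu-ftpd style xferlog (uploads and
# downloads) and vsftpd.log; log_ftp_protocol records every FTP command and
# response, so logins, uploads, downloads and deletes all appear in vsftpd.log.
dual_log_enable=YES
xferlog_enable=YES
log_ftp_protocol=YES
xferlog_std_format=YES
reverse_lookup_enable=NO
connect_from_port_20=YES
listen=NO
listen_ipv6=YES
# Deny the accounts listed in /etc/vsftpd/user_list (userlist_deny defaults to YES).
userlist_enable=YES
# Honour /etc/hosts.allow and /etc/hosts.deny.
tcp_wrappers=YES
# ----- virtual user settings -----
# PAM service name: /etc/pam.d/vsftpd (pam_userdb against vsftpd_login.db).
pam_service_name=vsftpd
guest_enable=YES
# Every virtual user runs as this system account on disk.
guest_username=ftpuser
# Per-user override files, one file named after each virtual user.
user_config_dir=/etc/vsftpd/vsftpd_user_conf
# Give virtual users the privileges of local users, so write_enable/local_umask
# govern them (rather than the more restrictive anon_* permission set).
virtual_use_local_privs=YES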
[root@localhost ~]# mkdir -p /etc/vsftpd/vsftpd_user_conf
[root@localhost ~]# cd /etc/vsftpd/vsftpd_user_conf
[root@localhost vsftpd_user_conf]#
[root@localhost vsftpd_user_conf]# vim /etc/vsftpd/vsftpd_user_conf/xiaoliu
# Home directory (chroot root) of virtual user xiaoliu.
local_root=/data/ftp/jsb/xiaoliu
# Allow write operations for this user.
write_enable=YES
# NOTE(review): the anon_* directives below belong to the anonymous/guest
# permission model. With virtual_use_local_privs=YES in vsftpd.conf the virtual
# user is governed by the local-user settings (write_enable above), so these
# lines are presumably redundant here -- confirm before relying on them.
# Only world-readable files may be downloaded.
anon_world_readable_only=YES
# Allow file uploads (only effective together with write_enable=YES).
anon_upload_enable=YES
# Allow directory creation (only effective together with write_enable=YES).
anon_mkdir_write_enable=YES
# Allow other write operations such as delete and rename.
anon_other_write_enable=YES
[root@localhost vsftpd_user_conf]# vim /etc/vsftpd/vsftpd_user_conf/xiaowang
# Home directory (chroot root) of virtual user xiaowang.
local_root=/data/ftp/jsb/xiaowang
# Allow write operations for this user.
write_enable=YES
# NOTE(review): the anon_* directives below belong to the anonymous/guest
# permission model. With virtual_use_local_privs=YES in vsftpd.conf the virtual
# user is governed by the local-user settings (write_enable above), so these
# lines are presumably redundant here -- confirm before relying on them.
# Only world-readable files may be downloaded.
anon_world_readable_only=YES
# Allow file uploads (only effective together with write_enable=YES).
anon_upload_enable=YES
# Allow directory creation (only effective together with write_enable=YES).
anon_mkdir_write_enable=YES
# Allow other write operations such as delete and rename.
anon_other_write_enable=YES
[root@localhost ~]# mkdir -p /data/ftp/public            # 公司公共目录
[root@localhost ~]# mkdir -p /data/ftp/jsb/jsb_public    # 技术部公共目录
[root@localhost ~]# mkdir -p /data/ftp/jsb/xiaoliu       # 个人目录
[root@localhost ~]# mkdir -p /data/ftp/jsb/xiaowang      # 个人目录
[root@localhost ~]# mkdir -p /data/ftp/jsb/rz/xiaoliu    # 日志目录
[root@localhost ~]# mkdir -p /data/ftp/jsb/rz/xiaowang   # 日志目录
[root@localhost ~]# chown -R ftpuser:ftpuser /data/ftp/  # 目录授权
[root@localhost ~]# chown -R root:root /data/ftp/public  # 公司公共目录由管理员维护,文件系统层面对ftpuser只读
[root@localhost ~]# chmod -R u=rwX,go=rX /data/ftp/public
注意:说明文字必须放在`#`之后,直接跟在命令后面会被当成第二个参数,在当前目录额外创建一个以说明文字命名的目录。公司公共目录的"只读"不应只依赖bind mount的ro选项,把它的属主改回root后,即使挂载选项出错,ftpuser也无法写入,作为第二道防线。
先在每个员工的个人根目录下创建挂载点目录:public、jsb_public,以及与用户同名的日志目录(xiaoliu、xiaowang)
[root@localhost ~]# mkdir -p /data/ftp/jsb/xiaoliu/public
[root@localhost ~]# mkdir -p /data/ftp/jsb/xiaoliu/jsb_public
[root@localhost ~]# mkdir -p /data/ftp/jsb/xiaoliu/xiaoliu
[root@localhost ~]#
[root@localhost ~]# mkdir -p /data/ftp/jsb/xiaowang/public
[root@localhost ~]# mkdir -p /data/ftp/jsb/xiaowang/jsb_public
[root@localhost ~]# mkdir -p /data/ftp/jsb/xiaowang/xiaowang
使用mount -B(bind mount)把公共目录、日志目录挂到个人根目录下:公司公共目录挂为只读,其余挂为可写
因为1个虚拟用户只能配置1个local_root,故需要通过mount -B来实现目录共享
注意:较老的mount(8)(util-linux 2.27之前,CentOS 7自带的是2.23)在bind时会忽略-o ro,挂载后公共目录仍然可写;需要再做一次remount才真正只读,并用findmnt确认OPTIONS中带有ro:
[root@localhost ~]# mount -B /data/ftp/public /data/ftp/jsb/xiaoliu/public/
[root@localhost ~]# mount -o remount,bind,ro /data/ftp/jsb/xiaoliu/public/
[root@localhost ~]# mount -B /data/ftp/public /data/ftp/jsb/xiaowang/public/
[root@localhost ~]# mount -o remount,bind,ro /data/ftp/jsb/xiaowang/public/
[root@localhost ~]# findmnt -o TARGET,OPTIONS /data/ftp/jsb/xiaoliu/public/ /data/ftp/jsb/xiaowang/public/
[root@localhost ~]# mount -B -o rw /data/ftp/jsb/jsb_public /data/ftp/jsb/xiaoliu/jsb_public/
[root@localhost ~]# mount -B -o rw /data/ftp/jsb/jsb_public /data/ftp/jsb/xiaowang/jsb_public/
[root@localhost ~]# mount -B -o rw /data/ftp/jsb/rz/xiaoliu /data/ftp/jsb/xiaoliu/xiaoliu/
[root@localhost ~]# mount -B -o rw /data/ftp/jsb/rz/xiaowang /data/ftp/jsb/xiaowang/xiaowang/
[root@localhost ~]# /etc/init.d/vsftpd restart
Restarting vsftpd (via systemctl): [ OK ]
上传日志
Thu Jul 23 17:43:48 2020 [pid 11173] [xiaoliu] FTP command: Client "::ffff:192.168.1.103", "TYPE I"
Thu Jul 23 17:43:48 2020 [pid 11173] [xiaoliu] FTP response: Client "::ffff:192.168.1.103", "200 Switching to Binary mode."
Thu Jul 23 17:43:48 2020 [pid 11173] [xiaoliu] FTP command: Client "::ffff:192.168.1.103", "SIZE TRC01.xls"
Thu Jul 23 17:43:48 2020 [pid 11173] [xiaoliu] FTP response: Client "::ffff:192.168.1.103", "550 Could not get file size."
Thu Jul 23 17:43:48 2020 [pid 11173] [xiaoliu] FTP command: Client "::ffff:192.168.1.103", "PASV"
Thu Jul 23 17:43:48 2020 [pid 11173] [xiaoliu] FTP response: Client "::ffff:192.168.1.103", "227 Entering Passive Mode (192,168,1,112,15,167)."
Thu Jul 23 17:43:48 2020 [pid 11173] [xiaoliu] FTP command: Client "::ffff:192.168.1.103", "STOR TRC01.xls"
Thu Jul 23 17:43:48 2020 [pid 11173] [xiaoliu] FTP response: Client "::ffff:192.168.1.103", "150 Ok to send data."
Thu Jul 23 17:43:48 2020 [pid 11173] [xiaoliu] OK UPLOAD: Client "::ffff:192.168.1.103", "/jsb_public/TRC01.xls", 24576 bytes, 1594.68Kbyte/sec
Thu Jul 23 17:43:48 2020 [pid 11173] [xiaoliu] FTP response: Client "::ffff:192.168.1.103", "226 Transfer complete."
Thu Jul 23 17:43:48 2020 [pid 11173] [xiaoliu] FTP command: Client "::ffff:192.168.1.103", "MDTM 20191208063908 TRC01.xls"
Thu Jul 23 17:43:48 2020 [pid 11173] [xiaoliu] FTP response: Client "::ffff:192.168.1.103", "213 File modification time set."
Thu Jul 23 17:43:48 2020 [pid 11173] [xiaoliu] FTP command: Client "::ffff:192.168.1.103", "TYPE A"
Thu Jul 23 17:43:48 2020 [pid 11173] [xiaoliu] FTP response: Client "::ffff:192.168.1.103", "200 Switching to ASCII mode."
Thu Jul 23 17:43:48 2020 [pid 11173] [xiaoliu] FTP command: Client "::ffff:192.168.1.103", "PASV"
Thu Jul 23 17:43:48 2020 [pid 11173] [xiaoliu] FTP response: Client "::ffff:192.168.1.103", "227 Entering Passive Mode (192,168,1,112,16,91)."
Thu Jul 23 17:43:48 2020 [pid 11173] [xiaoliu] FTP command: Client "::ffff:192.168.1.103", "LIST -al"
Thu Jul 23 17:43:48 2020 [pid 11173] [xiaoliu] FTP response: Client "::ffff:192.168.1.103", "150 Here comes the directory listing."
Thu Jul 23 17:43:48 2020 [pid 11173] [xiaoliu] FTP response: Client "::ffff:192.168.1.103", "226 Directory send OK."
下载文件日志记录
Thu Jul 23 17:44:23 2020 [pid 11173] [xiaoliu] FTP command: Client "::ffff:192.168.1.103", "TYPE I"
Thu Jul 23 17:44:23 2020 [pid 11173] [xiaoliu] FTP response: Client "::ffff:192.168.1.103", "200 Switching to Binary mode."
Thu Jul 23 17:44:23 2020 [pid 11173] [xiaoliu] FTP command: Client "::ffff:192.168.1.103", "SIZE TRC01.xls"
Thu Jul 23 17:44:23 2020 [pid 11173] [xiaoliu] FTP response: Client "::ffff:192.168.1.103", "213 24576"
Thu Jul 23 17:44:23 2020 [pid 11173] [xiaoliu] FTP command: Client "::ffff:192.168.1.103", "MDTM TRC01.xls"
Thu Jul 23 17:44:23 2020 [pid 11173] [xiaoliu] FTP response: Client "::ffff:192.168.1.103", "213 20191208063908"
Thu Jul 23 17:44:25 2020 [pid 11173] [xiaoliu] FTP command: Client "::ffff:192.168.1.103", "PASV"
Thu Jul 23 17:44:25 2020 [pid 11173] [xiaoliu] FTP response: Client "::ffff:192.168.1.103", "227 Entering Passive Mode (192,168,1,112,18,129)."
Thu Jul 23 17:44:25 2020 [pid 11173] [xiaoliu] FTP command: Client "::ffff:192.168.1.103", "RETR TRC01.xls"
Thu Jul 23 17:44:25 2020 [pid 11173] [xiaoliu] FTP response: Client "::ffff:192.168.1.103", "150 Opening BINARY mode data connection for TRC01.xls (24576 bytes)."
Thu Jul 23 17:44:25 2020 [pid 11173] [xiaoliu] OK DOWNLOAD: Client "::ffff:192.168.1.103", "/jsb_public/TRC01.xls", 24576 bytes, 5619.29Kbyte/sec
Thu Jul 23 17:44:25 2020 [pid 11173] [xiaoliu] FTP response: Client "::ffff:192.168.1.103", "226 Transfer complete."
删除文件日志记录
Thu Jul 23 17:42:56 2020 [pid 11173] [xiaoliu] FTP command: Client "::ffff:192.168.1.103", "DELE TRC02.doc"
Thu Jul 23 17:42:56 2020 [pid 11173] [xiaoliu] OK DELETE: Client "::ffff:192.168.1.103", "/jsb_public/TRC02.doc"
Thu Jul 23 17:42:56 2020 [pid 11173] [xiaoliu] FTP response: Client "::ffff:192.168.1.103", "250 Delete operation successful."
bind mount只存在于内核的挂载表中,不会写入/etc/fstab,服务器重启后失效,故需要在开机时重新执行。可以放入/etc/rc.local(CentOS 7上必须先执行`chmod +x /etc/rc.d/rc.local`,见该文件头部注释;另外rc.local与其他服务并行启动,不保证在vsftpd之前完成挂载,在此之前登录的用户看到的只是空的挂载点目录)。更可靠的做法是下面的init脚本(启动优先级10,先于vsftpd)或systemd的mount单元。
[root@localhost public]# vim /etc/rc.local
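#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.
touch /var/lock/subsys/local

# Bind-mount the shared FTP directories into each employee's chroot.
#
# bind_dir SRC DST MODE   (MODE is "ro" or "rw")
#   - does nothing when DST is already a mount point, so running this file
#     twice (or next to the init script) does not stack bind mounts;
#   - for "ro" performs a separate remount: a plain bind mount may ignore
#     "-o ro" on older mount(8) (before util-linux 2.27; CentOS 7 ships 2.23),
#     which would leave the company public directory writable.
#     Verify with: findmnt -o TARGET,OPTIONS DST
# Failures are logged to syslog instead of aborting the rest of rc.local.
bind_dir() {
  local src=$1 dst=$2 mode=$3
  if mountpoint -q "$dst"; then
    return 0
  fi
  if ! mount --bind "$src" "$dst"; then
    logger -t rc.local "bind mount $src -> $dst failed"
    return 1
  fi
  if [[ "$mode" == ro ]]; then
    mount -o remount,bind,ro "$dst" \
      || logger -t rc.local "read-only remount of $dst failed"
  fi
}

# Company public directory: read-only for everyone.
bind_dir /data/ftp/public         /data/ftp/jsb/xiaoliu/public      ro
bind_dir /data/ftp/public         /data/ftp/jsb/xiaowang/public     ro
# Department shared directory: writable.
bind_dir /data/ftp/jsb/jsb_public /data/ftp/jsb/xiaoliu/jsb_public  rw
bind_dir /data/ftp/jsb/jsb_public /data/ftp/jsb/xiaowang/jsb_public rw
# Per-employee work-log directory: writable; while it is mounted the
# directory itself cannot be removed by the employee.
bind_dir /data/ftp/jsb/rz/xiaoliu  /data/ftp/jsb/xiaoliu/xiaoliu    rw
bind_dir /data/ftp/jsb/rz/xiaowang /data/ftp/jsb/xiaowang/xiaowang  rw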
也可以放在脚本,开机启动执行
[root@localhost ~]# vim /etc/init.d/mountVSFTPD
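#!/bin/bash
# chkconfig: 35 10 90
# description: bind-mounts the shared FTP directories into each employee's chroot
#
# "chkconfig: 35 10 90" means: run levels 3 and 5, START priority 10 (an S10
# link, i.e. before vsftpd's own init script), STOP priority 90 (a K90 link).
# Confirm the ordering with: ls /etc/rc3.d/
#
# Usage: mountVSFTPD {start|stop|restart|status}
# chkconfig passes the action as $1; the original script mounted on every
# invocation, including "stop" at shutdown.

# One bind mount per line: SRC DST MODE (paths contain no whitespace).
MOUNT_TABLE='
/data/ftp/public           /data/ftp/jsb/xiaoliu/public       ro
/data/ftp/public           /data/ftp/jsb/xiaowang/public      ro
/data/ftp/jsb/jsb_public   /data/ftp/jsb/xiaoliu/jsb_public   rw
/data/ftp/jsb/jsb_public   /data/ftp/jsb/xiaowang/jsb_public  rw
/data/ftp/jsb/rz/xiaoliu   /data/ftp/jsb/xiaoliu/xiaoliu      rw
/data/ftp/jsb/rz/xiaowang  /data/ftp/jsb/xiaowang/xiaowang    rw
'

# bind_dir SRC DST MODE   (MODE is "ro" or "rw")
#   - skips DST if it is already a mount point (no stacked bind mounts);
#   - for "ro" does a separate remount, because older mount(8) (before
#     util-linux 2.27; CentOS 7 ships 2.23) may ignore "-o ro" on a bind
#     mount and leave the public directory writable.
bind_dir() {
  local src=$1 dst=$2 mode=$3
  if mountpoint -q "$dst"; then
    return 0
  fi
  mount --bind "$src" "$dst" || return 1
  if [[ "$mode" == ro ]]; then
    mount -o remount,bind,ro "$dst"
  fi
}

# unbind_dir DST: unmount DST if it is currently a mount point.
unbind_dir() {
  local dst=$1
  if mountpoint -q "$dst"; then
    umount "$dst"
  fi
}

# Iterate over MOUNT_TABLE, calling "$1" with SRC DST MODE for each entry.
for_each_mount() {
  local fn=$1 src dst mode
  while read -r src dst mode; do
    [[ -n "$src" ]] || continue
    "$fn" "$src" "$dst" "$mode"
  done <<<"$MOUNT_TABLE"
}

do_stop_one() { unbind_dir "$2"; }

# Print the target and effective options so a missing "ro" is visible.
do_status_one() {
  findmnt -o TARGET,OPTIONS "$2" || echo "$2: not mounted"
}

case "$1" in
  start)   for_each_mount bind_dir ;;
  stop)    for_each_mount do_stop_one ;;
  restart) for_each_mount do_stop_one; for_each_mount bind_dir ;;
  status)  for_each_mount do_status_one ;;
  *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 2 ;;
esac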
[root@localhost ~]# chkconfig --add mountVSFTPD
[root@localhost ~]# chkconfig --level 35 mountVSFTPD on
[root@localhost ~]# chkconfig --list
Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.
If you want to list systemd services use 'systemctl list-unit-files'.
To see services enabled on particular target use
'systemctl list-dependencies [target]'.
mountVSFTPD 0:off 1:off 2:off 3:on 4:off 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
#说明:`# chkconfig: 35 10 90` 中,35为运行级别(3和5),10为启动优先级(生成S10链接),90为关闭优先级(生成K90链接),与原文所写正好相反。启动优先级比vsftpd自带init脚本(一般为60)小,因此会先于vsftpd完成挂载,可用`ls /etc/rc3.d/`核对顺序。
如发现连接测试时连接不上,通常是防火墙未放行端口或SELinux策略拒绝了vsftpd访问/data/ftp。不要直接关闭SELinux:先用ausearch查看拒绝记录,再按需放行(semanage需安装policycoreutils-python):
[root@localhost /]# ausearch -m avc -ts recent
[root@localhost /]# setsebool -P ftpd_full_access on
[root@localhost /]# semanage fcontext -a -t public_content_rw_t "/data/ftp(/.*)?"
[root@localhost /]# restorecon -Rv /data/ftp
如确需临时关闭SELinux排查,`setenforce 0`只对当前运行有效;原文中的sed命令使用了全角引号,复制执行会报错,正确写法为 sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config,但不建议永久禁用。
[root@localhost /]# firewall-cmd --zone=public --add-port=4000-5000/tcp --permanent
[root@localhost /]# firewall-cmd --zone=public --add-port=21/tcp --permanent
[root@localhost /]# firewall-cmd --reload
---------------------------end