小小寒舍 - A first hands-on look at the vsftpd service

Case 1

Company requirement:
The company plans to set up an FTP server. All employees must be able to upload and download files, and must be allowed to create their own directories.

Analysis:
Enabling anonymous login and granting it the corresponding permissions is enough to meet this requirement.

Solution:
1. Edit the configuration file vsftpd.conf

# Allow anonymous users to log in
anonymous_enable=YES
# Allow anonymous users to upload files and create directories
anon_upload_enable=YES
anon_mkdir_write_enable=YES

The relevant part of /etc/vsftpd/vsftpd.conf after editing:
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
Note: /var/ftp is the anonymous user's root directory by default.
2. Create a company upload directory, comd, and make the ftp user its owner
[root@station18 ~]# mkdir /var/ftp/comd
[root@station18 ~]# chown ftp /var/ftp/comd/
[root@station18 ~]# ls -ld /var/ftp/comd/
drwxr-xr-x 2 ftp root 4096 Nov 10 11:19 /var/ftp/comd/
3. Adjust SELinux (so that SELinux permits the upload)
[root@station18 ~]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off
[root@station18 ~]# setsebool -P allow_ftpd_anon_write on
[root@station18 ~]# getsebool -a | grep ftp
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off
[root@station18 ~]#
4. Change the security context of the upload directory
[root@station18 ~]# ls -Zd /var/ftp/comd/
drwxr-xr-x ftp root root:object_r:public_content_t /var/ftp/comd/
[root@station18 ~]# chcon -t public_content_rw_t /var/ftp/comd/
[root@station18 ~]# ls -Zd /var/ftp/comd/
drwxr-xr-x ftp root root:object_r:public_content_rw_t /var/ftp/comd/
5. Restart the service
[root@station18 ~]# service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
[root@station18 ~]#
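The five steps above can be verified without changing anything on the host. The script below is an added example and is not part of the original post: it reads vsftpd.conf the way vsftpd does (one key=value per line, '#' lines are comments, the last assignment of a key wins), confirms the three directives set in step 1 plus the write_enable they depend on, checks the owner and mode of the upload directory from step 2, and, only where SELinux tooling exists, shows the boolean and file context from steps 3 and 4. The function names, the sample configuration and the temporary directory are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: a read-only pre-flight check for the
# case-1 anonymous-upload setup. Function names, the sample config and the temp
# directory below are constructed for this example.

# conf_get KEY FILE -> prints the effective value of KEY in a vsftpd.conf
# (lines are "key=value", '#' lines are comments, last assignment wins; unset -> empty)
conf_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# check_anon_upload FILE -> 0 when anonymous upload and mkdir are fully enabled,
# 1 otherwise, printing the first directive that is missing. Every directive must
# be set explicitly; anon_upload_enable has no effect unless write_enable=YES.
check_anon_upload() {
    for key in anonymous_enable write_enable anon_upload_enable anon_mkdir_write_enable; do
        val=$(conf_get "$key" "$1")
        if [ "$val" != "YES" ]; then
            echo "$key is '${val:-unset}', expected YES"
            return 1
        fi
    done
    echo "anonymous upload and mkdir are enabled"
}

# check_upload_dir DIR OWNER -> 0 when DIR is a directory owned by OWNER with the
# owner-write bit set (GNU stat). Warns if it is world-writable, which would let
# every FTP client overwrite other clients' uploads.
check_upload_dir() {
    dir="$1"; owner="$2"
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    actual=$(stat -c '%U' "$dir")
    [ "$actual" = "$owner" ] || { echo "$dir: owned by $actual, expected $owner"; return 1; }
    mode=$(stat -c '%a' "$dir")
    case "$mode" in
        *[2367]??) ;;
        *) echo "$dir: mode $mode is not owner-writable"; return 1 ;;
    esac
    case "$mode" in
        *[2367]) echo "$dir: warning, mode $mode is world-writable" ;;
    esac
    echo "$dir: owner $owner, mode $mode"
}

# check_selinux DIR -> shows the boolean and file context the post sets; skipped
# when SELinux tools are absent. Always returns 0 (informational only).
check_selinux() {
    if ! command -v getsebool >/dev/null 2>&1; then
        echo "SELinux tools not found, skipping"
        return 0
    fi
    # allow_ftpd_anon_write is the older name; newer policies call it ftpd_anon_write
    getsebool allow_ftpd_anon_write 2>/dev/null || getsebool ftpd_anon_write
    # the upload directory needs the public_content_rw_t type for anonymous writes
    ls -Zd "$1"
    return 0
}

# preflight CONF DIR OWNER -> 0 only when both the config and the directory pass
preflight() {
    check_anon_upload "$1" && check_upload_dir "$2" "$3"
}

# Demo on constructed inputs (on a real host: preflight /etc/vsftpd/vsftpd.conf /var/ftp/comd ftp)
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/vsftpd.conf" <<'EOF'
# constructed sample matching the post's settings
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
EOF
    mkdir "$tmp/comd"
    preflight "$tmp/vsftpd.conf" "$tmp/comd" "$(id -un)"
    check_selinux "$tmp/comd"
    rm -rf "$tmp"
}
demo
```

One caveat on step 4: a context set with chcon lives only in the inode and is replaced by the policy default the next time restorecon (or a relabel) runs; to make the public_content_rw_t label survive, record it with semanage fcontext -a -t public_content_rw_t '/var/ftp/comd(/.*)?' and then run restorecon -R /var/ftp/comd.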
Case 2

Company requirement:
The company has an internal server that acts as both FTP and web server. The FTP service is mainly used to maintain the content of the company website. Two departments are responsible for this maintenance, and they manage it with the accounts team1 and team2. The requirement is that only team1 and team2 may log in to the FTP server, but they must not be able to log in to the local system. Because the default location for web pages is /var/www/html, we restrict the root directory of these two accounts to /var/www/html so that they cannot enter any directory outside it.

Analysis:
First, allow only local users to access the server; second, enable the chroot feature and lock team1 and team2 inside the /var/www/html directory.

Solution:

1. Add the users

# Create the two users team1 and team2, deny them local login, and set their passwords
[root@station18 ~]# useradd -s /sbin/nologin team1
[root@station18 ~]# useradd -s /sbin/nologin team2
[root@station18 ~]# passwd team1
Changing password for user team1.
New UNIX password:
BAD PASSWORD: it is WAY too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@station18 ~]# passwd team2
Changing password for user team2.
New UNIX password:
BAD PASSWORD: it is WAY too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
2. Edit the configuration file vsftpd.conf

vim /etc/vsftpd/vsftpd.conf

anonymous_enable=NO : disable anonymous login
local_enable=YES : allow local users to log in
local_root=/var/www/html : set the root directory for local users to /var/www/html

The relevant part of the file after editing:
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
local_root=/var/www/html
chroot_list_enable=YES : activate the chroot feature
chroot_list_file=/etc/vsftpd/chroot_list : the list file of users to be locked inside their root directory
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
3. Create the chroot_list file under /etc/vsftpd and add the users team1 and team2 to it
[root@station18 ~]# touch /etc/vsftpd/chroot_list
[root@station18 ~]# echo team1 > /etc/vsftpd/chroot_list
[root@station18 ~]# echo team2 >> /etc/vsftpd/chroot_list
4. Adjust SELinux
[root@station18 ~]# getsebool -a | grep ftp
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off
[root@station18 ~]# setsebool -P allow_ftpd_anon_write off
[root@station18 ~]# setsebool -P ftp_home_dir on
[root@station18 ~]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off
[root@station18 ~]#
5. Restart the service
[root@station18 ~]# service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
[root@station18 ~]#
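Whether an account actually ends up chrooted depends on how chroot_list_enable combines with chroot_local_user, and the post only uses one of the combinations. The script below is an added example, not part of the original post: it implements vsftpd's documented rules for all four combinations (so it goes beyond the case above), and, for the case-2 goal, reports for each account whether it is both locked out of the local system (non-interactive shell) and chrooted. The function names, the sample configuration, the chroot_list and the passwd-format file are constructed for this example; on a real host you would point the functions at /etc/vsftpd/vsftpd.conf and /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether vsftpd will chroot a
# given local account, and whether the account can log in locally, for the case-2
# setup. Function names, the sample config, chroot_list and passwd file are
# constructed for this example. The chroot rules implemented are vsftpd's own:
#   chroot_local_user=NO  + chroot_list_enable=YES : chroot_list names users TO chroot
#   chroot_local_user=YES + chroot_list_enable=YES : chroot_list names users NOT to chroot
#   chroot_local_user=YES, list disabled            : every local user is chrooted
#   neither set                                     : nobody is chrooted

# conf_get KEY FILE -> effective value of KEY (last assignment wins, empty if unset)
conf_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# in_list USER FILE -> 0 when USER appears as a whole line in FILE
in_list() {
    [ -f "$2" ] && grep -qx "$1" "$2"
}

# is_chrooted USER CONF -> 0 when vsftpd would chroot USER, 1 otherwise
is_chrooted() {
    all=$(conf_get chroot_local_user "$2")
    list_on=$(conf_get chroot_list_enable "$2")
    list=$(conf_get chroot_list_file "$2")
    list=${list:-/etc/vsftpd.chroot_list}   # vsftpd's compiled-in default path
    listed=0
    if [ "$list_on" = "YES" ] && in_list "$1" "$list"; then
        listed=1
    fi
    if [ "$all" = "YES" ]; then
        [ "$listed" -eq 0 ]     # the list is the exception list
    else
        [ "$listed" -eq 1 ]     # the list is the chroot list
    fi
}

# account_ok USER PASSWD_FILE -> 0 when USER exists and has a non-interactive shell
account_ok() {
    entry=$(grep "^$1:" "$2") || { echo "$1: no such account"; return 1; }
    shell=${entry##*:}      # seventh field of the passwd line
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false)
            echo "$1: shell $shell, no local login" ;;
        *)
            echo "$1: shell $shell allows local login"; return 1 ;;
    esac
}

# report USER CONF PASSWD_FILE -> 0 only when USER is both locked out of the
# local system and chrooted, i.e. the case-2 goal for team1 and team2
report() {
    account_ok "$1" "$3" || return 1
    root=$(conf_get local_root "$2")
    if is_chrooted "$1" "$2"; then
        echo "$1: chrooted to ${root:-its home directory}"
    else
        echo "$1: NOT chrooted, can browse the whole filesystem over FTP"
        return 1
    fi
}

# Demo on constructed inputs (on a real host use /etc/vsftpd/vsftpd.conf and /etc/passwd)
demo() {
    tmp=$(mktemp -d)
    printf 'team1\nteam2\n' > "$tmp/chroot_list"
    cat > "$tmp/vsftpd.conf" <<EOF
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_root=/var/www/html
chroot_list_enable=YES
chroot_list_file=$tmp/chroot_list
EOF
    # constructed passwd entries: the two post accounts plus an ordinary user
    printf 'team1:x:501:501::/home/team1:/sbin/nologin\n' > "$tmp/passwd"
    printf 'team2:x:502:502::/home/team2:/sbin/nologin\n' >> "$tmp/passwd"
    printf 'bob:x:503:503::/home/bob:/bin/bash\n' >> "$tmp/passwd"
    for u in team1 team2 bob; do
        report "$u" "$tmp/vsftpd.conf" "$tmp/passwd"
    done
    rm -rf "$tmp"
}
demo
```

Two things worth checking on a real host before declaring the setup done: the vsftpd PAM configuration shipped with Red Hat systems uses pam_shells, so the /sbin/nologin shell given to team1 and team2 must be listed in /etc/shells (it is by default) or their FTP logins fail; and vsftpd 3.x refuses a chroot whose root directory is writable ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()") unless allow_writeable_chroot=YES is set, which matters here because /var/www/html is exactly the directory these accounts are meant to write to.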
This article is from the "小小寒舍" blog; please do not repost it.