Tenhlf's blog
VSFTPD: configuring virtual users

2009-08-27 16:31:19 | Category: Linux

Test environment: VMware Server 1.09, CentOS 5.3

Official vsftpd.conf documentation: http://vsftpd.beasts.org/vsftpd_conf.html

#yum install vsftpd

#locate vsftpd

The vsftpd example configurations are found under /usr/share/doc/vsftpd-2.0.5/EXAMPLE/:

INTERNET_SITE            vsftpd started from xinetd (inetd mode)
INTERNET_SITE_NOINETD    vsftpd in standalone mode
VIRTUAL_HOSTS            virtual host (multiple site) configuration
VIRTUAL_USERS            virtual user configuration
VIRTUAL_USERS_2          advanced virtual user configuration (per-user settings)

I prefer standalone mode, so the configuration from INTERNET_SITE_NOINETD is the one to use:

# cp /usr/share/doc/vsftpd-2.0.5/EXAMPLE/INTERNET_SITE_NOINETD/vsftpd.conf /etc/vsftpd/
cp: overwrite '/etc/vsftpd/vsftpd.conf'? y

The configuration in full (anonymous, read-only):
-------------------------------------
# Standalone mode
listen=YES
max_clients=200
max_per_ip=4
# Access rights
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Security
anon_world_readable_only=YES
connect_from_port_20=YES
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
# Performance
one_process_model=YES
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
anon_max_rate=50000

------------------------------------


# /etc/init.d/vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]

# netstat -tnlp |grep :21
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      2243/vsftpd

At this point an anonymous, download-only FTP server is up. If a firewall sits in front of it, allow TCP 21 plus the passive range 50000-60000 set by pasv_min_port/pasv_max_port above, otherwise clients log in fine but every directory listing and transfer hangs.

Next, add the configuration for virtual user logins.
# cd /usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS
# ls
logins.txt  README  README.dir  vsftpd.conf  vsftpd.pam  vsftpd.pam.dir

# cat README | more    (just follow the README step by step)

Step 1) Create the virtual users database.
Edit logins.txt and add your users and passwords. The format is strictly alternating lines: a username on one line, that user's password on the next, so a stray blank line shifts every following pair.
# cat logins.txt
tom
foo
fred
bar

Generate the database file:
# db_load -T -t hash -f logins.txt /etc/vsftpd/login.db

If db_load is not found, install the package that provides it: yum install db4-utils

Restrict the permissions on the database (it holds the passwords in plaintext, and so does logins.txt, so remove or shred that file once the database is built):
# chmod 600 /etc/vsftpd/login.db

Step 2) Create a PAM file which uses your new database.

Add the following two lines to /etc/pam.d/vsftpd. Note that db= takes the path without the .db suffix. On x86_64 the module lives in /lib64/security rather than /lib/security; writing just pam_userdb.so with no path works on either.
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/login
account required /lib/security/pam_userdb.so db=/etc/vsftpd/login
# vi /etc/pam.d/vsftpd

Comment out the following lines; otherwise pam_unix (pulled in through system-auth) still rejects every name that has no /etc/passwd entry, and pam_shells demands a valid login shell:
    #auth       required    pam_shells.so
    #auth       include      system-auth
    #account    include     system-auth

Alternatively, copy vsftpd.pam from the example directory over /etc/pam.d/vsftpd.


Step 3) Set up the location of the files for the virtual users.
# useradd -d /home/ftpsite virtual
ls -ld /home/ftpsite
(which should give):
drwx------    3 virtual  virtual      4096 Jul 30 00:39 /home/ftpsite

We have created a user called "virtual" with a home directory "/home/ftpsite".
Let's add some content to this download area:

cp /etc/hosts /home/ftpsite
chown virtual.virtual /home/ftpsite/hosts

With these permissions there is still a snag: after logging in you see no content, so you may need to relax the directory permissions, e.g.
drwx---r--    3 virtual  virtual      4096 Jul 30 00:39 /home/ftpsite
so that "other" can read it. The same applies to uploads: set anon_umask=073 so that files created through FTP keep the other-read bit. The default anon_umask=077 produces 0600 files, which anon_world_readable_only=YES then hides even from the user who uploaded them.

Step 4) Create your vsftpd.conf config file.

See the example in this directory. Let's go through it line by line:

anonymous_enable=NO
local_enable=YES

This disables anonymous FTP for security, and enables non-anonymous FTP (which
is what virtual users use).

write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO

These ensure that for security purposes, no write commands are allowed.

chroot_local_user=YES

This makes sure that the virtual user is restricted to the virtual FTP area
/home/ftpsite we set up above.

guest_enable=YES
guest_username=virtual

The guest_enable is very important - it activates virtual users! And
guest_username says that all virtual users are mapped to the real user
"virtual" that we set up above. This will also determine where on the
filesystem the virtual users end up - the home directory of the user
"virtual", /home/ftpsite.


About pam_service_name:
    This string is the name of the PAM service vsftpd will use.
    Default: ftp
Because my PAM file is named vsftpd, the following setting is required:
pam_service_name=vsftpd
Alternatively, rename /etc/pam.d/vsftpd to /etc/pam.d/ftp, and pam_service_name need not be set at all.

Comment out one_process_model=YES (the default is NO). It is only valid for anonymous-only servers; with guest_enable=YES every login fails with: 500 OOPS: vsftpd: security: 'one_process_model' is anonymous only


Restart the FTP service and test:
# /etc/init.d/vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
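The steps above have two places where a small mistake fails silently or only at login time: a malformed logins.txt that db_load happily loads anyway, and a vsftpd.conf that still carries a setting from the anonymous profile. The script below is an added example (not from the original post or from the vsftpd project) that checks both before the service is restarted. The paths in the comments follow the post (/etc/vsftpd/login.db, /etc/vsftpd/vsftpd.conf); the option defaults it relies on (anonymous_enable=YES, anon_umask=077, anon_world_readable_only=YES, guest_username=ftp) are vsftpd's documented defaults.

```shell
#!/bin/bash
# Added example, not from the original post: pre-flight checks for the
# virtual-user setup. Paths are passed as arguments; nothing here writes
# to the system except build_login_db.

# check_logins_file FILE
# logins.txt alternates "username" / "password" lines. One blank or
# missing line shifts every later pair, so a password silently becomes a
# username; this catches that, plus duplicate names, before db_load runs.
check_logins_file() {
    awk '
        NF == 0 { print "line " NR ": blank line"; bad++; next }
        NR % 2 == 1 {
            if ($0 ~ /[ \t]/) { print "line " NR ": whitespace in username: " $0; bad++ }
            if (seen[$0]++)   { print "line " NR ": duplicate user: " $0; bad++ }
            users++
        }
        END {
            if (NR % 2 == 1) { print "odd line count: last user has no password"; bad++ }
            if (bad) exit 1
            print users " users"
        }' "$1"
}

# build_login_db FILE DB
# DB is the full path including .db; PAM gets the same path without it.
# Both files hold plaintext passwords, so keep them root-only.
build_login_db() {
    check_logins_file "$1" || return 1
    db_load -T -t hash -f "$1" "$2" || return 1
    chown root:root "$2" && chmod 600 "$2"
}

# get_opt CONF NAME: value of NAME in CONF; a later line wins, as in vsftpd.
get_opt() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# check_vsftpd_conf CONF
# Prints one line per problem and returns their count (0 = clean).
check_vsftpd_conf() {
    local conf=$1 n=0 um wro
    if [ "$(get_opt "$conf" guest_enable)" = YES ]; then
        # one_process_model is anonymous-only; with guest logins vsftpd
        # answers "500 OOPS: ... 'one_process_model' is anonymous only".
        if [ "$(get_opt "$conf" one_process_model)" = YES ]; then
            echo "one_process_model=YES breaks virtual-user login"; n=$((n + 1))
        fi
        if [ "$(get_opt "$conf" local_enable)" != YES ]; then
            echo "guest_enable=YES needs local_enable=YES"; n=$((n + 1))
        fi
        if [ "$(get_opt "$conf" chroot_local_user)" != YES ]; then
            echo "virtual users are not chrooted to the guest home"; n=$((n + 1))
        fi
        if [ "$(get_opt "$conf" anonymous_enable)" != NO ]; then
            echo "anonymous_enable defaults to YES; set it to NO"; n=$((n + 1))
        fi
        if [ -z "$(get_opt "$conf" guest_username)" ]; then
            echo "guest_username unset; guest logins would map to 'ftp'"; n=$((n + 1))
        fi
    fi
    # Uploads: the default anon_umask=077 yields 0600 files, which the
    # default anon_world_readable_only=YES then hides from everyone.
    wro=$(get_opt "$conf" anon_world_readable_only); wro=${wro:-YES}
    um=$(get_opt "$conf" anon_umask); um=${um:-077}
    if [ "$wro" = YES ] && [ "$(get_opt "$conf" write_enable)" = YES ]; then
        case $um in
            *[0-3]) ;;   # last octal digit leaves the other-read bit (4) in place
            *) echo "anon_umask=$um hides uploads under anon_world_readable_only=YES"; n=$((n + 1)) ;;
        esac
    fi
    return "$n"
}

# Usage: bash vsftpd-check.sh logins.txt /etc/vsftpd/vsftpd.conf
if [ "$#" -eq 2 ]; then
    check_logins_file "$1"
    check_vsftpd_conf "$2"
fi
```

check_vsftpd_conf only reads the global file; a per-user override (next section) can still re-enable write_enable for one account, so run it against the global file with the strictest intended settings.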

That completes virtual-user authentication. To give different virtual users different permissions, continue with
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS_2/README

Step 1) Activate per-user configurability.

To activate this powerful vsftpd feature, add the following to
/etc/vsftpd.conf (on CentOS: /etc/vsftpd/vsftpd.conf):
user_config_dir=/etc/vsftpd_user_conf

And, create this directory:

# mkdir /etc/vsftpd_user_conf


Step 2) Give tom the ability to read all files / directories.

The relevant global settings in vsftpd.conf are all restrictive:
write_enable=NO                      master switch for every command that writes (STOR, MKD, DELE, RNFR...)

anon_upload_enable=NO                upload (STOR) of new files
anon_mkdir_write_enable=NO           create directories
anon_other_write_enable=NO           delete, rename, overwrite existing files

anon_world_readable_only=YES         only world-readable files can be listed and downloaded

The anon_* settings apply to virtual users because guest_enable makes vsftpd treat every guest login as an anonymous session remapped to guest_username.

At the end of the last example, we noted that the virtual users can only
see world-readable files and directories. We could make the /home/ftpsite
directory world readable, and upload files with world-read permission. But
another way of doing this is giving tom the ability to download files which
are not world-readable.

This gives tom read access to everything: he can list and download even files that are not world-readable. The global write_enable=NO still applies, so tom cannot upload.

For the tom user, supply a config setting override for
anon_world_readable_only:

echo "anon_world_readable_only=NO" > /etc/vsftpd_user_conf/tom



Step 3) Give fred the ability to read all files / directories and create
new ones but not interfere with existing files.

Give fred list, download and upload permission, but no mkdir, delete or rename:

echo "anon_world_readable_only=NO" > /etc/vsftpd_user_conf/fred
echo "write_enable=YES" >> /etc/vsftpd_user_conf/fred
echo "anon_upload_enable=YES" >> /etc/vsftpd_user_conf/fred

Check it out - login as tom and you can't upload. Log in as fred and you can!
Try and delete a file as both tom and fred - you can't.

If fred should also be able to create directories and delete, rename or overwrite files, add:
anon_other_write_enable=YES
anon_mkdir_write_enable=YES


How do virtual users get their own directories?

user_sub_token
This option is useful in conjunction with virtual users. It is used to automatically generate a home directory for each virtual user, based on a template. For example, if the home directory of the real user specified via guest_username is /home/virtual/$USER, and user_sub_token is set to $USER, then when virtual user fred logs in, he will end up (usually chroot()'ed) in the directory /home/virtual/fred. This option also takes effect if local_root contains user_sub_token.
First change the home directory of the virtual user:
# vi /etc/passwd
virtual:x:501:501::/home/ftpsite/$USER:/bin/bash
(usermod -d '/home/ftpsite/$USER' virtual makes the same change without hand-editing /etc/passwd; the single quotes keep $USER literal.)
Then add user_sub_token=$USER to /etc/vsftpd/vsftpd.conf and, under /home/ftpsite, create a directory named after each virtual user, owned by virtual. After restarting the service each virtual user lands in his own directory. Note that vsftpd 2.3.5 and later refuse to start a session whose chroot root is writable ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()") unless allow_writeable_chroot=YES is set; 2.0.5 as used here does not have that check.
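The per-user override files from the previous section and the per-user directories from this one both derive from the same user list, so they are best produced together. The script below is an added example (not from the original post or from vsftpd) that renders one override file per user from a small "user role" table and creates the matching directory under the guest home. The role names ro/upload/full are my own; the script assumes the global vsftpd.conf stays at write_enable=NO and anon_*_enable=NO, so an account with no override file can only list and fetch world-readable files, and every override only adds to that.

```shell
#!/bin/bash
# Added example, not from the original post: writes user_config_dir override
# files and user_sub_token home directories from a "user role" table.

# user_conf_for ROLE: print the override lines for one role (assumed names).
user_conf_for() {
    case $1 in
        ro)      # list and download everything, including non-world-readable files
            printf 'anon_world_readable_only=NO\n' ;;
        upload)  # ro, plus creating new files; no mkdir, delete, rename or overwrite
            printf 'anon_world_readable_only=NO\nwrite_enable=YES\nanon_upload_enable=YES\n' ;;
        full)    # upload, plus mkdir and delete/rename/overwrite of existing files
            printf 'anon_world_readable_only=NO\nwrite_enable=YES\nanon_upload_enable=YES\n'
            printf 'anon_mkdir_write_enable=YES\nanon_other_write_enable=YES\n' ;;
        *)  echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# apply_policy POLICY LOGINS CONF_DIR BASE_DIR OWNER
# POLICY lines are "user role". Every user must appear on an odd line of
# LOGINS (the db_load input): an override for a name that cannot log in is
# harmless, but a typo leaves the real account with the defaults only.
# OWNER is the guest_username account; pass "" to skip chown (non-root runs).
apply_policy() {
    local policy=$1 logins=$2 confdir=$3 base=$4 owner=$5 user role
    mkdir -p "$confdir" "$base" || return 1
    chmod 700 "$confdir"         # override files grant privileges: root-only
    while read -r user role; do
        if [ -z "$user" ]; then continue; fi
        if ! awk 'NR % 2 == 1' "$logins" | grep -qx -- "$user"; then
            echo "$user: not in $logins, refusing to write an override" >&2
            return 1
        fi
        user_conf_for "$role" > "$confdir/$user" || { rm -f "$confdir/$user"; return 1; }
        # Per-user chroot root, owned by the guest account so that uploads
        # (which run as that account) succeed. vsftpd >= 2.3.5 refuses a
        # writable chroot root unless allow_writeable_chroot=YES is set.
        mkdir -p "$base/$user" && chmod 755 "$base/$user" || return 1
        if [ -n "$owner" ]; then
            chown "$owner:" "$base/$user" || return 1
        fi
    done < "$policy"
}

# Usage (as root, paths as in the post):
#   apply_policy policy.txt logins.txt /etc/vsftpd_user_conf /home/ftpsite virtual
```

Run it again after every edit to logins.txt; a user removed from the database keeps his override file and directory otherwise, which is harmless for vsftpd but misleading during an audit.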


How do I restrict the types of files users can upload?

deny_file={*.mp3,*.avi}

The pattern list uses vsftpd's brace syntax, as in the manual's example deny_file={*.mp3,*.mov,.private}; a bare comma-separated list is read as a single literal pattern. Two caveats: deny_file blocks every kind of access to matching names, not just uploads, and it matches the name only, so an .mp3 renamed to .txt goes straight through. Treat it as a housekeeping rule, not a content filter.