CentOS: a production example of vsftpd virtual user configuration
Tailored to production requirements.
System: CentOS 5.4 x86_64
Install: yum -y install vsftpd db*
Requirement: three virtual users sharing the same home directory, with the following permissions:
ftpadmin: read, write and delete (upload, download, delete)
ftpuser: read and write (upload and download, no delete)
ftp: read only (download only)
Directory: /ftpdata
Password for all three users: 123456
I. Create the virtual user database:
1. Create the file loginuser.txt
Format: one username line followed by one password line, for each user:
username
password
vi /etc/vsftpd/loginuser.txt
ftpadmin
123456
ftpuser
123456
ftp
123456
2. Generate the database file:
db_load -T -t hash -f /etc/vsftpd/loginuser.txt /etc/vsftpd/vsftpd_login.db
chmod 600 /etc/vsftpd/vsftpd_login.db
3. Configure the PAM file
vi /etc/pam.d/vsftpd.vu
(on 64-bit systems the module path is /lib64/security as shown below; on 32-bit systems replace lib64 with lib)
auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
II. Create the local system user that the virtual users are mapped to
useradd vsftp -d /ftpdata -s /bin/false
chown vsftp.vsftp /ftpdata
III. Configure vsftpd.conf
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak
rm -rf /etc/vsftpd/vsftpd.conf
vi /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
listen_port=21
userlist_enable=YES
chroot_local_user=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=vsftp
pam_service_name=vsftpd.vu
user_config_dir=/etc/vsftpd/vsftpd_user_conf
virtual_use_local_privs=YES
pasv_min_port=50000
pasv_max_port=60000
pasv_enable=yes
max_clients=200
max_per_ip=10
idle_session_timeout=600
ftpd_banner=Welcome to FTP service
mkdir -p /ftpdata
mkdir /etc/vsftpd/vsftpd_user_conf
vi /etc/vsftpd/vsftpd_user_conf/ftpadmin (full permissions)
write_enable=YES
anonymous_enable=NO
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_umask=022
download_enable=Yes
local_root=/ftpdata
vi /etc/vsftpd/vsftpd_user_conf/ftpuser (can download and upload, but not delete)
write_enable=YES
cmds_allowed=ABOR,CWD,LIST,MDTM,MKD,NLST,PASS,PASV,PORT,PWD,QUIT,RETR,RNFR,RNTO,SIZE,STOR,TYPE,USER,REST,CDUP,HELP,MODE,NOOP,REIN,STAT,STOU,STRU,SYST,FEAT
file_open_mode=0444
local_root=/ftpdata
vi /etc/vsftpd/vsftpd_user_conf/ftp (download only)
write_enable=NO
anon_world_readable_only=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
local_umask=022
download_enable=yes
local_root=/ftpdata
service vsftpd restart
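As an added example (not part of the original post), the following POSIX shell script generates the three per-user configuration fragments above from a role name and checks that loginuser.txt has the username/password line layout before it is handed to db_load. The output directory and local_root are parameters, and the demo at the bottom writes into a temporary directory rather than /etc/vsftpd.

```shell
#!/bin/sh
# Added example: build the per-user vsftpd_user_conf fragments from a role
# table and sanity-check loginuser.txt. Paths are parameters so the script
# can be exercised against a scratch directory.

# gen_user_conf USER ROLE OUTDIR ROOT
#   ROLE is admin (upload/download/delete), upload (upload/download, no
#   delete) or readonly (download only), mirroring the three files above.
gen_user_conf() {
    user=$1; role=$2; outdir=$3; root=$4
    f="$outdir/$user"
    case "$role" in
    admin)
        printf '%s\n' 'write_enable=YES' 'anon_world_readable_only=NO' \
            'anon_upload_enable=YES' 'anon_mkdir_write_enable=YES' \
            'anon_other_write_enable=YES' 'local_umask=022' \
            'download_enable=YES' "local_root=$root" > "$f" ;;
    upload)
        # No DELE or RMD in the allow-list, so deletion is refused server-side.
        printf '%s\n' 'write_enable=YES' \
            'cmds_allowed=ABOR,CWD,LIST,MDTM,MKD,NLST,PASS,PASV,PORT,PWD,QUIT,RETR,RNFR,RNTO,SIZE,STOR,TYPE,USER,REST,CDUP,HELP,MODE,NOOP,REIN,STAT,STOU,STRU,SYST,FEAT' \
            'file_open_mode=0444' "local_root=$root" > "$f" ;;
    readonly)
        printf '%s\n' 'write_enable=NO' 'anon_upload_enable=NO' \
            'anon_mkdir_write_enable=NO' 'anon_other_write_enable=NO' \
            'local_umask=022' 'download_enable=YES' "local_root=$root" > "$f" ;;
    *)  echo "unknown role: $role" >&2; return 1 ;;
    esac
    chmod 600 "$f"   # fragments are root-only, like vsftpd_login.db
}

# check_loginuser FILE: returns 0 if FILE is readable and has an even,
# non-zero number of non-empty lines (user/password pairs), 1 otherwise.
check_loginuser() {
    [ -r "$1" ] || return 1
    n=$(grep -c . "$1") || true
    [ "$n" -gt 0 ] && [ $((n % 2)) -eq 0 ]
}

# Demo against a scratch directory (the real path is /etc/vsftpd/vsftpd_user_conf).
demo_dir=$(mktemp -d)
for u in ftpadmin:admin ftpuser:upload ftp:readonly; do
    gen_user_conf "${u%%:*}" "${u##*:}" "$demo_dir" /ftpdata
done
ls -l "$demo_dir"
```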
Test:
ftp -n localhost
Connected to ifidc.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
220 Welcome to tfhudong FTP service
ftp> use ftpadmin
331 Please specify the password.
Password:
230 Login successful.
ftp> quit
221 Goodbye.
If you get a 500 OOPS error, run: setsebool ftpd_disable_trans 1
Addendum:
To confine an uploading user to its upload (home) directory, add
local_root=/ftpdata/ (ftpdata is my own choice of name; adjust it to your needs)
and first give the directory named in local_root=/ftpdata/ the appropriate permissions.
PS: on CentOS 6 you need to configure SELinux to allow ftpd.
Quote:
Originally Posted by macemoneta
The problem is that ftp, being a completely insecure legacy protocol, should only be used for anonymous login (all userids and passwords are sent in clear text). In order to use ftp with user logins, you'll need to disable the protections that keep it contained to that state.
I'm not sure if these options are available back on FC5, but you can try:
setsebool ftp_home_dir on
and if necessary:
setsebool allow_ftpd_anon_write on
setsebool allow_ftpd_full_access on
If none of those work, go to:
setsebool ftpd_disable_trans on
Thanks for this. The problem is that the client needs to offer FTP access to their clients. Security isn't a huge issue as the accounts are created as required and deleted when finished with. I'll give your suggestions a go on Monday (today is a public holiday here).