一、测试平台
Debian 4.0r3
Proftpd 1.3.1 (WITH
SSL)
二、原理简介
1、 继承性
子目录会继承其父目录的属性。
2、 优先级
优先级由大到小的顺序:
原始FTP命令(LIST DELE等) > 命令组(DIRS
READ WRITE) > ALL命令组
3、 访问控制的应用顺序
不论出现顺序如何,先应用拒绝(Deny),后应用允许(Allow)
4、系统权限
Linux系统权限仍然起作用。如果设置了目录test的允许写,但是该用户对test目录只有
读权限,这是该用户就不能向test目录写入。
----------------- 1、继承性
------------------------- 2、优先级
AllowUser
u1 --------------------
3、访问控制的应用顺序
DenyAll
一点解释:根据参考1所述,访问控制的顺序应该是与其出现顺序有关,但是在我的测试中发现出现顺序没有什么影响。也就是说,像上面的访问控制,AllowUser
u1和DenyAll哪个在前面都一样。
三、实例
1、简介
假设proftpd服务器上有5个用户:
manager, manA1, manA2,
manB1, manB2
和2个组:
groupA, groupB
manA1和manA2属于groupA组,manB1和manB2属于groupB组。
并且有如下目录结构:
/根目录
│
├ftproot/
│ ├manager/
│ │
│ ├groupA/
│ │
├A1/
│ │ ├A2/
│ │ └.../
│
│
│ ├groupB/
│ ├B1/
│
├B2/
│ └.../
│
└.../
现在要实现的权限:
1、用户manager可以读写manager、groupA、groupB目录及它们的的子目录。
2、manA1可以读写A1目录,并且可以读写groupB的所有子目录。
3、manA2可以读写A2目录,并且可以读写groupB的所有子目录。
4、manB1可以读写B1目录。
5、manB2可以读写B2目录。
6、如果一个用户没有某个目录的访问权限,那么该用户就不能看到此目录。
7、只允许manger用户和groupA、groupB组成员访问FTP服务器。
8、不允许任何人破坏主干目录结构
2、实现
(1)添加用户和组
useradd
manager
passwd manager
groupadd groupA
groupadd
groupB
useradd manA1
passwd manA1
usermod -G groupA manA1
useradd manA2
passwd manA2
usermod -G groupA manA2
useradd manB1
passwd manB1
usermod -G groupB manB1
useradd manB2
passwd manB2
usermod -G groupB manB2
(2)配置文件
# This is a basic ProFTPD configuration file (rename it
to
# 'proftpd.conf' for actual use. It establishes a single server
# and
a single anonymous login. It assumes that you have a user/group
# "nobody"
and "ftp" for normal operation and anon.
ServerName "Formax BPO FTP Server"
ServerType standalone
DefaultServer on
# Port 21 is the
standard FTP port.
Port 21
UseReverseDNS off
IdentLookups off# Umask 022 is a good
standard umask to prevent new dirs and files
# from being group and world
writable.
Umask 000
# To
prevent DoS attacks, set the maximum number of child processes
# to 30. If
you need to allow more than 30 concurrent connections
# at once, simply
increase this value. Note that this ONLY works
# in standalone mode, in
inetd mode you should use an inetd server
# that allows you to limit maximum
number of processes per service
# (such as xinetd).
MaxInstances 30
# Set the user and group
under which the server will run.
User nobody
Group nogroup
# To cause every FTP user
to be "jailed" (chrooted) into their home
# directory, uncomment this
line.
# DefaultRoot ~
DefaultRoot
/ftproot
# Normally, we want files to be overwriteable.
AllowOverwrite on
AllowStoreRestart on
ServerIdent off
mod_tls.c>
TLSEngine
on
TLSLog /var/ftpd/tls.log
TLSProtocol SSLv23
# Are clients required to use FTP over TLS when
talking to this server?
TLSRequired on
# Server's certificate
TLSRSACertificateFile /etc/proftpd.cert
TLSRSACertificateKeyFile
/etc/proftpd.key
# CA the server trusts
TLSCACertificateFile /etc/proftpd.cert
# Authenticate clients that want to use FTP over
TLS?
TLSVerifyClient off
TLSOptions NoCertRequest
#
Allow SSL/TLS renegotiations when the client requests them, but
# do
not force the renegotations. Some clients do not support
# SSL/TLS
renegotiations; when mod_tls forces a renegotiation, these
# clients
will close the data connection, or there will be a timeout
# on an idle
data connection.
TLSRenegotiate required
off
# Bar use of SITE CHMOD by default
SITE_CHMOD>
DenyAll
LOGIN>
AllowUser
manager
AllowGroup groupA
DenyAll
AllowGroup
groupB
/ftproot/*>
DenyAll
/ftproot/manager>
AllowUser
manager
/ftproot/groupA>
AllowUser manager
AllowGroup
groupA
/ftproot/groupA/*>
DenyAll
/ftproot/groupA/A2>
AllowUser manager
AllowUser
manA2
DenyAll
/ftproot/groupA/A1>
AllowUser manager
AllowUser
manA1
DenyAll
/ftproot/groupB>
AllowUser manager
AllowGroup
groupA
AllowGroup
groupB
/ftproot/groupB/*>
DenyAll
/ftproot/groupB/B1>
AllowUser manager
AllowUser
manB1
AllowGroup
groupA
DenyAll
/ftproot/groupB/B2>
AllowUser manager
AllowUser
manB2
AllowGroup
groupA
参考:
1、
2、
3、
本文出自 “GONE WITH THE WIND”
博客,请务必保留此出处http://h2appy.blog.51cto.com/609721/123997
阅读(1041) | 评论(0) | 转发(0) |