1.包安装
[root@Linux2 ~]# yum install vsftpd ftp -y
2.系统环境:
[root@Linux2 ~]# rpm -q vsftpd
vsftpd-2.2.2-6.el6_0.1.i686
[root@Linux2 ~]# cat /etc/issue
CentOS release 6.2 (Final)
[root@Linux2 ~]# getconf WORD_BIT
32
[root@Linux2 ~]# getenforce
Enforcing
[root@Linux2 ~]# useradd kevin && echo kevin | passwd --stdin kevin
Changing password for user kevin.
passwd: all authentication tokens updated successfully.
[root@Linux2 ~]# useradd todd && echo todd | passwd --stdin todd
Changing password for user todd.
passwd: all authentication tokens updated successfully.
[root@Linux2 ~]# /etc/init.d/vsftpd start
Starting vsftpd for vsftpd: [ OK ]
[root@Linux2 ~]# ifconfig eth1 | grep 'inet addr' | awk -F'[: ]+' '{print $4}'
10.10.1.19
3.实现功能相应配置
(1)限制匿名用户登录
[root@Linux2 ~]# ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
[root@Linux2 vsftpd]# cd /etc/vsftpd/
[root@Linux2 vsftpd]# sed '/^#/d' vsftpd.conf | sed '/^$/d'
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
[root@Linux2 vsftpd]# sed 's;anonymous_enable=YES;anonymous_enable=NO;' vsftpd.conf -i
[root@Linux2 vsftpd]# /etc/init.d/vsftpd reload
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
[root@Linux2 vsftpd]# ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): ftp
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
(2)禁止某用户登录
例如:禁止kevin用户登录
[root@Linux2 vsftpd]# ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): kevin
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/home/kevin
Login failed.
解决过程:
[root@Linux2 vsftpd]# getenforce
Enforcing
[root@Linux2 vsftpd]# setenforce 0
[root@Linux2 vsftpd]# !ftp
ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): kevin
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
确定是selinux的原因
[root@Linux2 vsftpd]# setenforce 1
[root@Linux2 vsftpd]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
[root@Linux2 vsftpd]# setsebool ftp_home_dir 1
[root@Linux2 vsftpd]# !ftp
ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): kevin
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
到这里,由于selinux导致用户无法登录的问题已解决。下面进行 禁止某用户登录 的操作:
[root@Linux2 vsftpd]# pwd
/etc/vsftpd
[root@Linux2 vsftpd]# ls
ftpusers user_list vsftpd.conf vsftpd_conf_migrate.sh
禁止用户登录有两种实现方式:一、把用户加入黑名单ftpusers(由 PAM 配置检查,见下方 user_list 文件头部注释),永远都无法登录。二、加入user_list中,但动作要由配置文件的参数userlist_deny= 决定。
a。通过ftpusers
[root@Linux2 vsftpd]# echo kevin >> ftpusers
[root@Linux2 vsftpd]# tail -3 ftpusers
games
nobody
kevin
[root@Linux2 vsftpd]# ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): kevin
331 Please specify the password.
Password: 密码输入是正确的,但就是不能登录,即 禁止 成功。
530 Login incorrect.
Login failed.
ftp> quit
221 Goodbye.
b。通过user_list文件
[root@Linux2 vsftpd]# sed '/\/d' ftpusers -i
[root@Linux2 vsftpd]# ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): kevin
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
[root@Linux2 vsftpd]# head -6 user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
[root@Linux2 vsftpd]# echo kevin >> user_list
[root@Linux2 vsftpd]# !ftp
ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): kevin
530 Permission denied.
Login failed.
ftp> quit
221 Goodbye.
[root@Linux2 vsftpd]# sed '/\/d' user_list -i
[root@Linux2 vsftpd]# !ftp
ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): kevin
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
# If userlist_deny=YES (default), never allow users in this file 测试成功。
(3)限制用户跳出用户家目录,即jail 用户
[root@Linux2 vsftpd]# !ftp
ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): kevin
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/kevin"
ftp> cd /home
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (10,10,1,19,215,41).
150 Here comes the directory listing.
drwx------ 2 501 501 4096 Oct 18 07:37 kevin
drwx------ 2 502 502 4096 Oct 18 07:38 todd
226 Directory send OK.
ftp> cd /opt
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (10,10,1,19,89,179).
150 Here comes the directory listing.
drwxr-xr-x 11 10292 9901 4096 Oct 16 22:41 bind-9.9.2
drwxr-x--- 2 0 0 4096 Oct 15 08:37 etc
drwxr-xr-x 2 0 0 4096 Aug 21 11:49 mv
drwxr-x--- 4 0 0 4096 Oct 15 08:37 named
226 Directory send OK.
ftp> quit
221 Goodbye. 由于没有禁锢用户,用户可以切换到家目录之外的路径(如上所示能列出 /home 和 /opt),这不安全,下面进行 jail 操作。
[root@Linux2 vsftpd]# vim vsftpd.conf (这里只显示部分内容) 更改了第95行。
92 # You may specify an explicit list of local users to chroot() to their home
93 # directory. If chroot_local_user is YES, then this list becomes a list of
94 # users to NOT chroot().
95 chroot_local_user=YES --》 对所有的本地用户作 jail ,即禁锢操作。此处 chroot_list_enable 未开启,所以不受 chroot_list 文件影响;若两者同时开启,按第 92-94 行注释,chroot_list 中列出的用户反而不会被 chroot。
96 #chroot_list_enable=YES---》一般 96 和 98 行配合使用,在chroot_list 文件中的用户将受限制。
97 # (default follows)
98 #chroot_list_file=/etc/vsftpd/chroot_list
99 #
[root@Linux2 vsftpd]# /etc/init.d/vsftpd reload
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
[root@Linux2 vsftpd]# ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): kevin
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> cd /home
550 Failed to change directory.
ftp> cd /opt
550 Failed to change directory.
ftp> quit
221 Goodbye.
[root@Linux2 vsftpd]# ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): todd
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> cd /etc
550 Failed to change directory.
ftp> cd /opt
550 Failed to change directory.
ftp> quit
221 Goodbye.
kevin 和 todd 用户都被限制了
[root@Linux2 vsftpd]# vim vsftpd.conf 注释掉第95行,开启第96 98 行。
95 #chroot_local_user=YES
96 chroot_list_enable=YES
97 # (default follows)
98 chroot_list_file=/etc/vsftpd/chroot_list
[root@Linux2 vsftpd]# echo kevin > /etc/vsftpd/chroot_list
[root@Linux2 vsftpd]# /etc/init.d/vsftpd reload
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
[root@Linux2 vsftpd]# cat chroot_list
kevin
[root@Linux2 vsftpd]# !ftp
ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): kevin
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> cd /etc
550 Failed to change directory.
ftp> quit
221 Goodbye.
[root@Linux2 vsftpd]# !ftp
ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): todd
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/todd"
ftp> cd /opt
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (10,10,1,19,82,42).
150 Here comes the directory listing.
drwxr-xr-x 11 10292 9901 4096 Oct 16 22:41 bind-9.9.2
drwxr-x--- 2 0 0 4096 Oct 15 08:37 etc
drwxr-xr-x 2 0 0 4096 Aug 21 11:49 mv
drwxr-x--- 4 0 0 4096 Oct 15 08:37 named
226 Directory send OK.
ftp> quit
221 Goodbye.
[root@Linux2 vsftpd]# echo todd >> chroot_list
[root@Linux2 vsftpd]# cat chroot_list
kevin
todd
[root@Linux2 vsftpd]# !ftp
ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): todd
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> cd /opt
550 Failed to change directory.
ftp> quit
221 Goodbye. 测试成功。
(4)创建虚拟用户登录
实现目标:为销售部和开发部两个部门创建虚拟用户sales--> sales01,sales02和develops-->develops01,develops02,分别对应系统用户sales和develops,并针对不同虚拟用户给予不同的权限。
实现基本思路:a、配置 vsftpd.conf 文件,实现虚拟用户服务功能。
b、创建用户认证库文件
c、创建虚拟用户配置文件,及创建系统用户。
d、测试。
实现步骤:
a、
[root@Linux2 vsftpd]# pwd
/etc/vsftpd
[root@Linux2 vsftpd]# ls
chroot_list ftpusers user_list vsftpd.conf vsftpd_conf_migrate.sh
[root@Linux2 vsftpd]# tail -6 vsftpd.conf
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
[root@Linux2 vsftpd]# sed 's;pam_service_name=vsftpd;#pam_service_name=vsftpd;' vsftpd.conf -i
[root@Linux2 vsftpd]# !ta
tail -6 vsftpd.conf
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
#pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
[root@Linux2 vsftpd]# sed \ '$aguest_enable=YES\npam_service_name=vsftpds\nuser_config_dir=/etc/vsftpd/user_config' vsftpd.conf -i
[root@Linux2 vsftpd]# tail -9 vsftpd.conf
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
#pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
pam_service_name=myvsftpd
user_config_dir=/etc/vsftpd/user_config
b、创建用户认证库文件。注意:count.txt 中是明文密码,db_load 生成 vuser.db 后应删除该文件(下方 ls 输出显示它仍留在 /etc/vsftpd 中),并将 vuser.db 权限限制为仅 root 可读(chmod 600)。
[root@Linux2 vsftpd]# cat >>count.txt<<'EOF'
> sales01
> sales01_pass
> sales02
> sales02_pass
> develops01
> develops01_pass
> develops02
> develops02_pass
> EOF
[root@Linux2 vsftpd]# cat count.txt
sales01
sales01_pass
sales02
sales02_pass
develops01
develops01_pass
develops02
develops02_pass
[root@Linux2 ~]# cd /etc/vsftpd/
[root@Linux2 vsftpd]# ls
chroot_list count.txt ftpusers user_list vsftpd.conf vsftpd_conf_migrate.sh
[root@Linux2 vsftpd]# db_load -help
usage: db_load [-nTV] [-c name=value] [-f file]
[-h home] [-P password] [-t btree | hash | recno | queue] db_file
usage: db_load -r lsn | fileid [-h home] [-P password] db_file
[root@Linux2 vsftpd]# db_load -T -f count.txt -t hash vuser.db
[root@Linux2 vsftpd]# echo $?
0
[root@Linux2 vsftpd]# tail -3 vsftpd.conf
guest_enable=YES
pam_service_name=vsftpds
user_config_dir=/etc/vsftpd/user_config
[root@Linux2 vsftpd]# mkdir user_config
[root@Linux2 vsftpd]# cd user_config/
[root@Linux2 user_config]# touch sales01 sales02 develops01 develops02
[root@Linux2 user_config]# man vsftpd.conf | col -b > man.vsftpd.conf
[root@Linux2 user_config]# egrep '^[[:space:]]+(anon_|guest_)' man.vsftpd.conf
anon_mkdir_write_enable
anon_other_write_enable
anon_upload_enable
anon_world_readable_only
guest_enable
guest_username setting.
anon_max_rate
anon_umask
anon_root
guest_username
[root@Linux2 user_config]# vim sales01
[root@Linux2 user_config]# cat sales01
anon_mkdir_write_enable=yes
anon_other_write_enable=yes
anon_world_readable_only=no
guest_username=sales
anon_upload_enable=yes
[root@Linux2 user_config]# vim develops01
[root@Linux2 user_config]# cat develops01
anon_mkdir_write_enable=no
anon_other_write_enable=no
anon_world_readable_only=no
guest_username=develops
anon_upload_enable=no
c、创建虚拟用户配置文件,及创建系统用户。注意:/etc/pam.d/ 下的 PAM 服务文件名必须与 vsftpd.conf 中 pam_service_name 的值一致;上面 sed 命令写入的 vsftpds 与实际创建的 myvsftpd 不符,应以 myvsftpd 为准。
[root@Linux2 user_config]# rm man.vsftpd.conf -f
[root@Linux2 user_config]# mkdir /shares
[root@Linux2 user_config]# useradd -s /sbin/nologin -d /shares/sales sales
[root@Linux2 user_config]# useradd -s /sbin/nologin -d /shares/develops develops
[root@Linux2 user_config]# ls /shares/ -l
total 8
drwx------. 2 develops develops 4096 Oct 19 10:59 develops
drwx------. 2 sales sales 4096 Oct 19 10:59 sales
[root@Linux2 ~]# tail -2 /etc/vsftpd/vsftpd.conf | head -1
pam_service_name=myvsftpd
[root@Linux2 ~]# cd /etc/pam.d/
[root@Linux2 pam.d]# vim myvsftpd
[root@Linux2 pam.d]# cat myvsftpd
auth required pam_userdb.so db=/etc/vsftpd/vuser
account required pam_userdb.so db=/etc/vsftpd/vuser
[root@Linux2 pam.d]# ls /etc/vsftpd/
chroot_list ftpusers user_list vsftpd_conf_migrate.sh
count.txt user_config vsftpd.conf vuser.db
[root@Linux2 pam.d]# /etc/init.d/vsftpd reload
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
d、测试
[root@Linux2 ~]# cd /shares/sales/
[root@Linux2 sales]# echo somethings > testfiles
[root@Linux2 sales]# ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): sales01
331 Please specify the password.
Password: -----------》 密码为count.txt 文件中指定的密码,即为 sales01_pass .
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,10,1,19,124,183).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 11 Oct 19 03:11 testfiles
226 Directory send OK.
ftp> quit
221 Goodbye.
[root@Linux2 sales]# cd /etc/vsftpd/user_config/
[root@Linux2 user_config]# pwd
/etc/vsftpd/user_config
[root@Linux2 user_config]# cat sales02 -----------------> 这里 sales02 文件没有任何数据,则 guest_username 采用默认值 ftp,登录后落在 ftp 用户的家目录 /var/ftp 。
[root@Linux2 user_config]# !ftp
ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): sales02
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,10,1,19,245,39).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Jun 25 2011 pub --------》 pub是ftp家目录/var/ftp/下的数据
226 Directory send OK.
ftp> pwd
257 "/"
ftp> quit
221 Goodbye.
[root@Linux2 user_config]# cd /shares/develops/
[root@Linux2 develops]# echo dkfaf > developtest
[root@Linux2 develops]# !ftp
ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): develops01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,10,1,19,24,116).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 6 Oct 19 03:15 developtest
226 Directory send OK.
ftp> quit
221 Goodbye.
做上传文件测试:
[root@Linux2 develops]# cd /opt/
[root@Linux2 opt]# ls
bind-9.9.2 etc mv named
[root@Linux2 opt]# echo test > upload.txt
[root@Linux2 opt]# !ftp
ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): sales01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,10,1,19,241,203).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 11 Oct 19 03:11 testfiles
226 Directory send OK.
ftp> !ls
bind-9.9.2 etc mv named upload.txt
ftp> put upload.txt
local: upload.txt remote: upload.txt
227 Entering Passive Mode (10,10,1,19,233,64).
553 Could not create file. -----------》 上传文件失败。
ftp> quit
221 Goodbye.
解决过程:
[root@Linux2 opt]# getenforce
Enforcing
[root@Linux2 opt]# setenforce 0
[root@Linux2 opt]# !ftp
ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): sales01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,10,1,19,111,240).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 11 Oct 19 03:11 testfiles
226 Directory send OK.
ftp> !ls
bind-9.9.2 etc mv named upload.txt
ftp> put upload.txt
local: upload.txt remote: upload.txt
227 Entering Passive Mode (10,10,1,19,167,196).
150 Ok to send data.
226 Transfer complete.
5 bytes sent in 7.2e-05 secs (69.44 Kbytes/sec) ----》 上传文件成功,由此确定是selinux的原因。
ftp> ls
227 Entering Passive Mode (10,10,1,19,139,105).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 11 Oct 19 03:11 testfiles
-rw------- 1 503 503 5 Oct 19 03:18 upload.txt
226 Directory send OK.
ftp> quit
221 Goodbye.
解决过程:
[root@Linux2 opt]# setenforce 1 -------》 改回原来的enforcing模式
[root@Linux2 opt]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
[root@Linux2 opt]# setsebool allow_ftpd_anon_write 1 ----》 开启ftp可写 bool 值
[root@Linux2 opt]# !get
getsebool -a | grep ftp
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
[root@Linux2 opt]# !ftp
ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): sales01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,10,1,19,71,237).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 11 Oct 19 03:11 testfiles
-rw------- 1 503 503 5 Oct 19 03:18 upload.txt
226 Directory send OK.
ftp> delete upload.txt ------》 还是不能进行写的操作,则要查看文件的上下文。
550 Delete operation failed.
ftp> quit
221 Goodbye.
查看文件的上下文,更改文件的上下文。
[root@Linux2 opt]# ls -Zd /var/ftp/pub/
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/pub/
[root@Linux2 opt]# chcon -R -t public_content_rw_t /shares/sales/ ----》 public_content_rw_t 为可写。注意 chcon 的修改不持久,文件系统重新打标签(restorecon)后会丢失;持久化应先用 semanage fcontext 添加规则再执行 restorecon。
[root@Linux2 opt]# ls -Zd /shares/sales/
drwx------. sales sales system_u:object_r:public_content_rw_t:s0 /shares/sales/
[root@Linux2 opt]# ls -Z /shares/sales/
-rw-r--r--. root root unconfined_u:object_r:public_content_rw_t:s0 testfiles
-rw-------. sales sales unconfined_u:object_r:public_content_rw_t:s0 upload.txt
[root@Linux2 opt]# !ftp
ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): sales01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,10,1,19,234,53).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 11 Oct 19 03:11 testfiles
-rw------- 1 503 503 5 Oct 19 03:18 upload.txt
226 Directory send OK.
ftp> delete upload.txt
250 Delete operation successful. ------》 ok,能进行写的操作,这里delete 是删除文件。
ftp> ls
227 Entering Passive Mode (10,10,1,19,31,2).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 11 Oct 19 03:11 testfiles
226 Directory send OK.
ftp> quit
221 Goodbye.
下面测试--- 是不是只改了上下文就可以了,还是 allow_ftpd_anon_write 这个bool值也必须开启。因为前面是先开启了allow_ftpd_anon_write,再设置上下文,现在把这个bool值关掉再试。
[root@Linux2 opt]# getsebool -a | grep ftp
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
[root@Linux2 opt]# setsebool allow_ftpd_anon_write 0 ----》 关闭bool值。
[root@Linux2 opt]# !ftp
ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): sales01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,10,1,19,201,240).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 11 Oct 19 03:11 testfiles
226 Directory send OK.
ftp> lcd /etc ——----》 切换到本地 /etc 目录。
Local directory now /etc
ftp> put hosts -----------》 上传hosts这个文件。
local: hosts remote: hosts
227 Entering Passive Mode (10,10,1,19,239,246).
553 Could not create file. -----》 不行,则证明这个bool值必须开启(这里同时也要注意文件的权限)
ftp> quit
221 Goodbye.
[root@Linux2 opt]# setsebool allow_ftpd_anon_write 1
[root@Linux2 opt]# !ftp
ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): sales01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /etc
Local directory now /etc
ftp> put hosts
local: hosts remote: hosts
227 Entering Passive Mode (10,10,1,19,155,157).
150 Ok to send data.
226 Transfer complete.
158 bytes sent in 3.2e-05 secs (4937.50 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (10,10,1,19,233,134).
150 Here comes the directory listing.
-rw------- 1 503 503 158 Oct 19 03:23 hosts
-rw-r--r-- 1 0 0 11 Oct 19 03:11 testfiles
226 Directory send OK.
ftp> quit
221 Goodbye.
下面,做些 针对不同的虚拟用户做简单的权限设置,并测试。
[root@Linux2 opt]# cd /etc/vsftpd/user_config/
[root@Linux2 user_config]# ls
develops01 develops02 sales01 sales02 #---》 这里每一个文件对应一个虚拟用户,不过这里的用户必须是有在count.txt 文件中做了记录的,记录的格式是第一行是 用户user1,第二行是用户user1的密码,依此类推。
[root@Linux2 user_config]# vim sales02
[root@Linux2 user_config]# cat sales02 #---》 设置sales02用户只读权限
anon_mkdir_write_enable=no
anon_other_write_enable=no
anon_world_readable_only=no
guest_username=sales
anon_upload_enable=no
[root@Linux2 user_config]# !ftp
ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): sales02
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,10,1,19,244,187).
150 Here comes the directory listing.
-rw------- 1 503 503 158 Oct 19 03:23 hosts
-rw-r--r-- 1 0 0 11 Oct 19 03:11 testfiles
226 Directory send OK.
ftp> delete hosts
550 Permission denied.
ftp> lcd /opt
Local directory now /opt
ftp> !ls
bind-9.9.2 etc mv named upload.txt
ftp> put upload.txt # ------》 只读,不能进行写操作。
local: upload.txt remote: upload.txt
227 Entering Passive Mode (10,10,1,19,32,7).
550 Permission denied.
ftp> quit
221 Goodbye.
[root@Linux2 develops]# cd
[root@Linux2 ~]# cd /shares/develops/
[root@Linux2 develops]# ls -Zd
drwx------. develops develops system_u:object_r:default_t:s0 .
[root@Linux2 develops]# chcon -R --reference=/shares/sales/ .
[root@Linux2 develops]# ls -Zd
drwx------. develops develops system_u:object_r:public_content_rw_t:s0 .
[root@Linux2 develops]# ls -Z
-rw-r--r--. root root system_u:object_r:public_content_rw_t:s0 developtest
[root@Linux2 user_config]# cd /shares/
[root@Linux2 shares]# chown -R sales:sales sales/ #---》 更改下目录的属主,使其归对应的系统用户所有
[root@Linux2 shares]# chown -R develops:develops develops/
[root@Linux2 shares]# cd /etc/vsftpd/user_config/
[root@Linux2 user_config]# cat develops01
anon_mkdir_write_enable=no # ---> 这个用户只读
anon_other_write_enable=no
anon_world_readable_only=no
guest_username=develops
anon_upload_enable=no
[root@Linux2 user_config]# !ftp
ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): develops01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,10,1,19,208,58).
150 Here comes the directory listing.
-rw-r--r-- 1 504 504 6 Oct 19 03:15 developtest
226 Directory send OK.
ftp> delete developtest
550 Permission denied.
ftp> lcd /opt
Local directory now /opt
ftp> !ls
bind-9.9.2 etc mv named upload.txt
ftp> put upload.txt
local: upload.txt remote: upload.txt
227 Entering Passive Mode (10,10,1,19,255,101).
550 Permission denied.
ftp> quit
221 Goodbye.
[root@Linux2 user_config]# vim develops02
[root@Linux2 user_config]# cat develops02
anon_mkdir_write_enable=yes
anon_other_write_enable=yes
anon_world_readable_only=no # ----》 测试下anon_world_readable_only 的作用。
guest_username=develops
anon_upload_enable=yes
[root@Linux2 user_config]# !ftp
ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): develops02
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,10,1,19,105,188).
150 Here comes the directory listing.
-rw-r--r-- 1 504 504 6 Oct 19 03:15 developtest
226 Directory send OK.
ftp> lcd /opt
Local directory now /opt
ftp> put upload.txt
local: upload.txt remote: upload.txt
227 Entering Passive Mode (10,10,1,19,178,250).
150 Ok to send data.
226 Transfer complete.
5 bytes sent in 5.9e-05 secs (84.75 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (10,10,1,19,22,27).
150 Here comes the directory listing.
-rw-r--r-- 1 504 504 6 Oct 19 03:15 developtest
-rw------- 1 504 504 5 Oct 19 03:39 upload.txt
226 Directory send OK.
ftp> quit
221 Goodbye.
[root@Linux2 user_config]# vim develops02
[root@Linux2 user_config]# cat develops02
anon_mkdir_write_enable=yes
anon_other_write_enable=yes
anon_world_readable_only=yes # ----》 更改为yes
guest_username=develops
anon_upload_enable=yes
[root@Linux2 user_config]# !ftp
ftp 10.10.1.19
Connected to 10.10.1.19 (10.10.1.19).
220 (vsFTPd 2.2.2)
Name (10.10.1.19:root): develops02
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,10,1,19,125,6).
150 Here comes the directory listing.
226 Transfer done (but failed to open directory). # ----》 连读的权限都不行了。因为 anon_world_readable_only=yes 只允许读取全局可读的文件/目录,而 /shares/develops 目录权限是 drwx------(见上方 ls -Zd 输出),所以列目录失败。
ftp> pwd
257 "/"
ftp> quit
221 Goodbye.
########### 待续 #########