1.包安装
[root@linux2 ~]# yum install vsftpd ftp -y
2.系统环境:
[root@linux2 ~]# rpm -q vsftpd
vsftpd-2.2.2-6.el6_0.1.i686
[root@linux2 ~]# cat /etc/issue
centos release 6.2 (final)
[root@linux2 ~]# getconf WORD_BIT
32
[root@linux2 ~]# getenforce
enforcing
[root@linux2 ~]# useradd kevin && echo kevin | passwd --stdin kevin
changing password for user kevin.
passwd: all authentication tokens updated successfully.
[root@linux2 ~]# useradd todd && echo todd | passwd --stdin todd
changing password for user todd.
passwd: all authentication tokens updated successfully.
[root@linux2 ~]# /etc/init.d/vsftpd start
starting vsftpd for vsftpd: [ ok ]
[root@linux2 ~]# ifconfig eth1 | grep 'inet addr' | awk -F'[: ]+' '{print $4}'
10.10.1.19
3.实现功能相应配置
(1)限制匿名用户登录
[root@linux2 ~]# ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): ftp
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
[root@linux2 vsftpd]# cd /etc/vsftpd/
[root@linux2 vsftpd]# sed '/^#/d' vsftpd.conf | sed '/^$/d'
anonymous_enable=yes
local_enable=yes
write_enable=yes
local_umask=022
dirmessage_enable=yes
xferlog_enable=yes
connect_from_port_20=yes
xferlog_std_format=yes
listen=yes
pam_service_name=vsftpd
userlist_enable=yes
tcp_wrappers=yes
[root@linux2 vsftpd]# sed 's;anonymous_enable=yes;anonymous_enable=no;' vsftpd.conf -i
[root@linux2 vsftpd]# /etc/init.d/vsftpd reload
shutting down vsftpd: [ ok ]
starting vsftpd for vsftpd: [ ok ]
[root@linux2 vsftpd]# ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): ftp
331 please specify the password.
password:
530 login incorrect.
login failed.
(2)禁止某用户不能登录
例如:禁止kevin用户不能登录
[root@linux2 vsftpd]# ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): kevin
331 please specify the password.
password:
500 oops: cannot change directory:/home/kevin
login failed.
解决过程:
[root@linux2 vsftpd]# getenforce
enforcing
[root@linux2 vsftpd]# setenforce 0
[root@linux2 vsftpd]# !ftp
ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): kevin
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
确定是selinux的原因
[root@linux2 vsftpd]# setenforce 1
[root@linux2 vsftpd]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
[root@linux2 vsftpd]# setsebool ftp_home_dir 1
[root@linux2 vsftpd]# !ftp
ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): kevin
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
到这里,由 SELinux 导致用户无法登录的问题已解决(注意 setsebool 未加 -P,该设置在重启后不会保留)。下面进行 禁止某用户登录 的操作:
[root@linux2 vsftpd]# pwd
/etc/vsftpd
[root@linux2 vsftpd]# ls
ftpusers user_list vsftpd.conf vsftpd_conf_migrate.sh
禁止用户登录有两种实现方式:一、把用户加入黑名单 ftpusers(由 PAM 配置检查),永远都无法登录。二、加入 user_list 中,是拒绝还是仅允许由配置文件的参数 userlist_deny= 决定(默认为 yes,即拒绝)。
a。通过ftpusers
[root@linux2 vsftpd]# echo kevin >> ftpusers
[root@linux2 vsftpd]# tail -3 ftpusers
games
nobody
kevin
[root@linux2 vsftpd]# ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): kevin
331 please specify the password.
password: 密码输入是正确的,但就是不能登录,即 禁止 成功。
530 login incorrect.
login failed.
ftp> quit
221 goodbye.
b。通过user_list文件
[root@linux2 vsftpd]# sed '/\<kevin\>/d' ftpusers -i
[root@linux2 vsftpd]# ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): kevin
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
ftp> quit
221 goodbye.
[root@linux2 vsftpd]# head -6 user_list
# vsftpd userlist
# if userlist_deny=no, only allow users in this file
# if userlist_deny=yes (default), never allow users in this file, and
# do not even prompt for a password.
# note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
[root@linux2 vsftpd]# echo kevin >> user_list
[root@linux2 vsftpd]# !ftp
ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): kevin
530 permission denied.
login failed.
ftp> quit
221 goodbye.
[root@linux2 vsftpd]# sed '/\<kevin\>/d' user_list -i
[root@linux2 vsftpd]# !ftp
ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): kevin
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
ftp> quit
221 goodbye.
# if userlist_deny=yes (default), never allow users in this file 测试成功:与 user_list 文件注释所述一致,kevin 未被提示输入密码就被拒绝(530 permission denied)。
(3)限制用户跳出用户家目录,即jail 用户
[root@linux2 vsftpd]# !ftp
ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): kevin
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
ftp> pwd
257 "/home/kevin"
ftp> cd /home
250 directory successfully changed.
ftp> ls
227 entering passive mode (10,10,1,19,215,41).
150 here comes the directory listing.
drwx------ 2 501 501 4096 oct 18 07:37 kevin
drwx------ 2 502 502 4096 oct 18 07:38 todd
226 directory send ok.
ftp> cd /opt
250 directory successfully changed.
ftp> ls
227 entering passive mode (10,10,1,19,89,179).
150 here comes the directory listing.
drwxr-xr-x 11 10292 9901 4096 oct 16 22:41 bind-9.9.2
drwxr-x--- 2 0 0 4096 oct 15 08:37 etc
drwxr-xr-x 2 0 0 4096 aug 21 11:49 mv
drwxr-x--- 4 0 0 4096 oct 15 08:37 named
226 directory send ok.
ftp> quit
221 goodbye. 由于没有禁锢用户,用户可切换到家目录之外的路径,这不安全,下面进行 jail 操作。
[root@linux2 vsftpd]# vim vsftpd.conf (这里只显示部分内容) 更改了第95行。
92 # you may specify an explicit list of local users to chroot() to their home
93 # directory. if chroot_local_user is yes, then this list becomes a list of
94 # users to not chroot().
95 chroot_local_user=yes --》 对所有的本地用户作 jail,即禁锢操作。这里 chroot_list_enable 未开启,所以不受 chroot_list 文件的影响。
96 #chroot_list_enable=yes---》一般 96 和 98 行配合使用,在 chroot_list 文件中的用户将受限制。
97 # (default follows)
98 #chroot_list_file=/etc/vsftpd/chroot_list
99 #
[root@linux2 vsftpd]# /etc/init.d/vsftpd reload
shutting down vsftpd: [ ok ]
starting vsftpd for vsftpd: [ ok ]
[root@linux2 vsftpd]# ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): kevin
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> cd /home
550 failed to change directory.
ftp> cd /opt
550 failed to change directory.
ftp> quit
221 goodbye.
[root@linux2 vsftpd]# ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): todd
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> cd /etc
550 failed to change directory.
ftp> cd /opt
550 failed to change directory.
ftp> quit
221 goodbye.
kevin 和 todd 用户都被限制了
[root@linux2 vsftpd]# vim vsftpd.conf 注释掉第95行,开启第96 98 行。
95#chroot_local_user=yes
96 chroot_list_enable=yes
97 # (default follows)
98 chroot_list_file=/etc/vsftpd/chroot_list
[root@linux2 vsftpd]# echo kevin > /etc/vsftpd/chroot_list
[root@linux2 vsftpd]# /etc/init.d/vsftpd reload
shutting down vsftpd: [ ok ]
starting vsftpd for vsftpd: [ ok ]
[root@linux2 vsftpd]# cat chroot_list
kevin
[root@linux2 vsftpd]# !ftp
ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): kevin
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> cd /etc
550 failed to change directory.
ftp> quit
221 goodbye.
[root@linux2 vsftpd]# !ftp
ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): todd
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
ftp> pwd
257 "/home/todd"
ftp> cd /opt
250 directory successfully changed.
ftp> ls
227 entering passive mode (10,10,1,19,82,42).
150 here comes the directory listing.
drwxr-xr-x 11 10292 9901 4096 oct 16 22:41 bind-9.9.2
drwxr-x--- 2 0 0 4096 oct 15 08:37 etc
drwxr-xr-x 2 0 0 4096 aug 21 11:49 mv
drwxr-x--- 4 0 0 4096 oct 15 08:37 named
226 directory send ok.
ftp> quit
221 goodbye.
[root@linux2 vsftpd]# echo todd >> chroot_list
[root@linux2 vsftpd]# cat chroot_list
kevin
todd
[root@linux2 vsftpd]# !ftp
ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): todd
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> cd /opt
550 failed to change directory.
ftp> quit
221 goodbye. 测试成功。
(4)创建虚拟用户登录
实现目标:为销售部和开发部两个部门创建虚拟用户sales--> sales01,sales02和develops-->develops01,develops02,分别对应系统用户sales和develops,并针对不同虚拟用户给予不同的权限。
实现基本思路:a、配置 vsftpd.conf 文件,实现虚拟用户服务功能。
b、创建用户认证库文件
c、创建虚拟用户配置文件,及创建系统用户。
d、测试。
实现步骤:
a、
[root@linux2 vsftpd]# pwd
/etc/vsftpd
[root@linux2 vsftpd]# ls
chroot_list ftpusers user_list vsftpd.conf vsftpd_conf_migrate.sh
[root@linux2 vsftpd]# tail -6 vsftpd.conf
# make sure, that one of the listen options is commented !!
#listen_ipv6=yes
pam_service_name=vsftpd
userlist_enable=yes
tcp_wrappers=yes
[root@linux2 vsftpd]# sed 's;pam_service_name=vsftpd;#pam_service_name=vsftpd;' vsftpd.conf -i
[root@linux2 vsftpd]# !ta
tail -6 vsftpd.conf
# make sure, that one of the listen options is commented !!
#listen_ipv6=yes
#pam_service_name=vsftpd
userlist_enable=yes
tcp_wrappers=yes
[root@linux2 vsftpd]# sed '$a\guest_enable=yes\npam_service_name=myvsftpd\nuser_config_dir=/etc/vsftpd/user_config' vsftpd.conf -i
[root@linux2 vsftpd]# tail -9 vsftpd.conf
# make sure, that one of the listen options is commented !!
#listen_ipv6=yes
#pam_service_name=vsftpd
userlist_enable=yes
tcp_wrappers=yes
guest_enable=yes
pam_service_name=myvsftpd
user_config_dir=/etc/vsftpd/user_config
b、
[root@linux2 vsftpd]# cat >>count.txt<<'eof'
> sales01
> sales01_pass
> sales02
> sales02_pass
> develops01
> develops01_pass
> develops02
> develops02_pass
> eof
[root@linux2 vsftpd]# cat count.txt
sales01
sales01_pass
sales02
sales02_pass
develops01
develops01_pass
develops02
develops02_pass
[root@linux2 ~]# cd /etc/vsftpd/
[root@linux2 vsftpd]# ls
chroot_list count.txt ftpusers user_list vsftpd.conf vsftpd_conf_migrate.sh
[root@linux2 vsftpd]# db_load -help
usage: db_load [-ntv] [-c name=value] [-f file]
[-h home] [-p password] [-t btree | hash | recno | queue] db_file
usage: db_load -r lsn | fileid [-h home] [-p password] db_file
[root@linux2 vsftpd]# db_load -T -t hash -f count.txt vuser.db
[root@linux2 vsftpd]# echo $?
0
[root@linux2 vsftpd]# tail -3 vsftpd.conf
guest_enable=yes
pam_service_name=myvsftpd
user_config_dir=/etc/vsftpd/user_config
[root@linux2 vsftpd]# mkdir user_config
[root@linux2 vsftpd]# cd user_config/
[root@linux2 user_config]# touch sales01 sales02 develops01 develops02
[root@linux2 user_config]# man vsftpd.conf | col -b > man.vsftpd.conf
[root@linux2 user_config]# egrep '^[[:space:]]+(anon_|guest_)' man.vsftpd.conf
anon_mkdir_write_enable
anon_other_write_enable
anon_upload_enable
anon_world_readable_only
guest_enable
guest_username setting.
anon_max_rate
anon_umask
anon_root
guest_username
[root@linux2 user_config]# vim sales01
[root@linux2 user_config]# cat sales01
anon_mkdir_write_enable=yes
anon_other_write_enable=yes
anon_world_readable_only=no
guest_username=sales
anon_upload_enable=yes
[root@linux2 user_config]# vim develops01
[root@linux2 user_config]# cat develops01
anon_mkdir_write_enable=no
anon_other_write_enable=no
anon_world_readable_only=no
guest_username=develops
anon_upload_enable=no
c、
[root@linux2 user_config]# rm man.vsftpd.conf -f
[root@linux2 user_config]# mkdir /shares
[root@linux2 user_config]# useradd -s /sbin/nologin -d /shares/sales sales
[root@linux2 user_config]# useradd -s /sbin/nologin -d /shares/develops develops
[root@linux2 user_config]# ls /shares/ -l
total 8
drwx------. 2 develops develops 4096 oct 19 10:59 develops
drwx------. 2 sales sales 4096 oct 19 10:59 sales
[root@linux2 ~]# tail -2 /etc/vsftpd/vsftpd.conf | head -1
pam_service_name=myvsftpd
[root@linux2 ~]# cd /etc/pam.d/
[root@linux2 pam.d]# vim myvsftpd
[root@linux2 pam.d]# cat myvsftpd
auth       required     pam_userdb.so db=/etc/vsftpd/vuser
account    required     pam_userdb.so db=/etc/vsftpd/vuser
[root@linux2 pam.d]# ls /etc/vsftpd/
chroot_list ftpusers user_list vsftpd_conf_migrate.sh
count.txt user_config vsftpd.conf vuser.db
[root@linux2 pam.d]# /etc/init.d/vsftpd reload
shutting down vsftpd: [ ok ]
starting vsftpd for vsftpd: [ ok ]
d、测试
[root@linux2 ~]# cd /shares/sales/
[root@linux2 sales]# echo somethings > testfiles
[root@linux2 sales]# ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): sales01
331 please specify the password.
password: -----------》 密码为count.txt 文件中指定的密码,即为 sales01_pass .
230 login successful.
remote system type is unix.
using binary mode to transfer files.
ftp> ls
227 entering passive mode (10,10,1,19,124,183).
150 here comes the directory listing.
-rw-r--r-- 1 0 0 11 oct 19 03:11 testfiles
226 directory send ok.
ftp> quit
221 goodbye.
[root@linux2 sales]# cd /etc/vsftpd/user_config/
[root@linux2 user_config]# pwd
/etc/vsftpd/user_config
[root@linux2 user_config]# cat sales02 -----------------> 这里 sales02 文件没有任何数据,则采用默认帐户ftp 。
[root@linux2 user_config]# !ftp
ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): sales02
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
ftp> ls
227 entering passive mode (10,10,1,19,245,39).
150 here comes the directory listing.
drwxr-xr-x 2 0 0 4096 jun 25 2011 pub --------》 pub是ftp家目录/var/ftp/下的数据
226 directory send ok.
ftp> pwd
257 "/"
ftp> quit
221 goodbye.
[root@linux2 user_config]# cd /shares/develops/
[root@linux2 develops]# echo dkfaf > developtest
[root@linux2 develops]# !ftp
ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): develops01
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
ftp> ls
227 entering passive mode (10,10,1,19,24,116).
150 here comes the directory listing.
-rw-r--r-- 1 0 0 6 oct 19 03:15 developtest
226 directory send ok.
ftp> quit
221 goodbye.
做上传文件测试:
[root@linux2 develops]# cd /opt/
[root@linux2 opt]# ls
bind-9.9.2 etc mv named
[root@linux2 opt]# echo test > upload.txt
[root@linux2 opt]# !ftp
ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): sales01
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
ftp> ls
227 entering passive mode (10,10,1,19,241,203).
150 here comes the directory listing.
-rw-r--r-- 1 0 0 11 oct 19 03:11 testfiles
226 directory send ok.
ftp> !ls
bind-9.9.2 etc mv named upload.txt
ftp> put upload.txt
local: upload.txt remote: upload.txt
227 entering passive mode (10,10,1,19,233,64).
553 could not create file. -----------》 上传文件失败。
ftp> quit
221 goodbye.
解决过程:
[root@linux2 opt]# getenforce
enforcing
[root@linux2 opt]# setenforce 0
[root@linux2 opt]# !ftp
ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): sales01
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
ftp> ls
227 entering passive mode (10,10,1,19,111,240).
150 here comes the directory listing.
-rw-r--r-- 1 0 0 11 oct 19 03:11 testfiles
226 directory send ok.
ftp> !ls
bind-9.9.2 etc mv named upload.txt
ftp> put upload.txt
local: upload.txt remote: upload.txt
227 entering passive mode (10,10,1,19,167,196).
150 ok to send data.
226 transfer complete.
5 bytes sent in 7.2e-05 secs (69.44 kbytes/sec) ----》 上传文件成功,由此确定是selinux的原因。
ftp> ls
227 entering passive mode (10,10,1,19,139,105).
150 here comes the directory listing.
-rw-r--r-- 1 0 0 11 oct 19 03:11 testfiles
-rw------- 1 503 503 5 oct 19 03:18 upload.txt
226 directory send ok.
ftp> quit
221 goodbye.
解决过程:
[root@linux2 opt]# setenforce 1 -------》 改回原来的enforcing模式
[root@linux2 opt]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
[root@linux2 opt]# setsebool allow_ftpd_anon_write 1 ----》 开启ftp可写 bool 值
[root@linux2 opt]# !get
getsebool -a | grep ftp
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
[root@linux2 opt]# !ftp
ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): sales01
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
ftp> ls
227 entering passive mode (10,10,1,19,71,237).
150 here comes the directory listing.
-rw-r--r-- 1 0 0 11 oct 19 03:11 testfiles
-rw------- 1 503 503 5 oct 19 03:18 upload.txt
226 directory send ok.
ftp> delete upload.txt ------》 还是不能进行写的操作,则要查看文件的上下文。
550 delete operation failed.
ftp> quit
221 goodbye.
查看文件的上下文,更改文件的上下文。
[root@linux2 opt]# ls -Zd /var/ftp/pub/
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/pub/
[root@linux2 opt]# chcon -R -t public_content_rw_t /shares/sales/ ----》 public_content_rw_t 为可写(chcon 修改的上下文在重新打标后会丢失,需持久化时应使用 semanage fcontext)。
[root@linux2 opt]# ls -Zd /shares/sales/
drwx------. sales sales system_u:object_r:public_content_rw_t:s0 /shares/sales/
[root@linux2 opt]# ls -Z /shares/sales/
-rw-r--r--. root root unconfined_u:object_r:public_content_rw_t:s0 testfiles
-rw-------. sales sales unconfined_u:object_r:public_content_rw_t:s0 upload.txt
[root@linux2 opt]# !ftp
ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): sales01
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
ftp> ls
227 entering passive mode (10,10,1,19,234,53).
150 here comes the directory listing.
-rw-r--r-- 1 0 0 11 oct 19 03:11 testfiles
-rw------- 1 503 503 5 oct 19 03:18 upload.txt
226 directory send ok.
ftp> delete upload.txt
250 delete operation successful. ------》 ok,能进行写的操作,这里delete 是删除文件。
ftp> ls
227 entering passive mode (10,10,1,19,31,2).
150 here comes the directory listing.
-rw-r--r-- 1 0 0 11 oct 19 03:11 testfiles
226 directory send ok.
ftp> quit
221 goodbye.
下面测试--- 是不是只改了上下文就可以了,还是 allow_ftpd_anon_write 这个 bool 值也必须开启。因为前面是先开启了 allow_ftpd_anon_write 再设置上下文,现在把这个 bool 值关掉。
[root@linux2 opt]# getsebool -a | grep ftp
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
[root@linux2 opt]# setsebool allow_ftpd_anon_write 0 ----》 关闭bool值。
[root@linux2 opt]# !ftp
ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): sales01
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
ftp> ls
227 entering passive mode (10,10,1,19,201,240).
150 here comes the directory listing.
-rw-r--r-- 1 0 0 11 oct 19 03:11 testfiles
226 directory send ok.
ftp> lcd /etc ——----》 切换到本地 /etc 目录。
local directory now /etc
ftp> put hosts -----------》 上传hosts这个文件。
local: hosts remote: hosts
227 entering passive mode (10,10,1,19,239,246).
553 could not create file. -----》 不行,则证明这个bool值必须开启(这里同时也要注意文件的权限)
ftp> quit
221 goodbye.
[root@linux2 opt]# setsebool allow_ftpd_anon_write 1
[root@linux2 opt]# !ftp
ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): sales01
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
ftp> lcd /etc
local directory now /etc
ftp> put hosts
local: hosts remote: hosts
227 entering passive mode (10,10,1,19,155,157).
150 ok to send data.
226 transfer complete.
158 bytes sent in 3.2e-05 secs (4937.50 kbytes/sec)
ftp> ls
227 entering passive mode (10,10,1,19,233,134).
150 here comes the directory listing.
-rw------- 1 503 503 158 oct 19 03:23 hosts
-rw-r--r-- 1 0 0 11 oct 19 03:11 testfiles
226 directory send ok.
ftp> quit
221 goodbye.
下面,做些 针对不同的虚拟用户做简单的权限设置,并测试。
[root@linux2 opt]# cd /etc/vsftpd/user_config/
[root@linux2 user_config]# ls
develops01 develops02 sales01 sales02 #---》 这里每一个文件对应一个虚拟用户,不过这里的用户必须是有在count.txt 文件中做了记录的,记录的格式是第一行是 用户user1,第二行是用户user1的密码,依此类推。
[root@linux2 user_config]# vim sales02
[root@linux2 user_config]# cat sales02 #---》 设置sales02用户只读权限
anon_mkdir_write_enable=no
anon_other_write_enable=no
anon_world_readable_only=no
guest_username=sales
anon_upload_enable=no
[root@linux2 user_config]# !ftp
ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): sales02
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
ftp> ls
227 entering passive mode (10,10,1,19,244,187).
150 here comes the directory listing.
-rw------- 1 503 503 158 oct 19 03:23 hosts
-rw-r--r-- 1 0 0 11 oct 19 03:11 testfiles
226 directory send ok.
ftp> delete hosts
550 permission denied.
ftp> lcd /opt
local directory now /opt
ftp> !ls
bind-9.9.2 etc mv named upload.txt
ftp> put upload.txt # ------》 只读,不能进行写操作。
local: upload.txt remote: upload.txt
227 entering passive mode (10,10,1,19,32,7).
550 permission denied.
ftp> quit
221 goodbye.
[root@linux2 develops]# cd
[root@linux2 ~]# cd /shares/develops/
[root@linux2 develops]# ls -Zd
drwx------. develops develops system_u:object_r:default_t:s0 .
[root@linux2 develops]# chcon -R --reference=/shares/sales/ .
[root@linux2 develops]# ls -Zd
drwx------. develops develops system_u:object_r:public_content_rw_t:s0 .
[root@linux2 develops]# ls -Z
-rw-r--r--. root root system_u:object_r:public_content_rw_t:s0 developtest
[root@linux2 user_config]# cd /shares/
[root@linux2 shares]# chown -R sales:sales sales/ #---》 更改一下目录的属主
[root@linux2 shares]# chown -R develops:develops develops/
[root@linux2 shares]# cd /etc/vsftpd/user_config/
[root@linux2 user_config]# cat develops01
anon_mkdir_write_enable=no # ---> 这个用户只读
anon_other_write_enable=no
anon_world_readable_only=no
guest_username=develops
anon_upload_enable=no
[root@linux2 user_config]# !ftp
ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): develops01
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
ftp> ls
227 entering passive mode (10,10,1,19,208,58).
150 here comes the directory listing.
-rw-r--r-- 1 504 504 6 oct 19 03:15 developtest
226 directory send ok.
ftp> delete developtest
550 permission denied.
ftp> lcd /opt
local directory now /opt
ftp> !ls
bind-9.9.2 etc mv named upload.txt
ftp> put upload.txt
local: upload.txt remote: upload.txt
227 entering passive mode (10,10,1,19,255,101).
550 permission denied.
ftp> quit
221 goodbye.
[root@linux2 user_config]# vim develops02
[root@linux2 user_config]# cat develops02
anon_mkdir_write_enable=yes
anon_other_write_enable=yes
anon_world_readable_only=no # ----》 测试下anon_world_readable_only 的作用。
guest_username=develops
anon_upload_enable=yes
[root@linux2 user_config]# !ftp
ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): develops02
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
ftp> ls
227 entering passive mode (10,10,1,19,105,188).
150 here comes the directory listing.
-rw-r--r-- 1 504 504 6 oct 19 03:15 developtest
226 directory send ok.
ftp> lcd /opt
local directory now /opt
ftp> put upload.txt
local: upload.txt remote: upload.txt
227 entering passive mode (10,10,1,19,178,250).
150 ok to send data.
226 transfer complete.
5 bytes sent in 5.9e-05 secs (84.75 kbytes/sec)
ftp> ls
227 entering passive mode (10,10,1,19,22,27).
150 here comes the directory listing.
-rw-r--r-- 1 504 504 6 oct 19 03:15 developtest
-rw------- 1 504 504 5 oct 19 03:39 upload.txt
226 directory send ok.
ftp> quit
221 goodbye.
[root@linux2 user_config]# vim develops02
[root@linux2 user_config]# cat develops02
anon_mkdir_write_enable=yes
anon_other_write_enable=yes
anon_world_readable_only=yes # ----》 更改为yes
guest_username=develops
anon_upload_enable=yes
[root@linux2 user_config]# !ftp
ftp 10.10.1.19
connected to 10.10.1.19 (10.10.1.19).
220 (vsftpd 2.2.2)
name (10.10.1.19:root): develops02
331 please specify the password.
password:
230 login successful.
remote system type is unix.
using binary mode to transfer files.
ftp> ls
227 entering passive mode (10,10,1,19,125,6).
150 here comes the directory listing.
226 transfer done (but failed to open directory). # ----》 连读的权限都不行了:anon_world_readable_only=yes 要求目录和文件对所有用户可读,而 /shares/develops 是 drwx------,所以列目录失败。
ftp> pwd
257 "/"
ftp> quit
221 goodbye.
########### 待续 #########