小小寒舍: vsftpd service guide, first steps
Case 1
Company requirement:
The company plans to set up an FTP server. All employees must be able to upload and download files, and they must be allowed to create their own directories.
Analysis:
Enabling anonymous login and granting it the corresponding permissions meets the company's requirement.
Solution:
1. Edit the configuration file vsftpd.conf
# Allow anonymous users to log in
anonymous_enable=YES
# Allow anonymous users to upload files and create directories
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
(/var/ftp is the anonymous user's root directory by default.)
2. Create a company upload directory comd and make it owned by the ftp user
[root@station18 ~]# mkdir /var/ftp/comd
[root@station18 ~]# chown ftp  /var/ftp/comd/
[root@station18 ~]# ls -ld  /var/ftp/comd/
drwxr-xr-x 2 ftp root 4096 Nov 10 11:19 /var/ftp/comd/
3. Adjust SELinux (so that SELinux permits the uploads)
[root@station18 ~]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off
[root@station18 ~]# setsebool -P allow_ftpd_anon_write  on
[root@station18 ~]# getsebool -a | grep ftp
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off
[root@station18 ~]#
4. Change the security context of the directory
[root@station18 ~]# ls -Zd  /var/ftp/comd/
drwxr-xr-x  ftp root root:object_r:public_content_t   /var/ftp/comd/
[root@station18 ~]# chcon -t  public_content_rw_t  /var/ftp/comd/
[root@station18 ~]# ls -Zd  /var/ftp/comd/
drwxr-xr-x  ftp root root:object_r:public_content_rw_t /var/ftp/comd/
5. Restart the service
[root@station18 ~]# service  vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@station18 ~]#
Case 2
Company requirement:
The company has an internal FTP/web server. Its FTP function is used mainly to maintain the company website content. Two departments are responsible for this maintenance, and they manage it with the team1 and team2 accounts respectively. It is now required that only the team1 and team2 accounts may log in to the FTP server, but that they cannot log in to the local system. Because the default web page directory is /var/www/html, we restrict the root directory of these two accounts to /var/www/html so that they cannot enter any directory outside it.
Analysis:
First, we allow only local users to access the server; second, we enable the chroot feature and lock team1 and team2 inside the /var/www/html directory.
Solution:
1. Add the users
# Create the two users team1 and team2 with local login disabled, then set their passwords
[root@station18 ~]# useradd -s /sbin/nologin  team1
[root@station18 ~]# useradd -s /sbin/nologin  team2
[root@station18 ~]# passwd team1
Changing password for user team1.
New UNIX password:
BAD PASSWORD: it is WAY too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@station18 ~]# passwd team2
Changing password for user team2.
New UNIX password:
BAD PASSWORD: it is WAY too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
2. Edit the configuration file vsftpd.conf
vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO: disable anonymous login
local_enable=YES: allow local users to log in
local_root=/var/www/html: set the root directory of local users to /var/www/html
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
local_root=/var/www/html
chroot_list_enable=YES: enable the chroot list feature
chroot_list_file=/etc/vsftpd/chroot_list: the list file of users to be locked inside their root directory
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
3. Create the chroot_list file under /etc/vsftpd and add the users team1 and team2 to it
[root@station18 ~]# touch  /etc/vsftpd/chroot_list
[root@station18 ~]# echo  team1  > /etc/vsftpd/chroot_list
[root@station18 ~]# echo  team2 >> /etc/vsftpd/chroot_list
4. Adjust SELinux
[root@station18 ~]# getsebool -a | grep ftp
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off
[root@station18 ~]# setsebool -P allow_ftpd_anon_write  off
[root@station18 ~]# setsebool -P ftp_home_dir  on
[root@station18 ~]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off
[root@station18 ~]#
5. Restart the service
[root@station18 ~]# service  vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@station18 ~]#
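As an added example (not part of the original post), here is a POSIX sh audit script that reads a vsftpd.conf the way vsftpd does (comments ignored, last assignment wins, documented default when a key is absent) and flags the combinations both cases above depend on: anonymous writes need write_enable=YES, local users need some form of chroot, and chroot_list_enable=YES needs its list file. The two sample configs it writes are constructed from the settings in this post; the per-key defaults are assumed from the vsftpd.conf man page.

```shell
# Added example, not from the original post: audit a vsftpd.conf against the
# two setups in this guide. Sample configs below are constructed, not real.

# Effective value of key $2 in config $1: comments ignored, last assignment
# wins, $3 is returned when the key is absent (vsftpd's documented default).
vsftpd_get() {
    v=$(grep -v '^[[:space:]]*#' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$3"
}

# Print one finding per line; exit status 1 if anything was flagged.
vsftpd_audit() {
    c=$1; n=0
    anon=$(vsftpd_get "$c" anonymous_enable YES)
    loc=$(vsftpd_get "$c" local_enable NO)
    wr=$(vsftpd_get "$c" write_enable NO)
    aw=$(vsftpd_get "$c" anon_upload_enable NO)
    am=$(vsftpd_get "$c" anon_mkdir_write_enable NO)
    cu=$(vsftpd_get "$c" chroot_local_user NO)
    cl=$(vsftpd_get "$c" chroot_list_enable NO)
    lf=$(vsftpd_get "$c" chroot_list_file /etc/vsftpd/chroot_list)
    # Case 1: anonymous uploads are refused without the global write_enable
    if [ "$anon" = YES ] && { [ "$aw" = YES ] || [ "$am" = YES ]; } && [ "$wr" != YES ]; then
        echo "anonymous write enabled but write_enable=NO: uploads will be refused"; n=1
    fi
    # Case 2: local users with no chroot of any kind can browse the whole filesystem
    if [ "$loc" = YES ] && [ "$cu" != YES ] && [ "$cl" != YES ]; then
        echo "local_enable=YES without chroot_local_user or chroot_list_enable"; n=1
    fi
    # chroot_list_enable=YES is only meaningful if the list file exists
    if [ "$cl" = YES ] && [ ! -f "$lf" ]; then
        echo "chroot_list_enable=YES but $lf does not exist"; n=1
    fi
    return $n
}

# Constructed samples: the guide's two configurations written to a temp dir.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' anonymous_enable=YES local_enable=YES write_enable=YES \
        anon_upload_enable=YES anon_mkdir_write_enable=YES > "$d/case1.conf"
    printf '%s\n' anonymous_enable=NO local_enable=YES write_enable=YES \
        local_root=/var/www/html chroot_list_enable=YES \
        "chroot_list_file=$d/chroot_list" > "$d/case2.conf"
    printf '%s\n' team1 team2 > "$d/chroot_list"
    echo "$d"
}

d=$(make_samples); for f in case1 case2; do echo "== $f.conf"; vsftpd_audit "$d/$f.conf" || true; done
```

Run against the case 1 config it reports that local_enable=YES was left on without any chroot, which the guide's case 2 then fixes; the case 2 config passes cleanly.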