Building an FTP server on Galaxy Kirin Server Operating System V10SP2

System environment

OS version: Galaxy Kirin Server Operating System V10SP2 (x86_64)
FTP server: vsftpd-3.0.3-31

Target scenario

① Set the FTP root directory to /data/vsftpd/ and prohibit anonymous users from accessing the FTP server;
② FTP access accounts:
Administrator user: admin, password 111, has full permissions (upload, download, modify and delete) on the entire FTP root directory /data/vsftpd/ and its subdirectories;
Ordinary user one: test1, password 222, only has upload and download permissions for the working directory /data/vsftpd/test1/ (cannot modify existing files and cannot delete files);
Ordinary user two: test2, password 333, only has download permission for the FTP root directory /data/vsftpd/ and its subdirectories (cannot upload, modify or delete).

Building steps

1. Install the vsftpd service;

[root@localhost ~]# yum install -y vsftpd

2. Set the vsftpd service to start automatically at boot and start immediately;

[root@localhost ~]# systemctl enable --now vsftpd

3. Allow the FTP service through the system firewall;

[root@localhost ~]# firewall-cmd --zone=public --add-service=ftp --permanent
[root@localhost ~]# firewall-cmd --reload

4. Modify the FTP server configuration file /etc/vsftpd/vsftpd.conf and append the following content to the end of the configuration file:

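# Prevent users from accessing directories outside their home directory
chroot_local_user=YES
# FTP root directory
local_root=/data/vsftpd
# Enable ASCII-mode uploads
ascii_upload_enable=YES
# Enable ASCII-mode downloads
ascii_download_enable=YES
# Enable virtual-user logins to FTP
guest_enable=YES
# System user name that virtual users are mapped to
guest_username=vsftpd
# Directory holding the per-virtual-user configuration files
user_config_dir=/etc/vsftpd/vsftpd_user_conf
# Give virtual users the same privileges as local users
virtual_use_local_privs=YES
# Allow logins even though the chroot directory (the user's root) is writable
allow_writeable_chroot=YES
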
5. Create the system account vsftpd, set its home directory to /data/vsftpd, and prohibit using this account to log in to the operating system;

[root@localhost ~]# useradd vsftpd -d /data/vsftpd -s /sbin/nologin

6. Create three new virtual users (admin, test1, test2) and generate the database file;
Note: In the /etc/vsftpd/ftp_user file, the odd-numbered lines are the virtual user names and the even-numbered lines are the passwords of the corresponding virtual users.

[root@localhost ~]# cat /etc/vsftpd/ftp_user
admin
111
test1
222
test2
333
[root@localhost ~]# db_load -T -t hash -f /etc/vsftpd/ftp_user /etc/vsftpd/vsftpd_login.db

7. Modify the PAM authentication module configuration of the vsftpd service;
Before modification: [screenshot]
After modification: [screenshot]
8. Configure FTP permissions for the three virtual users;
First create the configuration file directory for the virtual users:

[root@localhost ~]# mkdir -p /etc/vsftpd/vsftpd_user_conf

(1) Administrator account: admin [screenshot]
(2) Ordinary user one: test1 [screenshot]
(3) Ordinary user two: test2 [screenshot]
9. Create the FTP root directory and FTP user working directory, and modify the directory permissions;

[root@localhost ~]# mkdir -p /data/vsftpd/test1
[root@localhost ~]# chown -R vsftpd:vsftpd /data/vsftpd

10. Restart the vsftpd service.

[root@localhost ~]# systemctl restart vsftpd
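
The audit below is an added example, not part of the original post: it checks the two hand-edited files against the target scenario. The block appended in step 4 never sets anonymous_enable, so requirement ① depends on what the stock vsftpd.conf already contains, and /etc/vsftpd/ftp_user holds clear-text passwords. The function names and the script name audit.sh are hypothetical.

```shell
#!/bin/sh
# Added example: audit files created by the steps above against the target scenario.

# Effective value of a vsftpd.conf directive: comment lines are skipped and the
# last assignment wins; DEFAULT is printed when the key is never set.
conf_get() {  # conf_get FILE KEY DEFAULT
    awk -v k="$2" -v d="$3" '
        /^#/ { next }
        index($0, k "=") == 1 { v = substr($0, length(k) + 2); sub(/\r$/, "", v); found = 1 }
        END { print (found ? v : d) }' "$1"
}

# Compare the directives the scenario relies on with their effective values.
audit_conf() {  # audit_conf FILE
    rc=0
    for want in anonymous_enable=NO chroot_local_user=YES guest_enable=YES \
                guest_username=vsftpd local_root=/data/vsftpd; do
        key=${want%%=*}
        # vsftpd.conf(5) defaults: anonymous_enable=YES, the other two booleans NO
        case $key in anonymous_enable) def=YES ;; *_enable|chroot_*) def=NO ;; *) def= ;; esac
        got=$(conf_get "$1" "$key" "$def")
        [ "$got" = "${want#*=}" ] || { echo "$key is '$got', expected '${want#*=}'"; rc=1; }
    done
    return $rc
}

# Check the virtual-user list (name on odd lines, password on even lines).
audit_userlist() {  # audit_userlist FILE
    rc=0
    awk 'NF == 0 { print "line " NR ": empty line breaks the name/password pairing"; bad = 1 }
         NR % 2 == 1 && seen[$0]++ { print "line " NR ": duplicate user " $0; bad = 1 }
         END { if (NR % 2) { print "odd line count: last user has no password"; bad = 1 }
               exit bad + 0 }' "$1" || rc=1
    # The list holds clear-text passwords: group and other must have no access.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "$1: accessible to group/other; chmod 600 it"; rc=1; }
    return $rc
}

# Usage: sh audit.sh /etc/vsftpd/vsftpd.conf /etc/vsftpd/ftp_user
if [ "$#" -eq 2 ]; then
    audit_conf "$1"; c=$?
    audit_userlist "$2"; u=$?
    exit $((c | u))
fi
```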


Access test

When the client system is the Galaxy Kirin desktop operating system, we can use the system "File Manager" or the "FTP Client" tool to access the FTP server; when the client system is a Windows system, we can use the open source tool "MobaXterm" or "Windows Explorer" to access the FTP server.
① The administrator user admin accesses the FTP server, creates an empty folder "test" in the root directory, creates empty files "admin.txt" and "test.txt" in the "test1" directory, and then tests deleting the admin.txt file.
Test results: All operations such as uploading, downloading, modifying and deleting can be performed on the FTP root directory and all subdirectories.

② Ordinary user test1 accesses the FTP server, confirms that the default working directory is test1 and that it cannot switch to the upper-level directory, then creates an empty file test1.txt and attempts to modify the file name, modify the file content, and delete the file.
Test results: The default working directory is test1; files/folders can only be uploaded and downloaded, and files cannot be modified or deleted.

③ Ordinary user test2 accesses the server and tries to upload, download, create, delete and modify files/folders.
Test results: The test2 account only has download permission for the FTP root directory /data/vsftpd/ and all its subdirectories; all other operations, including uploading, creating, deleting and modifying, prompt "550 Permission denied" (insufficient permissions).

Origin blog.csdn.net/ShenSeKyun/article/details/128362252