Vsftp experimental Case I: (local users)
Test environment: Linux 7.x
The company has an internal FTP and web server. FTP is used to maintain the site's content: uploading files, creating directories, updating pages and so on. Two departments are responsible for the maintenance tasks, using the accounts team1 and team2.
Requirements: only the team1 and team2 accounts may log in to the FTP server, but they must not be able to log in to the local system, and their root directory is restricted to /var/www/html; they must not be able to enter any directory outside it.
The FTP and www web server are combined on one host.
www web server root directory: /var/www/html
Only the two users team1 and team2 may upload; vsftpd must prohibit anonymous access.
Analysis:
Combining the FTP and web server on one host is a method often used by businesses because it makes maintaining the site easy. To improve security, first allow only local users to access the server and prohibit anonymous logins. Second, use the chroot feature to lock team1 and team2 into the /var/www/html directory. If files need to be deleted, pay attention to the local filesystem permissions.
Solution:
1) Create the accounts team1 and team2 that will maintain the FTP site content, with local login disabled (shell /sbin/nologin), then set their passwords.
[root@localhost ~]# useradd -s /sbin/nologin team1
[root@localhost ~]# useradd -s /sbin/nologin team2
[root@localhost ~]# echo "123456" | passwd --stdin team1
Changing password for user team1.
passwd: all authentication tokens updated successfully.
[root@localhost ~]# echo "123456" | passwd --stdin team2
Changing password for user team2.
passwd: all authentication tokens updated successfully.
2) Configure the main vsftpd.conf profile: modify the following settings
vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO : prohibit anonymous user login
local_enable=YES : allow local users to log in
Change the following to:
local_root=/var/www/html : the local users' root directory is /var/www/html
chroot_list_enable=YES : enable the chroot function
chroot_list_file=/etc/vsftpd/chroot_list : the list file of users to be locked into their root directory; it holds the user names to be locked, one per line
allow_writeable_chroot=YES : allow the locked users to have write permission
Save and exit.
3) Create the file /etc/vsftpd/chroot_list and add the team1 and team2 accounts
[root@localhost vsftpd]# touch /etc/vsftpd/chroot_list
[root@localhost ~]# ll !$
-rw-r--r-- 1 root root 0 Nov 10 17:08 /etc/vsftpd/chroot_list
[root@xuegod63 ~]# vim /etc/vsftpd/chroot_list # write the following, one user name per line
team1
team2
4) Modify the local permissions
[root@localhost ~]# ll -d /var/www/html/
drwxr-xr-x. 2 root root 4096 Oct 6 2011 /var/www/html/
[root@localhost ~]# chmod -R o+w /var/www/html/
[root@localhost ~]# ll -d /var/www/html/
drwxr-xrwx. 2 root root 4096 Oct 6 2011 /var/www/html/
5) Restart the vsftpd service so that the configuration takes effect
service vsftpd restart
Vsftp experimental Case II: (anonymous users: upload files, download files, create directories ...)
A technology company wants to build a simple FTP server that lets all employees upload and download files and lets each of them create their own directory.
Analysis:
Letting all employees upload and download files requires allowing anonymous logins and enabling the anonymous upload function.
The anon_mkdir_write_enable field controls whether anonymous users may create directories.
[root@localhost vsftpd]# cp vsftpd.conf vsftpd.conf.back
vim /etc/vsftpd/vsftpd.conf # modify the following
# Allow anonymous user access
anonymous_enable=YES
# Allow anonymous users to upload files and create directories
anon_upload_enable=YES
anon_mkdir_write_enable=YES
Start the service:
service vsftpd restart
Test:
[root@localhost vsftpd]# chown ftp.ftp /var/ftp/pub/
Then test: an anonymous user can create a new folder, but cannot rename or delete it!
[root@localhost vsftpd]# vim vsftpd.conf
anon_other_write_enable=YES ## not in the default config; add this line manually
Restart the service; the folder can now be renamed.
Let us implement this step by step by modifying directory permissions: create a company upload directory called xuegoddata, set its owner to the ftp user, with directory permissions 755.
[root@localhost vsftpd]# mkdir /var/ftp/xuegoddata
[root@localhost vsftpd]# chown ftp.ftp /var/ftp/xuegoddata/
[root@localhost vsftpd]# ll -d !$
ll -d /var/ftp/xuegoddata/
drwxr-xr-x 2 ftp root 4096 Mar 9 19:30 /var/ftp/xuegoddata/
Then restart the service
[root@localhost ~]# service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
Finally, deleting and creating files works; the experiment is complete.
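The two configurations above can be audited rather than eyeballed. The following script is an added example and not part of the original tutorial; it reads a vsftpd.conf the way vsftpd does and checks it against the Case I policy (local users only, team1 and team2 jailed) and the Case II policy (anonymous upload, mkdir, rename/delete), using constructed sample files and this example's own function names.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit a vsftpd.conf against the Case I policy
# (local users only, team1/team2 jailed) and Case II policy (anonymous upload/mkdir/rename).
# Effective value of KEY in CONF: last uncommented "KEY=value" line wins, as vsftpd reads it
# (no spaces around '='); commented-out lines such as "#anonymous_enable=YES" are ignored.
vsftpd_get() {  # usage: vsftpd_get CONF KEY
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}
# Compare KEY VALUE pairs case-insensitively (vsftpd accepts YES/yes); 0 if all match.
vsftpd_expect() {  # usage: vsftpd_expect CONF KEY VALUE [KEY VALUE ...]
    conf=$1; shift; mismatch=0
    while [ $# -ge 2 ]; do
        actual=$(vsftpd_get "$conf" "$1" | tr '[:lower:]' '[:upper:]')
        [ "$actual" = "$(echo "$2" | tr '[:lower:]' '[:upper:]')" ] ||
            { echo "$1: expected $2, got '${actual:-unset}'"; mismatch=1; }
        shift 2
    done
    return $mismatch
}
# Case I: no anonymous login, local users allowed, chroot list active and every USER listed.
check_local_chroot() {  # usage: check_local_chroot CONF CHROOT_LIST USER...
    conf=$1; list=$2; shift 2; bad=0
    vsftpd_expect "$conf" anonymous_enable NO local_enable YES local_root /var/www/html \
        chroot_list_enable YES chroot_list_file "$list" || bad=1
    for u in "$@"; do grep -qx "$u" "$list" 2>/dev/null || { echo "$u missing from $list"; bad=1; }; done
    return $bad
}
# Case II: anonymous users may upload, create directories and rename/delete.
check_anon_upload() {  # usage: check_anon_upload CONF
    vsftpd_expect "$1" anonymous_enable YES anon_upload_enable YES \
        anon_mkdir_write_enable YES anon_other_write_enable YES
}

# Constructed sample files for a stand-alone run (not the live /etc/vsftpd/vsftpd.conf).
DEMO=$(mktemp -d)
printf 'team1\nteam2\n' > "$DEMO/chroot_list"
cat > "$DEMO/case1.conf" <<EOF
#anonymous_enable=YES
anonymous_enable=NO
local_enable=YES
local_root=/var/www/html
chroot_list_enable=YES
chroot_list_file=$DEMO/chroot_list
EOF
# Case II as first configured in the tutorial: anon_other_write_enable is still missing.
printf 'anonymous_enable=YES\nanon_upload_enable=YES\nanon_mkdir_write_enable=YES\n' > "$DEMO/case2.conf"
check_local_chroot "$DEMO/case1.conf" "$DEMO/chroot_list" team1 team2 && echo "Case I policy OK"
check_anon_upload "$DEMO/case2.conf" || echo "Case II: rename/delete will fail until anon_other_write_enable=YES is added"
```

The checks cover vsftpd.conf only, not filesystem permissions; note that step 4 of Case I makes /var/www/html world-writable, so any local account on the host can write there, not only team1 and team2.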
Vsftp experimental Case III: (virtual users log in to FTP)
Experiment requirements:
First, everyone may access the /var/ftp/soft directory and may create files and directories, but may not upload files; the virtual user devadm has modify, upload, delete and similar rights in that directory.
Second, the virtual user sales may only read /var/market and has no other rights; salesadm has delete, modify, upload, create and other privileges on that directory.
Third, local users may not log in.
1) Turn off the firewall and set SELinux to permissive mode
[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# setenforce 0
2) Install the vsftpd software
3) Create the virtual user account file (alternating lines: a user name, then its password)
[root@localhost ~]# vim /etc/vsftpd/vusers.list
devadm
123456a
sales
123456b
salesadm
123456c
4) Create the database file
[root@localhost ~]# cd /etc/vsftpd/
[root@localhost vsftpd]# db_load -T -t hash -f vusers.list vusers.db
[root@localhost vsftpd]# chmod 600 /etc/vsftpd/vusers.*
[root@localhost vsftpd]# file vusers.db # check the type of the converted file
vusers.db: Berkeley DB (Hash, version 9, native byte-order) # shows the list has been converted into a Berkeley DB hash database
5) Add the local user account that the virtual users are mapped to, with the FTP root directory as its home
[root@localhost ~]# useradd -d /var/ftproot -s /sbin/nologin zhangsan
[root@localhost ~]# chmod 755 /var/ftproot
6) Create the PAM authentication file for the virtual users
[root@localhost ~]# vim /etc/pam.d/vsftpd.vu
auth required pam_userdb.so db=/etc/vsftpd/vusers
account required pam_userdb.so db=/etc/vsftpd/vusers
7) Modify the vsftpd configuration to add virtual user support
[root@localhost vsftpd]# vim /etc/vsftpd/vsftpd.conf
pam_service_name=vsftpd.vu // modified
userlist_enable=NO // modified
anon_root=/var/ftp/soft // added at the end
guest_enable=yes // added
guest_username=zhangsan // added
user_config_dir=/etc/vsftpd/vusers_dir // added
allow_writeable_chroot=YES // added
8) Create a separate configuration file for each virtual user
[root@localhost vsftpd]# mkdir /etc/vsftpd/vusers_dir
[root@localhost vsftpd]# cd /etc/vsftpd/vusers_dir
[root@localhost vusers_dir]# touch devadm
[root@localhost vusers_dir]# vim devadm
local_root=/var/ftp/soft
write_enable=YES
anon_upload_enable=yes
anon_mkdir_write_enable=yes
anon_other_write_enable=yes
[root@localhost vusers_dir]# vim sales
local_root=/var/market
[root@localhost vusers_dir]# vim salesadm
local_root=/var/market
write_enable=YES
anon_upload_enable=yes
anon_mkdir_write_enable=yes
anon_other_write_enable=yes
[root@localhost vusers_dir]# systemctl restart vsftpd
9) Create the directories and files, then verify (if you run into "cannot upload" or "cannot modify" errors, remember to fix the directory permissions or owner)
[root@localhost vsftpd]# mkdir /var/ftp/soft
[root@localhost vusers_dir]# touch /var/ftp/soft/devadm
[root@localhost vusers_dir]# mkdir /var/market
[root@localhost var]# chmod 755 /var/market/
[root@localhost vusers_dir]# touch /var/market/sales
[root@localhost var]# chmod 755 /var/ftp/soft
[root@localhost vusers_dir]# chown zhangsan /var/market
[root@localhost vusers_dir]# chown zhangsan /var/ftp/soft
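To check the virtual-user layout of Case III without logging in as each user, here is an added example (not from the tutorial) that parses vusers.list in the db_load alternating name/password format, confirms each user has a per-user file in user_config_dir, and confirms that a read-only user such as sales has no write option enabled; it uses constructed sample files with placeholder passwords and its own function names.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit the Case III virtual-user layout. vusers.list
# alternates user name and password lines (the db_load input format); every listed user
# should have a file in user_config_dir, and users meant to be read-only must carry no
# write option there.

# Print the user names from a vusers.list: odd lines are names, even lines passwords.
vusers_names() { awk 'NR % 2 == 1' "$1"; }

# 0 if USER's per-user file in DIR enables any form of writing (YES/yes both accepted).
vuser_can_write() {  # usage: vuser_can_write DIR USER
    grep -qiE '^[[:space:]]*(write_enable|anon_upload_enable|anon_mkdir_write_enable|anon_other_write_enable)=yes' "$1/$2" 2>/dev/null
}

# 0 if every listed user has a per-user file and no READONLY_USER can write.
audit_vusers() {  # usage: audit_vusers LIST DIR READONLY_USER...
    list=$1; dir=$2; shift 2; bad=0
    for u in $(vusers_names "$list"); do
        [ -f "$dir/$u" ] || { echo "$u: no file in $dir, server-wide defaults would apply"; bad=1; }
    done
    for u in "$@"; do
        ! vuser_can_write "$dir" "$u" || { echo "$u: read-only user has a write option enabled"; bad=1; }
    done
    return $bad
}

# Constructed sample mirroring the tutorial's devadm/sales/salesadm files (placeholder passwords).
DEMO=$(mktemp -d); mkdir "$DEMO/vusers_dir"
printf 'devadm\nPW_PLACEHOLDER_1\nsales\nPW_PLACEHOLDER_2\nsalesadm\nPW_PLACEHOLDER_3\n' > "$DEMO/vusers.list"
printf 'local_root=/var/ftp/soft\nwrite_enable=YES\nanon_upload_enable=yes\nanon_mkdir_write_enable=yes\nanon_other_write_enable=yes\n' > "$DEMO/vusers_dir/devadm"
printf 'local_root=/var/market\n' > "$DEMO/vusers_dir/sales"
sed 's#^local_root=.*#local_root=/var/market#' "$DEMO/vusers_dir/devadm" > "$DEMO/vusers_dir/salesadm"
audit_vusers "$DEMO/vusers.list" "$DEMO/vusers_dir" sales && echo "virtual-user layout matches policy"
```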