Ubuntu 14.04 vsftpd

Reference documents:
http://www.cnblogs.com/acpp/archive/2010/02/08/1666054.html
http://segmentfault.com/a/1190000000438443
vsftpd virtual user setup

I. Installation
apt-get -y install vsftpd
root@localhost:~# lsb_release -a 2>/dev/null
Distributor ID:      Ubuntu
Description:      Ubuntu 14.04.1 LTS
Release:      14.04
Codename:      trusty
root@localhost:~# vsftpd -v
vsftpd: version 3.0.2
root@localhost:/usr/share/doc/vsftpd/examples# pwd
/usr/share/doc/vsftpd/examples
root@localhost:/usr/share/doc/vsftpd/examples# ls
INTERNET_SITE  INTERNET_SITE_NOINETD  PER_IP_CONFIG  README  VIRTUAL_HOSTS  VIRTUAL_USERS  VIRTUAL_USERS_2
Tip: the distribution package ships with quite a few help documents and configuration examples, which shows real care


II. Anonymous users
cp /etc/vsftpd.conf{,.default}
Get into the habit of making a backup before editing
1. Enable anonymous access
anonymous_enable=YES
# Anonymous access only needs the line above changed in the default configuration file, but access is read-only
root@localhost:~# touch /srv/ftp/Test2015
root@localhost:~# ftp localhost
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220 (vsFTPd 3.0.2)
Name (localhost:ubuntu): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--      1 0                                        0 Aug 02 03:51 Test2015
226 Directory send OK.
The default anonymous user is ftp or anonymous, with an empty password
2. Change the anonymous root directory
# The default anonymous root is /srv/ftp
root@localhost:~# mkdir /ftp_guest
root@localhost:~# touch /ftp_guest/ftp
root@localhost:~# vim /etc/vsftpd.conf
anon_root=/ftp_guest

root@localhost:~# service vsftpd restart
vsftpd stop/waiting
vsftpd start/running, process 4823
root@localhost:~# ftp localhost
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220 (vsFTPd 3.0.2)
Name (localhost:ubuntu): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--      1 0                                        0 Aug 02 03:49 ftp
226 Directory send OK.

III. Local users
1. Global FTP root for local users
root@localhost:~# mkdir -p /ftp_admin/{leader,foo}
root@localhost:~# vim /etc/vsftpd.conf
root@localhost:~# useradd -M -s /bin/false leader
root@localhost:~# echo leader:leader|chpasswd
Problem 1: the password is entered correctly but the server still reports it as incorrect
Note: on Ubuntu, setting the login shell to either /bin/false or /usr/sbin/nologin makes the login fail with "incorrect"; configuring it the RHEL way causes problems here. The reason is that Ubuntu's /etc/pam.d/vsftpd ends with "auth required pam_shells.so", which rejects any user whose shell is not listed in /etc/shells
root@localhost:~# ftp localhost
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220 (vsFTPd 3.0.2)
Name (localhost:ubuntu): leader
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> 221 Goodbye.
Problem 2: the server reports it cannot change to the home directory
root@localhost:~# chsh -s /bin/bash leader
root@localhost:~# ftp localhost
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220 (vsFTPd 3.0.2)
Name (localhost:ubuntu): leader
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/home/leader
Login failed.
421 Service not available, remote server has closed connection
Solution 1: edit /etc/passwd and fill in the user's home directory field with a valid directory (any directory that actually exists)
root@localhost:~# usermod leader -d /ftp_admin/leader
root@localhost:~# ftp localhost
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220 (vsFTPd 3.0.2)
Name (localhost:ubuntu): leader
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/ftp_admin"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x      2 0                                  4096 Aug 02 04:03 foo
drwxr-xr-x      2 0                                  4096 Aug 02 04:03 leader
226 Directory send OK.
The root shown here is /ftp_admin because the global configuration file defines the root as /ftp_admin (local_root=/ftp_admin)
Solution 2: delete the user and recreate it
root@localhost:~# userdel -r leader
userdel: leader mail spool (/var/mail/leader) not found
userdel: /ftp_admin/leader not owned by leader, not removing
root@localhost:~# useradd -m -s /bin/bash leader
root@localhost:~# echo leader:leader|chpasswd
root@localhost:~# ftp localhost
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220 (vsFTPd 3.0.2)
Name (localhost:ubuntu): leader
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/ftp_admin"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x      2 0                                  4096 Aug 02 04:03 foo
drwxr-xr-x      2 0                                  4096 Aug 02 04:03 leader
226 Directory send OK.
 

2. Lock all local users inside the FTP root
root@localhost:~# ftp localhost
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220 (vsFTPd 3.0.2)
Name (localhost:ubuntu): leader
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/ftp_admin"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x      2 0                                  4096 Aug 02 04:03 foo
drwxr-xr-x      2 0                                  4096 Aug 02 04:24 leader
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> pwd
257 "/"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x      2 0                                  4096 Aug 02 01:58 bin
drwxr-xr-x      4 0                                  1024 Aug 01 19:09 boot
drwxr-xr-x      2 0                                  4096 Aug 02 01:44 ccc
drwxr-xr-x      3 0                                  4096 Aug 02 03:33 data
drwxr-xr-x    15 0                                  4020 Aug 01 20:58 dev
drwxr-xr-x    82 0                                  4096 Aug 02 04:29 etc
drwxr-xr-x      5 0                                  4096 Aug 02 04:03 ftp_admin
drwxr-xr-x      2 0                                  4096 Aug 02 03:49 ftp_guest
drwxr-xr-x      8 0                                  4096 Aug 02 04:21 home
lrwxrwxrwx      1 0                                      33 Aug 01 18:59 initrd.img -> boot/initrd.img-3.13.0-32-generic
drwxr-xr-x    21 0                                  4096 Aug 01 19:08 lib
drwxr-xr-x      2 0                                  4096 Aug 01 18:57 lib64
drwx------      2 0                                16384 Aug 01 18:56 lost+found
drwxr-xr-x      2 0                                  4096 Jul 23  2014 media
drwxr-xr-x      2 0                                  4096 Apr 11  2014 mnt
drwxr-xr-x      2 0                                  4096 Jul 23  2014 opt
dr-xr-xr-x  100 0                                        0 Aug 01 20:58 proc
drwx------      5 0                                  4096 Aug 02 04:29 root
drwxr-xr-x    19 0                                    600 Aug 01 21:05 run
drwxr-xr-x      2 0                                  4096 Aug 01 19:10 sbin
drwxr-xr-x      3 0                                  4096 Aug 01 21:05 srv
dr-xr-xr-x    13 0                                        0 Aug 01 20:58 sys
drwxrwxrwt      2 0                                  4096 Aug 02 04:24 tmp
drwxr-xr-x    10 0                                  4096 Aug 01 18:57 usr
drwxr-xr-x    11 0                                  4096 Aug 01 18:57 var
lrwxrwxrwx      1 0                                      30 Aug 01 18:59 vmlinuz -> boot/vmlinuz-3.13.0-32-generic
226 Directory send OK.
Note: the default configuration allows legitimate local users to change directory freely; as shown above, the user can see the server's real root / directly, which is far too dangerous. Use
chroot_local_user=YES to prevent users from leaving their root directory
root@localhost:~# ftp localhost
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220 (vsFTPd 3.0.2)
Name (localhost:ubuntu): leader
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x      2 0                                  4096 Aug 02 04:03 foo
drwxr-xr-x      2 0                                  4096 Aug 02 04:24 leader
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> pwd
257 "/"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x      2 0                                  4096 Aug 02 04:03 foo
drwxr-xr-x      2 0                                  4096 Aug 02 04:24 leader
226 Directory send OK.



3. Chroot exemption list (only the listed users may leave the FTP root)
Combining the two directives gives the following behaviours:
① With chroot_list_enable=YES and chroot_local_user=YES, users listed in /etc/vsftpd.chroot_list may change to other directories; users not listed in the file may not.
② With chroot_list_enable=YES and chroot_local_user=NO, users listed in /etc/vsftpd.chroot_list may not change to other directories; users not listed in the file may.
③ With chroot_list_enable=NO and chroot_local_user=YES, no user may change to other directories.
④ With chroot_list_enable=NO and chroot_local_user=NO, every user may change to other directories.
The settings used here:
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list


root@localhost:~# echo leader >>/etc/vsftpd.chroot_list
root@localhost:~# ftp localhost
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220 (vsFTPd 3.0.2)
Name (localhost:ubuntu): leader
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/ftp_admin"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x      2 0                                  4096 Aug 02 04:03 foo
drwxr-xr-x      2 0                                  4096 Aug 02 04:24 leader
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> pwd
257 "/"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x      2 0                                  4096 Aug 02 01:58 bin
drwxr-xr-x      4 0                                  1024 Aug 01 19:09 boot
... ...
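To turn the four combinations above into something that can be checked against a real configuration, here is an added shell example (not code from the post): given a vsftpd.conf and the chroot list it names, it reports whether a local user ends up confined. It assumes boolean values are written as YES/NO, as throughout this post.

```shell
#!/bin/sh
# Added example, not from the original post: report whether a local user is
# confined to its FTP root under a given vsftpd.conf, following the four
# chroot_local_user / chroot_list_enable combinations described above.
# Assumes boolean values are written as YES/NO, as in this post.

# Print the last value of directive $2 in config $1, or default $3 if unset.
# Commented-out lines (#directive=...) are ignored because of the ^ anchor.
vsftpd_get() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Print "chrooted" or "free" for user $2 under config $1.
vsftpd_chroot_state() {
    conf=$1; user=$2
    local_user=$(vsftpd_get "$conf" chroot_local_user NO)     # vsftpd default NO
    list_enable=$(vsftpd_get "$conf" chroot_list_enable NO)   # vsftpd default NO
    list_file=$(vsftpd_get "$conf" chroot_list_file /etc/vsftpd.chroot_list)
    listed=NO
    if [ "$list_enable" = YES ] && [ -f "$list_file" ] && grep -qx "$user" "$list_file"; then
        listed=YES
    fi
    # A listed user gets the opposite of the global chroot_local_user setting:
    # the list is an exemption list when chroot_local_user=YES and a
    # confinement list when chroot_local_user=NO.
    if [ "$listed" = YES ]; then
        if [ "$local_user" = YES ]; then echo free; else echo chrooted; fi
    else
        if [ "$local_user" = YES ]; then echo chrooted; else echo free; fi
    fi
}

# Stand-alone demo with a constructed config mirroring the settings above:
# leader is exempted from the chroot, foo is not.
vsftpd_chroot_demo() {
    tmp=$(mktemp -d)
    printf 'chroot_local_user=YES\nchroot_list_enable=YES\nchroot_list_file=%s/chroot_list\n' \
        "$tmp" >"$tmp/vsftpd.conf"
    echo leader >"$tmp/chroot_list"
    for u in leader foo; do
        printf '%s: %s\n' "$u" "$(vsftpd_chroot_state "$tmp/vsftpd.conf" "$u")"
    done
    rm -rf "$tmp"
}
vsftpd_chroot_demo
```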

4. Allow local users write access
a. Add write_enable=YES to the configuration file
b. The user needs write permission on the local filesystem
Note: (Warning! chroot'ing can be very dangerous. If using chroot, make sure that the user does not have write access to the top level directory within the chroot)
As soon as a local FTP user has write permission on the FTP root defined in the configuration file, the server reports a 500 OOPS error
So the FTP root must not be writable by the FTP user, and that raises several problems
Problem 1: a user can only log in when they have no write permission on their own root, so they can only download and never upload; that is a functional gap and must be solved
Problem 2: the user can have write permission on subdirectories of the root, which works
The configuration file defines the root as /ftp_admin
root@localhost:~# setfacl -R -b /ftp_admin/
root@localhost:~# useradd -m -s /bin/bash foo
root@localhost:~# echo foo:foo|chpasswd
root@localhost:~# chown -R foo:foo /ftp_admin/foo/
root@localhost:~# ll -d /ftp_admin/ /ftp_admin/foo/
drwxr-xr-x 4 root root 4096 Aug  2 04:43 /ftp_admin/
drwxr-xr-x 2 foo foo 4096 Aug  2 04:47 /ftp_admin/foo/
root@localhost:~# ftp localhost
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220 (vsFTPd 3.0.2)
Name (localhost:ubuntu): foo
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x      2 1006        1006                4096 Aug 02 04:47 foo
drwxr-xr-x      2 0                                  4096 Aug 02 04:24 leader
226 Directory send OK.
ftp> cd foo
250 Directory successfully changed.
ftp> put /etc/passwd
local: /etc/passwd remote: /etc/passwd
200 PORT command successful. Consider using PASV.
553 Could not create file.
Note: user foo does have write permission on /ftp_admin/foo, yet the upload above fails
After repeated tests it turned out to be the ftp command's behaviour; switching to lftp uploads normally. The ftp client's own message, local: /etc/passwd remote: /etc/passwd, shows why: with no remote name given, ftp reuses the full local path as the remote name, so the server tries to create /etc/passwd inside the chroot, where no etc directory exists, while lftp uses only the basename. Giving the remote name explicitly, put /etc/passwd passwd, works with ftp as well. Thoughts and replies on this are welcome
root@localhost:~# lftp localhost
lftp localhost:~> user foo
Password:
lftp foo@localhost:~> ls
drwxr-xr-x      2 1006        1006                4096 Aug 02 04:47 foo
drwxr-xr-x      2 0                                  4096 Aug 02 04:24 leader
lftp foo@localhost:/> put /etc/passwd
put: /etc/passwd: Access failed: 553 Could not create file. (passwd)
lftp foo@localhost:/> cd foo
cd ok, cwd=/foo
lftp foo@localhost:/foo> ls
-rw-r--r--      1 1006        1006                      0 Aug 02 04:47 my_name_is_foo
lftp foo@localhost:/foo> put /etc/passwd
1390 bytes transferred
lftp foo@localhost:/foo> ls
-rw-r--r--      1 1006        1006                      0 Aug 02 04:47 my_name_is_foo
-rw-------      1 1006        1006                1390 Aug 02 05:04 passwd
As above, the file was uploaded successfully to /ftp_admin/foo; directories without write permission cannot be uploaded to, but they can still be listed and downloaded from, so this is still not ideal
Is there a complete solution, e.g. each user gets a different root, full permissions on their own root, no permission at all on anyone else's root, or better still cannot see other users' roots at all? The answer is per-user configuration files plus allow_writeable_chroot=YES

5. chroot() permission problem
root@localhost:~# ll -d /ftp_admin/
drwxr-xr-x 5 root root 4096 Aug  2 04:03 /ftp_admin//
root@localhost:~# setfacl -m u:leader:rwx /ftp_admin/
root@localhost:~# getfacl /ftp_admin/
getfacl: Removing leading '/' from absolute path names
# file: ftp_admin/
# owner: root
# group: root
user::rwx
user:leader:rwx
group::r-x
mask::rwx
other::r-x
root@localhost:~# ftp localhost
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220 (vsFTPd 3.0.2)
Name (localhost:ubuntu): leader
331 Please specify the password.
Password:
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Login failed.
421 Service not available, remote server has closed connection
Note:
The vsftpd shipped by newer distributions such as Ubuntu 14.04 and CentOS 7 is version 3.x, and since vsftpd 2.3.5 the security check has been tightened: if a user is confined under local_root, that user must not have write permission on their own home directory! If the check finds write permission, this error is reported.
I puzzled over this for most of a day; the same configuration on CentOS 6 had no problem at all, but on Ubuntu this error appeared. After a long search online: it has nothing to do with SELinux, it is purely the stricter security of the newer vsftpd version

Solution 1: chmod a-w /home/user to remove write permission from the user's home directory; the user cannot write to their FTP root itself but has full permission on the directories below it, which has no real impact on a website or share, it just means one more directory level.
Solution 2: add the line allow_writeable_chroot=YES to the vsftpd configuration file, which makes the FTP root writable as well; tested and working, a complete fix

6. Per-user configuration files
user_config_dir=/etc/vsftpd_user_conf

root@localhost:~# mkdir /etc/vsftpd_user_conf
root@localhost:~# cat >/etc/vsftpd_user_conf/foo <<HERE
local_root=/ftp_admin/foo
HERE
root@localhost:~# cat >/etc/vsftpd_user_conf/leader <<HERE
local_root=/ftp_admin/leader
HERE
root@localhost:~# touch /ftp_admin/foo/my_name_is_foo
root@localhost:~# touch /ftp_admin/leader/leader_is_me
root@localhost:~# chown -R foo:foo /ftp_admin/foo/
root@localhost:~# chown -R leader:leader /ftp_admin/leader/
root@localhost:~# ll -d /ftp_admin/ /ftp_admin/foo/ /ftp_admin/leader/
drwxr-xr-x 4 root    root    4096 Aug  2 14:53 /ftp_admin/
drwxr-xr-x 2 foo      foo      4096 Aug  2 14:54 /ftp_admin/foo/
drwxr-xr-x 2 leader leader 4096 Aug  2 14:54 /ftp_admin/leader/
root@localhost:~# service vsftpd restart
vsftpd stop/waiting
vsftpd start/running, process 5479
root@localhost:~# lftp localhost
lftp localhost:~> user leader
Password:
lftp leader@localhost:~> put /etc/passwd
1433 bytes transferred                                               
lftp leader@localhost:~> ls
-rw-r--r--      1 1005        1005                      0 Aug 02 14:54 leader_is_me
-rw-------      1 1005        1005                1433 Aug 02 15:01 passwd
lftp leader@localhost:~> cd ..
cd ok, cwd=/ftp_admin
lftp leader@localhost:/ftp_admin> ls
drwxr-xr-x      2 1008        1008                4096 Aug 02 14:54 foo
drwxr-xr-x      2 1005        1005                4096 Aug 02 15:01 leader
lftp leader@localhost:/ftp_admin> user foo
Password:
lftp foo@localhost:~> put /etc/shadow
1699 bytes transferred                                               
lftp foo@localhost:/> ls
-rw-r--r--      1 1008        1008                      0 Aug 02 14:54 my_name_is_foo
-rw-------      1 1008        1008                1699 Aug 02 15:01 shadow
lftp foo@localhost:/> cd ..
lftp foo@localhost:/> ls
-rw-r--r--      1 1008        1008                      0 Aug 02 14:54 my_name_is_foo
-rw-------      1 1008        1008                1699 Aug 02 15:01 shadow

7. Global whitelist and blacklist
a. Whitelist: user_list (userlist_enable=YES together with userlist_deny=NO)
root@localhost:~# cat /etc/vsftpd.user_list
foo
root@localhost:~# ftp localhost
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220 (vsFTPd 3.0.2)
Name (localhost:ubuntu): foo
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 221 Goodbye.
root@localhost:~# ftp localhost
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220 (vsFTPd 3.0.2)
Name (localhost:ubuntu): leader
530 Permission denied.
Login failed.
Only users written to userlist_file can log in; users not in the list are told permission denied before they even enter a password
b. Blacklist: ftpusers
Note: this is controlled by PAM and defined in /etc/pam.d/vsftpd
root@localhost:~# echo foo >>/etc/ftpusers
root@localhost:~# cat /etc/ftpusers
# /etc/ftpusers: list of users disallowed FTP access. See ftpusers(5).

root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
nobody
foo
root@localhost:~# ftp localhost
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220 (vsFTPd 3.0.2)
Name (localhost:ubuntu): foo
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
As above, user foo is both on the whitelist and on the blacklist; in that case the blacklist takes priority and foo cannot log in
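The precedence just observed, as an added shell example (not code from the post): it applies vsftpd's user_list check and the PAM /etc/ftpusers deny list in the order the server does (user_list before the password prompt, ftpusers via pam_listfile during PAM authentication) and reports the verdict for a login name. It assumes YES/NO values and takes the ftpusers path as a parameter so it can run on constructed files.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether a login name gets
# past vsftpd's user_list and the PAM /etc/ftpusers deny list. Assumes YES/NO
# values as in this post; file paths are parameters so it runs offline.

# Print the last value of directive $2 in config $1, or default $3 if unset.
vsftpd_get() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Usage: vsftpd_login_allowed CONF USER [FTPUSERS]. Prints the verdict and
# returns 0 when the user reaches password authentication, 1 when refused.
vsftpd_login_allowed() {
    conf=$1; user=$2; ftpusers=${3:-/etc/ftpusers}
    ul_enable=$(vsftpd_get "$conf" userlist_enable NO)                # default NO
    ul_deny=$(vsftpd_get "$conf" userlist_deny YES)                   # default YES
    ul_file=$(vsftpd_get "$conf" userlist_file /etc/vsftpd.user_list) # default path
    if [ "$ul_enable" = YES ]; then
        listed=NO
        if [ -f "$ul_file" ] && grep -qx "$user" "$ul_file"; then listed=YES; fi
        # userlist_deny=YES makes the file a blacklist, =NO makes it a whitelist;
        # either refusal happens before the password is asked for (530 Permission denied)
        if [ "$ul_deny" = YES ] && [ "$listed" = YES ]; then
            echo "denied before password: $user is in $ul_file (userlist_deny=YES)"; return 1
        fi
        if [ "$ul_deny" = NO ] && [ "$listed" = NO ]; then
            echo "denied before password: $user is not in $ul_file (whitelist)"; return 1
        fi
    fi
    # pam_listfile checks ftpusers during PAM auth; comment lines start with '#',
    # so an exact whole-line match skips them. This overrides the whitelist.
    if [ -f "$ftpusers" ] && grep -qx "$user" "$ftpusers"; then
        echo "denied by PAM: $user is in $ftpusers (530 Login incorrect)"; return 1
    fi
    echo "allowed: $user reaches password authentication"
}

# Stand-alone demo reproducing the post's situation with constructed files:
# foo is whitelisted and also blacklisted, leader is in neither list.
vsftpd_login_demo() {
    tmp=$(mktemp -d)
    printf 'userlist_enable=YES\nuserlist_deny=NO\nuserlist_file=%s/user_list\n' \
        "$tmp" >"$tmp/vsftpd.conf"
    echo foo >"$tmp/user_list"
    printf '# constructed ftpusers\nroot\nfoo\n' >"$tmp/ftpusers"
    for u in foo leader; do
        vsftpd_login_allowed "$tmp/vsftpd.conf" "$u" "$tmp/ftpusers" || true
    done
    rm -rf "$tmp"
}
vsftpd_login_demo
```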

8. Hide specific files
root@localhost:~# touch /ftp_admin/foo/{1..3}.{txt,mp3,png}
root@localhost:~# ls /ftp_admin/foo/
1.mp3  1.png  1.txt  2.mp3  2.png  2.txt  3.mp3  3.png  3.txt  my_name_is_foo  shadow
root@localhost:~# ftp localhost
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220 (vsFTPd 3.0.2)
Name (localhost:liujun): foo
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--      1 0                                        0 Aug 02 15:14 1.mp3
-rw-r--r--      1 0                                        0 Aug 02 15:14 1.png
-rw-r--r--      1 0                                        0 Aug 02 15:14 1.txt
-rw-r--r--      1 0                                        0 Aug 02 15:14 2.mp3
-rw-r--r--      1 0                                        0 Aug 02 15:14 2.png
-rw-r--r--      1 0                                        0 Aug 02 15:14 2.txt
-rw-r--r--      1 0                                        0 Aug 02 15:14 3.mp3
-rw-r--r--      1 0                                        0 Aug 02 15:14 3.png
-rw-r--r--      1 0                                        0 Aug 02 15:14 3.txt
-rw-r--r--      1 1008        1008                      0 Aug 02 14:54 my_name_is_foo
-rw-------      1 1008        1008                1699 Aug 02 15:01 shadow
226 Directory send OK.
Add one line to the configuration: hide_file={*.mp3,*.mp4}
root@localhost:~# echo 'hide_file={*.mp3,*.mp4}' >>/etc/vsftpd_user_conf/foo
root@localhost:~# service vsftpd restart
vsftpd stop/waiting
vsftpd start/running, process 2245
root@localhost:~# ftp localhost
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220 (vsFTPd 3.0.2)
Name (localhost:liujun): foo
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--      1 0                                        0 Aug 02 15:14 1.png
-rw-r--r--      1 0                                        0 Aug 02 15:14 1.txt
-rw-r--r--      1 0                                        0 Aug 02 15:14 2.png
-rw-r--r--      1 0                                        0 Aug 02 15:14 2.txt
-rw-r--r--      1 0                                        0 Aug 02 15:14 3.png
-rw-r--r--      1 0                                        0 Aug 02 15:14 3.txt
-rw-r--r--      1 1008        1008                      0 Aug 02 14:54 my_name_is_foo
-rw-------      1 1008        1008                1699 Aug 02 15:01 shadow
226 Directory send OK.


IV. Virtual users
1. Create the virtual user list
Format: one line for the username, one line for the password
cat >>/tmp/vsftpd.virtual_user.txt <<HERE
virt1
123
virt2
123
virt3
123
HERE
Note: odd lines are account names and even lines are passwords, i.e. lines 1, 3, 5, ... are usernames and lines 2, 4, 6, ... are passwords;
the last line must end with a newline (otherwise the last line is not recognised when the database file is built, which gives an odd-line-count error).
Three virtual users (virt1, virt2, virt3) are created here, all with the password 123, stored in /tmp/vsftpd.virtual_user.txt
2. Generate the virtual user database
root@localhost:~# apt-get -y install db5.3-util
root@localhost:~# db5.3_load -T -t hash -f /tmp/vsftpd.virtual_user.txt /etc/vsftpd.virtual_user.db
root@localhost:~# file /etc/vsftpd.virtual_user.db
/etc/vsftpd.virtual_user.db: Berkeley DB (Hash, version 9, native byte-order)
root@localhost:~# chmod 600 /etc/vsftpd.virtual_user.db
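The two pitfalls noted above (a missing password line, a missing final newline) are easy to catch before db_load runs. This added shell example (not code from the post) validates the name/password list and only then builds the database with the same db5.3_load command used above; the demo part runs on constructed lists and needs no db5.3_load.

```shell
#!/bin/sh
# Added example, not from the original post: validate the virtual user list
# before handing it to db5.3_load. Checks that every username has a password
# line, that the file ends with a newline, and that no line is empty, then
# prints the usernames (the odd lines) for review.

# Returns 0 when $1 is a well-formed name/password list, 1 otherwise.
vuser_list_check() {
    f=$1
    [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
    # $(tail -c 1) is empty only when the last byte is a newline; a file that
    # ends mid-line loses its last line in db_load and trips the odd-line error
    if [ -n "$(tail -c 1 "$f")" ]; then
        echo "no trailing newline: $f" >&2; return 1
    fi
    n=$(wc -l <"$f")
    if [ "$n" -eq 0 ]; then
        echo "empty list: $f" >&2; return 1
    fi
    if [ $((n % 2)) -ne 0 ]; then
        echo "odd line count ($n): every username needs a password line" >&2; return 1
    fi
    if grep -q '^$' "$f"; then
        echo "blank line found: usernames and passwords must not be empty" >&2; return 1
    fi
    awk 'NR % 2 == 1' "$f"
}

# Build the Berkeley DB with the same db5.3_load command as the post, but only
# after the list passes the checks; the db is then readable by root only.
vuser_db_build() {
    list=$1; db=$2
    vuser_list_check "$list" >/dev/null || return 1
    db5.3_load -T -t hash -f "$list" "$db" && chmod 600 "$db"
}

# Stand-alone demo on constructed lists: one correct, one missing the final newline.
vuser_list_demo() {
    tmp=$(mktemp -d)
    printf 'virt1\n123\nvirt2\n123\nvirt3\n123\n' >"$tmp/good.txt"
    printf 'virt1\n123\nvirt2\n123\nvirt3\n123' >"$tmp/no_newline.txt"
    for f in good.txt no_newline.txt; do
        if vuser_list_check "$tmp/$f" >/dev/null 2>&1; then echo "$f: OK"; else echo "$f: rejected"; fi
    done
    rm -rf "$tmp"
}
vuser_list_demo
```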
3. Configure PAM authentication
root@localhost:~# cp -fv /etc/pam.d/vsftpd{,default}
‘/etc/pam.d/vsftpd’ -> ‘/etc/pam.d/vsftpddefault’
root@localhost:~# vim /etc/pam.d/vsftpd
Add the following two lines at the very top; PAM order matters, placing them at the end gives Login Failed
auth    sufficient  pam_userdb.so  db=/etc/vsftpd.virtual_user
account sufficient  pam_userdb.so  db=/etc/vsftpd.virtual_user
Note: db=/etc/vsftpd.virtual_user has no .db suffix; .db is appended automatically during authentication, so the database file generated earlier must end in .db. The pam_userdb.so path can follow the distribution's own examples; a relative path is recommended
centos6/7 64bit: /lib64/security/pam_userdb.so
ubuntu14.04 64bit: /lib/x86_64-linux-gnu/security/pam_userdb.so

4. Define the virtual user configuration
a. Create the virtual users' host account and set the permissions
root@localhost:~# mkdir -p /ftp_virtual/virt{1,2,3}
root@localhost:~# useradd -d /ftp_virtual/ -s /bin/false ftp_virtual
Tip: the directory specified is the one the virtual users will access; do not set a password for the host user. It is never used to log in, it only exists so that virtual users can access FTP
root@localhost:~# chown -R ftp_virtual:ftp_virtual /ftp_virtual/
root@localhost:~# ll -d /ftp_virtual/*
drwxr-xr-x 2 ftp_virtual ftp_virtual 4096 Aug  2 15:49 /ftp_virtual/virt1/
drwxr-xr-x 2 ftp_virtual ftp_virtual 4096 Aug  2 15:49 /ftp_virtual/virt2/
drwxr-xr-x 2 ftp_virtual ftp_virtual 4096 Aug  2 15:49 /ftp_virtual/virt3/
b. Enable virtual users
Add the following 2 lines to the global main configuration file
guest_enable=YES
guest_username=ftp_virtual
root@localhost:~# echo ftp_virtual >>/etc/vsftpd.user_list
Note: once virtual users are enabled, the permissions of existing local users are affected; for example users that could write before may lose write permission
root@localhost:~# ftp localhost
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220 (vsFTPd 3.0.2)
Name (localhost:root): virt2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x      2 1001        1001                4096 Aug 13 00:26 virt1
drwxr-xr-x      2 1001        1001                4096 Aug 13 00:26 virt2
drwxr-xr-x      2 1001        1001                4096 Aug 13 00:26 virt3
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x      2 1001        1001                4096 Aug 13 00:26 virt1
drwxr-xr-x      2 1001        1001                4096 Aug 13 00:26 virt2
drwxr-xr-x      2 1001        1001                4096 Aug 13 00:26 virt3
226 Directory send OK.
ftp> 221 Goodbye.
c. Define each virtual user's own configuration file
write_enable=YES #master switch for write permission
anon_world_readable_only=NO #allow listing files
anon_upload_enable=YES #allow uploads
download_enable=YES #allow downloads
anon_mkdir_write_enable=YES #allow creating directories
anon_other_write_enable=YES #allow deleting and renaming

virt1 can only upload, not download
cat >/etc/vsftpd_user_conf/virt1 <<HERE
local_root=/ftp_virtual/virt1
write_enable=YES
anon_world_readable_only=NO
anon_upload_enable=YES
download_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO

HERE

root@localhost:~# lftp localhost
lftp localhost:~> user virt1
Password:
lftp virt1@localhost:~> ls
lftp virt1@localhost:/> pwd
ftp://virt1@localhost/
lftp virt1@localhost:/> put /etc/passwd
1208 bytes transferred
lftp virt1@localhost:/> ls
-rw-------      1 1001        1001                1208 Aug 13 00:37 passwd
lftp virt1@localhost:/> get passwd
get: Access failed: 550 Permission denied. (passwd)
virt2 can only download, not upload
cat >/etc/vsftpd_user_conf/virt2 <<HERE
local_root=/ftp_virtual/virt2
anon_world_readable_only=NO
anon_upload_enable=NO
download_enable=YES
anon_mkdir_write_enable=NO
anon_other_write_enable=NO

HERE

root@localhost:~# touch /ftp_virtual/virt2/do_not_upload.txt
root@localhost:~# ll /ftp_virtual/virt2/do_not_upload.txt
-rw-r--r-- 1 root root 0 Aug 13 00:40 /ftp_virtual/virt2/do_not_upload.txt
root@localhost:~# lftp localhost
lftp localhost:~> user virt2
Password:
lftp virt2@localhost:~> ls
-rw-r--r--      1 0                                        0 Aug 13 00:40 do_not_upload.txt
lftp virt2@localhost:/> put /etc/passwd
put: /etc/passwd: Access failed: 550 Permission denied. (passwd)
lftp virt2@localhost:/> get do_not_upload.txt
lftp virt2@localhost:/> !ls
do_not_upload.txt
virt3 can upload and download, and can create, delete, rename and move directories and files
cat >/etc/vsftpd_user_conf/virt3 <<HERE
local_root=/ftp_virtual/virt3
write_enable=YES
anon_world_readable_only=NO
anon_upload_enable=YES
download_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES

HERE

root@localhost:~# lftp localhost
lftp localhost:~> user virt3
Password:
lftp virt3@localhost:~> put /etc/shadow
870 bytes transferred                                                 
lftp virt3@localhost:/> ls
-rw-------      1 1001        1001                  870 Aug 13 00:41 shadow
lftp virt3@localhost:/> get shadow
870 bytes transferred
lftp virt3@localhost:/> !ls
do_not_upload.txt  shadow




Explanation of the other auxiliary parameters, in particular virtual_use_local_privs:
With virtual_use_local_privs=YES, virtual users have the same permissions as local users; with virtual_use_local_privs=NO, virtual users have the same permissions as anonymous users. The default is NO.
With virtual_use_local_privs=YES and write_enable=YES, virtual users have write permission (upload, download, delete, rename).
With virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=YES and anon_upload_enable=YES, virtual users cannot browse directories and can only upload files, with no other permission.
With virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO and anon_upload_enable=NO, virtual users can only download files, with no other permission.
With virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO and anon_upload_enable=YES, virtual users can only upload and download files, with no other permission.
With virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO and anon_mkdir_write_enable=YES, virtual users can only download files and create directories, with no other permission.
With virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO and anon_other_write_enable=YES, virtual users can only download, delete and rename files, with no other permission.