A working vsftpd configuration, and notes on the umask parameter

Plan

(1) Use virtual users
(2) One read-write account and one read-only account

A working configuration

(1) Install vsftpd

# yum -y install vsftpd pam pam-devel

(2) Configuration files

# vim /etc/pam.d/vsftpd 
#%PAM-1.0
auth required /lib64/security/pam_userdb.so  db=/etc/vsftpd/vsftpd_login
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login

# vim /etc/vsftpd/vsftpd.conf
listen=YES
connect_from_port_20=YES
ftpd_banner=Don't transfer the file on FTP
idle_session_timeout=300
data_connection_timeout=300
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
anonymous_enable=NO
local_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
allow_writeable_chroot=YES
local_umask=022
guest_enable=YES
guest_username=gphone
virtual_use_local_privs=YES
max_per_ip=50
use_localtime=YES
pam_service_name=vsftpd
user_config_dir=/etc/vsftpd/vsftpd_user_conf
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
reverse_lookup_enable=NO

#### Per-user config files for the two accounts: one read-only, one read-write
#### (each file must live in user_config_dir and be named after the login)
# mkdir /etc/vsftpd/vsftpd_user_conf
# vim /etc/vsftpd/vsftpd_user_conf/downloader
local_root=/opt/www/images
# vim /etc/vsftpd/vsftpd_user_conf/xa_upload
write_enable=YES
local_root=/opt/www/images

#### Account/password file
#### One line with the username, the next with the password (this is a test setup, hence the simple passwords)
# vim /etc/vsftpd/login.pass
downloader
12345678
xa_upload
12345678

# db_load -T -t hash -f /etc/vsftpd/login.pass /etc/vsftpd/vsftpd_login.db

(3) Restart the service with systemctl restart vsftpd; you can then log in to FTP as downloader or xa_upload.

Configuration caveats

(1) chroot_list_enable and chroot_local_user
First, the man page descriptions of the two options:

chroot_list_enable
  If  activated,  you  may provide a list of local users who are placed in a chroot() jail in their home directory upon login. The meaning is slightly different if chroot_local_user is set to YES. In this case, the list
  becomes a list of users which are NOT to be placed in a chroot() jail.  By default, the file containing this list is /etc/vsftpd/chroot_list, but you may override this with the chroot_list_file setting.

  Default: NO

chroot_local_user
  If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login.  Warning: This option has security implications, especially if the users have upload permission, or  shell
  access. Only enable if you know what you are doing.  Note that these security implications are not vsftpd specific. They apply to all FTP daemons which offer to put local users in chroot() jails.

  Default: NO

The man page is explicit: when both chroot_local_user and chroot_list_enable are set to YES, the users listed in /etc/vsftpd/chroot_list are the ones NOT confined by chroot. This needs close attention!!
For example, here the downloader user is in /etc/vsftpd/chroot_list:

# cat /etc/vsftpd/chroot_list
downloader

Log in as downloader and see what happens:

# ftp localhost
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 Don't transfer the file on FTP
Name (localhost:root): downloader      
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,130,118).
150 Here comes the directory listing.
drwxr-xr-x   40 1000     1000         8192 Apr 26 11:02 images
lrwxrwxrwx    1 1000     1000            6 Jun 06 16:00 vivo_software -> images
226 Directory send OK.
ftp> cd /       ## change directly to /: it succeeds
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (127,0,0,1,75,155).
150 Here comes the directory listing.
lrwxrwxrwx    1 0        0               7 Apr 30  2020 bin -> usr/bin
dr-xr-xr-x    5 0        0            4096 Sep 29  2023 boot
...... output omitted

As shown, the user can change directly to /, which is a serious security exposure and needs close attention!!! (With the configuration above, the fix is simply to remove the downloader user from /etc/vsftpd/chroot_list.)

(2) The umask issue
Several settings relate to umask:

anon_umask
  The value that the umask for file creation is set to for anonymous users. NOTE! If you want to specify octal values, remember the "0" prefix otherwise the value will be treated as a base 10 integer!

  Default: 077
 
local_umask
  The value that the umask for file creation is set to for local users. NOTE! If you want to specify octal values, remember the "0" prefix otherwise the value will be treated as a base 10 integer!

  Default: 077

In addition, one more parameter deserves attention:

virtual_use_local_privs
  If enabled, virtual users will use the same privileges as local users. By default, virtual users will use the same privileges as anonymous users, which tends to be more restrictive (especially in terms of write access).

  Default: NO

I have previously seen people finish configuring vsftpd and then find that uploaded files were created with mode 600 and directories with 700, reporting that they had already set local_umask=022 and asking why the permissions were not the expected 644 and 755. This is very likely related to the virtual-user configuration: most probably virtual_use_local_privs was not correctly set to YES.
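As an added example (not part of the original post), a small Python audit helper that applies the two rules discussed in this section and the chroot section above: it parses a vsftpd.conf with last-value-wins semantics, reports which users end up outside the chroot jail, and computes the upload permissions that follow from local_umask/anon_umask and virtual_use_local_privs. The function names and the sample configuration are constructed here for illustration.

```python
# Added audit helper (not from the original post): predicts which users escape the
# chroot and what permissions uploads receive, from vsftpd.conf settings.
def parse_vsftpd_conf(text):
    """Parse key=value lines; like vsftpd, a repeated key's last value wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def parse_umask(value):
    """man page rule: a leading '0' means octal, otherwise the value is base 10."""
    return int(value, 8) if value.startswith("0") else int(value, 10)

def unchrooted_users(conf, users, chroot_list):
    """Return the users that are NOT jailed. With chroot_local_user=YES and
    chroot_list_enable=YES the list is an exemption list (the case warned about)."""
    jail_all = conf.get("chroot_local_user", "NO") == "YES"
    use_list = conf.get("chroot_list_enable", "NO") == "YES"
    listed = set(chroot_list) & set(users)
    if jail_all:
        return listed if use_list else set()
    return set(users) - listed if use_list else set(users)

def upload_modes(conf):
    """Return (file_mode, dir_mode) for uploads. Virtual users fall back to
    anon_umask (default 077) unless virtual_use_local_privs=YES."""
    virtual = conf.get("guest_enable", "NO") == "YES"
    local_privs = conf.get("virtual_use_local_privs", "NO") == "YES"
    key = "anon_umask" if (virtual and not local_privs) else "local_umask"
    umask = parse_umask(conf.get(key, "077"))
    return 0o666 & ~umask, 0o777 & ~umask

# Constructed sample: the relevant lines of the configuration above, duplicate included.
SAMPLE_CONF = """
chroot_local_user=YES
chroot_list_enable=YES
local_umask=022
guest_enable=YES
virtual_use_local_privs=YES
chroot_local_user=YES
"""
SAMPLE_USERS = ["downloader", "xa_upload"]
SAMPLE_CHROOT_LIST = ["downloader"]

if __name__ == "__main__":
    conf = parse_vsftpd_conf(SAMPLE_CONF)
    print("not chrooted:", unchrooted_users(conf, SAMPLE_USERS, SAMPLE_CHROOT_LIST))
    print("upload modes: %o %o" % upload_modes(conf))
```

Setting virtual_use_local_privs to NO in the sample reproduces the 600/700 result described above, and parse_umask("22") shows the base-10 pitfall from the man page (22 decimal is 026 octal).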

Summary

When vsftpd does not behave as expected, consult the documentation with man vsftpd.conf to check whether the relevant settings are correct, and also check the group ownership and permissions of the directories involved on the filesystem.

posted @ 2024-07-30 10:43  xuege  views(85)  comments(0)