proftpd复杂权限的设置

一、测试平台

Debian 4.0r3
Proftpd 1.3.1 (WITH SSL)


二、原理简介

1、 继承性
    子目录会继承其父目录的属性。

2、 优先级
    优先级由大到小的顺序:
    原始FTP命令(LIST  DELE等)  >  命令组(DIRS  READ  WRITE)  >  ALL命令组

3、 访问控制的应用顺序
    不论出现顺序如何,先应用拒绝(Deny),后应用允许(Allow)

4、系统权限
    Linux系统权限仍然起作用。如果设置了目录test的<Limit>允许写,但是该用户对test目录只有
    读权限,这是该用户就不能向test目录写入。


<Directory  /ftproot/test>      ----------------- 1、继承性
     <Limit DIRS>        ------------------------- 2、优先级
          AllowUser  u1          -------------------- 3、访问控制的应用顺序
          DenyAll
     </Limit>
</Directory>


    一点解释:根据参考1所述,访问控制的顺序应该是与其出现顺序有关,但是在我的测试中发现出现顺序没有什么影响。也就是说,像上面的访问控制,AllowUser u1和DenyAll哪个在前面都一样。

 

三、实例

1、简介

假设proftpd服务器上有5个用户:
        manager, manA1, manA2, manB1, manB2
和2个组:
        groupA, groupB

manA1和manA2属于groupA组,manB1和manB2属于groupB组。

并且有如下目录结构:

    /根目录
    │
    ├ftproot/      
    │       ├manager/
    │       │
    │       ├groupA/
    │       │      ├A1/
    │       │      ├A2/
    │       │      └.../
    │       │
    │       ├groupB/
    │              ├B1/
    │              ├B2/
    │              └.../
    │
    └.../

现在要实现的权限:
1、用户manager可以读写manager、groupA、groupB目录及它们的的子目录。
2、manA1可以读写A1目录,并且可以读写groupB的所有子目录。
3、manA2可以读写A2目录,并且可以读写groupB的所有子目录。
4、manB1可以读写B1目录。
5、manB2可以读写B2目录。
6、如果一个用户没有某个目录的访问权限,那么该用户就不能看到此目录。
7、只允许manger用户和groupA、groupB组成员访问FTP服务器。
8、不允许任何人破坏主干目录结构


2、实现

(1)添加用户和组        

        useradd manager
        passwd manager

        groupadd groupA
        groupadd groupB

        useradd manA1
        passwd manA1
        usermod -G groupA manA1

        useradd manA2
        passwd manA2
        usermod -G groupA manA2

        useradd manB1
        passwd manB1
        usermod -G groupB manB1

        useradd manB2
        passwd manB2
        usermod -G groupB manB2


(2)配置文件

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName   "Formax BPO FTP Server"
ServerType   standalone
DefaultServer   on
# Port 21 is the standard FTP port.
Port    21
UseReverseDNS off
IdentLookups off# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask    000
# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances   30
# Set the user and group under which the server will run.
User    nobody
Group    nogroup
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
# DefaultRoot ~
DefaultRoot /ftproot
# Normally, we want files to be overwriteable.
AllowOverwrite  on
AllowStoreRestart on
ServerIdent off

<IfModule mod_tls.c>
      TLSEngine on
      TLSLog /var/ftpd/tls.log
      TLSProtocol SSLv23

      # Are clients required to use FTP over TLS when talking to this server?
      TLSRequired on

      # Server's certificate
      TLSRSACertificateFile /etc/proftpd.cert
      TLSRSACertificateKeyFile /etc/proftpd.key

      # CA the server trusts
      TLSCACertificateFile /etc/proftpd.cert

      # Authenticate clients that want to use FTP over TLS?
      TLSVerifyClient off
      TLSOptions NoCertRequest
      # Allow SSL/TLS renegotiations when the client requests them, but
      # do not force the renegotations.  Some clients do not support
      # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
      # clients will close the data connection, or there will be a timeout
      # on an idle data connection.
      TLSRenegotiate required off
</IfModule>

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
      DenyAll
</Limit>

<Limit LOGIN>
      AllowUser manager
      AllowGroup groupA
      DenyAll
      AllowGroup groupB
</Limit>

<Directory /ftproot/*>
     <Limit ALL>
          DenyAll
     </Limit>
</Directory>
<Directory /ftproot/manager>
     <Limit ALL>
          AllowUser manager
     </Limit>
</Directory>
<Directory /ftproot/groupA>
     <Limit DIRS>
          AllowUser manager
          AllowGroup groupA
     </Limit>
</Directory>
<Directory /ftproot/groupA/*>
     <Limit DIRS>
          DenyAll
     </Limit>
</Directory>
<Directory /ftproot/groupA/A2>
     <Limit DIRS READ WRITE>
          AllowUser manager
          AllowUser manA2
          DenyAll
     </Limit>
</Directory>
<Directory /ftproot/groupA/A1>
     <Limit DIRS READ WRITE>
          AllowUser manager
          AllowUser manA1
          DenyAll
     </Limit>
</Directory>
<Directory /ftproot/groupB>
     <Limit DIRS>
          AllowUser manager
          AllowGroup groupA
          AllowGroup groupB
     </Limit>
</Directory>
<Directory /ftproot/groupB/*>
     <Limit DIRS>
          DenyAll
     </Limit>
</Directory>
<Directory /ftproot/groupB/B1>
     <Limit DIRS READ WRITE>
          AllowUser manager
          AllowUser manB1
          AllowGroup groupA
          DenyAll
     </Limit>
</Directory>
<Directory /ftproot/groupB/B2>
     <Limit DIRS READ WRITE>
          AllowUser manager
          AllowUser manB2
          AllowGroup groupA
     </Limit>
</Directory>


参考:
1、http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-Limit.html
2、http://www.castaglia.org/proftpd/
3、http://www.proftpd.org/

posted @ 2008-04-16 17:47  h2appy  阅读(1989)  评论(0编辑  收藏  举报