UOS服务器(免费版)或Linux搭建vsftpd实现虚拟用户访问控制

UOS服务器(免费版)或Linux搭建vsftpd实现虚拟用户访问控制

  1. 场景实例:
  2. 创建admin虚拟用户,允许上传下载删除重命名任何文件
  3. user1虚拟用户,允许上传下载不允许删除和重命名文件
  4. 匿名用户可以看到pub空间,但不能上传下载删除任何文件
  5. 指定存储目录为/home/ftproot
  6. 指定日志目录为/home/vsftplog/下: vsftpd.log每天更新,以日期命名,存放三年的日志; xferlog日志存放一年,也是每日更新生成新文件并以日期命名,超过存储期限后滚动删除最早的日志。
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# setenforce 0
[root@localhost ~]# vim /etc/selinux/config
[root@localhost vsftpd]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@localhost ~]# yum -y install vsftpd
[root@localhost ~]# mkdir /home/vsftplog/vsftpd_log
[root@localhost ~]# mkdir /home/vsftplog/xferlog
[root@localhost ~]# cd /etc/logrotate.d/
[root@localhost logrotate.d]# cat vsftpd
/home/vsftplog/vsftpd_log/vsftpd.log {
    nocompress
    missingok
    create 0640 vftp vftp
    daily
    dateext
    rotate 1095
}

/home/vsftplog/xferlog/xferlog {
    nocompress
    missingok
    create 0640 vftp vftp
    daily
    dateext
    rotate 365
}
[root@localhost ~]# cd /etc/vsftpd/
[root@localhost vsftpd]# ls
ftpusers  user_list  vsftpd.conf  vsftpd_conf_migrate.sh
[root@localhost vsftpd]# vim vu.list
[root@localhost vsftpd]# cat vu.list
admin
Qwer123.
user1
swdx123.
[root@localhost vsftpd]# db_load -T -t hash -f /etc/vsftpd/vu.list /etc/vsftpd/vu.db
[root@localhost vsftpd]# chmod 600 /etc/vsftpd/vu.*
[root@localhost vsftpd]# useradd -d /home/ftproot -s /sbin/nologin vftp
[root@localhost var]# chmod -R 755 /var/ftp/
[root@localhost var]# chmod -R 755 /home/ftproot/
[root@localhost var]# cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.bak
[root@localhost var]#  vim /etc/pam.d/vsftpd
[root@localhost vsftpd]# cat /etc/pam.d/vsftpd
#%PAM-1.0
auth required pam_userdb.so db=/etc/vsftpd/vu
account required pam_userdb.so db=/etc/vsftpd/vu
[root@localhost var]# cd /etc/vsftpd/
[root@localhost vsftpd]# vim vsftpd.conf
注意: 以下参数与我的保持一致即可
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
banner_file=/etc/vsftpd/banner
dual_log_enable=YES
vsftpd_log_file=/home/vsftplog/vsftpd_log/vsftpd.log
xferlog_enable=YES
xferlog_std_format=YES
xferlog_file=/home/vsftplog/xferlog/xferlog
connect_from_port_20=YES
chroot_local_user=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
guest_enable=YES
guest_username=vftp
user_config_dir=/etc/vsftpd/vusers_dir
dirlist_enable=YES
pasv_enable=YES
allow_writeable_chroot=YES
pasv_min_port=40000
pasv_max_port=50000
reverse_lookup_enable=NO
[root@localhost vsftpd]# ls
ftpusers  user_list  vsftpd.conf  vsftpd_conf_migrate.sh  vu.db  vu.list
[root@localhost vsftpd]# mkdir /etc/vsftpd/vusers_dir
[root@localhost vsftpd]# cd vusers_dir/
[root@localhost vusers_dir]# ls
[root@localhost vusers_dir]#
[root@localhost vusers_dir]# vim admin
[root@localhost vusers_dir]# cat admin
local_root=/home/ftproot/
write_enable=YES
anon_umask=022
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
[root@localhost vusers_dir]# vim user1
[root@localhost vusers_dir]# cat user1
local_root=/home/ftproot/
write_enable=YES
anon_umask=022
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
[root@localhost vsftpd]# systemctl restart vsftpd.service
[root@localhost vsftpd]# cd /home/
[root@localhost home]# ls
ftproot

如果您在生产环境中想通过USB把文件上传到ftproot存储目录,可以参考我以下的bash脚本来修改权限和属主:
[root@localhost home]# touch USB上传.sh
[root@localhost home]# ls
ftproot  USB上传.sh  user  vsftplog
[root@localhost home]# cat USB上传.sh
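#!/bin/bash
# Fix ownership and permissions of files copied into the vsftpd storage
# directory (e.g. from a USB drive), so that the guest account "vftp" that
# vsftpd maps virtual users onto (guest_username=vftp) owns and can serve them.
#
# Usage: ./USB上传.sh [FTP_ROOT]        (default FTP_ROOT: /home/ftproot)
#
# Exit status: 0 on success; non-zero if FTP_ROOT is not a directory or any
# chown/chmod fails (set -e stops at the first failure instead of continuing
# with a half-fixed tree).
set -euo pipefail

# Optional first argument overrides the storage root so the script can be
# reused for another vsftpd local_root without editing it.
ftp_root=${1:-/home/ftproot}
[[ -d "$ftp_root" ]] \
  || { printf 'not a directory: %s\n' "$ftp_root" >&2; exit 1; }

# -mindepth 1 covers every entry below the root, including dot-files that the
# glob "/home/ftproot/*" used to skip; the root directory itself is left alone.
find "$ftp_root" -mindepth 1 -exec chown vftp:vftp -- {} +

# Directories need 755 so they can be traversed and listed; uploaded data
# files only need 644 -- a blanket "chmod -R 755" would mark every upload as
# executable, which nothing served over FTP requires.
find "$ftp_root" -mindepth 1 -type d -exec chmod 755 -- {} +
find "$ftp_root" -mindepth 1 -type f -exec chmod 644 -- {} +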

然后赋予执行权限并运行:
[root@localhost home]# chmod +x USB上传.sh
[root@localhost home]# ./USB上传.sh
即可