Category: LINUX

Prerequisites:
      The package vsftpd-2.0.1-5 must be installed.

      Virtual users make it possible to give different users different permissions.
Step 1: Create the local virtual user
      useradd -d /opt/ftp-server virtual
      Creates the user "virtual" with /opt/ftp-server as its home directory (the directory must actually exist).
 
Step 2: Create the virtual users database

      Create the text file logins.txt by hand (kept in /tmp).
      Contents of logins.txt
      ==================
      download
      123
      upload
      234
      admin
      345

      Note: odd-numbered lines are user names, even-numbered lines are passwords.

      db3_load -T -t hash -f /tmp/logins.txt /etc/vsftpd_login.db

      chmod 600 /etc/vsftpd_login.db
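The logins.txt layout above is exactly the key/value line pairing that db_load -T consumes, and db_load pairs lines blindly, so a missing or blank line shifts every later record. The following is an added example, not part of the page or of the vsftpd/db_load tooling: it validates a logins.txt body before the database is built and checks that the resulting .db has the owner-only mode that the chmod 600 step is meant to guarantee (pam_userdb keeps the passwords in clear unless its crypt=crypt option is used).

```python
"""Checks for the step 2 logins.txt layout (odd lines = user names, even
lines = passwords) and for the mode of the resulting vsftpd_login.db.
Added example for this page; not vsftpd, PAM or db_load code."""
import os
import stat

# Constructed copy of the step 2 file.
SAMPLE_LOGINS = "download\n123\nupload\n234\nadmin\n345\n"


def parse_logins(text):
    """Return {user: password}.  db_load -T pairs consecutive lines, so an
    odd line count, a blank line or a duplicate user silently produces
    wrong records; reject those here before the database is built."""
    lines = text.split("\n")
    if lines and lines[-1] == "":        # the final newline is not a record
        lines.pop()
    if len(lines) % 2:
        raise ValueError("odd number of lines: a user has no password line")
    users = {}
    for i in range(0, len(lines), 2):
        user, password = lines[i], lines[i + 1]
        if not user or not password:
            raise ValueError("blank user or password at lines %d-%d" % (i + 1, i + 2))
        if user != user.strip() or password != password.strip():
            raise ValueError("stray whitespace at lines %d-%d" % (i + 1, i + 2))
        if user in users:
            raise ValueError("duplicate user %r" % user)
        users[user] = password
    return users


def logins_are_valid(text):
    """Convenience wrapper: True when parse_logins accepts the text."""
    try:
        parse_logins(text)
    except ValueError:
        return False
    return True


def to_db_load_text(users):
    """Inverse of parse_logins: the key/value line pairs db_load -T reads."""
    return "".join("%s\n%s\n" % (u, p) for u, p in users.items())


def db_file_is_private(path):
    """True when the database file carries no group or other permission
    bits, i.e. what 'chmod 600 /etc/vsftpd_login.db' enforces.  The file
    holds clear-text passwords when pam_userdb runs without crypt=crypt."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


if __name__ == "__main__":
    print(parse_logins(SAMPLE_LOGINS))
```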
     
Step 3: Create a PAM file which uses your new database
      [The user information can also be kept in MySQL instead; see the MySQL section below]
      Contents of the file ftp (kept in /etc/pam.d/):
      ==================================
      auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login
      account required /lib/security/pam_userdb.so db=/etc/vsftpd_login
 
Step 4: Create your vsftpd.conf config file
      anonymous_enable=NO
      local_enable=YES
      write_enable=NO
      anon_upload_enable=NO
      anon_mkdir_write_enable=NO
      anon_other_write_enable=NO
      chroot_local_user=YES
      guest_enable=YES
      guest_username=virtual
      user_config_dir=/etc/vsftpd/
      (the directory holding the per-user permission files for the users in the virtual user database)
      listen=YES
      listen_port=10021
      pasv_min_port=30000
      pasv_max_port=30999

Step 5: Create the permission files for the individual users in the virtual user database (their location was set in step 4)
      (the home directory of "virtual" contains three folders: download, upload, admin)

      Contents of the file download (download-only permission)
      =====================
      local_root=/opt/ftp-server/download
      anon_world_readable_only=NO

      Contents of the file upload (upload permission)
      =====================
      local_root=/opt/ftp-server/upload
      anon_world_readable_only=NO
      write_enable=YES
      anon_upload_enable=YES
      anon_mkdir_write_enable=YES

      Contents of the file admin (administrative permission)
      =====================
      local_root=/opt/ftp-server/admin
      anon_world_readable_only=NO
      write_enable=YES
      anon_upload_enable=YES
      anon_mkdir_write_enable=YES
      anon_other_write_enable=YES

Step 6: Start up vsftpd

      service vsftpd restart

 
Step 7: Test

[root@test vsftpd]# ftp 192.168.1.2 10021
Connected to 192.168.1.2.
220 (vsFTPd 2.0.1)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.2:root): admin
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,1,2,119,247)
150 Here comes the directory listing.
226 Directory send OK.
ftp> pwd
257 "/"
ftp> cd /home
550 Failed to change directory.
ftp>

The pwd and cd /home exchange shows the chroot at work: the admin user sees its local_root as "/", and the real /home is not reachable.

 
 
The vsftpd.conf parameter cmds_allowed=XXXXX
===================================================
The FTP commands this user is allowed to use (a comma-separated list drawn from the following):
# ABOR - abort a file transfer
# CWD - change working directory
# DELE - delete a remote file
# LIST - list remote files
# MDTM - return the modification time of a file
# MKD - make a remote directory
# NLST - name list of remote directory
# PASS - send password
# PASV - enter passive mode
# PORT - open a data port
# PWD - print working directory
# QUIT - terminate the connection
# RETR - retrieve a remote file
# RMD - remove a remote directory
# RNFR - rename from
# RNTO - rename to
# SITE - site-specific commands
# SIZE - return the size of a file
# STOR - store a file on the remote host
# TYPE - set transfer type
# USER - send username
#
# less common commands:
# ACCT* - send account information
# APPE - append to a remote file
# CDUP - CWD to the parent of the current directory
# HELP - return help on using the server
# MODE - set transfer mode
# NOOP - do nothing
# REIN* - reinitialize the connection
# STAT - return server status
# STOU - store a file uniquely
# STRU - set file transfer structure
# SYST - return system type

===================================================
 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[Keeping the user information in MySQL]
Configuring virtual users (MySQL)

  VSFTPD's local users are ordinary system users: besides logging in to the FTP server they can also log in to the system and use other system resources. VSFTPD's virtual users, by contrast, exist only for the FTP service and can only reach the FTP server's resources. For users, or situations, that need read/write access to the system through FTP and nothing else, virtual users are the right choice.

  VSFTPD keeps the names and passwords of virtual users in a separate store, apart from the system accounts (passwd/shadow), which considerably improves system security. The store can be a database file (for example a hash file) or a database server such as MySQL. VSFTPD authenticates virtual users through PAM. Because the names and passwords live outside the system account database, VSFTPD needs the identity of a system user under which to read the database file or database server and complete the authentication; that is the guest user, just as anonymous access needs the system user ftp. The guest user can equally be thought of as the account that virtual users are mapped onto.

  Configuring virtual users has several parts: creating the guest user, storing the users/passwords, configuring PAM authentication, and setting up vsftpd.conf. The examples below assume two virtual users, win and wingger.







1. Add the user vsftpdvirtual to the system; it represents the virtual users on the system.

Code:
[root@Linux_win vsftpd]# useradd vsftpdvirtual

  After a virtual user logs in, its location is vsftpdvirtual's home directory, /home/vsftpdvirtual.



2. Configuration file vsftpd.conf: add the following

guest_enable=YES
guest_username=vsftpdvirtual
virtual_use_local_privs=YES|NO



3. Permissions of virtual users.

The virtual_use_local_privs parameter:
When it is on (YES), virtual users get the same permissions as local users; the permissions of all virtual users are governed by the local_* parameters.
When it is off (NO), virtual users get the same permissions as anonymous users; the permissions of all virtual users are governed by the anon_* parameters.
Of the two, the latter is the stricter, especially where write access is concerned. The parameter is off (NO) by default.
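The interaction between write_enable, the anon_* switches and virtual_use_local_privs decides what each per-user file from step 5 really grants. The following model is an added example written for this page, not vsftpd code: it parses the option=value format, merges a user_config_dir file over the global step 4 configuration, and derives the operations a guest login ends up with under both settings of virtual_use_local_privs. The defaults and rules are taken from the vsftpd.conf man page reproduced further down; the three sample user files are copies of the step 5 ones.

```python
"""Effective filesystem rights of a vsftpd guest (virtual) login, derived
from the global vsftpd.conf merged with the user's file in user_config_dir.
Added example for this page; not vsftpd code.  Rules and compiled-in
defaults follow vsftpd.conf(5); sample configs copy steps 4 and 5."""

# Compiled-in defaults (vsftpd.conf(5)) for the options the model consults.
DEFAULTS = {
    "write_enable": "NO",
    "download_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "anon_world_readable_only": "YES",
    "virtual_use_local_privs": "NO",
}


def parse_vsftpd_conf(text):
    """Parse the format described in the man page FORMAT section: '#' lines
    are comments, blank lines are ignored, and whitespace around '=' is an
    error (vsftpd rejects such lines rather than guessing)."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d: expected option=value" % lineno)
        option, value = line.split("=", 1)
        if option != option.strip() or value != value.strip():
            raise ValueError("line %d: no whitespace allowed around '='" % lineno)
        conf[option] = value
    return conf


def merge_user_conf(global_text, user_text):
    """A per-user file from user_config_dir is applied after login and
    overrides the global settings it names."""
    conf = parse_vsftpd_conf(global_text)
    conf.update(parse_vsftpd_conf(user_text))
    return conf


def guest_operations(conf):
    """Operations a guest login may perform.  With virtual_use_local_privs=NO
    the guest is governed by the anon_* switches; with YES, write_enable alone
    permits every filesystem-changing command, as for a local user."""
    def on(option):
        return conf.get(option, DEFAULTS[option]).upper() == "YES"

    ops = set()
    if on("download_enable"):
        ops.add("download")
        # Anonymous privileges limit RETR to world-readable files unless
        # anon_world_readable_only=NO; local privileges have no such rule.
        if on("virtual_use_local_privs") or not on("anon_world_readable_only"):
            ops.add("download_non_world_readable")
    if not on("write_enable"):
        return ops  # write_enable=NO blocks STOR, MKD, DELE, RNFR/RNTO, ...
    if on("virtual_use_local_privs"):
        ops.update({"upload", "mkdir", "delete", "rename"})
    else:
        if on("anon_upload_enable"):
            ops.add("upload")
        if on("anon_mkdir_write_enable"):
            ops.add("mkdir")
        if on("anon_other_write_enable"):
            ops.update({"delete", "rename"})
    return ops


# Constructed copies of the step 4 global config and the three step 5 files.
GLOBAL_CONF = """anonymous_enable=NO
local_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
guest_enable=YES
guest_username=virtual
user_config_dir=/etc/vsftpd/
"""

USER_CONFS = {
    "download": "local_root=/opt/ftp-server/download\nanon_world_readable_only=NO\n",
    "upload": ("local_root=/opt/ftp-server/upload\nanon_world_readable_only=NO\n"
               "write_enable=YES\nanon_upload_enable=YES\nanon_mkdir_write_enable=YES\n"),
    "admin": ("local_root=/opt/ftp-server/admin\nanon_world_readable_only=NO\n"
              "write_enable=YES\nanon_upload_enable=YES\nanon_mkdir_write_enable=YES\n"
              "anon_other_write_enable=YES\n"),
}


def page_users():
    """Effective operations for each of the page's three virtual users."""
    return {user: sorted(guest_operations(merge_user_conf(GLOBAL_CONF, text)))
            for user, text in USER_CONFS.items()}


if __name__ == "__main__":
    for user, ops in page_users().items():
        print("%-8s %s" % (user, ", ".join(ops)))
```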



Since my vsftpd is version 1.1.3, I have to use virtual_use_local_privs=NO:
the anonymous-user settings are therefore the virtual-user settings, and when changing the parameters that grant permissions, the directory permissions must be changed as well.
For example, to stop users listing the directory while still allowing operations on files, and to make the virtual users' directory operable only by vsftpdvirtual:

Code:
[root@Linux_win vsftpd]# chown vsftpdvirtual.vsftpdvirtual /home/vsftpdvirtual
[root@Linux_win vsftpd]# chmod 700 /home/vsftpdvirtual

Because these settings also apply to anonymous users, it is best to disable anonymous logins.





In VSFTPD 1.2.0 and later, with virtual_use_local_privs=YES, write_enable=YES alone gives virtual users write permission. It should behave the same as for local users; anyone interested can verify this.

If different users use different directories, the permissions must be added as well:

Code:
chown vsftpdvirtual.vsftpdvirtual /home/win
chown vsftpdvirtual.vsftpdvirtual /home/wingger



4. Storing virtual users in MySQL

  1) Storing the virtual users' names and passwords. This part is done in the MySQL database.

First, create the database vsftpdvirtual and the table users, and insert the virtual users win and wingger. Run the following commands:

Code:
[root@Linux_win vsftpd]# mysql -uroot -p
mysql>create database vsftpdvirtual;
mysql>use vsftpdvirtual;
mysql>create table users(name char(16) binary,passwd char(16) binary);
mysql>insert into users (name,passwd) values ('win',password('123456'));
mysql>insert into users (name,passwd) values ('wingger',password('123456'));
mysql>quit

Then grant vsftpdvirtual read-only access to the users table of the vsftpdvirtual database. Run:

Code:
[root@Linux_win vsftpd]# mysql -u root mysql -p
mysql>grant select on vsftpdvirtual.users to vsftpdvirtual@localhost identified by '123456';
mysql>quit

To verify that the steps above worked, run:

Code:
[root@Linux_win vsftpd]# mysql -u vsftpdvirtual -p123456 vsftpdvirtual
mysql>select * from users;

If it worked, win, wingger and their encrypted passwords are listed, as shown below:

Quote:
mysql> select * from users;
+---------+------------------+
| name    | passwd           |
+---------+------------------+
| win     | 23932fe477657768 |
| wingger | 23932fe477657768 |
+---------+------------------+
2 rows in set (0.00 sec)





  2) Setting up PAM authentication. Here we use an open-source project that performs PAM authentication against MySQL (http://sourceforge.net/projects/pam-mysql/). First download its package pam_mysql-0.5.tar.gz from the site. Before compiling and installing, make sure the mysql-devel RPM package is installed on your machine; if it is not, install it from the RHL installation CD. Then run:

Code:
[root@Linux_win vsftpd]# tar xvzf pam_mysql-0.5.tar.gz
[root@Linux_win vsftpd]# cd pam_mysql
[root@Linux_win vsftpd]# make
[root@Linux_win vsftpd]# cp pam_mysql.so /lib/security

Next, set up vsftpd's PAM authentication file. Open /etc/pam.d/vsftpd and add the following:

Quote:
auth required pam_mysql.so user=vsftpdvirtual passwd=123456 host=localhost db=vsftpdvirtual table=users usercolumn=name passwdcolumn=passwd crypt=2
account required pam_mysql.so user=vsftpdvirtual passwd=123456 host=localhost db=vsftpdvirtual table=users usercolumn=name passwdcolumn=passwd crypt=2

See the examples under EXAMPLE in the vsftpd source package for details.
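The crypt=2 option in the pam_mysql lines above means that the module hashes the password the client sends with MySQL's PASSWORD() function and compares the result with passwdcolumn; the 16-hex-character values in the users table above, and the passwd char(16) binary column that holds them, are the pre-4.1 form of that hash. The following is an added example for this page, not pam_mysql or MySQL code: it re-implements that classic hash_password() routine, mirrors the crypt=2 comparison, and checks that a stored value actually fits the 16-character column (the 41-character '*...' hash that MySQL 4.1 and later produce would be truncated there and never match). Sample rows are constructed.

```python
"""What pam_mysql crypt=2 compares: the pre-4.1 MySQL PASSWORD() hash, a
16-character hex string, which is why the users table on this page declares
passwd char(16) binary.  Added example for this page; the routine is a
re-implementation of the classic MySQL hash_password() algorithm and is
not code from pam_mysql or MySQL.  Sample rows are constructed."""
import hmac


def mysql_old_password(password):
    """MySQL 3.23 PASSWORD() (called OLD_PASSWORD() in later releases)."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for byte in password.encode("utf-8"):
        if byte in (0x20, 0x09):          # blanks and tabs are skipped
            continue
        nr ^= (((nr & 63) + add) * byte) + (nr << 8)
        nr2 += (nr2 << 8) ^ nr
        add += byte
        # Only the low bits feed the next round, so 32-bit truncation
        # (what the original C code did on 32-bit hosts) is exact.
        nr &= 0xFFFFFFFF
        nr2 &= 0xFFFFFFFF
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def fits_passwd_column(stored, width=16):
    """True when a stored value is one old-format hash that fills the
    char(16) column exactly.  A 4.1+ PASSWORD() value ('*' plus 40 hex
    digits) does not fit and would be silently cut down on insert."""
    return len(stored) == width and all(c in "0123456789abcdef" for c in stored)


# Constructed rows in the shape of 'select * from users' above; both users
# were inserted with password('123456') as in the page's INSERT statements.
USERS = {
    "win": mysql_old_password("123456"),
    "wingger": mysql_old_password("123456"),
}


def verify_login(name, candidate, rows=USERS):
    """Mirror of the crypt=2 check: hash the supplied password and compare
    it with passwdcolumn for the row whose usercolumn equals name."""
    stored = rows.get(name)
    if stored is None or not fits_passwd_column(stored):
        return False
    return hmac.compare_digest(mysql_old_password(candidate), stored)


if __name__ == "__main__":
    for user, stored in USERS.items():
        print("%-8s %s" % (user, stored))
```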







Appendix: virtual user documentation

1. The vsftpd.conf configuration file

Code:
[root@Linux_win vsftpd]# cat vsftpd.conf
listen=YES
listen_address=192.168.1.2

anonymous_enable=NO
local_enable=YES

write_enable=YES
#anon_root=
anon_upload_enable=YES
anon_other_write_enable=YES
anon_mkdir_write_enable=YES
#anon_world_readable_only=YES
#anon_umask=777

#dirmessage_enable=YES
ftpd_banner=welcome to this FTP server

xferlog_enable=YES
#xferlog_file=/var/log/vsftpd.log

connect_from_port_20=YES
#pasv_min_port=50000
#pasv_max_port=60000
#xferlog_std_format=YES

max_clients=10
max_per_ip=10

hide_ids=YES

#limit all users to their own dir
#chroot_local_user=YES

#or limit some
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

#use owner conf file
user_config_dir=/etc/vsftpd/vsftpd_user_conf

pam_service_name=/etc/pam.d/vsftpd

guest_enable=YES
guest_username=vsftpdvirtual
#virtual_use_local_privs=NO





Code:
2. [root@Linux_win vsftpd]# cat /etc/pam.d/vsftpd
#%PAM-1.0
#auth       required    pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
#auth       required    pam_stack.so service=system-auth
#auth       required    pam_shells.so
#account    required    pam_stack.so service=system-auth
#session    required    pam_stack.so service=system-auth
auth       required     /lib/security/pam_mysql.so user=vsftpdvirtual passwd=123456 host=localhost db=vsftpdvirtual table=users usercolumn=name passwdcolumn=passwd crypt=2
account    required     /lib/security/pam_mysql.so user=vsftpdvirtual passwd=123456 host=localhost db=vsftpdvirtual table=users usercolumn=name passwdcolumn=passwd crypt=2

Code:
3. [root@Linux_win vsftpd]# cat /etc/vsftpd/chroot_list
win
wingger



Code:
4. [root@Linux_win vsftpd]# ls -l /etc/vsftpd/vsftpd_user_conf
总用量 8
-rw-r--r--    1 root     root           21  1月  8 00:25 win
-rw-r--r--    1 root     root           25  1月  8 00:17 wingger

Code:
5. [root@Linux_win vsftpd]# cat /etc/vsftpd/vsftpd_user_conf/win
local_root=/home/win
[root@Linux_win vsftpd]# cat /etc/vsftpd/vsftpd_user_conf/wingger
local_root=/home/wingger

Code:
6. drwx------    6 vsftpdvirtual vsftpdvirtual    4096  1月  8 00:16 vsftpdvirtual
drwxrwxrwx    5 vsftpdvirtual vsftpdvirtual     4096  1月  8 01:47 win
drwxrwxrwx    3 vsftpdvirtual vsftpdvirtual     4096  1月  8 20:19 wingger

7. Versions: (vsFTPd 1.1.3), pam_mysql-0.5.tar.gz, mysql3.23.54

8. [root@Linux_win vsftpd]# mysql -u vsftpdvirtual -pchenwy vsftpdvirtual
mysql> select * from users;
+---------+------------------+
| name    | passwd           |
+---------+------------------+
| win     | 23932fe477657768 |
| wingger | 23932fe477657768 |
+---------+------------------+
2 rows in set (0.00 sec)
 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Official documentation

http://www.vsftpdrocks.org/faq/  (solutions to frequently asked questions)

Reference documentation (the various kinds of setup)

[The vsftpd man page]
$man 5 vsftpd.conf |col -b >vsftpd

VSFTPD.CONF(5)             VSFTPD.CONF(5)

NAME
       vsftpd.conf - config file for vsftpd

DESCRIPTION
       vsftpd.conf may be used to control various aspects of vsftpd’s behaviour. By default, vsftpd looks for this file at the location /etc/vsftpd/vsftpd.conf. However, you may override this by specifying a command line argument to vsftpd. The command line argument is the pathname of the configuration file for vsftpd. This behaviour is useful because you may wish to use an advanced inetd such as xinetd to launch vsftpd with different configuration files on a per virtual host basis.

FORMAT
       The format of vsftpd.conf is very simple. Each line is either a comment or a directive. Comment lines start with a # and are ignored. A directive line has the format:
       option=value
       It is important to note that it is an error to put any space between the option, = and value.
       Each setting has a compiled in default which may be modified in the configuration file.
BOOLEAN OPTIONS
       Below is a list of boolean options. The value for a boolean option may be set to YES or NO.

       allow_anon_ssl
              Only applies if ssl_enable is active. If set to YES, anonymous users will be allowed to use secured SSL connections.
              Default: NO

       anon_mkdir_write_enable
              If set to YES, anonymous users will be permitted to create new directories under certain conditions. For this to work, the option write_enable must be activated, and the anonymous ftp user must have write permission on the parent directory.
              Default: NO

       anon_other_write_enable
              If set to YES, anonymous users will be permitted to perform write operations other than upload and create directory, such as deletion and renaming. This is generally not recommended but included for completeness.
              Default: NO

       anon_upload_enable
              If set to YES, anonymous users will be permitted to upload files under certain conditions. For this to work, the option write_enable must be activated, and the anonymous ftp user must have write permission on desired upload locations.
              Default: NO

       anon_world_readable_only
              When enabled, anonymous users will only be allowed to download files which are world readable. This is recognising that the ftp user may own files, especially in the presence of uploads.
              Default: YES

       anonymous_enable
              Controls whether anonymous logins are permitted or not. If enabled, both the usernames ftp and anonymous are recognised as anonymous logins.
              Default: YES

       ascii_download_enable
              When enabled, ASCII mode data transfers will be honoured on downloads.
              Default: NO

       ascii_upload_enable
              When enabled, ASCII mode data transfers will be honoured on uploads.
              Default: NO

       async_abor_enable
              When enabled, a special FTP command known as "async ABOR" will be enabled. Only ill advised FTP clients will use this feature. Additionally, this feature is awkward to handle, so it is disabled by default. Unfortunately, some FTP clients will hang when cancelling a transfer unless this feature is available, so you may wish to enable it.
              Default: NO

       background
              When enabled, and vsftpd is started in "listen" mode, vsftpd will background the listener process. i.e. control will immediately be returned to the shell which launched vsftpd.
              Default: NO

       check_shell
              Note! This option only has an effect for non-PAM builds of vsftpd. If disabled, vsftpd will not check /etc/shells for a valid user shell for local logins.
              Default: YES

       chmod_enable
              When enables, allows use of the SITE CHMOD command. NOTE! This only applies to local users. Anonymous users never get to use SITE CHMOD.
              Default: YES

       chown_uploads
              If enabled, all anonymously uploaded files will have the ownership changed to the user specified in the setting chown_username. This is useful from an administrative, and perhaps security, standpoint.
              Default: NO

       chroot_list_enable
              If activated, you may provide a list of local users who are placed in a chroot() jail in their home directory upon login. The meaning is slightly different if chroot_local_user is set to YES. In this case, the list becomes a list of users which are NOT to be placed in a chroot() jail. By default, the file containing this list is /etc/vsftpd.chroot_list, but you may override this with the chroot_list_file setting.
              Default: NO

       chroot_local_user
              If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login. Warning: This option has security implications, especially if the users have upload permission, or shell access. Only enable if you know what you are doing. Note that these security implications are not vsftpd specific. They apply to all FTP daemons which offer to put local users in chroot() jails.
              Default: NO

       connect_from_port_20
              This controls whether PORT style data connections use port 20 (ftp-data) on the server machine. For security reasons, some clients may insist that this is the case. Conversely, disabling this option enables vsftpd to run with slightly less privilege.
              Default: NO (but the sample config file enables it)

       deny_email_enable
              If activated, you may provide a list of anonymous password e-mail responses which cause login to be denied. By default, the file containing this list is /etc/vsftpd.banned_emails, but you may override this with the banned_email_file setting.
              Default: NO

       dirlist_enable
              If set to NO, all directory list commands will give permission denied.
              Default: YES

       dirmessage_enable
              If enabled, users of the FTP server can be shown messages when they first enter a new directory. By default, a directory is scanned for the file .message, but that may be overridden with the configuration setting message_file.
              Default: NO (but the sample config file enables it)

       download_enable
              If set to NO, all download requests will give permission denied.
              Default: YES

       dual_log_enable
              If enabled, two log files are generated in parallel, going by default to /var/log/xferlog and /var/log/vsftpd.log. The former is a wu-ftpd style transfer log, parseable by standard tools. The latter is vsftpd’s own style log.
              Default: NO

       force_dot_files
              If activated, files and directories starting with . will be shown in directory listings even if the "a" flag was not used by the client. This override excludes the "." and ".." entries.
              Default: NO

       force_local_data_ssl
              Only applies if ssl_enable is activated. If activated, all non-anonymous logins are forced to use a secure SSL connection in order to send and receive data on data connections.
              Default: YES

       force_local_logins_ssl
              Only applies if ssl_enable is activated. If activated, all non-anonymous logins are forced to use a secure SSL connection in order to send the password.
              Default: YES

       guest_enable
              If enabled, all non-anonymous logins are classed as "guest" logins. A guest login is remapped to the user specified in the guest_username setting.
              Default: NO

       hide_ids
              If enabled, all user and group information in directory listings will be displayed as "ftp".
              Default: NO

       listen
              If enabled, vsftpd will run in standalone mode. This means that vsftpd must not be run from an inetd of some kind. Instead, the vsftpd executable is run once directly. vsftpd itself will then take care of listening for and handling incoming connections.
              Default: NO

       listen_ipv6
              Like the listen parameter, except vsftpd will listen on an IPv6 socket instead of an IPv4 one. This parameter and the listen parameter are mutually exclusive.
              Default: NO

       local_enable
              Controls whether local logins are permitted or not. If enabled, normal user accounts in /etc/passwd may be used to log in.
              Default: NO

       log_ftp_protocol
              When enabled, all FTP requests and responses are logged, providing the option xferlog_std_format is not enabled. Useful for debugging.
              Default: NO

       ls_recurse_enable
              When enabled, this setting will allow the use of "ls -R". This is a minor security risk, because a ls -R at the top level of a large site may consume a lot of resources.
              Default: NO

       no_anon_password
              When enabled, this prevents vsftpd from asking for an anonymous password - the anonymous user will log straight in.
              Default: NO

       no_log_lock
              When enabled, this prevents vsftpd from taking a file lock when writing to log files. This option should generally not be enabled. It exists to workaround operating system bugs such as the Solaris / Veritas filesystem combination which has been observed to sometimes exhibit hangs trying to lock log files.
              Default: NO

       one_process_model
              If you have a Linux 2.4 kernel, it is possible to use a different security model which only uses one process per connection. It is a less pure security model, but gains you performance. You really don’t want to enable this unless you know what you are doing, and your site supports huge numbers of simultaneously connected users.
              Default: NO

       passwd_chroot_enable
              If enabled, along with chroot_local_user, then a chroot() jail location may be specified on a per-user basis. Each user’s jail is derived from their home directory string in /etc/passwd. The occurrence of /./ in the home directory string denotes that the jail is at that particular location in the path.
              Default: NO

       pasv_enable
              Set to NO if you want to disallow the PASV method of obtaining a data connection.
              Default: YES

       pasv_promiscuous
              Set to YES if you want to disable the PASV security check that ensures the data connection originates from the same IP address as the control connection. Only enable if you know what you are doing! The only legitimate use for this is in some form of secure tunnelling scheme, or perhaps to facilitate FXP support.
              Default: NO

       port_enable
              Set to NO if you want to disallow the PORT method of obtaining a data connection.
              Default: YES

       port_promiscuous
              Set to YES if you want to disable the PORT security check that ensures that outgoing data connections can only connect to the client. Only enable if you know what you are doing!
              Default: NO

       run_as_launching_user
              Set to YES if you want vsftpd to run as the user which launched vsftpd. This is useful where root access is not available. MASSIVE WARNING! Do NOT enable this option unless you totally know what you are doing, as naive use of this option can create massive security problems. Specifically, vsftpd does not / cannot use chroot technology to restrict file access when this option is set (even if launched by root). A poor substitute could be to use a deny_file setting such as {/*,*..*}, but the reliability of this cannot compare to chroot, and should not be relied on. If using this option, many restrictions on other options apply. For example, options requiring privilege such as non-anonymous logins, upload ownership changing, connecting from port 20 and listen ports less than 1024 are not expected to work. Other options may be impacted.
              Default: NO

       secure_email_list_enable
              Set to YES if you want only a specified list of e-mail passwords for anonymous logins to be accepted. This is useful as a low-hassle way of restricting access to low-security content without needing virtual users. When enabled, anonymous logins are prevented unless the password provided is listed in the file specified by the email_password_file setting. The file format is one password per line, no extra whitespace. The default filename is /etc/vsftpd.email_passwords.
              Default: NO

       session_support
              This controls whether vsftpd attempts to maintain sessions for logins. If vsftpd is maintaining sessions, it will try and update utmp and wtmp. It will also open a pam_session if using PAM to authenticate, and only close this upon logout. You may wish to disable this if you do not need session logging, and you wish to give vsftpd more opportunity to run with less processes and / or less privilege. NOTE - utmp and wtmp support is only provided with PAM enabled builds.
              Default: NO

       setproctitle_enable
              If enabled, vsftpd will try and show session status information in the system process listing. In other words, the reported name of the process will change to reflect what a vsftpd session is doing (idle, downloading etc). You probably want to leave this off for security purposes.
              Default: NO

       ssl_enable
              If enabled, and vsftpd was compiled against OpenSSL, vsftpd will support secure connections via SSL. This applies to the control connection (including login) and also data connections. You’ll need a client with SSL support too. NOTE!! Beware enabling this option. Only enable it if you need it. vsftpd can make no guarantees about the security of the OpenSSL libraries. By enabling this option, you are declaring that you trust the security of your installed OpenSSL library.
              Default: NO

       ssl_sslv2
              Only applies if ssl_enable is activated. If enabled, this option will permit SSL v2 protocol connections. TLS v1 connections are preferred.
              Default: NO

       ssl_sslv3
              Only applies if ssl_enable is activated. If enabled, this option will permit SSL v3 protocol connections. TLS v1 connections are preferred.
              Default: NO

       ssl_tlsv1
              Only applies if ssl_enable is activated. If enabled, this option will permit TLS v1 protocol connections. TLS v1 connections are preferred.
              Default: YES

       syslog_enable
              If enabled, then any log output which would have gone to /var/log/vsftpd.log goes to the system log instead. Logging is done under the FTPD facility.
              Default: NO

       tcp_wrappers
              If enabled, and vsftpd was compiled with tcp_wrappers support, incoming connections will be fed through tcp_wrappers access control. Furthermore, there is a mechanism for per-IP based configuration. If tcp_wrappers sets the VSFTPD_LOAD_CONF environment variable, then the vsftpd session will try and load the vsftpd configuration file specified in this variable.
              Default: NO

       text_userdb_names
              By default, numeric IDs are shown in the user and group fields of directory listings. You can get textual names by enabling this parameter. It is off by default for performance reasons.
              Default: NO

       tilde_user_enable
              If enabled, vsftpd will try and resolve pathnames such as ~chris/pics, i.e. a tilde followed by a username. Note that vsftpd will always resolve the pathnames ~ and ~/something (in this case the ~ resolves to the initial login directory). Note that ~user paths will only resolve if the file /etc/passwd may be found within the _current_ chroot() jail.
              Default: NO

       use_localtime
              If enabled, vsftpd will display directory listings with the time in your local time zone. The default is to display GMT. The times returned by the MDTM FTP command are also affected by this option.
              Default: NO

       use_sendfile
              An internal setting used for testing the relative benefit of using the sendfile() system call on your platform.
              Default: YES

       userlist_deny
              This option is examined if userlist_enable is activated. If you set this setting to NO, then users will be denied login unless they are explicitly listed in the file specified by userlist_file. When login is denied, the denial is issued before the user is asked for a password.
              Default: YES

       userlist_enable
              If enabled, vsftpd will load a list of usernames, from the filename given by userlist_file. If a user tries to log in using a name in this file, they will be denied before they are asked for a password. This may be useful in preventing cleartext passwords being transmitted. See also userlist_deny.
              Default: NO

       virtual_use_local_privs
              If enabled, virtual users will use the same privileges as local users. By default, virtual users will use the same privileges as anonymous users, which tends to be more restrictive (especially in terms of write access).
              Default: NO

       write_enable
              This controls whether any FTP commands which change the filesystem are allowed or not. These commands are: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE.
              Default: NO

       xferlog_enable
              If enabled, a log file will be maintained detailling uploads and downloads. By default, this file will be placed at /var/log/vsftpd.log, but this location may be overridden using the configuration setting vsftpd_log_file.
              Default: NO (but the sample config file enables it)

       xferlog_std_format
              If enabled, the transfer log file will be written in standard xferlog format, as used by wu-ftpd. This is useful because you can reuse existing transfer statistics generators. The default format is more readable, however. The default location for this style of log file is /var/log/xferlog, but you may change it with the setting xferlog_file.
              Default: NO

NUMERIC OPTIONS

       Below is a list of numeric options. A numeric option must be set to a
       non-negative integer. Octal numbers are supported, for convenience of
       the umask options. To specify an octal number, use 0 as the first
       digit of the number.

       accept_timeout
              The timeout, in seconds, for a remote client to establish
              connection with a PASV style data connection.
              Default: 60

       anon_max_rate
              The maximum data transfer rate permitted, in bytes per second,
              for anonymous clients.
              Default: 0 (unlimited)

       anon_umask
              The value that the umask for file creation is set to for
              anonymous users. NOTE! If you want to specify octal values,
              remember the "0" prefix otherwise the value will be treated as
              a base 10 integer!
              Default: 077

       connect_timeout
              The timeout, in seconds, for a remote client to respond to our
              PORT style data connection.
              Default: 60

       data_connection_timeout
              The timeout, in seconds, which is roughly the maximum time we
              permit data transfers to stall for with no progress. If the
              timeout triggers, the remote client is kicked off.
              Default: 300

       file_open_mode
              The permissions with which uploaded files are created. Umasks
              are applied on top of this value. You may wish to change to
              0777 if you want uploaded files to be executable.
              Default: 0666

       ftp_data_port
              The port from which PORT style connections originate (as long
              as the poorly named connect_from_port_20 is enabled).
              Default: 20

       idle_session_timeout
              The timeout, in seconds, which is the maximum time a remote
              client may spend between FTP commands. If the timeout triggers,
              the remote client is kicked off.
              Default: 300

       listen_port
              If vsftpd is in standalone mode, this is the port it will
              listen on for incoming FTP connections.
              Default: 21

       local_max_rate
              The maximum data transfer rate permitted, in bytes per second,
              for local authenticated users.
              Default: 0 (unlimited)

       local_umask
              The value that the umask for file creation is set to for local
              users. NOTE! If you want to specify octal values, remember the
              "0" prefix otherwise the value will be treated as a base 10
              integer!
              Default: 077

       max_clients
              If vsftpd is in standalone mode, this is the maximum number of
              clients which may be connected. Any additional clients
              connecting will get an error message.
              Default: 0 (unlimited)

       max_per_ip
              If vsftpd is in standalone mode, this is the maximum number of
              clients which may be connected from the same source internet
              address. A client will get an error message if they go over
              this limit.
              Default: 0 (unlimited)

       pasv_max_port
              The maximum port to allocate for PASV style data connections.
              Can be used to specify a narrow port range to assist
              firewalling.
              Default: 0 (use any port)

       pasv_min_port
              The minimum port to allocate for PASV style data connections.
              Can be used to specify a narrow port range to assist
              firewalling.
              Default: 0 (use any port)

       trans_chunk_size
              You probably don't want to change this, but try setting it to
              something like 8192 for a much smoother bandwidth limiter.
              Default: 0 (let vsftpd pick a sensible setting)
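The octal-prefix rule above is the one numeric detail that silently changes the security outcome: local_umask=22 is read as decimal 22 (octal 026), not as 022. The following linter is an added example, not code from the vsftpd man page or the vsftpd project; it assumes only what the man page states (leading 0 means octal, otherwise base 10, and the defaults quoted there), reads a config the same way, reports mask values written without the leading 0, computes the permission bits an uploaded file would actually get from file_open_mode and the umask, and checks that the PASV port range is a usable pair. The sample configs inside it are constructed for the example; the GOOD one uses the values from the configs on this page.

```python
"""Lint the numeric options of a vsftpd.conf the way vsftpd reads them.

Added example; not code from the vsftpd man page or the vsftpd project.
It assumes only what the man page states: a numeric option is a
non-negative integer, a value whose first digit is 0 is octal, and
anything else is base 10.  The sample configs below are constructed.
"""

# Defaults quoted from the man page, used when the config omits the option.
DEFAULTS = {
    "anon_umask": "077",
    "local_umask": "077",
    "file_open_mode": "0666",
    "pasv_min_port": "0",
    "pasv_max_port": "0",
}

# Permission-style options; the man page warns that leaving out the
# leading 0 silently turns them into base-10 values.
MASK_OPTIONS = ("local_umask", "anon_umask", "file_open_mode")


def parse_conf(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line (no '='): {raw!r}")
        conf[key.strip()] = value.strip()
    return conf


def parse_numeric(value):
    """Interpret a numeric option as vsftpd does: leading 0 means octal."""
    if not value.isdigit():
        raise ValueError(f"not a non-negative integer: {value!r}")
    # int(..., 8) rejects digits 8 and 9 after a leading 0, which is what
    # a lint tool wants: such a value is not a valid octal number.
    return int(value, 8) if value.startswith("0") else int(value, 10)


def effective_mode(conf, umask_option):
    """Permission bits an uploaded file gets: file_open_mode with the umask applied."""
    mode = parse_numeric(conf.get("file_open_mode", DEFAULTS["file_open_mode"]))
    umask = parse_numeric(conf.get(umask_option, DEFAULTS[umask_option]))
    return mode & ~umask & 0o777


def lint(conf):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    for opt in MASK_OPTIONS:
        if opt in conf and not conf[opt].startswith("0"):
            decimal = parse_numeric(conf[opt])
            findings.append(
                f"{opt}={conf[opt]} lacks the leading 0: vsftpd reads it as "
                f"decimal {decimal}, i.e. octal {decimal:o}, not octal {conf[opt]}"
            )
    for who, opt in (("local", "local_umask"), ("anonymous", "anon_umask")):
        mode = effective_mode(conf, opt)
        if mode & 0o002:
            findings.append(f"{who} uploads would be world-writable (mode {mode:04o})")
    lo = parse_numeric(conf.get("pasv_min_port", DEFAULTS["pasv_min_port"]))
    hi = parse_numeric(conf.get("pasv_max_port", DEFAULTS["pasv_max_port"]))
    if (lo == 0) != (hi == 0):
        findings.append("set both pasv_min_port and pasv_max_port to get a "
                        "narrow PASV range a firewall can allow")
    elif lo > hi:
        findings.append(f"pasv_min_port ({lo}) is above pasv_max_port ({hi})")
    return findings


# Constructed samples: GOOD uses the values from the configs on this page,
# BAD shows the pitfalls the man page warns about.
SAMPLE_GOOD = """\
local_enable=YES
write_enable=YES
local_umask=022
pasv_min_port=30000
pasv_max_port=30999
"""

SAMPLE_BAD = """\
local_enable=YES
write_enable=YES
local_umask=22
anon_umask=0
pasv_min_port=30000
"""

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(f"[{name}]")
        for finding in lint(parse_conf(text)) or ["no findings"]:
            print("  " + finding)
```

Run it against a real file with `lint(parse_conf(open("/etc/vsftpd.conf").read()))`; the world-writable check is the one to keep in a deployment pipeline, since an anon_umask of 0 combined with the default file_open_mode of 0666 leaves every upload writable by every other client.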

STRING OPTIONS

       Below is a list of string options.

       anon_root
              This option represents a directory which vsftpd will try to
              change into after an anonymous login. Failure is silently
              ignored.
              Default: (none)

       banned_email_file
              This option is the name of a file containing a list of
              anonymous e-mail passwords which are not permitted. This file
              is consulted if the option deny_email_enable is enabled.
              Default: /etc/vsftpd.banned_emails

       banner_file
              This option is the name of a file containing text to display
              when someone connects to the server. If set, it overrides the
              banner string provided by the ftpd_banner option.
              Default: (none)

       chown_username
              This is the name of the user who is given ownership of
              anonymously uploaded files. This option is only relevant if
              another option, chown_uploads, is set.
              Default: root

       chroot_list_file
              The option is the name of a file containing a list of local
              users which will be placed in a chroot() jail in their home
              directory. This option is only relevant if the option
              chroot_list_enable is enabled. If the option chroot_local_user
              is enabled, then the list file becomes a list of users to NOT
              place in a chroot() jail.
              Default: /etc/vsftpd.chroot_list

       cmds_allowed
              This option specifies a comma separated list of allowed FTP
              commands (post login. USER, PASS and QUIT are always allowed
              pre-login). Other commands are rejected. This is a powerful
              method of really locking down an FTP server. Example:
              cmds_allowed=PASV,RETR,QUIT
              Default: (none)

       deny_file
              This option can be used to set a pattern for filenames (and
              directory names etc.) which should not be accessible in any
              way. The affected items are not hidden, but any attempt to do
              anything to them (download, change into directory, affect
              something within directory etc.) will be denied. This option is
              very simple, and should not be used for serious access control
              - the filesystem's permissions should be used in preference.
              However, this option may be useful in certain virtual user
              setups. In particular, be aware that if a filename is
              accessible by a variety of names (perhaps due to symbolic links
              or hard links), then care must be taken to deny access to all
              the names. Access will be denied to items if their name
              contains the string given by deny_file, or if they match the
              regular expression specified by deny_file. Note that vsftpd's
              regular expression matching code is a simple implementation
              which is a subset of full regular expression functionality.
              Because of this, you will need to carefully and exhaustively
              test any application of this option. And you are recommended
              to use filesystem permissions for any important security
              policies due to their greater reliability. Example:
              deny_file={*.mp3,*.mov,.private}
              Default: (none)

       dsa_cert_file
              This option specifies the location of the DSA certificate to
              use for SSL encrypted connections.
              Default: (none - an RSA certificate suffices)

       email_password_file
              This option can be used to provide an alternate file for usage
              by the secure_email_list_enable setting.
              Default: /etc/vsftpd.email_passwords

       ftp_username
              This is the name of the user we use for handling anonymous FTP.
              The home directory of this user is the root of the anonymous
              FTP area.
              Default: ftp

       ftpd_banner
              This string option allows you to override the greeting banner
              displayed by vsftpd when a connection first comes in.
              Default: (none - default vsftpd banner is displayed)

       guest_username
              See the boolean setting guest_enable for a description of what
              constitutes a guest login. This setting is the real username
              which guest users are mapped to.
              Default: ftp

       hide_file
              This option can be used to set a pattern for filenames (and
              directory names etc.) which should be hidden from directory
              listings. Despite being hidden, the files / directories etc.
              are fully accessible to clients who know what names to actually
              use. Items will be hidden if their names contain the string
              given by hide_file, or if they match the regular expression
              specified by hide_file. Note that vsftpd's regular expression
              matching code is a simple implementation which is a subset of
              full regular expression functionality. Example:
              hide_file={*.mp3,.hidden,hide*,h?}
              Default: (none)

       listen_address
              If vsftpd is in standalone mode, the default listen address (of
              all local interfaces) may be overridden by this setting.
              Provide a numeric IP address.
              Default: (none)

       listen_address6
              Like listen_address, but specifies a default listen address for
              the IPv6 listener (which is used if listen_ipv6 is set). Format
              is standard IPv6 address format.
              Default: (none)

       local_root
              This option represents a directory which vsftpd will try to
              change into after a local (i.e. non-anonymous) login. Failure
              is silently ignored.
              Default: (none)

       message_file
              This option is the name of the file we look for when a new
              directory is entered. The contents are displayed to the remote
              user. This option is only relevant if the option
              dirmessage_enable is enabled.
              Default: .message

       nopriv_user
              This is the name of the user that is used by vsftpd when it
              wants to be totally unprivileged. Note that this should be a
              dedicated user, rather than nobody. The user nobody tends to be
              used for rather a lot of important things on most machines.
              Default: nobody

       pam_service_name
              This string is the name of the PAM service vsftpd will use.
              Default: ftp

       pasv_address
              Use this option to override the IP address that vsftpd will
              advertise in response to the PASV command. Provide a numeric IP
              address.
              Default: (none - the address is taken from the incoming
              connected socket)

       rsa_cert_file
              This option specifies the location of the RSA certificate to
              use for SSL encrypted connections.
              Default: /usr/share/ssl/certs/vsftpd.pem

       secure_chroot_dir
              This option should be the name of a directory which is empty.
              Also, the directory should not be writable by the ftp user.
              This directory is used as a secure chroot() jail at times
              vsftpd does not require filesystem access.
              Default: /usr/share/empty

       ssl_ciphers
              This option can be used to select which SSL ciphers vsftpd will
              allow for encrypted SSL connections. See the ciphers man page
              for further details. Note that restricting ciphers can be a
              useful security precaution as it prevents malicious remote
              parties forcing a cipher which they have found problems with.
              Default: DES-CBC3-SHA

       user_config_dir
              This powerful option allows the override of any config option
              specified in the manual page, on a per-user basis. Usage is
              simple, and is best illustrated with an example. If you set
              user_config_dir to be /etc/vsftpd_user_conf and then log on as
              the user "chris", then vsftpd will apply the settings in the
              file /etc/vsftpd_user_conf/chris for the duration of the
              session. The format of this file is as detailed in this manual
              page! PLEASE NOTE that not all settings are effective on a
              per-user basis. For example, many settings only apply prior to
              the user's session being started. Examples of settings which
              will not affect any behaviour on a per-user basis include
              listen_address, banner_file, max_per_ip, max_clients,
              xferlog_file, etc.
              Default: (none)

       user_sub_token
              This option is useful in conjunction with virtual users. It is
              used to automatically generate a home directory for each
              virtual user, based on a template. For example, if the home
              directory of the real user specified via guest_username is
              /home/virtual/$USER, and user_sub_token is set to $USER, then
              when virtual user fred logs in, he will end up (usually
              chroot()'ed) in the directory /home/virtual/fred. This option
              also takes effect if local_root contains user_sub_token.
              Default: (none)
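The user_config_dir and user_sub_token entries above are what make the per-user permission files at the top of this page work, so it is worth seeing the merge rules spelled out. The following is an added example, not code from the vsftpd project or the man page; it models only what the man page states: the file named after the user inside user_config_dir overrides the main config for that session, the settings the man page lists as having no per-user effect are ignored there, and user_sub_token is substituted into local_root or into the real guest user's home directory. The directory of per-user files is stood in for by an in-memory mapping so the example runs offline; the main and per-user configs follow the layout used on this page, and the extra max_clients line in the "admin" file is constructed to show a setting being ignored.

```python
"""Resolve the effective vsftpd settings for one virtual user.

Added example; not code from the vsftpd project or the man page.  It models
only what the man page states: the per-user file named after the user in
user_config_dir overrides the main config for that session, the settings the
man page lists as not effective per user are ignored there, and user_sub_token
is substituted into local_root or into the guest user's home directory.  The
configs below are constructed in memory (no files are read) so it runs offline.
"""

# Settings the man page names as having no per-user effect.
NOT_PER_USER = frozenset(
    {"listen_address", "banner_file", "max_per_ip", "max_clients", "xferlog_file"}
)


def parse_conf(text):
    """Minimal key=value parser; blank lines and '#' comments are skipped."""
    lines = (ln.strip() for ln in text.splitlines())
    return dict(ln.split("=", 1) for ln in lines if ln and not ln.startswith("#"))


def resolve_user_conf(main_conf, per_user_files, username):
    """Apply <user_config_dir>/<username> over main_conf.

    per_user_files stands in for the directory: a mapping of file name to
    file text.  Returns (effective settings, keys ignored because the man
    page says they cannot change per user).
    """
    effective = dict(main_conf)
    ignored = []
    if "user_config_dir" in main_conf and username in per_user_files:
        for key, value in parse_conf(per_user_files[username]).items():
            if key in NOT_PER_USER:
                ignored.append(key)
            else:
                effective[key] = value
    return effective, ignored


def session_root(conf, username, guest_home):
    """Directory the virtual user ends up in, following the man page example.

    local_root wins if set; otherwise the home directory of the real
    guest_username account is used.  user_sub_token, if set, is replaced by
    the virtual user name in either path.
    """
    root = conf.get("local_root", guest_home)
    token = conf.get("user_sub_token")
    return root.replace(token, username) if token else root


# Constructed main config, following the per-user layout used on this page.
MAIN_CONF = parse_conf("""
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
guest_enable=YES
guest_username=virtual
user_config_dir=/etc/vsftpd/
""")

# Stand-in for the files in /etc/vsftpd/: one file per virtual user.  The
# max_clients line in "admin" is constructed to show a setting being ignored.
PER_USER = {
    "download": "local_root=/opt/ftp-server/download\nanon_world_readable_only=NO\n",
    "upload": "local_root=/opt/ftp-server/upload\nanon_world_readable_only=NO\n"
              "write_enable=YES\nanon_upload_enable=YES\nanon_mkdir_write_enable=YES\n",
    "admin": "local_root=/opt/ftp-server/admin\nanon_world_readable_only=NO\n"
             "write_enable=YES\nanon_upload_enable=YES\nanon_mkdir_write_enable=YES\n"
             "max_clients=5\n",
}

# Constructed template config for the user_sub_token example in the man page.
TEMPLATE_CONF = parse_conf("local_root=/home/virtual/$USER\nuser_sub_token=$USER\n")

if __name__ == "__main__":
    for user in ("download", "upload", "admin", "nosuchuser"):
        conf, ignored = resolve_user_conf(MAIN_CONF, PER_USER, user)
        print(f"{user:11} write_enable={conf['write_enable']:3} "
              f"root={session_root(conf, user, '/opt/ftp-server')} ignored={ignored}")
    print("fred ->", session_root(TEMPLATE_CONF, "fred", "/home/virtual"))
```

The "nosuchuser" case is the one to notice when auditing such a setup: a virtual user with no file in user_config_dir gets exactly the main config, so the main config must be the most restrictive one (write_enable=NO here) and each per-user file opens only what that user needs.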
       userlist_file
              This option is the name of the file loaded when the
              userlist_enable option is active.
              Default: /etc/vsftpd.user_list

       vsftpd_log_file
              This option is the name of the file to which we write the
              vsftpd style log file. This log is only written if the option
              xferlog_enable is set, and xferlog_std_format is NOT set.
              Alternatively, it is written if you have set the option
              dual_log_enable. One further complication - if you have set
              syslog_enable, then this file is not written and output is sent
              to the system log instead.
              Default: /var/log/vsftpd.log

       xferlog_file
              This option is the name of the file to which we write the
              wu-ftpd style transfer log. The transfer log is only written if
              the option xferlog_enable is set, along with
              xferlog_std_format. Alternatively, it is written if you have
              set the option dual_log_enable.
              Default: /var/log/xferlog

AUTHOR
       chris@scary.beasts.org

                                                               VSFTPD.CONF(5)

===========================================

Common vsFTPd features: read and write permissions

2011-02-22 09:08, anonymous, reposted from the web

vsftpd is the most highly regarded FTP server program among Linux distributions. It is small, fast, secure and easy to use. The name vsftpd stands for "very secure FTP daemon", and the vsFTPd server has many very handy features. This article explains how to enable read and write access.

I have used vsftpd for quite a long time and found it very stable and highly secure, so I recommend it to everyone. This article covers another of its features: read/write permissions.

FTP users generally cannot log in to the system; this is for security. Users who have no permission to log in to the system are commonly called virtual users as well, and such virtual users still have to be written into /etc/passwd. This is just one way of creating virtual users, and frankly they are not true virtual users: their login shell has simply been taken away, so they are unable to log in to the system.

If we want to place the home directory of the user beinan in /opt/beinan and prevent that user from logging in to the system, we do the following:

[root@localhost ~]# adduser -d /opt/beinan -g ftp -s /sbin/nologin beinan
[root@localhost ~]# passwd beinan
Changing password for user beinan.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]#

This alone is not enough; vsftpd.conf also has to be changed to make sure local virtual users have read and write permission:

local_enable=YES
write_enable=YES
local_umask=022
