作者:哎自己哈 | 来源:互联网 | 2014-05-28 09:06
情景设计4:只允许本地用户访问自己的主目录,不能访问其他目录(关键字,chroot)[root@station12vsftpd]#manvsftpd.conf有问题多查查manual总是好的chroot_list_enableIfactivated,youmayprovidealistoflocaluserswhoar
情景设计4: 只允许本地用户访问自己的主目录,不能访问其他目录(关键字,chroot )
[root@station12 vsftpd]# man vsftpd.conf
有问题多查查manual总是好的
chroot_list_enable
If activated, you may provide a list of local users who are placed
in a chroot() jail in their home
directory upon login. The meaning is slightly
different if chroot_local_user is set to YES. In this
case, the list becomes a list of users which are NOT to be placed
in a chroot() jail. By default, the
file containing this list
is /etc/vsftpd/chroot_list, but you
may override this with the
chroot_list_file setting.
Default: NO
chroot_local_user
If set to YES, local users will be (by default) placed in a
chroot() jail in their home
directory
after login. Warning: This option has security implications,
especially if the users have upload per-
mission, or shell access. Only enable if you know what you are
doing. Note that these security impli-
cations are not vsftpd specific.
They apply to all FTP daemons which offer to put local users
in
chroot() jails.
Default: NO
chroot_list_enable如果设置是YES,但chroot_local_user没有设置为YES,则所有在/etc/vsftpd/chroot_list中定义的用户会进入
chroot环境
,如果两者都设置是yes,则是本地用户,但不在/etc/vsftpd/chroot_list中定义的用户才进入chroot环境
/etc/vsftpd/chroot_list这个文件默认是不存在的呵!
验证
[root@station12 vsftpd]# useradd a
[root@station12 vsftpd]# useradd b
[root@station12 vsftpd]# passwd a
Changing password for user a.
New UNIX password:
BAD PASSWORD: it is WAY too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@station12 vsftpd]# passwd b
Changing password for user b.
New UNIX password:
BAD PASSWORD: it is WAY too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@station12 vsftpd]#
以上添加了两个用户a和b
-------------------------------------------------------------------------------------------------------------------------------------------
[root@station12 vsftpd]# echo a > chroot_list
[root@station12 vsftpd]# cat chroot_list
a
[root@station12 vsftpd]# ll chroot_list
-rw-r--r-- 1 root root 2 Jan 6 17:07 chroot_list
[root@station12 vsftpd]# cp vsftpd.conf vsftpd.4
[root@station12 vsftpd]# vi vsftpd.conf
[root@station12 vsftpd]# diff vsftpd.conf vsftpd.4
92d91
[root@station12 vsftpd]#
[root@station12 vsftpd]# service vsftpd restart
Shutting down
vsftpd:
[ OK ]
Starting vsftpd for
vsftpd:
[ OK ]
[root@station12 vsftpd]#
设置让本地用户都进入chroot环境
--------------------------------------------------------------------------------------------------------------------------------------------
[root@localhost vsftpd]# ftp station12
Connected to station12.example.com.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (station12:root): a
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> cd /var/ftp
550 Failed to change directory.
ftp>
注意上面显示是的是/
----------------------------------------------------------------------------------------------------------------------------
[root@station12 vsftpd]# service vsftpd restart
Shutting down
vsftpd:
[ OK ]
Starting vsftpd for
vsftpd:
[ OK ]
[root@station12 vsftpd]# cp vsftpd.conf vsftpd.5
[root@station12 vsftpd]# vi vsftpd.conf
[root@station12 vsftpd]# diff vsftpd.conf vsftpd.5
96c96
---
> #chroot_list_enable=YES
98c98
---
> #chroot_list_file=/etc/vsftpd/chroot_list
[root@station12 vsftpd]# service vsftpd restart
Shutting down
vsftpd:
[ OK ]
Starting vsftpd for
vsftpd:
[ OK ]
[root@station12 vsftpd]#
让chroot_local_user和
chroot_list_enable都设置成YES看看
[root@localhost vsftpd]# ftp station12
Connected to station12.example.com.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (station12:root): a
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257
"/home/a"
<=======用户a是本地用户,但在chroot_list中有定义,因此不会chroot的
ftp> cd /var/ftp
250 Directory successfully changed.
ftp> user b
500 Unknown command.
Login failed.
ftp> bye
221 Goodbye.
[root@localhost vsftpd]# ftp station12
Connected to station12.example.com.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (station12:root): b
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp>
京公网安备 11010802041100号