What is the permission subdivision setting under LINUX?

2025-01-17 update. Source: SLTechnology News&Howtos, Servers. Shulou (Shulou.com), 06/01 report.

This article covers fine-grained permission settings under Linux. The editor finds it very practical and shares it here in the hope that you get something out of it.

The business unit proposed the following requirement for an FTP configuration:

Please provide an FTP server. The FTP directories and accounts to create are as follows.

Staffing:

Beijing headquarters: 5 people (2 accounts are needed: bjzb with read permission, bjguanli with read, write and execute permission)

Beijing region: 8 people (one FTP account is needed: bjdq)

Shanghai region: 6 people (one FTP account is needed: shdq)

Guangzhou region: 5 people (one FTP account is needed: gzdq)

Design of the FTP directories and account permissions:

/data/bj (Beijing region)

Account bjdq permission: write permission, read permission, execute permission

Account shdq and gzdq permissions: read permissions

Account bjzb permission: read permission

Account bjguanli permissions: read permission, write permission, execute permission

/data/sh (Shanghai region)

Account shdq permission: write permission, read permission, execute permission

Account bjdq and gzdq permissions: read permissions

Account bjzb permission: write permission, read permission

Account bjguanli permissions: read permission, write permission, execute permission

/data/gz (Guangzhou region)

Account gzdq permission: write permission, read permission, execute permission

Account bjdq and shdq permissions: read permissions

Account bjzb permission: write permission, read permission

Account bjguanli permissions: read permission, write permission, execute permission

On reading this requirement you will probably feel that the permissions are a bit awkward to implement. Under Linux the subjects that can act on a file fall into three classes: the owner (the user who owns the file), the group (note that this is not necessarily the primary group of the owner), and other (everyone else). Permissions are uniform within each class, so granting different permissions to two users in the same class is not convenient, and that is exactly what the requirement above asks for. To meet it we use ACLs under Linux. Put simply, an ACL lets you grant a specific user or group its own permissions on a file or directory, and there are only three commands to master: getfacl, setfacl and chacl.

Let us walk through the implementation of the requirement stated at the beginning of the article.

1. Creation of directories and accounts

By default, a user created under Linux gets a home directory under /home. If we need to create several users whose home directories are not under /home, we use useradd -d to specify the home directory explicitly.

# groupadd ftpgroup
# useradd bjdq -d /data/bj -g ftpgroup
# passwd bjdq
# useradd shdq -d /data/sh -g ftpgroup
# passwd shdq
# useradd gzdq -d /data/gz -g ftpgroup
# passwd gzdq
# useradd bjzb
# passwd bjzb
# useradd bjguanli
# passwd bjguanli

Another way is to modify the /etc/default/useradd file:

# useradd defaults file
GROUP=100
HOME=/home      (change the default HOME to the directory you want)
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

This also lets you place a user's home directory in a specific location when you create the user.

2. FTP settings

FTP server address: 192.168.1.130

Modify the FTP configuration file:

# vi /etc/vsftpd/vsftpd.conf

Add the following statements to it (vsftpd option names are lowercase, and comments go on their own lines):

# whether local users may log in to the FTP server; allowed by default
local_enable=YES
# whether users may write to files on the FTP server; allowed by default
write_enable=YES
pam_service_name=vsftpd
# with userlist_enable=YES and userlist_deny=NO, only users listed in
# /etc/vsftpd/user_list are allowed to log in
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
tcp_wrappers=YES
# umask applied to files created by users
local_umask=007
# to keep a user from leaving their own directory after login, enable this
# to lock users listed in chroot_list into their home directory
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

Restart the ftp service after saving the file:

# service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]

3. Setting the permissions

Since the owner of /data/bj is bjdq, the owner of /data/sh is shdq and the owner of /data/gz is gzdq, each of them naturally has read, write and execute permission on their own directory. We only need to set the group and other permissions.

To prevent the users bjdq, shdq and gzdq from changing to directories outside their own, we also write bjdq, shdq and gzdq into the chroot_list file.

[root@localhost vsftpd]# echo "bjdq" >> chroot_list
[root@localhost vsftpd]# echo "shdq" >> chroot_list
[root@localhost vsftpd]# echo "gzdq" >> chroot_list

The permissions are set as follows:

# chmod 755 /data/bj
# chmod 755 /data/sh
# chmod 755 /data/gz

The permissions for the bjzb and bjguanli accounts are set as follows:

# setfacl -R -m u:bjzb:rx /data/bj
# setfacl -R -m u:bjguanli:rwx /data/bj
# setfacl -R -m u:bjzb:rx /data/sh
# setfacl -R -m u:bjguanli:rwx /data/sh
# setfacl -R -m u:bjzb:rx /data/gz
# setfacl -R -m u:bjguanli:rwx /data/gz

[root@localhost data]# ls -l
total 12
drwxr-xr-x+ 4 bjdq ftpgroup 4096 Jan 18 19:09 bj
drwxr-xr-x+ 4 shdq ftpgroup 4096 Jan 18 19:12 sh
drwxr-xr-x+ 4 gzdq ftpgroup 4096 Jan 18 19:22 gz

Finally, check the permissions of the three directories with getfacl and verify them by logging in from a client. The trailing "+" in the ls -l listing shows that an ACL is attached to each directory.

(Note: setfacl -x g:ftpgroup file removes the ftpgroup group's ACL entry, and with it every permission that entry granted on file;
setfacl -x u:bjguanli /data/bj removes the bjguanli user's ACL entry on /data/bj, after which bjguanli falls back to the other-class permissions and keeps read access;
setfacl -x u:bjzb file removes the bjzb user's ACL entry on file.)

# getfacl --omit-header /data/bj
getfacl: Removing leading '/' from absolute path names
# file: data/bj
# owner: bjdq
# group: ftpgroup
user::rwx
user:bjguanli:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:bjguanli:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

The permission settings for the other directories are similar.
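One thing the getfacl listing above does not make obvious is that every named-user entry (user:bjzb:..., user:bjguanli:...) is ANDed with the mask:: entry before it takes effect. The following is an added example, not code from the original article: it parses getfacl-style text (a sample constructed to match the /data/bj listing) and computes the permission a named user actually receives, including what happens when a later chmod shrinks the mask.

```shell
#!/bin/sh
# Added example (not from the original article): compute the permission a named
# user effectively gets from an ACL, applying the mask entry the way the kernel
# does. Each named-user entry is ANDed with mask::, so a chmod that drops group
# bits rewrites the mask and silently caps those users. Input is getfacl-style
# text; the samples are constructed to match the article's /data/bj directory.

# acl_effective USER ACL_TEXT  -> prints the effective rwx string, or "no-entry"
acl_effective() {
    printf '%s\n' "$2" | awk -v who="$1" -F: '
        /^#/ || /^default:/ || NF < 3 { next }   # skip headers and default ACL
        $1 == "user" && $2 == who { entry = $3 }  # named-user entry
        $1 == "mask" && $2 == ""  { mask  = $3 }  # mask:: entry
        END {
            if (entry == "") { print "no-entry"; exit }
            if (mask == "") mask = "rwx"          # no mask: entry applies as-is
            out = ""
            for (i = 1; i <= 3; i++) {
                e = substr(entry, i, 1); m = substr(mask, i, 1)
                out = out ((e != "-" && m != "-") ? e : "-")
            }
            print out
        }'
}

# Constructed sample: /data/bj after "chmod 755" plus the two setfacl entries.
ACL_BJ='# file: data/bj
# owner: bjdq
# group: ftpgroup
user::rwx
user:bjzb:r-x
user:bjguanli:rwx
group::r-x
mask::rwx
other::r-x'

# The same directory after "chmod g-w /data/bj": once an ACL is present, the
# group bits given to chmod rewrite mask::, not group::, so the mask becomes r-x.
ACL_BJ_MASKED=$(printf '%s\n' "$ACL_BJ" | sed 's/^mask::rwx$/mask::r-x/')

for u in bjzb bjguanli shdq; do
    printf '%-9s effective on /data/bj: %s  (after chmod g-w: %s)\n' "$u" \
        "$(acl_effective "$u" "$ACL_BJ")" "$(acl_effective "$u" "$ACL_BJ_MASKED")"
done
```

Run getfacl on the real directory after any chmod and compare mask:: with the named entries; if the mask is narrower than an entry, bjguanli's rwx is no longer what the user actually gets.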

4. Client testing

[root@localhost /]# ftp 192.168.1.130
Connected to localhost.localdomain.
220 (vsFTPd 2.0.5)
Name (localhost:root): bjdq
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/data/bj
Login failed.
ftp> quit

Pay attention to this error: you need to consider the restrictions imposed by iptables and SELinux.

You can disable iptables and SELinux outright. If you cannot, make the following adjustments.

Open the FTP service in iptables by allowing ports 21 and 20 through.

For the SELinux restriction you can use this command:

[root@localhost test]# setsebool ftpd_disable_trans 1   # turn off SELinux's protection of ftp
[root@localhost test]# service vsftpd restart

Try again, and everything is fine.

[root@localhost test]# ftp 192.168.1.130
Connected to localhost.localdomain.
220 (vsFTPd 2.0.5)
Name (localhost:root): bjdq
331 Please specify the password.
Password:
Login successful.
ftp> pwd
"/"
ftp> bye

This verifies that the final permission setting meets the needs of the business department.

The above covers fine-grained permission settings under Linux. The editor believes it contains points of knowledge you may encounter or use in daily work, and hopes you can learn more from this article. For more details, please follow the industry information channel.
