What is the principle of setting Proftpd permissions?

2025-01-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article mainly explains "what is the principle of setting Proftpd permissions". The content is simple and clear and easy to learn and understand. Please follow the editor's train of thought to study "what is the principle of setting Proftpd permissions".

I. Test platform

Debian 4.0r3

Proftpd 1.3.1 (WITH SSL)

II. A brief introduction to the principles

1. Inheritance

A subdirectory inherits the properties of its parent directory.

2. Priority

The order of priority from highest to lowest:

Raw FTP command (LIST, DELE, etc.) > command group (DIRS, READ, WRITE) > the ALL command group

3. Application sequence of access control

Regardless of the order in which they appear, Deny rules are applied first, then Allow rules.

4. System permissions

Linux system permissions still apply. If the directory test is set to allow writing in proftpd, but the user only has read permission on the test directory at the filesystem level, then the user still cannot write to the test directory.

- 1. Inheritance

- 2. Priority

- 3. Application sequence of access control, for example:

AllowUser U1
DenyAll

One explanation: according to reference 1, the order in which access controls are applied should be related to the order in which they appear, but I found in my tests that the order of occurrence had no effect. That is, with the access control above, it makes no difference whether AllowUser U1 or DenyAll comes first.

III. Examples

1. Introduction

Suppose there are five users on the proftpd server:

manager, manA1, manA2, manB1, manB2

and 2 groups:

groupA, groupB

manA1 and manA2 belong to the groupA group; manB1 and manB2 belong to the groupB group.

And has the following directory structure:

/                      (root directory)
└── ftproot/
    ├── manager/
    ├── groupA/
    │   ├── A1/
    │   ├── A2/
    │   └── .../
    └── groupB/
        ├── B1/
        ├── B2/
        └── .../

The permissions to be implemented now:

1. User manager can read and write the manager, groupA and groupB directories and their subdirectories.

2. manA1 can read and write the A1 directory, and can read and write all subdirectories of groupB.

3. manA2 can read and write the A2 directory and all subdirectories of groupB.

4. manB1 can read and write the B1 directory.

5. manB2 can read and write the B2 directory.

6. If a user does not have access to a directory, the user cannot see the directory.

7. Only the manager user and members of the groupA and groupB groups are allowed to access the FTP server.

8. No one is allowed to destroy the backbone directory structure.

2. Implementation

(1) Add users and groups

useradd manager
passwd manager
groupadd groupA
groupadd groupB
useradd manA1
passwd manA1
usermod -G groupA manA1
useradd manA2
passwd manA2
usermod -G groupA manA2
useradd manB1
passwd manB1
usermod -G groupB manB1
useradd manB2
passwd manB2
usermod -G groupB manB2

(2) Configuration file

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "Formax BPO FTP Server"
ServerType standalone
DefaultServer on

# Port 21 is the standard FTP port.
Port 21
UseReverseDNS off
IdentLookups off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
# Note: the value used here is 000, which makes every uploaded file and
# every new directory world-writable at the filesystem level (see principle 4).
Umask 000

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30

# Set the user and group under which the server will run.
User nobody
Group nogroup

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
# DefaultRoot ~
DefaultRoot /ftproot

# Normally, we want files to be overwriteable.
AllowOverwrite on
AllowStoreRestart on
ServerIdent off

TLSEngine on
TLSLog /var/ftpd/tls.log
# SSLv23 was the catch-all protocol value in the ProFTPD 1.3.1 era.
TLSProtocol SSLv23

# Are clients required to use FTP over TLS when talking to this server?
TLSRequired on

# Server's certificate
TLSRSACertificateFile /etc/proftpd.cert
TLSRSACertificateKeyFile /etc/proftpd.key

# CA the server trusts
TLSCACertificateFile /etc/proftpd.cert

# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
TLSOptions NoCertRequest

# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotiations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
TLSRenegotiate required off

# Bar use of SITE CHMOD by default
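The configuration file above stops before the <Directory>/<Limit> blocks that actually implement the eight requirements. The following script is an added example, not code from the original article: it rehearses the filesystem side of the scheme (principle 4, requirements 6 and 8) under a directory of your choosing and prints a <Directory>/<Limit> fragment to append to proftpd.conf. The ownership layout, the use of HideNoAccess for hiding, the `manager` primary group created by useradd, and the assumption that manager has also been added to groupA and groupB (`usermod -a -G groupA,groupB manager`, which the article's steps do not do) are all this example's own choices; the fragment also shows where principles 1 to 3 come into play, and that the Order directive, not textual position, decides how Allow and Deny are evaluated.

```shell
#!/bin/sh
# Added example (not from the original article): builds the ftproot tree with
# filesystem permissions matching the article's requirements and prints the
# <Directory>/<Limit> fragment that the article's proftpd.conf stops before.
# Assumptions (not on the page): manager is also a member of groupA and groupB,
# useradd created a primary group named "manager", and chown runs only as root.
set -eu

# make_dir ROOT RELPATH OWNER GROUP MODE: create one directory with its mode;
# ownership is applied only when running as root, otherwise it is echoed.
make_dir() {
    dir="$1/$2"
    mkdir -p "$dir"
    chmod "$5" "$dir"
    if [ "$(id -u)" -eq 0 ] && [ "${DRY_RUN:-0}" = 0 ]; then
        chown "$3:$4" "$dir"
    else
        echo "would chown $3:$4 $dir"
    fi
}

# build_tree ROOT: ROOT stands in for "/" (pass a temp dir to rehearse).
# The group column carries the cross-group grants the requirements ask for.
build_tree() {
    root="$1"
    make_dir "$root" ftproot           root    root    755  # backbone: root-owned, nobody else may write (req 8)
    make_dir "$root" ftproot/manager   manager manager 750
    make_dir "$root" ftproot/groupA    root    groupA  750  # only groupA (and manager) may enter, so hidden from manB* (req 6)
    make_dir "$root" ftproot/groupB    root    root    755  # everyone may enter; its leaves restrict
    make_dir "$root" ftproot/groupA/A1 manA1   manager 770  # manA1 plus manager; manA2 gets no access
    make_dir "$root" ftproot/groupA/A2 manA2   manager 770
    make_dir "$root" ftproot/groupB/B1 manB1   groupA  770  # manB1 plus all of groupA (manager included by assumption)
    make_dir "$root" ftproot/groupB/B2 manB2   groupA  770
}

# leaf_block PATH directive...: a <Directory> block that re-opens WRITE for the
# listed Allow directives; the inherited DenyAll from /ftproot covers everyone else.
leaf_block() {
    printf '<Directory %s>\n  <Limit WRITE>\n' "$1"
    shift
    for directive in "$@"; do printf '    %s\n' "$directive"; done
    printf '    DenyAll\n  </Limit>\n</Directory>\n'
}

# proftpd_limits: the fragment to append to the article's proftpd.conf.
proftpd_limits() {
    cat <<'EOF'
# 7. Only manager and members of groupA or groupB may log in. One AllowGroup
#    per line: a comma-separated list in one group expression is AND-ed.
<Limit LOGIN>
  AllowUser manager
  AllowGroup groupA
  AllowGroup groupB
  DenyAll
</Limit>

# 8. Backbone: WRITE is denied everywhere under /ftproot; deeper <Directory>
#    blocks inherit this (principle 1) unless they override it. HideNoAccess
#    hides entries the OS permissions already forbid (principle 4, req 6).
#    The WRITE group limit takes effect over the ALL group (principle 2).
<Directory /ftproot>
  HideNoAccess on
  <Limit WRITE>
    DenyAll
  </Limit>
  <Limit SITE_CHMOD>
    DenyAll
  </Limit>
</Directory>

# Leaves re-open WRITE. Putting AllowUser before or after DenyAll changes
# nothing (principle 3): the Order directive, not textual position, decides.
EOF
    leaf_block /ftproot/manager   "AllowUser manager"
    leaf_block /ftproot/groupA/A1 "AllowUser manager" "AllowUser manA1"
    leaf_block /ftproot/groupA/A2 "AllowUser manager" "AllowUser manA2"
    leaf_block /ftproot/groupB/B1 "AllowUser manager" "AllowUser manB1" "AllowGroup groupA"
    leaf_block /ftproot/groupB/B2 "AllowUser manager" "AllowUser manB2" "AllowGroup groupA"
}

# Usage: sh this.sh /tmp/rehearsal   (builds the tree there and prints the fragment)
if [ "$#" -gt 0 ]; then
    build_tree "$1"
    proftpd_limits
fi
```

Run it against a scratch directory first; with DRY_RUN=1, or as a non-root user, it only echoes the chown calls, so you can check the mode and ownership plan before touching the real /ftproot. The fragment relies on the filesystem for hiding and for the backbone (a root-owned 755 directory cannot be removed by anyone else whatever the <Limit> says), and on the inherited WRITE deny for everything the leaves do not explicitly re-open.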

Thank you for reading. The above is the content of "what is the principle of setting Proftpd permissions". After studying this article, I believe you have a deeper understanding of the principle of setting Proftpd permissions; the specific usage still needs to be verified in practice. The editor will push more articles on related knowledge points for you; welcome to follow!


© 2024 shulou.com SLNews company. All rights reserved.
