Shulou(Shulou.com)06/01 Report--

This article mainly explains the principle and usage of FTP virtual users. Interested friends may wish to have a look. The method introduced in this paper is simple, fast and practical. Let Xiaobian take you to learn "the principle and usage of FTP virtual users"!

Virtual User Principle

Because under linux, after using vsftp to create a user, the default ftp access will access the corresponding user's home directory. If you want multiple users to access a directory at the same time, and have different permissions to the same directory, for example, some users can only view, not modify, or some users can only download these permissions, these settings can only be set by virtual users in vsftp, ordinary users cannot achieve this effect.

Therefore, by establishing a common system user, establishing a home directory, and then mapping all virtual users to the corresponding common system user home directory, and then controlling the permissions of each virtual user, the above effect is achieved.

new user

New user marility, user lock in/var/www/ruibiaofangxuan directory

mkdir /var/www/ruibiaofangxuanuseradd -d /var/www/ruibiaofangxuan marilitychown marility.marility /var/www/ruibiaofangxuanchmod u-w /var/www/ruibiaofangxuan

Generate random passwords for virtual users

[root@marility ~]# tr -cd '[:alnum:]' < /dev/urandom | fold -w32 |head -n1eFEBgVTfWJ66OhQ3rTuGB4kt5k5r0aMW

vsftp profile settings

[root@marility vsftpd]# grep ^[^#] /etc/vsftpd/vsftpd.confanonymous_enable=NO ##Disable anonymous userslocal_enable=YES ##Open local account, virtual account needs to be mapped to local account write_enable=YES local_umask=022 ##local user umask value anon_umask=022 ##virtual user umask value setting dirmessage_enable=YESxferlog_enable=YESconnect_from_port_20=YESxferlog_file=/var/log/xferlog ##log path xferlog_std_format=YESascii_upload_enable=YES ##Allow uploading ascii format files ascii_download_enable=YESftpd_banner=Welcome to blah FTP service.chroot_local_user=YES ##Imprison users at home directory chroot_list_enable=NO ##Do not enable local disabled directory, do not need to open a local list filter when using virtual users listen=YES ##Listen_ipv6 =NOallow_writable_chroot=YES ##You can write because you need to remove the user write permission to imprison the home directory tcp_wrappers=YESguest_enable=YES ##Enable virtual account function guest_username=marility ##Which local user does the virtual account map to pam_service_name=ftp ##Load mechanism of which file in pam.d user_config_dir=/etc/vsftpd/config ##Single permissions for virtual users [root@marility vsftpd]# cat /etc/vsftpd/vuser_listruibiaofangxuan ##Account eFEBgVTfWJ66OhQ3rTuGB4kt5k5r0aMW ##rubiaofangxuan's password admini ##Account adminw ##admini password

Convert password files to db format

[root@marility vsftpd]# db_load -T -t hash -f vuser_list /etc/vsftpd/vuser_list.db

yum -y install db4-utils

The requested URL/etc/vftpd/vuser_list.db was not found on this server.

User password settings and db resolution settings

[root@marility vsftpd]# cat /etc/pam.d/ftpauth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser_listaccount required /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser_list

auth is the authentication of a user's username and password.

Accout means verifying what permissions and restrictions a user's account has.

The following/lib/security/pam_userdb.so indicates that the audit will call pam_userdb.so library function.

Note that this function will be located differently depending on the number of bits in the system, and can be viewed via rpm -ql pam

At the same time, the file pointed to by db actually points to vuser_list.db, but the db suffix is omitted by default, so the above db point cannot be written as vuser_list.db when configured.

Set permissions for virtual users

[root@marility vsftpd]# cat /etc/vsftpd/config/admini anon_world_readable_only=NO ##Turn off read-only anon_upload_enable=YES ##Allow uploads anon_mkdir_write_enable=YES ##Allow new directories anon_other_write_enable=YES ##Allow directory/file name modification, delete local_root=/var/www/ruibiaofangxuan/home ##home directory mapping [root@marility vsftpd]# cat /etc/vsftpd/config/ruibiaofangxuan anon_world_readable_only=NOanon_upload_enable=YESanon_mkdir_write_enable=NOanon_other_write_enable=NOlocal_root=/var/www/ruibiaofangxuan/home

For security reasons, you need to imprison users in your home directory, so you will turn on the chroot_local_user=YES function in vsftpd.conf, and you need to turn off the user's write permission to your home directory.

After this setting, the virtual user cannot write data to the mapped user's home directory

The requested URL/var/www/ruibiaofangxuan/was not found on this server.

Also change the parent group of this directory to marility, and use chmod to change permissions

In the/etc/vsftpd/config file, set the mapping path local_root of the two users to the created directory

systemctl restart vsftpd systemctl enable vsftpd

Restart the service

That is, ordinary users can only download and upload data, while admini users have all permissions and are also locked in/var/www/ruibiaofangxuan.

At this point, I believe that we have a deeper understanding of the "FTP virtual user principle and usage", may wish to actually operate it! Here is the website, more related content can enter the relevant channels for inquiry, pay attention to us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.