2025-01-19 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article mainly introduces how to build a vsftpd server application based on virtual users, which is very detailed and has a certain reference value. Interested friends must read it!
Installation:
```
[root@server ~]# yum install -y vsftpd
[root@server ~]# rpm -ql vsftpd
/etc/logrotate.d/vsftpd
/etc/pam.d/vsftpd
/etc/rc.d/init.d/vsftpd
/etc/vsftpd
/etc/vsftpd/ftpusers
/etc/vsftpd/user_list
/etc/vsftpd/vsftpd.conf
/etc/vsftpd/vsftpd_conf_migrate.sh
/usr/sbin/vsftpd
...
[root@server ~]# /etc/init.d/vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
[root@server ~]# netstat -lntup | grep 21
tcp        0      0 0.0.0.0:21        0.0.0.0:*       LISTEN      3419/vsftpd
[root@server ~]# cd /var/ftp/pub
[root@server pub]# ll
total 0
[root@server pub]# cp /etc/fstab .
```
Go to browser to test:
1. Establish the account database file of the virtual FTP users
2. Create the FTP root directory and the system user that the virtual users are mapped to
3. Establish the PAM authentication file that supports virtual users
4. Add the supporting configuration to the vsftpd.conf file
5. Create independent configuration files for individual virtual users
6. Reload the vsftpd configuration
7. Access test using the virtual FTP accounts
Process example:
1. Establish the account database file of the virtual FTP users
Set up a list of account names and passwords of virtual users (through local files)
```
[root@filesvr ~]# vi /etc/vsftpd/vusers.list
fedora
123
gentoo
456
[root@filesvr ~]# cd /etc/vsftpd/
[root@filesvr vsftpd]# db_load -T -t hash -f vusers.list vusers.db
[root@filesvr vsftpd]# file vusers.db
vusers.db: Berkeley DB (Hash, version 8, native byte-order)
[root@filesvr vsftpd]# chmod 600 vusers.list vusers.db
```
2. Create the FTP root directory and the system user that the virtual users are mapped to
```
[root@filesvr ~]# mkdir /var/ftproot
[root@filesvr ~]# useradd -d /var/ftproot -s /sbin/nologin virtual
[root@filesvr ~]# chmod 755 /var/ftproot/
```
3. Establish the PAM authentication file that supports virtual users
```
[root@filesvr ~]# vi /etc/pam.d/vsftpd.vu
#%PAM-1.0
auth    required  pam_userdb.so  db=/etc/vsftpd/vusers
account required  pam_userdb.so  db=/etc/vsftpd/vusers
```
4. Add the supporting configuration to the vsftpd.conf file
```
[root@filesvr ~]# vi /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_umask=022
guest_enable=YES
guest_username=virtual
pam_service_name=vsftpd.vu
# allow the (anonymous-style) virtual accounts to upload files
anon_upload_enable=YES
# allow them to create directories
anon_mkdir_write_enable=YES
# allow them to delete and rename
anon_other_write_enable=YES
dirmessage_enable=YES
...
```
The explanatory comments are on lines of their own: vsftpd does not strip a trailing "# ..." from an option line, so a value such as "YES # comment" is rejected as a bad boolean and the service refuses to start.
5. Create independent configuration files for individual virtual users
Add user configuration directory support to the vsftpd.conf file
```
user_config_dir=/etc/vsftpd/vusers_dir
```
Set up independent configuration directories and files for users fedora and gentoo
Each configuration file is named exactly like the user it applies to
```
[root@filesvr ~]# mkdir /etc/vsftpd/vusers_dir/
[root@filesvr ~]# cd /etc/vsftpd/vusers_dir/
[root@filesvr vusers_dir]# touch fedora
[root@filesvr vusers_dir]# vi gentoo
anon_upload_enable=YES
anon_mkdir_write_enable=YES
```
6. Reload the vsftpd configuration
```
[root@filesvr ~]# service vsftpd reload
```
7. Access test using the virtual FTP accounts
Log in to the FTP server as the users fedora and gentoo and test downloading and uploading:
The fedora user can log in, browse and download files, but cannot upload
The gentoo user can log in, browse, download and upload files
Anonymous users and other system users cannot log in at all
When using the db_load command, the "-f" option specifies the username/password list file, the "-T" option allows non-Berkeley DB applications to use DB data files converted from text format, and the "-t hash" option selects the underlying access method (a hash database). For more information on the db_load command, please refer to the file /usr/share/doc/db4-utils-4.3.29/utility/db_load.html
Setting the permissions of the account file to 600 can effectively improve security.
The vsftpd virtual users need a corresponding system user account (this account needs neither a password nor a login shell). The home directory of that account serves as the common FTP root directory for all virtual users after login.
PAM configuration file (the name can be defined by yourself) is mainly used to provide user authentication control for programs. The default PAM configuration file used by vsftpd service is / etc/pam.d/vsftpd. You can refer to the format of this file to establish a new PAM configuration file for virtual user authentication control.
Adding the guest_enable and guest_username configuration items to vsftpd.conf maps all virtual users that access the FTP service to the same system user account, virtual. The pam_service_name configuration item is changed to point to the PAM configuration file /etc/pam.d/vsftpd.vu established in the previous step
In the vsftpd service, virtual user accounts are treated as anonymous users by default to reduce permissions, so the corresponding permission settings typically use configuration items that begin with anon_. For example, you should use the configuration item anon_umask instead of local_umask when setting the default permission mask for files uploaded by virtual users
Step 5 is actually optional and is not required if you do not need to set separate options for individual users
Although no additional permission settings are needed for the fedora user, an empty configuration file still has to be created for it
If you need to disable or only allow some virtual user accounts, you can also use the / etc/vsftpd/user_list list file. For specific methods, please refer to the example in Section 2.2.3.
It should be noted that adding a virtual user name to the /etc/vsftpd/ftpusers file does not disable the corresponding account.
## Practical example
```
[root@server pub]# cd /etc/vsftpd/
[root@server vsftpd]# vim vusers.list
mike
123
john
456
[root@server vsftpd]# db_load -T -t hash -f vusers.list vusers.db
[root@server vsftpd]# file vusers.db
vusers.db: Berkeley DB (Hash, version 9, native byte-order)
[root@server vsftpd]# chmod 600 ./vusers.*
[root@server vsftpd]# useradd -d /var/ftproot -s /sbin/nologin virtual    # -d specifies the user's home directory
[root@server vsftpd]# chmod 755 /var/ftproot/
[root@server vsftpd]# vi /etc/pam.d/vsftpd.vu
auth    required  pam_userdb.so  db=/etc/vsftpd/vusers
account required  pam_userdb.so  db=/etc/vsftpd/vusers
[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_umask=022
guest_enable=YES
guest_username=virtual
pam_service_name=vsftpd.vu
```
Test:
```
[root@server src]# yum install -y lftp
[root@server src]# lftp mike@127.0.0.1
Password:
lftp mike@127.0.0.1:~> mkdir test
mkdir ok, `test' created
lftp mike@127.0.0.1:/> quit
[root@server src]# cd /var/ftproot/
[root@server ftproot]# ll
total 4
drwx------ 2 virtual virtual 4096 May 16 17:56 test    # the test directory belongs to the mapped system user virtual
```
## Set different permissions for different virtual users
```
[root@server ftproot]# cd /etc/vsftpd/
[root@server vsftpd]# mkdir vusers_home
[root@server vsftpd]# cd vusers_home/
[root@server vusers_home]# vi mike
anon_mkdir_write_enable=YES
anon_upload_enable=YES
```
Test:
```
[root@server vusers_home]# /etc/init.d/vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@server vusers_home]# lftp mike@127.0.0.1
Password:
lftp mike@127.0.0.1:~> mkdir test1
mkdir ok, `test1' created
lftp mike@127.0.0.1:/> quit
[root@server vusers_home]# ll
total 4
-rw-r--r-- 1 root root 51 May 16 18:24 mike
[root@server vusers_home]# ll /var/ftproot/
total 8
drwx------ 2 virtual virtual 4096 May 16 17:56 test
drwx------ 2 virtual virtual 4096 May 16 18:24 test1
[root@server vusers_home]# lftp john@127.0.0.1
Password:
lftp john@127.0.0.1:~> ls
ls: Login failed: 530 Login incorrect.
lftp john@127.0.0.1:~> mkdir test3
mkdir: Login failed: 530 Login incorrect.
lftp john@127.0.0.1:~> quit
[root@server vusers_home]# cp /etc/vsftpd/vusers_home/mike /etc/vsftpd/vusers_home/john
[root@server vusers_home]# /etc/init.d/vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@server vusers_home]# lftp john@127.0.0.1
Password:
lftp john@127.0.0.1:~> mkdir test4
mkdir ok, `test4' created
lftp john@127.0.0.1:/> quit
[root@server vusers_home]# ll /var/ftproot/
total 12
drwx------ 2 virtual virtual 4096 May 16 17:56 test
drwx------ 2 virtual virtual 4096 May 16 18:24 test1
drwx------ 2 virtual virtual 4096 May 16 18:29 test4
```
Continue testing:
```
[root@server vusers_home]# vi /etc/vsftpd/vusers_home/john
anon_mkdir_write_enable=YES
anon_upload_enable=YES
write_enable=YES
virtual_use_local_privs=YES
```
With write_enable=YES and virtual_use_local_privs=YES the virtual user has write permissions (upload, download, delete, rename).
```
[root@server vusers_home]# /etc/init.d/vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@server vusers_home]# lftp john@127.0.0.1
Password:
lftp john@127.0.0.1:~> ls
drwx------ 2 501 501 4096 May 16 09:56 test
drwx------ 2 501 501 4096 May 16 10:24 test1
drwx------ 2 501 501 4096 May 16 10:29 test4
drwx------ 2 501 501 4096 May 16 10:34 test5
lftp john@127.0.0.1:~> rmdir test5              # delete
rmdir ok, `test5' removed
lftp john@127.0.0.1:~> ls
drwx------ 2 501 501 4096 May 16 09:56 test
drwx------ 2 501 501 4096 May 16 10:24 test1
drwx------ 2 501 501 4096 May 16 10:29 test4
lftp john@127.0.0.1:~> cd test4
lftp john@127.0.0.1:~/test4> put /etc/fstab      # upload
855 bytes transferred
lftp john@127.0.0.1:~/test4> ls
-rw-r--r-- 1 501 501 855 May 16 10:43 fstab
lftp john@127.0.0.1:~/test4> get fstab -o /tmp/  # download
855 bytes transferred
lftp john@127.0.0.1:~/test4> mv fstab fftab      # rename
rename successful
lftp john@127.0.0.1:~/test4> ls
-rw-r--r-- 1 501 501 855 May 16 10:46 fftab
```
## Remarks
Remarks on the virtual_use_local_privs parameter:
- virtual_use_local_privs=YES: virtual users have the same permissions as local users.
- virtual_use_local_privs=NO (the default): virtual users have the same permissions as anonymous users.
- virtual_use_local_privs=YES and write_enable=YES: the virtual user has write permissions (upload, download, delete, rename).
- virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=YES and anon_upload_enable=YES: virtual users cannot browse directories and can only upload files, with no other permissions.
- virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO and anon_upload_enable=NO: virtual users can only download files, with no other permissions.
- virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO and anon_upload_enable=YES: virtual users can only upload and download files, with no other permissions.
- virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO and anon_mkdir_write_enable=YES: virtual users can only download files and create folders, with no other permissions.
- virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO and anon_other_write_enable=YES: virtual users can only download, delete and rename files, with no other permissions.
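Because the per-user file from user_config_dir overrides the global vsftpd.conf, the effective rights of a virtual user are not visible in any single file. The script below, an added example that is not part of the original article, merges both files and applies the rules from the Remarks above; it also covers the empty per-user file from step 5. The file contents are constructed samples written to a temporary directory, so nothing on a real host is read or changed.

```shell
# Added example, not from the article: audit what a vsftpd virtual user can actually do.
# vsftpd reads the global file first and then <user_config_dir>/<username>; a key set there
# overrides the global value. The rights table follows the Remarks section above.
set -eu

# vsftpd_get KEY FILE...  -> value of KEY; later files win, comments and blank lines ignored
vsftpd_get() {
  key=$1; shift; val=""
  for f in "$@"; do
    [ -r "$f" ] || continue            # an absent per-user file contributes nothing
    v=$(grep -v '^[[:space:]]*#' "$f" | grep "^${key}=" | tail -n 1 | cut -d= -f2-)
    [ -n "$v" ] && val=$v
  done
  printf '%s' "$val"
}
# vsftpd_rights GLOBAL_CONF [USER_CONF] -> effective rights, space separated.
# Defaults are vsftpd's own: write_enable=NO, anon_world_readable_only=YES, the rest NO.
vsftpd_rights() {
  lp=$(vsftpd_get virtual_use_local_privs "$@");  lp=${lp:-NO}
  we=$(vsftpd_get write_enable "$@");             we=${we:-NO}
  ro=$(vsftpd_get anon_world_readable_only "$@"); ro=${ro:-YES}
  up=$(vsftpd_get anon_upload_enable "$@");       up=${up:-NO}
  mk=$(vsftpd_get anon_mkdir_write_enable "$@");  mk=${mk:-NO}
  ow=$(vsftpd_get anon_other_write_enable "$@");  ow=${ow:-NO}
  if [ "$lp" = YES ]; then               # local-user privileges: write_enable decides
    if [ "$we" = YES ]; then echo "download upload mkdir delete rename"; else echo "download"; fi
    return 0
  fi
  if [ "$we" != YES ]; then echo "download"; return 0; fi
  if [ "$ro" = YES ]; then               # per the Remarks: only uploading works here
    if [ "$up" = YES ]; then echo "upload"; else echo "download"; fi
    return 0
  fi
  r="download"                           # anonymous-style rules: each anon_* adds a right
  [ "$up" = YES ] && r="$r upload"
  [ "$mk" = YES ] && r="$r mkdir"
  [ "$ow" = YES ] && r="$r delete rename"
  echo "$r"
}

# Constructed sample files mirroring the article's configs; no real host is touched.
DEMO=$(mktemp -d)
cat > "$DEMO/vsftpd.conf" <<'EOF'
write_enable=YES
anon_world_readable_only=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
user_config_dir=/etc/vsftpd/vusers_home
EOF
mkdir "$DEMO/vusers_home"
printf 'anon_mkdir_write_enable=YES\nanon_upload_enable=YES\n' > "$DEMO/vusers_home/mike"
printf 'write_enable=YES\nvirtual_use_local_privs=YES\n' > "$DEMO/vusers_home/fush2"
: > "$DEMO/vusers_home/fedora"           # empty per-user file: inherits the global settings
for u in mike fush2 fedora; do echo "$u: $(vsftpd_rights "$DEMO/vsftpd.conf" "$DEMO/vusers_home/$u")"; done
```

Point the two paths at /etc/vsftpd/vsftpd.conf and the real user_config_dir to audit a live server; a user whose file is missing is reported with the global rights only.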
## Using mysql+pam+vsftpd
First, install the required programs
1. Install mysql and pam_mysql
```
# yum -y install mysql-server mysql-devel pam_mysql
```
Note: pam_mysql is provided by the EPEL repository (yum install -y epel-release).
Create a virtual user account
1. Prepare database and related tables
First, make sure that the mysql service is running. Then create a database to store the virtual users; here it is called vsftpd.
```
mysql> create database vsftpd;
mysql> grant select on vsftpd.* to vsftpd@localhost identified by 'redhat';
mysql> grant select on vsftpd.* to vsftpd@127.0.0.1 identified by 'redhat';
mysql> flush privileges;
mysql> use vsftpd;
mysql> create table users (
    ->   id int AUTO_INCREMENT NOT NULL,
    ->   name char(20) binary NOT NULL,
    ->   password char(48) binary NOT NULL,
    ->   primary key (id)
    -> );
```
2. Add a virtual user for the test
Add the required users as needed. Note that their passwords must be stored in hashed form with the PASSWORD() function, which is what the crypt=2 setting of pam_mysql below expects.
```
mysql> insert into users (name,password) values ('fush2',password('asdfg'));
mysql> insert into users (name,password) values ('fush3',password('asdfg'));
```
3. Configure vsftpd
1. Establish the file required for PAM authentication
```
# vi /etc/pam.d/vsftpd.mysql
```
Add the following two lines
```
auth    required /lib64/security/pam_mysql.so user=vsftpd passwd=redhat host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib64/security/pam_mysql.so user=vsftpd passwd=redhat host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
```
Check that the file /lib64/security/pam_mysql.so exists (ll /lib64/security/pam_mysql.so) to confirm that pam_mysql was installed successfully.
Note: depending on how mysql was installed, pam_mysql.so may fail to connect to the mysql server over the unix socket. In that case it is recommended to grant a remote (TCP) connection to mysql and use that to access the vsftpd database.
2. Modify the vsftpd configuration file for mysql authentication
Establish the system user and corresponding directory of virtual user mapping
```
# useradd -s /sbin/nologin -d /var/ftproot virtual    # virtual is the system user the virtual users are mapped to
# chmod go+rx /var/ftproot
```
Make sure the following options are set in /etc/vsftpd/vsftpd.conf
```
[root@server vusers_home]# vi /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
chroot_local_user=YES
```
Then add
```
guest_enable=YES
guest_username=virtual
```
virtual is the system user the virtual users are mapped to, created above with useradd -s /sbin/nologin -d /var/ftproot virtual
And make sure that the value of the pam_service_name option is as follows
```
pam_service_name=vsftpd.mysql
```
Start the vsftpd service
```
# service vsftpd start
# chkconfig vsftpd on
```
Check that the port is listening
```
# netstat -tnlp | grep :21
tcp        0      0 0.0.0.0:21        0.0.0.0:*       LISTEN      23286/vsftpd
```
Test:
```
[root@server ~]# lftp fush2@127.0.0.1
Password:
lftp fush2@127.0.0.1:~> ls
drwx------ 2 501 501 4096 May 16 10:47 test
drwx------ 2 501 501 4096 May 16 10:24 test1
drwx------ 2 501 501 4096 May 16 10:46 test4
lftp fush2@127.0.0.1:/> mkdir test3
mkdir: Access failed: 550 Permission denied. (test3)    # the global anon_mkdir_write_enable=YES is no longer in effect, so there is no permission
lftp fush2@127.0.0.1:/> quit
```
5. Configure virtual users with different access rights
```
# vim vsftpd.conf
```
Add the following options
```
user_config_dir=/etc/vsftpd/vusers_home
[root@server vusers_home]# touch fush2
[root@server vusers_home]# vim fush2
write_enable=YES
virtual_use_local_privs=YES
```
With these settings fush2 has all permissions (download, upload, rename, create, delete)
The tests are as follows:
```
[root@server vusers_home]# /etc/init.d/vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@server vusers_home]# lftp fush2@127.0.0.1
Password:
lftp fush2@127.0.0.1:~> ls
drwx------ 2 501 501 4096 May 16 10:47 test
drwx------ 2 501 501 4096 May 16 10:24 test1
drwx------ 2 501 501 4096 May 16 10:46 test5
lftp fush2@127.0.0.1:~> mkdir test4
mkdir ok, `test4' created
lftp fush2@127.0.0.1:~> cd test4
lftp fush2@127.0.0.1:~/test4> put /etc/fstab
855 bytes transferred
lftp fush2@127.0.0.1:~/test4> ls
-rw-r--r-- 1 501 501 855 May 18 06:29 fstab
lftp fush2@127.0.0.1:~/test4> get /etc/fstab -o /usr/local/src/
855 bytes transferred
lftp fush2@127.0.0.1:~/test4> cd ..
lftp fush2@127.0.0.1:~> ls
drwx------ 2 501 501 4096 May 16 10:47 test
drwx------ 2 501 501 4096 May 16 10:24 test1
drwxr-xr-x 2 501 501 4096 May 18 06:29 test4
drwx------ 2 501 501 4096 May 16 10:46 test5
lftp fush2@127.0.0.1:~> mv test5 test2
rename successful
lftp fush2@127.0.0.1:~> ls
drwx------ 2 501 501 4096 May 16 10:47 test
drwx------ 2 501 501 4096 May 16 10:24 test1
drwx------ 2 501 501 4096 May 16 10:46 test2
drwxr-xr-x 2 501 501 4096 May 18 06:29 test4
lftp fush2@127.0.0.1:~> rm -rf test2
rm ok, 2 files removed
lftp fush2@127.0.0.1:~> ls
drwx------ 2 501 501 4096 May 16 10:47 test
drwx------ 2 501 501 4096 May 16 10:24 test1
drwxr-xr-x 2 501 501 4096 May 18 06:29 test4
```