FTP virtual user usage

  • 2020-06-19 12:22:32
  • OfStack

Principle of virtual users

Under Linux, once a user has been created for vsftpd, an FTP login lands by default in that user's home directory. If several users should access the same directory at the same time but with different permissions on that one directory, for example some users may only read and not change anything, or some may download but not upload, these settings can only be made with vsftpd virtual users; ordinary system users cannot achieve this effect.

Therefore an ordinary system user is created together with its home directory, all virtual users are mapped onto that system user's home directory, and permissions are then controlled per virtual user to achieve the effect above.

Creating a new user

Create the user marility and confine it to the /var/www/ruibiaofangxuan directory:


mkdir /var/www/ruibiaofangxuan
useradd -d /var/www/ruibiaofangxuan marility      ## this directory becomes the FTP root
chown marility:marility /var/www/ruibiaofangxuan
chmod u-w /var/www/ruibiaofangxuan                ## the chroot root itself must not be writable by the user

Generate a random password for the virtual user


[root@marility ~]# tr -cd '[:alnum:]' < /dev/urandom | fold -w32 |head -n1
eFEBgVTfWJ66OhQ3rTuGB4kt5k5r0aMW

vsftpd configuration file settings (only the active lines are shown)


[root@marility vsftpd]# grep ^[^#] /etc/vsftpd/vsftpd.conf
anonymous_enable=NO         ## Forbid anonymous users 
local_enable=YES            ## Enable local accounts; virtual accounts are mapped onto a local account 
write_enable=YES            
local_umask=022           ## umask for local users 
anon_umask=022           ## umask for virtual users 
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog        ## Transfer log path 
xferlog_std_format=YES
ascii_upload_enable=YES       ## Allow uploads in ASCII mode 
ascii_download_enable=YES
ftpd_banner=Welcome to blah FTP service.
chroot_local_user=YES          ## Confine users to their home directory 
chroot_list_enable=NO  ## No chroot exception list; it is not needed when using virtual users 
listen=YES             ## Listen on IPv4
listen_ipv6=NO
allow_writeable_chroot=YES       ## Permit a writable chroot; the user's write permission on the home directory itself is removed anyway 
tcp_wrappers=YES
guest_enable=YES            ## Enable virtual accounts 
guest_username=marility       ## The local user that virtual accounts are mapped onto 
pam_service_name=ftp          ## Which file under /etc/pam.d is used for PAM authentication 
user_config_dir=/etc/vsftpd/config   ## Directory holding the per-virtual-user permission files 


[root@marility vsftpd]# cat /etc/vsftpd/vuser_list
ruibiaofangxuan                     ## account 
eFEBgVTfWJ66OhQ3rTuGB4kt5k5r0aMW    ## password for ruibiaofangxuan 
admini                              ## account 
adminipw                            ## password for admini 

Convert the password file to db format. The file must contain only the alternating username and password lines; the ## annotations above are explanatory and must not appear in the real file.


[root@marility vsftpd]# db_load -T -t hash -f vuser_list /etc/vsftpd/vuser_list.db

If the db_load command is missing, install it with yum -y install db4-utils.

Then restrict the permissions: chmod 600 /etc/vsftpd/vuser_list.db

PAM settings for looking up user passwords in the db file


[root@marility vsftpd]# cat /etc/pam.d/ftp
auth  required  /lib64/security/pam_userdb.so  db=/etc/vsftpd/vuser_list
account required  /lib64/security/pam_userdb.so  db=/etc/vsftpd/vuser_list

auth authenticates the user's username and password.
account validates what permissions and restrictions the user's account has.
The /lib64/security/pam_userdb.so that follows means the check is carried out by calling the pam_userdb.so module.
Note that the path of this module varies with the system architecture (/lib/security/ on 32-bit systems). You can find it with rpm -ql pam.
Meanwhile, the file named by db= is really vuser_list.db, but the .db suffix is omitted because the module appends it by default. Therefore it must not be written as vuser_list.db in the configuration.
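The password generation, account list and db_load steps above, as an added shell example that is not code from the original article: it validates the plain account list before converting it, because db_load -T reads alternating key/value lines and a stray blank or odd line silently shifts usernames into password slots. The function names and the BASE-without-.db convention are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original article: builds the vsftpd
# virtual-user credential database from a plain account list and checks
# the list first. The function and variable names are this example's own.
set -e

# Generate one random password the same way the article does; the C locale
# keeps tr from rejecting non-UTF-8 bytes from /dev/urandom. Length is $1 (default 32).
gen_password() {
    LC_ALL=C tr -cd 'A-Za-z0-9' < /dev/urandom | fold -w "${1:-32}" | head -n 1
}

# db_load -T reads alternating key/value lines, so an odd line count or a
# blank line silently shifts every following username into a password slot.
# check_vuser_list FILE returns 0 only if the layout is sane.
check_vuser_list() {
    file=$1
    n=$(awk 'END { print NR }' "$file")
    if [ "$n" -eq 0 ] || [ $((n % 2)) -ne 0 ]; then
        echo "$file: expected an even, non-zero number of lines, got $n" >&2
        return 1
    fi
    if grep -q '^[[:space:]]*$' "$file"; then
        echo "$file: blank line present" >&2
        return 1
    fi
    # usernames are the odd lines: reject whitespace and duplicates
    awk 'NR % 2 == 1 {
             if ($0 ~ /[[:space:]]/) { print "bad username at line " NR > "/dev/stderr"; bad = 1 }
             if (seen[$0]++)         { print "duplicate user " $0 > "/dev/stderr";  bad = 1 }
         }
         END { exit bad }' "$file"
}

# build_vuser_db LIST BASE: convert LIST into BASE.db (pass BASE, not
# BASE.db, to pam_userdb) and lock both files down, since both hold
# plaintext passwords.
build_vuser_db() {
    check_vuser_list "$1"
    db_load -T -t hash -f "$1" "$2.db"
    chmod 600 "$1" "$2.db"
}
```

For the article's layout the call is build_vuser_db /etc/vsftpd/vuser_list /etc/vsftpd/vuser_list, matching the db=/etc/vsftpd/vuser_list line in /etc/pam.d/ftp.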

Set the per-user permissions for the virtual users


[root@marility vsftpd]# cat /etc/vsftpd/config/admini 
anon_world_readable_only=NO           ## Do not restrict downloads to world-readable files 
anon_upload_enable=YES             ## Allow uploads 
anon_mkdir_write_enable=YES           ## Allow creating directories 
anon_other_write_enable=YES           ## Allow renaming and deleting files and directories 
local_root=/var/www/ruibiaofangxuan/home      ## Directory the user is mapped into 

[root@marility vsftpd]# cat /etc/vsftpd/config/ruibiaofangxuan 
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
local_root=/var/www/ruibiaofangxuan/home

For security the users must stay inside the home directory, so chroot_local_user=YES is enabled in vsftpd.conf, and the user's write permission on the home directory itself is removed as well.

After this setting the virtual users cannot write to the mapped user's home directory.

So create a new directory /var/www/ruibiaofangxuan/home inside marility's home directory.

Change its owner to marility and set its permissions with chmod.

In the files under /etc/vsftpd/config, point the local_root mapping of both users at the directory just created.
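The per-user permission files and the chroot directory layout described above, as an added shell example that is not code from the original article. The role names readonly, upload and full are this example's own generalization: upload reproduces the ruibiaofangxuan profile, full the admini profile, and readonly goes one step further than the article; CONFIG_DIR and LOCAL_ROOT default to the article's paths.

```shell
#!/bin/sh
# Added example, not code from the original article: writes the per-user
# permission file under user_config_dir and sets up the chroot layout the
# article describes. Role names and function names are this example's own.
set -e

CONFIG_DIR=${CONFIG_DIR:-/etc/vsftpd/config}          # must match user_config_dir
LOCAL_ROOT=${LOCAL_ROOT:-/var/www/ruibiaofangxuan/home}

# write_vuser_profile USER ROLE: only the anon_* write switches the role
# needs are YES; everything else stays NO (deny by default).
write_vuser_profile() {
    user=$1 role=$2
    case $role in
        readonly) up=NO  mk=NO  ow=NO ;;
        upload)   up=YES mk=NO  ow=NO ;;
        full)     up=YES mk=YES ow=YES ;;
        *) echo "unknown role: $role" >&2; return 1 ;;
    esac
    case $user in                       # the name becomes a file name under CONFIG_DIR
        ''|*[!A-Za-z0-9_.-]*|.*) echo "bad user name: $user" >&2; return 1 ;;
    esac
    mkdir -p "$CONFIG_DIR"
    printf '%s\n' \
        "anon_world_readable_only=NO" \
        "anon_upload_enable=$up" \
        "anon_mkdir_write_enable=$mk" \
        "anon_other_write_enable=$ow" \
        "local_root=$LOCAL_ROOT" > "$CONFIG_DIR/$user"
    chmod 600 "$CONFIG_DIR/$user"
}

# profile_value USER KEY: read one setting back, to verify what was granted.
profile_value() {
    sed -n "s/^$2=//p" "$CONFIG_DIR/$1"
}

# setup_chroot_layout CHROOT MAPUSER (needs root): the chroot root loses the
# owner's write bit, as in the article, and uploads land in the writable
# home subdirectory that local_root points at.
setup_chroot_layout() {
    mkdir -p "$1/home"
    chown "$2:$2" "$1" "$1/home"
    chmod u-w "$1"
    chmod u+rwx "$1/home"
}
```

For the article's setup: setup_chroot_layout /var/www/ruibiaofangxuan marility, then write_vuser_profile admini full and write_vuser_profile ruibiaofangxuan upload.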


Restart the service and enable it at boot:


systemctl restart vsftpd
systemctl enable vsftpd

In other words, the ordinary user can only download and upload files, while the admini user has all permissions, and both are confined to the directory /var/www/ruibiaofangxuan.

