FTP virtual user usage
- 2020-06-19 12:22:32
- OfStack
Principle of virtual users
Under Linux, once a system user has been created for vsftpd, an FTP login as that user lands in the user's home directory. If several people need access to the same directory with different permissions (some may only list and download, others may upload but not delete), those per-user settings can only be expressed with vsftpd's virtual users; ordinary system accounts cannot achieve this.
The approach is therefore: create one ordinary system user with a home directory, map all virtual users onto that system user's home directory, and then control what each virtual user may do through its own vsftpd configuration file.
Create the system user
Create the user marility and confine it to the directory /var/www/ruibiaofangxuan
mkdir /var/www/ruibiaofangxuan
useradd -d /var/www/ruibiaofangxuan marility ## add -s /sbin/nologin if nobody needs a shell for this account
chown marility:marility /var/www/ruibiaofangxuan
chmod u-w /var/www/ruibiaofangxuan ## remove the owner's write bit so virtual users cannot write at the top of the jail
Generate random passwords for virtual users
[root@marility ~]# tr -cd '[:alnum:]' < /dev/urandom | fold -w32 |head -n1
eFEBgVTfWJ66OhQ3rTuGB4kt5k5r0aMW
vsftpd configuration file settings
[root@marility vsftpd]# grep ^[^#] /etc/vsftpd/vsftpd.conf
anonymous_enable=NO ## disable anonymous logins
local_enable=YES ## local logins must stay on, because the virtual accounts are mapped to a local account
write_enable=YES
local_umask=022 ## umask for local users
anon_umask=022 ## umask for virtual users (they are governed by the anon_* settings)
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog ## transfer log path
xferlog_std_format=YES
ascii_upload_enable=YES ## allow ASCII-mode uploads
ascii_download_enable=YES
ftpd_banner=Welcome to blah FTP service.
chroot_local_user=YES ## jail users in their home (here: local_root) directory
chroot_list_enable=NO ## no exception list; with virtual users nobody should be exempt from the chroot
listen=YES ## listen on IPv4
listen_ipv6=NO
allow_writeable_chroot=YES ## required because the jail root (local_root) is writable; without it vsftpd rejects the login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"
tcp_wrappers=YES
guest_enable=YES ## enable virtual accounts
guest_username=marility ## local user the virtual accounts are mapped to
pam_service_name=ftp ## which file under /etc/pam.d is used for authentication
user_config_dir=/etc/vsftpd/config ## directory holding one configuration file per virtual user
[root@marility vsftpd]# cat /etc/vsftpd/vuser_list
ruibiaofangxuan
eFEBgVTfWJ66OhQ3rTuGB4kt5k5r0aMW
admini
adminipw
The file consists of strictly alternating lines: a username, then that user's password (ruibiaofangxuan with the random password generated above, admini with the password adminipw). Do not put comments, blank lines or trailing spaces in this file: db_load reads every line as data, so a comment would end up inside a username or a password.
Convert the password file to db format
[root@marility vsftpd]# db_load -T -t hash -f vuser_list /etc/vsftpd/vuser_list.db
If the db_load command is missing, install the Berkeley DB utilities (db4-utils on CentOS 6, libdb-utils on CentOS 7).
Then restrict the permissions: chmod 600 /etc/vsftpd/vuser_list.db. Do the same for the plaintext vuser_list, or delete it, since both files hold the passwords in clear.
PAM settings: looking up user passwords in the db file
[root@marility vsftpd]# cat /etc/pam.d/ftp
auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser_list
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser_list
auth authenticates the user's username and password.
account checks whether the account is permitted to log in (its permissions and restrictions).
The module path /lib64/security/pam_userdb.so means the check is carried out by the pam_userdb module. Its location depends on the architecture (/lib/security on 32-bit, /lib64/security on 64-bit systems); find it with rpm -ql pam. Writing just pam_userdb.so, without a path, lets PAM locate the module itself.
The db= value refers to vuser_list.db, but the .db suffix is appended by the module, so it must be written as /etc/vsftpd/vuser_list and not as /etc/vsftpd/vuser_list.db.
Set the permissions for each virtual user
[root@marility vsftpd]# cat /etc/vsftpd/config/admini
anon_world_readable_only=NO ## allow downloading files even if they are not world-readable
anon_upload_enable=YES ## allow uploads
anon_mkdir_write_enable=YES ## allow creating directories
anon_other_write_enable=YES ## allow renaming and deleting files and directories
local_root=/var/www/ruibiaofangxuan/home ## directory the user lands in (and is jailed in)
[root@marility vsftpd]# cat /etc/vsftpd/config/ruibiaofangxuan
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
local_root=/var/www/ruibiaofangxuan/home
For security the users must stay inside their directory, so chroot_local_user=YES is enabled in vsftpd.conf, and the owner's write permission on the home directory /var/www/ruibiaofangxuan was removed.
With that setting the virtual users cannot write into the mapped user's home directory itself.
So create a subdirectory /var/www/ruibiaofangxuan/home inside the home directory, chown it to marility and set its permissions with chmod so that marility can write there.
In both files under /etc/vsftpd/config, point local_root at that subdirectory.
Restart the service and enable it at boot
systemctl restart vsftpd
systemctl enable vsftpd
Result: the ordinary user ruibiaofangxuan can only download and upload files (no directory creation, renaming or deletion), while admini has full write permissions; both are locked inside /var/www/ruibiaofangxuan/home, the local_root directory, which is also the chroot jail. Verify by logging in as each user and attempting a mkdir or a delete.
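The password generation, vuser_list layout, db_load step and per-user config files from the sections above, gathered into one script. This is an added example, not code from the original post; the output directory argument, the profile names ro/upload/full and the check that rejects comment lines are my own, and db_load is only invoked when it is installed.

```shell
#!/bin/bash
# Added example (not from the original post): build the vsftpd virtual-user
# files in the layout the post describes. Assumptions not in the post: the
# output directory is passed as an argument, the profile names ro/upload/full
# are my own naming, and db_load is only run when present on the system.

# Random 32-character alphanumeric password, same pipeline as the post.
gen_password() {
    tr -cd '[:alnum:]' < /dev/urandom | fold -w32 | head -n1
}

# Write vuser_list as strictly alternating "username" / "password" lines.
# db_load -T treats every line as data, so the file must contain no
# comments, blank lines or trailing spaces.
# $1 = output file, remaining args = name=password pairs.
write_vuser_list() {
    local out=$1; shift
    : > "$out"
    local pair
    for pair in "$@"; do
        printf '%s\n%s\n' "${pair%%=*}" "${pair#*=}" >> "$out"
    done
    chmod 600 "$out"
}

# Sanity check before feeding the file to db_load: even, non-zero line
# count, no '#' anywhere (comment lines), no empty lines. Returns 0 if usable.
check_vuser_list() {
    local f=$1 n
    n=$(wc -l < "$f")
    [ "$n" -gt 0 ] && [ $((n % 2)) -eq 0 ] || return 1
    ! grep -qE '^[[:space:]]*$|#' "$f"
}

# Per-user config file under user_config_dir.
# $1 = config dir, $2 = user, $3 = profile (ro|upload|full), $4 = local_root.
write_user_config() {
    local dir=$1 user=$2 profile=$3 root=$4
    local upload=NO mkdir=NO other=NO
    case $profile in
        ro)     ;;
        upload) upload=YES ;;
        full)   upload=YES mkdir=YES other=YES ;;
        *)      echo "unknown profile: $profile" >&2; return 1 ;;
    esac
    mkdir -p "$dir"
    cat > "$dir/$user" <<EOF
anon_world_readable_only=NO
anon_upload_enable=$upload
anon_mkdir_write_enable=$mkdir
anon_other_write_enable=$other
local_root=$root
EOF
}

# Build vuser_list.db next to the list; pam_userdb must then be given
# db=<path without the .db suffix>.
build_db() {
    local list=$1
    if command -v db_load >/dev/null 2>&1; then
        db_load -T -t hash -f "$list" "$list.db" && chmod 600 "$list.db"
    else
        echo "db_load not found: install db4-utils (CentOS 6) or libdb-utils (CentOS 7)" >&2
        return 1
    fi
}

# Usage: main /tmp/vsftpd-demo  (writes into a scratch dir, so no root needed;
# copy the results to /etc/vsftpd afterwards)
main() {
    local base=${1:-/tmp/vsftpd-demo}
    mkdir -p "$base"
    local pw1 pw2
    pw1=$(gen_password); pw2=$(gen_password)
    write_vuser_list "$base/vuser_list" "ruibiaofangxuan=$pw1" "admini=$pw2"
    check_vuser_list "$base/vuser_list" || { echo "bad vuser_list" >&2; return 1; }
    write_user_config "$base/config" ruibiaofangxuan upload /var/www/ruibiaofangxuan/home
    write_user_config "$base/config" admini full /var/www/ruibiaofangxuan/home
    build_db "$base/vuser_list" || true
    echo "files written under $base (passwords are in $base/vuser_list)"
}

case ${1:-} in '') ;; *) main "$1" ;; esac
```

The check_vuser_list step is the one worth keeping even if the rest is done by hand: a single stray comment line shifts every following key/value pair by one, and the resulting db authenticates nobody without any error from db_load.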