|
|
安装包:vsftpd(very secure ftp非常安全的ftp)
配置文件:/etc/vsftpd/vsftpd.conf
默认匿名用户根目录/var/ftp/pub
环境:redhat6.1 32bit
实验了匿名用户登录,更改匿名用户默认的登录路径,selinux问题
过程如下:
[iyunv@mail ~]# yum -y install vsftpd
Loaded plugins: refresh-packagekit, rhnplugin
This system is not registered with RHN.
RHN support will be disabled.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package vsftpd.i686 0:2.2.2-11.el6 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
vsftpd i686 2.2.2-11.el6 rhel-source 157 k
Transaction Summary
================================================================================
Install 1 Package(s)
Upgrade 0 Package(s)
Total download size: 157 k
Installed size: 344 k
Downloading Packages:
vsftpd-2.2.2-11.el6.i686.rpm | 157 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : vsftpd-2.2.2-11.el6.i686 1/1
Installed:
vsftpd.i686 0:2.2.2-11.el6
Complete!
[iyunv@mail ~]# service vsftpd start
为 vsftpd 启动 vsftpd: [确定]
[iyunv@mail ~]# chkconfig vsftpd on#设置开机即启动ftp服务
[iyunv@mail ~]# lftp 192.169.1.98
-bash: lftp: command not found
[iyunv@mail ~]# yum -y install lftp
Loaded plugins: refresh-packagekit, rhnplugin
This system is not registered with RHN.
RHN support will be disabled.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package lftp.i686 0:4.0.9-1.el6 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
lftp i686 4.0.9-1.el6 rhel-source 735 k
Transaction Summary
================================================================================
Install 1 Package(s)
Upgrade 0 Package(s)
Total download size: 735 k
Installed size: 2.3 M
Downloading Packages:
lftp-4.0.9-1.el6.i686.rpm | 735 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : lftp-4.0.9-1.el6.i686 1/1
Installed:
lftp.i686 0:4.0.9-1.el6
Complete!
[iyunv@mail ~]# touch /var/ftp/pub/a#匿名用户的默认登陆目录为/var/ftp/pub/
[iyunv@mail ~]# lftp 192.169.1.98
lftp 192.169.1.98:~> ls
drwxr-xr-x 2 0 0 4096 Aug 14 14:19 pub
lftp 192.169.1.98:/> cd pub/
lftp 192.169.1.98:/pub> ls
-rw-r--r-- 1 0 0 0 Aug 14 14:19 a
lftp 192.169.1.98:/pub> quit
#要实现匿名用户的读写,要有几个条件
1.要给/var/ftp/pub/目录other写权限
2./etc/vsftpd/vsftpd.conf 修改anon_upload_enable=YES
3.要关闭selinux,或给目录打上标签
4.创建文件夹另外需要/etc/vsftpd/vsftpd.conf 修改anon_mkdir_write_enable=YES
[iyunv@mail ~]# chmod o+w /var/ftp/pub/
[iyunv@mail ~]# vim /etc/vsftpd/vsftpd.conf#anon_upload_enable=YES
[iyunv@mail ~]# ls
anaconda-ks.cfg install.log Package 公共的 视频 文档 音乐
Finished install.log.syslog Running 模板 图片 下载 桌面
[iyunv@mail ~]# service vsftpd restart
关闭 vsftpd: [确定]
为 vsftpd 启动 vsftpd: [确定]
[iyunv@mail ~]# lftp 192.169.1.98
lftp 192.169.1.98:~> cd pub/
lftp 192.169.1.98:/pub> mkdir anon_dir1
mkdir: Access failed: 550 Permission denied. (anon_dir1)
lftp 192.169.1.98:/pub> put install.log
put: Access failed: 553 Could not create file. (install.log)#只修改两项,此时创建目录和上传都是不行的
lftp 192.169.1.98:/pub> quit
[iyunv@mail ~]# setenforce 0#关闭selinux
[iyunv@mail ~]# lftp 192.169.1.98
lftp 192.169.1.98:~> cd pub/
lftp 192.169.1.98:/pub> ls
-rw-r--r-- 1 0 0 0 Aug 14 14:19 a
lftp 192.169.1.98:/pub> put install.log
41465 bytes transferred
lftp 192.169.1.98:/pub> mkdir anon_dir1#上传可以了,但是创建目录还是不行的
mkdir: Access failed: 550 Permission denied. (anon_dir1)
lftp 192.169.1.98:/pub> quit
[iyunv@mail ~]# vim /etc/vsftpd/vsftpd.conf#修改anon_mkdir_write_enable=YES
[iyunv@mail ~]# service vsftpd restart
关闭 vsftpd: [确定]
为 vsftpd 启动 vsftpd: [确定]
[iyunv@mail ~]# lftp 192.169.1.98
lftp 192.169.1.98:~> cd pub/
lftp 192.169.1.98:/pub> ls
-rw-r--r-- 1 0 0 0 Aug 14 14:19 a
-rw------- 1 14 50 41465 Aug 14 14:30 install.log
lftp 192.169.1.98:/pub> mkdir anon_dir1#这下上传和创建目录都可以了
mkdir 成功, 建立 `anon_dir1'
lftp 192.169.1.98:/pub> ls
-rw-r--r-- 1 0 0 0 Aug 14 14:19 a
drwx------ 2 14 50 4096 Aug 14 14:32 anon_dir1
-rw------- 1 14 50 41465 Aug 14 14:30 install.log
lftp 192.169.1.98:/pub> quit
[iyunv@mail ~]# ls -l /var/ftp/pub/
总用量 48
-rw-r--r--. 1 root root 0 8月 14 22:19 a
drwx------. 2 ftp ftp 4096 8月 14 22:32 anon_dir1
-rw-------. 1 ftp ftp 41465 8月 14 22:30 install.log#匿名用户以ftp的身份上传文件和创建文件夹
#默认目录/var/ftp/pub,需要注意的是在redhat6里面,
#也可以修改匿名用户的默认的登陆目录,但是目录结构要有一定的规范。
#1.目录必须是三级。2.前两级目录必须是755权限。
#在/etc/vsftpd/vsftpd.conf中的anon_root=第一级目录(在碰到诡异问题时候可以像这样解决,但有时候写第二级或第三级也行)
#
[iyunv@mail ~]# vim /etc/vsftpd/vsftpd.conf
[iyunv@mail ~]# tail -1 /etc/vsftpd/vsftpd.conf
anon_root=/data1/
[iyunv@mail ~]# mkdir -p /data1/data2/data3
[iyunv@mail ~]# service vsftpd restart
关闭 vsftpd: [确定]
为 vsftpd 启动 vsftpd: [确定]
[iyunv@mail ~]# chmod o+w /data1/data2/data3/
[iyunv@mail ~]# setenforce 0
[iyunv@mail ~]# lftp 192.169.1.98
lftp 192.169.1.98:~> ls
drwxr-xr-x 3 0 0 4096 Aug 15 03:40 data2
lftp 192.169.1.98:/> cd data2/
lftp 192.169.1.98:/data2> ls
drwxr-xrwx 2 0 0 4096 Aug 15 03:40 data3
lftp 192.169.1.98:/data2> cd data3/
lftp 192.169.1.98:/data2/data3> ls
lftp 192.169.1.98:/data2/data3> put
.ICEauthority .gnupg/ .ssh/ .xauthzWxTwM
.bash_history .gstreamer-0.10/ .tcshrc Finished
.bash_logout .gtk-bookmarks .themes/ Package
.bash_profile .gvfs/ .thumbnails/ Running
.bashrc .icons/ .viminfo anaconda-ks.cfg
.cache/ .imsettings.log .xauthPOZYeE install.log
.config/ .lesshst .xauthUmfkv2 install.log.syslog
.cshrc .lftp/ .xauthZPDirN 下载/
.dbus/ .local/ .xauthdwewZF 公共的/
.elinks/ .nautilus/ .xauthhXO72Z 图片/
.esd_auth .printer-groups.xml .xauthjJSo1Z 文档/
.gconf/ .pulse/ .xauthkCfxzH 桌面/
.gconfd/ .pulse-cookie .xauthmGZjkB 模板/
.gnome2/ .recently-used.xbel .xauthrcABFo 视频/
.gnote/ .rnd .xauthsvl3SP 音乐/
lftp 192.169.1.98:/data2/data3> put anaconda-ks.cfg
1388 bytes transferred
lftp 192.169.1.98:/data2/data3> ls
-rw------- 1 14 50 1388 Aug 15 03:41 anaconda-ks.cfg
lftp 192.169.1.98:/data2/data3> cd ..
lftp 192.169.1.98:/data2> ls
drwxr-xrwx 2 0 0 4096 Aug 15 03:40 data3
lftp 192.169.1.98:/data2> put Package
put: Access failed: 553 Could not create file. (Package)
lftp 192.169.1.98:/data2> put install.log#因为data2没有写权限,即使有,也不能上传目录
put: Access failed: 553 Could not create file. (install.log)
lftp 192.169.1.98:/data2> cd data3/
lftp 192.169.1.98:/data2/data3> ls
-rw------- 1 14 50 1388 Aug 15 03:41 anaconda-ks.cfg
lftp 192.169.1.98:/data2/data3> mkdir anon_dir1
mkdir 成功, 建立 `anon_dir1'
lftp 192.169.1.98:/data2/data3> ls
-rw------- 1 14 50 1388 Aug 15 03:41 anaconda-ks.cfg
drwx------ 2 14 50 4096 Aug 15 03:42 anon_dir1
lftp 192.169.1.98:/data2/data3> cd /etc#不能跳到本机的其他目录
cd: Access failed: 550 Failed to change directory. (/etc)
lftp 192.169.1.98:/data2/data3> quit
[iyunv@mail ~]# vim /etc/vsftpd/vsftpd.conf
[iyunv@mail ~]# tail -1 /etc/vsftpd/vsftpd.conf#anon_root写第二级目录试试
anon_root=/data1/data2/
[iyunv@mail ~]# service vsftpd restart
关闭 vsftpd: [确定]
为 vsftpd 启动 vsftpd: [确定]
[iyunv@mail ~]# lftp 192.169.1.98
lftp 192.169.1.98:~> ls#默认登陆进来是第二级
drwxr-xrwx 3 0 0 4096 Aug 15 03:42 data3
lftp 192.169.1.98:/> cd data3/
lftp 192.169.1.98:/data3> ls
-rw------- 1 14 50 1388 Aug 15 03:41 anaconda-ks.cfg
drwx------ 2 14 50 4096 Aug 15 03:42 anon_dir1
lftp 192.169.1.98:/data3> put install.log
41465 bytes transferred
lftp 192.169.1.98:/data3> mkdir anon_dir2#可以上传,可以创建
mkdir 成功, 建立 `anon_dir2'
lftp 192.169.1.98:/data3> cd ..
lftp 192.169.1.98:/> cd
cd 成功, 当前目录=/
lftp 192.169.1.98:/> ls
drwxr-xrwx 3 0 0 4096 Aug 15 03:42 data3
lftp 192.169.1.98:/> pwd
ftp://192.169.1.98/
lftp 192.169.1.98:/> quit
[iyunv@mail ~]#
--------------------selinux---------------------
[iyunv@mail ~]# --------selinux----------^C
[iyunv@mail ~]# setenforce 1#打开selinux
[iyunv@mail ~]# lftp 192.169.1.98#连ls都不可以了
lftp 192.169.1.98:~> ls
ls: 登录失败: 500 OOPS: cannot change directory:/data1/data2
lftp 192.169.1.98:~> quit
[iyunv@mail ~]# getsebool -a|grep ftp#查看一下跟ftp有关的selinux
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
[iyunv@mail ~]# setsebool -P allow_ftpd_anon_write on#打开allow_ftpd_anon_write试试
[iyunv@mail ~]# lftp 192.169.1.98#还是不行的
lftp 192.169.1.98:~> ls
ls: 登录失败: 500 OOPS: cannot change directory:/data1/data2
lftp 192.169.1.98:~> quit
[iyunv@mail ~]# setsebool -P allow_ftpd_full_access on#把allow_ftpd_full_access也打开
[iyunv@mail ~]# lftp 192.169.1.98
lftp 192.169.1.98:~> ls
drwxr-xrwx 4 0 0 4096 Aug 15 03:46 data3
lftp 192.169.1.98:/> cd data3/
lftp 192.169.1.98:/data3> ls
-rw------- 1 14 50 1388 Aug 15 03:41 anaconda-ks.cfg
drwx------ 2 14 50 4096 Aug 15 03:42 anon_dir1
drwx------ 2 14 50 4096 Aug 15 03:46 anon_dir2
-rw------- 1 14 50 41465 Aug 15 03:46 install.log
lftp 192.169.1.98:/data3> mkdir anon_dir3
mkdir 成功, 建立 `anon_dir3'
lftp 192.169.1.98:/data3> put install.log.syslog#这下上传和创建文件夹都可以了
10565 bytes transferred
lftp 192.169.1.98:/data3> quit
[iyunv@mail ~]#
#但是allow_ftpd_full_access为on权限还是太大,能不能保证put,mkdir正常到情况下,进一步减小权限,可以!
#给目录和文件都打上标签
[iyunv@mail ~]# setsebool -P allow_ftpd_full_access off#先把这个关了
[iyunv@mail ~]# ls -dZ /data1/data2/data3/#data3的标签为default_t
drwxr-xrwx. root root unconfined_u:object_r:default_t:s0 /data1/data2/data3/
[iyunv@mail ~]# ls -dZ /var/ftp/pub/#看一下默认目录的标签,为public_content_t
drwxr-xrwx. root root system_u:object_r:public_content_t:s0 /var/ftp/pub/
[iyunv@mail ~]# chcon -t public_content_t /data1/data2/data3/#给目录打这个标签
[iyunv@mail ~]# chcon -t public_content_t /data1/data2/#data2也打
[iyunv@mail ~]# lftp 192.169.1.98
lftp 192.169.1.98:~> ls
ls: 登录失败: 500 OOPS: cannot change directory:/data1/data2
lftp 192.169.1.98:~> quit
[iyunv@mail ~]# chcon -t public_content_t /data1/#登陆后还是不行,给data1也打上
[iyunv@mail ~]# lftp 192.169.1.98
lftp 192.169.1.98:~> ls#这时候可以了
drwxr-xrwx 5 0 0 4096 Aug 15 05:42 data3
lftp 192.169.1.98:/> cd data3/
lftp 192.169.1.98:/data3> ls#但是ls看不到任何东西
lftp 192.169.1.98:/data3> quit
#因为里面文件的标签跟public_content_t不兼容,所以给文件也打上,注意加-R递归的改有时候不起作用
[iyunv@mail ~]# chcon -t public_content_t /data1/data2/data3/anaconda-ks.cfg
[iyunv@mail ~]# chcon -t public_content_t /data1/data2/data3/anon_dir1/
[iyunv@mail ~]# chcon -t public_content_t /data1/data2/data3/anon_dir2/
[iyunv@mail ~]# chcon -t public_content_t /data1/data2/data3/anon_dir3/
[iyunv@mail ~]# chcon -t public_content_t /data1/data2/data3/install.log
[iyunv@mail ~]# chcon -t public_content_t /data1/data2/data3/install.log.syslog
[iyunv@mail ~]# lftp 192.169.1.98
lftp 192.169.1.98:~> ls
drwxr-xrwx 5 0 0 4096 Aug 15 05:42 data3
lftp 192.169.1.98:/> cd data3/
lftp 192.169.1.98:/data3> ls#这下都能看到了
-rw------- 1 14 50 1388 Aug 15 03:41 anaconda-ks.cfg
drwx------ 2 14 50 4096 Aug 15 03:42 anon_dir1
drwx------ 2 14 50 4096 Aug 15 03:46 anon_dir2
drwx------ 2 14 50 4096 Aug 15 05:41 anon_dir3
-rw------- 1 14 50 41465 Aug 15 03:46 install.log
-rw------- 1 14 50 10565 Aug 15 05:42 install.log.syslog
lftp 192.169.1.98:/data3>
[iyunv@mail ~]#
版权声明:本文为博主原创文章,未经博主允许不得转载。 |
|
|
窥视卡
雷达卡
发表于 2015-11-6 08:30:50