Configuring vsftpd virtual users backed by MySQL, step by step

vsftpd (Very Secure FTP Daemon) is a security-focused, fast FTP server for UNIX/Linux that is already in use at many large sites. It can keep user names and passwords in a database file or on a database server; vsftpd calls accounts of this kind virtual users. Unlike local (system) FTP users, a virtual user exists only for the FTP server and can reach only the resources the FTP server exposes, which greatly reduces the exposure of the host itself. Unlike anonymous users, a virtual user must present a user name and password before it can retrieve files, so downloads can be tied to an identity and managed. For a site that needs to offer downloads, does not want them open to everyone anonymously, and needs to administer who may download while keeping the host secure and easy to manage, virtual users are an excellent solution. This article describes how to keep vsftpd's virtual user names and passwords in a MySQL database on Red Hat Linux 9.

1. Installing vsftpd

At the time of writing the newest release of vsftpd is 1.2.0; the official download address is ftp://vsftpd.beasts.org/users/cevans/vsftpd-1.2.0.tar.gz. Before installing, make the following preparations.

vsftpd's default configuration needs a "nobody" user. Add it to the system; if it already exists, useradd says so:
[root@hpe45 root]# useradd nobody
useradd: user nobody exists

vsftpd's default configuration also needs the directory /usr/share/empty. Create it; if it already exists, mkdir says so:
[root@hpe45 root]# mkdir /usr/share/empty/
mkdir: cannot create directory `/usr/share/empty': File exists

When vsftpd serves anonymous FTP it needs an "ftp" user and a valid anonymous root directory:
[root@hpe45 root]# mkdir /var/ftp/
[root@hpe45 root]# useradd -d /var/ftp ftp
The next two commands are worth running whether or not the ftp user already existed: vsftpd expects the anonymous root to be owned by root and not writable by anyone else.
[root@hpe45 root]# chown root.root /var/ftp
[root@hpe45 root]# chmod og-w /var/ftp

With the preparation done, compile the source. Assuming the downloaded vsftpd-1.2.0.tar.gz is in /root, run:
[root@hpe45 root]# tar zxvf vsftpd-1.2.0.tar.gz
[root@hpe45 root]# cd vsftpd-1.2.0
[root@hpe45 vsftpd-1.2.0]# make
[root@hpe45 vsftpd-1.2.0]# make install

"make install" copies the compiled binary and the manual pages into the corresponding directories. On RHL9 the copies may have to be done by hand:
[root@hpe45 vsftpd-1.2.0]# cp vsftpd /usr/local/sbin/vsftpd
[root@hpe45 vsftpd-1.2.0]# cp vsftpd.conf.5 /usr/local/share/man/man5
[root@hpe45 vsftpd-1.2.0]# cp vsftpd.8 /usr/local/share/man/man8

Next, copy the sample configuration file; it serves as the basis for the changes made later:
[root@hpe45 vsftpd-1.2.0]# cp vsftpd.conf /etc
and copy the PAM configuration file so that local users are allowed to log in to vsftpd:
[root@hpe45 vsftpd-1.2.0]# cp RedHat/vsftpd.pam /etc/pam.d/ftp

? ?
2. Creating the guest user

vsftpd authenticates virtual users through PAM. Because the virtual users' name/password list is stored separately, vsftpd needs the identity of a system user in order to read the list file or query the database server during authentication; this is vsftpd's guest user. It plays the same role that the system user ftp plays for anonymous access, and it can also be thought of as the system-level representative of all virtual users. Add the system user vsftpdguest to serve as vsftpd's guest:
[root@hpe45 vsftpd-1.2.0]# useradd vsftpdguest
Nothing should ever log in as this account directly, so leave its password locked, as useradd leaves it. After a virtual user logs in, the directory it lands in is vsftpdguest's home directory, /home/vsftpdguest. To have virtual users land somewhere else, such as /var/ftp, change vsftpdguest's home directory.
? ?
3. Setting up the vsftpd configuration file

Add the following options to /etc/vsftpd.conf:
guest_enable=YES
guest_username=vsftpdguest

Then run vsftpd in the background:
[root@hpe45 vsftpd-1.2.0]# /usr/local/sbin/vsftpd &
? ?
4. Keeping virtual users in a MySQL database

Create the database vsftpdvu with a table users whose columns name and passwd hold the virtual users' names and passwords, and at the same time add two virtual users, xiaotong and xiaowang:

[root@hpe45 vsftpd-1.2.0]# mysql -p
mysql> create database vsftpdvu;
mysql> use vsftpdvu;
mysql> create table users(name char(16) binary, passwd char(16) binary);
mysql> insert into users (name, passwd) values ('xiaotong', password('qqmywife'));
mysql> insert into users (name, passwd) values ('xiaowang', password('ttmywife'));
mysql> quit

char(16) is sized for the 16-hex-digit output of PASSWORD() in MySQL 3.23/4.0. From MySQL 4.1 on, PASSWORD() returns a 41-character hash that this column would silently truncate, so widen it if the server is newer.

Next, grant vsftpdguest read access to the users table of the vsftpdvu database:
[root@hpe45 vsftpd-1.2.0]# mysql -u root mysql -p
mysql> grant select on vsftpdvu.users to vsftpdguest@localhost identified by 'i52serial0';
mysql> quit

To verify that the preceding steps worked, run:
[root@hpe45 vsftpd]# mysql -u vsftpdguest -pi52serial0 vsftpdvu
mysql> select * from users;
If everything succeeded, this lists xiaotong and xiaowang together with their hashed passwords. (Passing the password on the command line as -pi52serial0 exposes it in the process list and the shell history; for anything beyond a one-off check, use -p and type it at the prompt.)
? ?
5. Installing PAM authentication against MySQL

Here we use the open-source project pam-mysql (http://sourceforge.net/projects/pam-mysql/) to authenticate through PAM against MySQL. Download its source package pam_mysql-0.5.tar.gz from that site and copy it to /root. Before compiling, make sure the mysql-devel RPM is installed on the machine; if it is not, install it from the RHL CDs. Then run:
[root@hpe45 root]# tar xvzf pam_mysql-0.5.tar.gz
[root@hpe45 root]# cd pam_mysql
[root@hpe45 pam_mysql]# make
[root@hpe45 pam_mysql]# make install
The "make install" step may fail; in that case copy the pam_mysql.so module produced in this directory into /lib/security by hand.

Next, set up vsftpd's PAM configuration. Open /etc/pam.d/ftp and put in the following two lines:
auth required pam_mysql.so user=vsftpdguest passwd=i52serial0 host=localhost db=vsftpdvu table=users usercolumn=name passwdcolumn=passwd crypt=2
account required pam_mysql.so user=vsftpdguest passwd=i52serial0 host=localhost db=vsftpdvu table=users usercolumn=name passwdcolumn=passwd crypt=2

Two points about this file. First, it now contains the database password in clear text, so make sure it is readable by root only; vsftpd's privileged parent process performs the PAM exchange, so root-only is sufficient. Second, PAM evaluates a stack of "required" modules by requiring every one of them to succeed. If the auth and account entries copied from RedHat/vsftpd.pam (which check the system password database) are left in place alongside these lines, a virtual user, who has no system account, is rejected by those entries; if the file is to serve virtual users only, let the pam_mysql lines replace them. Bear in mind also that FTP itself sends the user name and password over the network in clear text; the database protects only the stored copy.

The meaning of the parameters follows from the database settings above. The one that needs explanation is crypt, which says how the password column is stored: crypt=0, the password is stored in plain text (unencrypted); crypt=1, the password is stored hashed with the UNIX crypt() (DES) function; crypt=2, the password is stored hashed with MySQL's PASSWORD() function.
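As an added example (not from the original article and not pam_mysql's own code), here is what crypt=2 means in practice: a Python port of the pre-4.1 MySQL PASSWORD() algorithm that the inserts in step 4 stored, together with a lookup that does what pam_mysql does at login. The users table is constructed inline to mirror the article's two rows. It also shows why the scheme is weak: the hash is unsalted, so two users with the same password store the same value and a single precomputed table cracks all of them at once.

```python
import hmac


def mysql_old_password(password: str) -> str:
    """Port of MySQL 3.23/4.0 PASSWORD() (renamed OLD_PASSWORD() in 4.1).

    Spaces and tabs in the input are skipped, there is no salt, and the
    result is two 31-bit words printed as 16 lowercase hex digits, which is
    why the article's passwd column is char(16).
    """
    mask = 0xFFFFFFFF                  # the C code works on 32-bit unsigned longs
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for b in password.encode("utf-8"):
        if b in (0x20, 0x09):          # MySQL ignores blanks in the password
            continue
        nr ^= ((((nr & 63) + add) * b) + (nr << 8)) & mask
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & mask
        add += b
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


# Constructed stand-in for the article's vsftpdvu.users table: name -> passwd.
USERS = {
    "xiaotong": mysql_old_password("qqmywife"),
    "xiaowang": mysql_old_password("ttmywife"),
}


def check_login(name: str, password: str, table: dict = USERS) -> bool:
    """What pam_mysql does with crypt=2: hash the offered password and
    compare it with the stored column for that user name."""
    stored = table.get(name)
    if stored is None:
        return False
    return hmac.compare_digest(stored, mysql_old_password(password))


def shared_passwords(table: dict) -> dict:
    """Group user names by stored hash. Because PASSWORD() is unsalted, any
    group with more than one member means those users chose the same
    password, and one precomputed table cracks all of them together."""
    groups: dict = {}
    for name, digest in table.items():
        groups.setdefault(digest, []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for name, digest in USERS.items():
        print(name, digest)
    print("xiaotong/qqmywife ->", check_login("xiaotong", "qqmywife"))
    print("xiaotong/wrong    ->", check_login("xiaotong", "wrong"))
```

Running it prints the same 16-digit values that `select * from users` showed in step 4 and a True/False per login attempt; feeding it a table where several users share a hash is the quickest way to see what crypt=2 does not protect against.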
? ?
6. Further virtual user settings

After the steps above, virtual users work. This section covers further settings for virtual users, beginning with their permissions.

vsftpd 1.2.0 added the virtual_use_local_privs parameter. When it is on (YES), virtual users get the same permissions as local users; when it is off (NO), they get the same permissions as anonymous users, which is how versions before 1.2.0 always treated virtual users. Of the two, the latter is stricter, particularly for write access. The default is off (NO).

With virtual_use_local_privs=YES, setting write_enable=YES is enough to give virtual users write access. With virtual_use_local_privs=NO, the permission settings for virtual users are finer-grained and stricter:

Controlling directory listing: to stop users listing the directory while still letting them operate on files, two steps are needed. First, in the configuration file, set anon_world_readable_only=YES. Second, change the ownership and mode of the virtual users' directory so that only vsftpdguest can use it:
[root@hpe45 root]# chown vsftpdguest.vsftpdguest /home/vsftpdguest
[root@hpe45 root]# chmod 700 /home/vsftpdguest
Allowing virtual users to upload files:
write_enable=YES
anon_upload_enable=YES
Allowing virtual users to rename and delete files:
anon_other_write_enable=YES
Because these are the anonymous-user options, they take effect for anonymous users as well. If anonymous users are not to gain the same permissions by this route, the best course is to disable anonymous logins altogether (anonymous_enable=NO; note that it defaults to YES).

Next, because a virtual user runs in the system as vsftpdguest, it can reach other directories on the system. To be safer, confine virtual users to their home directory. There are two ways. The first is to add the following options to the configuration file:
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
and then list the virtual user names xiaotong and xiaowang in /etc/vsftpd.chroot_list.
The second is to set chroot_local_user=YES in the configuration file.
After either change, a virtual user's root directory after login is confined to /home/vsftpdguest and no other directory can be reached.
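The option combinations in step 6 are easy to get wrong, so here is an added example (my own code, not from the article or from vsftpd) that parses a vsftpd.conf and reports the hazards the text describes: anonymous logins inheriting the anon_*_enable write options, guest mode without a guest_username, virtual users left un-chrooted, and virtual_use_local_privs=YES combined with write_enable=YES. The defaults table holds vsftpd's documented defaults; the two sample configurations are constructed for the demonstration, and the parser is slightly more lenient about whitespace than vsftpd's own.

```python
# vsftpd's documented defaults for the options this audit looks at.
DEFAULTS = {
    "anonymous_enable": "YES",      # anonymous access is ON unless disabled
    "local_enable": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_other_write_enable": "NO",
    "guest_enable": "NO",
    "virtual_use_local_privs": "NO",
    "chroot_local_user": "NO",
    "chroot_list_enable": "NO",
}


def parse_vsftpd_conf(text: str) -> dict:
    """Parse vsftpd.conf text ("option=value" lines, "#" comments) into a
    dict of lower-cased option -> value. Malformed lines raise ValueError."""
    opts = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected option=value, got {raw!r}")
        key, value = line.split("=", 1)
        opts[key.strip().lower()] = value.strip()
    return opts


def audit_vsftpd_conf(text: str) -> list:
    """Return a list of (code, message) findings for the hazards in step 6."""
    opts = {**DEFAULTS, **parse_vsftpd_conf(text)}

    def on(key: str) -> bool:
        return opts.get(key, "NO").upper() == "YES"

    findings = []
    anon_write = on("anon_upload_enable") or on("anon_other_write_enable")
    if on("anonymous_enable") and on("write_enable") and anon_write:
        findings.append(("anon-write",
            "anon_upload_enable/anon_other_write_enable also apply to anonymous "
            "logins and anonymous_enable is on; set anonymous_enable=NO"))
    if on("guest_enable") and not opts.get("guest_username"):
        findings.append(("no-guest-username",
            "guest_enable=YES but guest_username is not set"))
    if on("guest_enable") and not (on("chroot_local_user") or on("chroot_list_enable")):
        findings.append(("no-chroot",
            "virtual users are not chrooted and can browse the file system as "
            "the guest account; set chroot_local_user=YES or use a chroot list"))
    if on("guest_enable") and on("virtual_use_local_privs") and on("write_enable"):
        findings.append(("local-privs-write",
            "virtual_use_local_privs=YES with write_enable=YES gives virtual "
            "users local-user write access wherever they can reach"))
    return findings


# Constructed sample configurations for the demonstration (not the article's file).
WEAK_CONF = """\
# uploads for virtual users as in step 6, anonymous_enable left at its default
guest_enable=YES
guest_username=vsftpdguest
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
"""

HARDENED_CONF = WEAK_CONF + """\
anonymous_enable=NO
chroot_local_user=YES
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":", audit_vsftpd_conf(conf) or "no findings")
```

Point it at the real file with `audit_vsftpd_conf(open("/etc/vsftpd.conf").read())`; the weak sample reports both the anonymous-write and the missing-chroot problems, and adding the two lines of the hardened sample clears them.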
? ?
7. Per-user directories for virtual users

As you will have noticed, every virtual user lands in the same directory after login, /home/vsftpdguest, the home directory of the guest_username user. Here is how to give each virtual user a directory of its own. First, add the following option to the main configuration file:
user_config_dir=/etc/vsftpd/vsftpd_user_conf
Then create the directory /etc/vsftpd/vsftpd_user_conf and, inside it, a file named after the virtual user in question:
[root@hpe45 root]# mkdir /etc/vsftpd/vsftpd_user_conf
[root@hpe45 root]# cd /etc/vsftpd/vsftpd_user_conf
[root@hpe45 vsftpd_user_conf]# touch xiaowang
These commands create a per-user configuration file for the virtual user xiaowang, /etc/vsftpd/vsftpd_user_conf/xiaowang. In that file, change xiaowang's home directory to /home/xiaowang with the option:
local_root=/home/xiaowang
Next, create xiaowang's directory and give vsftpdguest the permissions on it. The directory needs the execute bit as well as read and write, otherwise vsftpd cannot change into it:
[root@hpe45 vsftpd_user_conf]# mkdir /home/xiaowang
[root@hpe45 vsftpd_user_conf]# chown vsftpdguest.vsftpdguest /home/xiaowang
[root@hpe45 vsftpd_user_conf]# chmod 700 /home/xiaowang
After this setup, when xiaowang logs in to vsftpd, the "pwd" command shows that the session is positioned in the /home/xiaowang directory.

From the file system's point of view, however, /home/xiaowang belongs to vsftpdguest, and every virtual user runs as vsftpdguest, so the other virtual users can reach xiaowang's directory just the same. The fix is simple: have vsftpd confine each virtual user to its own home directory, which keeps virtual users out of each other's directories. The specific method is the chroot setting described in step 6 above and is not repeated here. With that in place, each virtual user has a directory that belongs to it alone.
