Study notes

Wednesday, June 27, 2007

Setting up VSFTPD for a friend -- removing FTP users' delete permission

Recently a friend setting up vsftpd had a requirement: every user should be able to upload files but not delete them. I first added the following settings:
chown_uploads=YES
chown_username=ftp
guest_enable=yes
guest_username=test
With this, however, all users are mapped to anonymous, and every user ends up in the home directory of the test account. It does satisfy the requirement that users can only upload and not delete, but he wanted each user to have a separate directory, so I had to look for another approach.

So I went back to man vsftpd.conf, and after seeing the parameter cmds_allowed I saw a glimmer of hope. This parameter specifies which commands the vsftpd server will accept: you simply list the FTP commands you want to allow after the equals sign (separated by commas).
cmds_allowed=PASV,RETR,QUIT,REST,TYPE,USER,PASS,LIST,CWD,CDUP,STOR,SIZE,PWD,MKD

The list above is the set of commands I observed a typical FTP client using. Since what we want is for users to be unable to delete files, we simply leave the DELE command out of the list. That meets my friend's requirement!!

I also realized that cmds_allowed= is site-wide. So what if some users need full permissions while others must not be able to delete files? For that you can use user_config_dir to apply different settings to specific users.
Below is the original text for cmds_allowed and user_config_dir from man vsftpd.conf:
cmds_allowed
This option specifies a comma separated list of allowed FTP commands (post login. USER, PASS and QUIT are always allowed pre-login). Other commands are rejected. This is a powerful method of really locking down an FTP server. Example: cmds_allowed=PASV,RETR,QUIT

user_config_dir
This powerful option allows the override of any config option specified in the manual page, on a per-user basis. Usage is simple, and is best illustrated with an example. If you set user_config_dir to be /etc/vsftpd_user_conf and then log on as the user "chris", then vsftpd will apply the settings in the file /etc/vsftpd_user_conf/chris for the duration of the session. The format of this file is as detailed in this manual page! PLEASE NOTE that not all settings are effective on a per-user basis. For example, many settings apply only prior to the user's session being started. Examples of settings which will not affect any behaviour on a per-user basis include listen_address, banner_file, max_per_ip, max_clients, xferlog_file, etc.
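To check that the site-wide cmds_allowed list and the per-user overrides under user_config_dir really do keep the destructive commands out, here is a small audit script. It is an added example written for these notes, not part of the original post or of vsftpd itself. It parses vsftpd.conf-style key=value text, merges each user's override file over the site settings the way the man page describes, and reports which of DELE, RMD, RNFR and RNTO each user could still issue. It also flags a cmds_allowed value that has been wrapped onto a second line (as can happen when copying from a web page), because vsftpd would refuse to start on such a file. The config fragments and the user "alice" are constructed for the example ("chris" is the user from the man page excerpt); the /etc/vsftpd_user_conf path comes from the man page. One caveat the script points out in its comments: STOR stays in the list because uploads need it, and STOR replaces an existing file of the same name, so "cannot delete" does not mean "cannot overwrite".

```python
"""Audit vsftpd command allow-lists for destructive FTP commands.

Added example for the notes above, not code from the original post or
from vsftpd. It checks the site-wide cmds_allowed value plus per-user
override files (user_config_dir) and reports which users could still
delete or rename files. All config text below is constructed.
"""
from typing import Dict, List, Optional, Set, Tuple

# FTP commands that remove or rename server-side files (RFC 959).
# STOR is deliberately not listed: uploads need it, but note that STOR
# overwrites an existing file of the same name.
DESTRUCTIVE: Set[str] = {"DELE", "RMD", "RNFR", "RNTO"}


def parse_vsftpd_conf(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse vsftpd.conf-style 'key=value' lines.

    Returns (settings, errors). vsftpd only accepts '#' comments, blank
    lines and key=value lines (it is stricter still: unknown keys and
    stray whitespace are also rejected), so a cmds_allowed value wrapped
    onto a second line is reported here as an error.
    """
    settings: Dict[str, str] = {}
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            errors.append(f"line {lineno}: no '=' in {line!r}")
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings, errors


def allowed_commands(settings: Dict[str, str]) -> Optional[Set[str]]:
    """Post-login commands permitted by cmds_allowed, or None if unrestricted."""
    value = settings.get("cmds_allowed")
    if value is None:
        return None
    return {c.strip().upper() for c in value.split(",") if c.strip()}


def destructive_allowed(settings: Dict[str, str]) -> Set[str]:
    """Destructive commands that a (merged) configuration still permits."""
    allowed = allowed_commands(settings)
    if allowed is None:
        return set(DESTRUCTIVE)  # no allow-list at all: every command is accepted
    return DESTRUCTIVE & allowed


def audit(site_conf: str, user_confs: Dict[str, str]) -> Dict[str, Set[str]]:
    """Per-user view: site settings with the user's own file layered on top.

    user_confs maps username -> contents of user_config_dir/<username>.
    Raises ValueError for any file vsftpd would reject.
    """
    site, errors = parse_vsftpd_conf(site_conf)
    if errors:
        raise ValueError("site config would be rejected by vsftpd: " + "; ".join(errors))
    report = {"<site default>": destructive_allowed(site)}
    for user, text in user_confs.items():
        override, errors = parse_vsftpd_conf(text)
        if errors:
            raise ValueError(f"{user}: " + "; ".join(errors))
        report[user] = destructive_allowed({**site, **override})
    return report


# Constructed sample input: the site-wide list from the notes, one user
# ("chris", from the man page) who is allowed to delete, and one constructed
# user ("alice") who inherits the site-wide restriction.
SITE_CONF = """\
# constructed site-wide vsftpd.conf fragment
write_enable=YES
cmds_allowed=PASV,RETR,QUIT,REST,TYPE,USER,PASS,LIST,CWD,CDUP,STOR,SIZE,PWD,MKD
user_config_dir=/etc/vsftpd_user_conf
"""

USER_CONFS = {
    "chris": "cmds_allowed=PASV,RETR,QUIT,REST,TYPE,USER,PASS,LIST,CWD,CDUP,STOR,SIZE,PWD,MKD,DELE,RMD\n",
    "alice": "# inherits the site-wide cmds_allowed\nlocal_umask=022\n",
}

# Constructed: the same list wrapped onto two lines, as a copy from a web page might be.
WRAPPED_CONF = "cmds_allowed=PASV,RETR,QUIT,\nLIST,CWD,STOR\n"


def main() -> None:
    for who, cmds in audit(SITE_CONF, USER_CONFS).items():
        print(f"{who}: destructive commands allowed = {sorted(cmds) or 'none'}")
    _, errors = parse_vsftpd_conf(WRAPPED_CONF)
    print("wrapped config errors:", errors)


if __name__ == "__main__":
    main()
```

Run it as-is to see the report for the constructed input; to audit a real server, read /etc/vsftpd.conf and each file under the configured user_config_dir into the same two arguments. A user whose override file omits cmds_allowed inherits the site-wide list, which is exactly why the site-wide list should be the restrictive one and only the exceptions should get a longer list.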


