Fedora vsftpd限制登錄安裝配置
想知道到Fedora vsftpd系統的真相么,想知道Fedora vsftpd系統中藏有的內在奧義么,只有我來給大家全面講解介紹Fedora vsftpd系統打開/etc/selinux/config 將selinux=enforcing或permissive改成disabled。記得要重新啟動服務器! 當然還要確定以下問題:
1、用戶是否被 Fedora vsftpd 限制登錄, 比如用戶名在 /etc/ftpusers 中,并被阻止登錄了
2、Fedora vsftpd.conf 中是否打開了pam認證的選項 (自己編譯安裝的時候常因為這個出錯) (看Fedora vsftpd.conf中是否有pam_service_name=ftp或Fedora vsftpd.到底是哪個要看。
PAM模塊的服務文件/etc/pam.d下是誰.我的是ftp且它的配置如下: #%PAM-1.0
- auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
- auth required /lib/security/pam_unix.so shadow nullok
- auth required /lib/security/pam_shells.so
- account required /lib/security/pam_unix.so
- session required /lib/security/pam_unix.so 如果/etc/ftpusers有的用戶將被deny
3、相關文件夾的權限是否正確 關于“Fedora vsftpd 部分本地用戶不能登錄,部分可以”的問題, 系統中原來就有的本地帳號都不能登錄,我的/etc/Fedora vsftpd/Fedora vsftpd.conf文件的配置如下:
- local_enable=YES
- write_enable=YES
- chroot_local_user=YES
- pam_service_name=Fedora vsftpd
- /etc/pam.d/Fedora vsftpd存在且正常。
- 登錄時錯誤信息都是一樣的:
500 OOPS: cannot change directory:/home/xxxx Login failed. 421 Service not available, remote server has closed connection 他們的home目錄都是/home/xxxx。/home和/home/xxxx的權限都是755。以上這些帳號都不能ftp登錄,這些都是平常經常使用的,可以用shell登錄的。
我新創建了一個usr1帳號 # useradd -G test -d /tmp/usr1 usr1 能ftp登錄,他的home為/tmp/usr1,在/分區上。而/home我是mount到/dev/hda9上的。 #mount /dev/hdb1 on / type ext3 (rw) /dev/hda9 on /home type ext2 (rw) 所以,我猜想:是否是由于/home分區的原因,而造成“主目錄在/home分區的帳號”都不能登錄呢?
為了驗證以上設想,我試著再創建了一個帳號 useradd -G test -d /home/usr3 usr3 /home, /home/usr3 的權限都是755。 usr3 ftp登錄失敗。 500 OOPS: cannot change directory:/home/usr3 Login failed. 421 Service not available, remote server has closed connection 至此,我覺得可以確定是由于/home分區的原因,而造成“主目錄在/home分區的帳號”都不能登錄。
參考文章:
I finished my second upgrade to Fedora Core 4. Not everything is ironed out yet with the build of course. But one thing is for sure a lot has happened to the RedHat I knew before.
I must say of all the changes, for me the nicest addition is the new SELinux extensions. For deep background on the reasons for and theory of SELinux read, The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments
The more I work with SELinux the more I realize I need to know about it, and how exactly it does all its stuff. It certainly changes things relating to users, directories and access. As I am starting to learn it, I'm sure I'm doing things the hard-way. :)
The major difference, so far for me, in Red Hat's SELinux is the way ftp is handled. Fedora vsftpd is still the server which is great. However, it seems to be designed to run as a daemon rather than invoked via xinet.d. If you grab a working copy of the xinet.d file for Fedora vsftpd you can invoke it via xinet.d wrapper. I did my first server upgrade in this manner. The current one I am trying as a daemon. I certainly think I will miss some of the features that the xinet.d wrapper brings, and may yet return to it.
Of all the issues I saw most notable is if you want to enable chroot directory's outside of the normal /home/xxx Fedora vsftpd. These will fail with a 500 OOPS: cannot change directory: /mnt/xxxxx
I was able to use ftp if I logged in with an account with a directory in /home, but once I set a user account to have a home drive outside of /home (in this case on a mounted secondary disk) Fedora vsftpd barfs the above.
I found information at the NSA that indicates you can disable SELinux protection of the ftp daemon. setsebool -P ftpd_disable_trans 1 This seems a bit drastic. It certainly works for now though.
I think ultimately the issue resides with policies, but as SELinux policies are new to me, it will take time before it all gets sorted out. As I spend time with the new SELinux extensions in Fedora Core 4 I will keep you updated on my thoughts and configuration lessons.
解決辦法:
# setsebool ftpd_disable_trans 1
# service Fedora vsftpd restart
我用的是FC4,按照你上一帖子里的方法試了,馬上就解決了。所以,可以確定原因就在SELinux。
他的系統是CentOS,是RH派系的。我把Fedora vsftpd安裝配置好了,以為大功告成,但客戶端訪問提示如下錯誤:500 OOPS: cannot change directory:/home/ftp原因是他的CentOS系統安裝了SELinux,因為默認下是沒有開啟FTP的支持,所以訪問時都被阻止了。
- //查看SELinux設置# getsebool -a|grep ftpftpd_disable_trans --> off或者ftp_home_dir-->off
- //使用setsebool命令開啟# setsebool ftpd_disable_trans 1或者# setsebool ftp_home_dir 1
- //查看當前狀態是否是on的狀態# getsebool -a|grep ftpftpd_disable_trans --> on或者ftp_home_dir-->on
- //setsebool使用-P參數,無需每次開機都輸入這個命令# setsebool -P ftpd_disable_trans 1或者
- # setsebool -P ftp_home_dir 1# service Fedora vsftpd restart
有關selinux的配置如關閉,僅僅警告,強制等等 需要編輯/etc/sysconfig/selinux 默認是強制
【編輯推薦】
