Proftpd
proftpd with proftpd-mysql on CentOS 7: users can log in / upload files, but they cannot retrieve files or CWD
I could not find anyone with this strange problem: ftp users are able to upload files, but they cannot retrieve them.
Please give me any clue to solve this. Thanks.
"ftpuser1" is a user defined in the proftpd-mysql table, with home:
/srv/ftp/users/ftpuser1
When "ftpuser1" starts an ftp session he is correctly chrooted, so he uploads files and creates directories inside
/srv/ftp/users/ftpuser1
but when he tries to CWD or retrieve a file he gets 500 errors, as if he were trying to do it from /
The virtual user ftpuser1 maps to uid/gid 2001/2001. Here are all the directory permissions:
# ls -aldn /srv /srv/ftp /srv/ftp/users /srv/ftp/users/ftpuser1 /srv/ftp/users/ftpuser1/directory1/
drwxr-xr-x. 3 0    0    16 May 23  2016 /srv
drwxr-xr-x. 3 0    0    18 May 23  2016 /srv/ftp
drwxr-xr-x. 6 99   99   67 Sep  9 08:03 /srv/ftp/users
drwx------. 3 2001 2001 23 Sep  9 08:04 /srv/ftp/users/ftpuser1
drwxr-xr-x. 2 2001 2001  6 Sep  9 08:03 /srv/ftp/users/ftpuser1/directory1/
Also, with the -Z option, the SELinux labels seem to be fine:
# ls -aldnZ /srv /srv/ftp /srv/ftp/users /srv/ftp/users/ftpuser1 /srv/ftp/users/ftpuser1/directory1/
drwxr-xr-x. 0    0    system_u:object_r:var_t:s0                   /srv
drwxr-xr-x. 0    0    unconfined_u:object_r:public_content_t:s0    /srv/ftp
drwxr-xr-x. 99   99   unconfined_u:object_r:public_content_rw_t:s0 /srv/ftp/users
drwx------. 2001 2001 unconfined_u:object_r:public_content_rw_t:s0 /srv/ftp/users/ftpuser1
drwxr-xr-x. 2001 2001 unconfined_u:object_r:public_content_rw_t:s0 /srv/ftp/users/ftpuser1/directory1/
I have disabled SELinux and nothing changed. I found nothing in the proftpd logs or in the audit log.
I am using these packages on CentOS 7:
proftpd        Arch : x86_64  Version : 1.3.5e  Release : 2.el7
proftpd-mysql  Arch : x86_64  Version : 1.3.5e  Release : 2.el7  From repo : epel
proftpd.conf with mod_mysql:
# This is the ProFTPD configuration file

# Trace logging, disabled by default for performance reasons
# (http://www.proftpd.org/docs/howto/Tracing.html)
TraceLog /var/log/proftpd/trace.log
Trace DEFAULT:0

TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log

ServerName "ProFTPD server"
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
DefaultServer on
ListOptions "-l"
DenyFilter \*.*/

# Use this to jail all users in their homes
DefaultRoot ~

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
# RequireValidShell off

# Port 21 is the standard FTP port.
Port 21
PassivePorts 1024 1048

# Don't do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS off

# Set the user and group that the server runs as
User nobody
Group nobody
CreateHome true

# To prevent DoS attacks, set the maximum number of child processes
# to 20. If you need to allow more than 20 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 20

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile off

# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"

# Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details
#
# General database support (http://www.proftpd.org/docs/contrib/mod_sql.html)
LoadModule mod_sql.c

# Mysql support (requires proftpd-mysql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
LoadModule mod_sql_mysql.c

# Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html)
LoadModule mod_quotatab.c

# SQL database "driver" for storing quota table information in SQL tables
# (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html)
LoadModule mod_quotatab_sql.c

# Administrative control actions for the ftpdctl program
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
LoadModule mod_ctrls_admin.c
#
# Implement a virtual chroot capability that does not require root privileges
# (http://www.castaglia.org/proftpd/modules/mod_vroot.html)
# Using this module rather than the kernel's chroot() system call works
# around issues with PAM and chroot (http://bugzilla.redhat.com/506735)
LoadModule mod_vroot.c

# Allow only user root to load and unload modules, but allow everyone
# to see which modules have been loaded
# (http://www.proftpd.org/docs/modules/mod_dso.html#ModuleControlsACLs)
ModuleControlsACLs insmod,rmmod allow user root
ModuleControlsACLs lsmod allow user *

# Enable basic controls via ftpdctl
# (http://www.proftpd.org/docs/modules/mod_ctrls.html)
ControlsEngine on
ControlsACLs all allow user root
ControlsSocketACL allow user *
ControlsLog /var/log/proftpd/controls.log

# Enable admin controls via ftpdctl
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
<IfModule mod_ctrls_admin.c>
  AdminControlsEngine on
  AdminControlsACLs all allow user root
</IfModule>

# Enable mod_vroot by default for better compatibility with PAM
# (http://bugzilla.redhat.com/506735)
<IfModule mod_vroot.c>
  VRootEngine on
</IfModule>

# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
<IfDefine DYNAMIC_BAN_LISTS>
  LoadModule mod_ban.c
  BanEngine on
  BanLog /var/log/proftpd/ban.log
  BanTable /var/run/proftpd/ban.tab

  # If the same client reaches the MaxLoginAttempts limit 2 times
  # within 10 minutes, automatically add a ban for that client that
  # will expire after one hour.
  BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00

  # Inform the user that it's not worth persisting
  BanMessage "Host %a has been banned"

  # Allow the FTP admin to manually add/remove bans
  BanControlsACLs all allow user ftpadm
</IfDefine>

# Set networking-specific "Quality of Service" (QoS) bits on the packets used
# by the server (contrib/mod_qos.html)
<IfDefine QOS>
  LoadModule mod_qos.c
  # RFC791 TOS parameter compatibility
  QoSOptions dataqos throughput ctrlqos lowdelay
  # For a DSCP environment (may require tweaking)
  #QoSOptions dataqos CS2 ctrlqos AF41
</IfDefine>

# Global Config - config common to Server Config and all virtual hosts
# See: http://www.proftpd.org/docs/howto/Vhost.html
<Global>
  # Umask 022 is a good standard umask to prevent new dirs and files
  # from being group and world writable
  Umask 022

  # Allow users to overwrite files and change permissions
  AllowOverwrite yes
</Global>

#
# Proftpd sample configuration for SQL-based authentication.
#
# (This is not to be used if you prefer a PAM-based SQL authentication)
#
<IfModule mod_sql.c>
  DefaultRoot ~
  #
  # Choose a SQL backend among MySQL or PostgreSQL.
  # Both modules are loaded in default configuration, so you have to specify the backend
  # or comment out the unused module in /etc/proftpd/modules.conf.
  # Use 'mysql' or 'postgres' as possible values.
  #
  SQLBackend mysql
  #
  SQLEngine on
  SQLAuthenticate on
  #
  # Use both a crypted or plaintext password
  #SQLAuthTypes Crypt Plaintext
  #
  # Use a backend-crypted or a crypted password
  #SQLAuthTypes Backend Crypt
  #
  SQLAuthTypes OpenSSL Crypt Plaintext

  # Connection
  #SQLConnectInfo proftpd@sql.example.com proftpd_user proftpd_password
  SQLConnectInfo ftp@localhost dedalo dedalo
  #
  # Describes both users/groups tables
  #
  SQLUserInfo ftpuser userid passwd uid gid homedir shell
  SQLGroupInfo ftpgroup groupname gid members

  # set min UID and GID - otherwise these are 999 each
  SQLMinID 98

  SQLNamedQuery updatecount UPDATE "count=count+1, accessed=now() WHERE userid='%u'" ftpuser

  # Update modified everytime user uploads or deletes a file
  SQLLog STOR,DELE modified
  SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser

  # User quotas
  # ===========
  QuotaEngine on
  QuotaDirectoryTally on
  QuotaDisplayUnits Mb
  QuotaShowQuotas on

  SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}' AND quota_type = '%{1}'"
  SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
  SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies
  SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies

  QuotaLimitTable sql:/get-quota-limit
  QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally

  SqlLogFile /var/log/proftpd/sql.log
</IfModule>
I found out that this is a problem with the mod_vroot module. Disable it in the configuration file by commenting out the line LoadModule mod_vroot.c. After that it works as expected.
I think the problem is that, for some reason, your permissions on /srv/ftp/users/ftpuser1 are incorrect. You should verify that ftpuser1 has full control over the folder.
- Run ls -l /srv/ftp/users | grep ftpuser1 and look at which permissions it has and who owns the folder.
- If ftpuser1 does not own the folder, try sudo chown ftpuser1:ftpuser1 /srv/ftp/users/ftpuser1
- Restart ProFTPD and try again.
Someone else had a similar problem here: Cannot delete or edit files on ProFTPD server
Posting your configuration file would also help us more.
Also, when your users are CHROOTed and the client says they are trying from /, that / refers to their current working directory, not the actual root directory of the operating system itself.
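As an added example (not part of the question or of either answer, and not ProFTPD code), here is a POSIX shell script that performs the permission check the answer above recommends, generalized to the whole path: it walks every component from / down to the target as the kernel would for the uid/gid that mod_sql assigns to the virtual user (2001/2001 in the question), requiring the search bit (x) on each directory, which is what CWD needs, and the read bit (r) on a regular file, which is what RETR needs, and reports the first component that blocks. It evaluates classic mode bits only: SELinux labels, POSIX ACLs, supplementary groups and the chroot itself are out of scope, and it assumes GNU stat. Function names are my own.

```sh
#!/bin/sh
# Added example: walk an absolute path and report whether a process running
# as UID/GID can reach it under classic Unix DAC rules (GNU stat assumed).
# Function names are invented for this example.
#
# Rules applied, component by component from / downwards:
#   - a directory must grant the search bit (x) to be traversed or CWD'd into
#   - a regular file (the leaf) must grant read (r) to be RETR'd
#   - the owner/group/other class is chosen by comparing uid, then primary gid
#   - uid 0 bypasses all of this (CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH)
# Not checked: SELinux labels, POSIX ACLs, supplementary groups, chroot.

# perm_bits OWNER GROUP MODE UID GID -> prints the single octal rwx digit
# that applies to UID/GID, e.g. "5" for r-x
perm_bits() {
  m=$3
  # GNU stat %a prints 1-4 digits: drop a leading setuid/setgid/sticky
  # digit and zero-pad so exactly three class digits remain
  if [ ${#m} -gt 3 ]; then m=${m#?}; fi
  while [ ${#m} -lt 3 ]; do m=0$m; done
  if [ "$4" -eq "$1" ]; then idx=1
  elif [ "$5" -eq "$2" ]; then idx=2
  else idx=3
  fi
  printf '%s' "$m" | cut -c "$idx"
}

# check_one PATH UID GID -> 0 if UID/GID may search (dir) or read (file) PATH
check_one() {
  path=$1; uid=$2; gid=$3
  st=$(stat -L -c '%u %g %a' -- "$path" 2>/dev/null) || {
    echo "DENIED $path: does not exist or cannot be stat'ed"
    return 1
  }
  set -- $st
  owner=$1; group=$2; mode=$3
  bits=$(perm_bits "$owner" "$group" "$mode" "$uid" "$gid")
  if [ -d "$path" ]; then need=1; what="search (x)"; else need=4; what="read (r)"; fi
  if [ $((bits & need)) -eq 0 ]; then
    echo "DENIED $path: uid=$uid gid=$gid lacks $what (owner=$owner group=$group mode=$mode)"
    return 1
  fi
  return 0
}

# check_path_access UID GID /absolute/path -> 0 reachable, 1 blocked, 2 bad usage
check_path_access() {
  uid=$1; gid=$2; target=$3
  case $target in /*) ;; *) echo "usage: check_path_access UID GID /absolute/path"; return 2 ;; esac
  if [ "$uid" -eq 0 ]; then echo "OK: uid 0 bypasses DAC checks"; return 0; fi
  p=/
  rest=${target#/}
  while :; do
    check_one "$p" "$uid" "$gid" || return 1
    [ -n "$rest" ] || break
    comp=${rest%%/*}
    case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
    if [ -n "$comp" ]; then
      if [ "$p" = / ]; then p=/$comp; else p=$p/$comp; fi
    fi
  done
  echo "OK: uid=$uid gid=$gid can reach $target"
  return 0
}

# Usage: sh check_path_access.sh UID GID /absolute/path
# For the virtual user from the question:
#   sh check_path_access.sh 2001 2001 /srv/ftp/users/ftpuser1/directory1
if [ $# -eq 3 ]; then
  check_path_access "$1" "$2" "$3"
fi
```

Run against the listing in the question it reports OK for every component (/srv, /srv/ftp and /srv/ftp/users are 755, so 2001 gets r-x as "other"; the 700 home is owned by 2001), which is consistent with the asker finding the real cause in mod_vroot rather than in the mode bits. Note that the `DefaultRoot ~` chroot does not change the kernel's view: the daemon still has to be able to traverse every real directory above the home.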