Source: 自学PHP网 (zixuephp.com), 2015-04-14 11:51
RHEL 6.1: vsftpd SELinux configuration and enabling uploads for local users
Edit /etc/vsftpd.conf and set anonymous_enable=NO and local_enable=YES. This disables anonymous access and allows local (system) users to log in.
==========================================================================================
Add the user to the ftp group and set the Linux file permissions
[root@www ~]# usermod -aG ftp alexscript
[root@www ~]# groups alexscript
[root@www ~]# chown ftp:ftp /var/ftp/pub/ -R
[root@www ~]# ls -ld /var/ftp/pub/
drwxr-xr-x. 6 ftp ftp 4096 6月 16 14:48 /var/ftp/pub/
[root@www ~]# chmod 775 /var/ftp/pub/ -R
[root@www ~]# ls -ld /var/ftp/pub/
drwxrwxr-x. 6 ftp ftp 4096 6月 16 14:48 /var/ftp/pub/
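The following script is an added example, not part of the original post: it audits the two things the steps above change, the vsftpd.conf login options and the ownership and mode of the upload directory. The sample config, the temporary directory and the group name passed to the check are constructed for the demo; the option defaults are those documented in vsftpd.conf(5). It also checks write_enable, which the post does not mention but which vsftpd requires before any upload is accepted.

```shell
#!/bin/bash
# Added example (not from the original post): audit the settings the steps
# above change. The sample vsftpd.conf and the temporary directory are
# constructed for the demo; the option defaults come from vsftpd.conf(5).

# Print the effective value of a vsftpd option: the last uncommented
# assignment wins, because vsftpd reads the file top to bottom.
vsftpd_get() {            # $1 = config file, $2 = option name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Check anonymous logins are off, local logins are on and writes are
# permitted (write_enable is not in the post, but vsftpd refuses uploads
# without it). Unset options fall back to the vsftpd defaults.
vsftpd_audit() {          # $1 = config file
    local rc=0 pair opt want got default
    for pair in anonymous_enable=NO local_enable=YES write_enable=YES; do
        opt=${pair%%=*}; want=${pair#*=}
        case "$opt" in anonymous_enable) default=YES ;; *) default=NO ;; esac
        got=$(vsftpd_get "$1" "$opt" | tr '[:lower:]' '[:upper:]')
        [ -n "$got" ] || got=$default
        if [ "$got" = "$want" ]; then
            printf 'ok    %s=%s\n' "$opt" "$got"
        else
            printf 'FAIL  %s=%s (want %s)\n' "$opt" "$got" "$want"; rc=1
        fi
    done
    return "$rc"
}

# Check that an upload directory belongs to the expected group and is
# group-writable, which is what chown ftp:ftp and chmod 775 achieve above.
ftp_dir_check() {         # $1 = directory, $2 = expected group name
    local grp mode
    grp=$(stat -c %G "$1") || return 1
    mode=$(stat -c %a "$1")
    [ "$grp" = "$2" ] || { echo "FAIL  $1 group is $grp, want $2"; return 1; }
    [ $(( 8#$mode & 8#020 )) -ne 0 ] || { echo "FAIL  $1 mode $mode lacks group write"; return 1; }
    echo "ok    $1 $grp mode $mode"
}

# Demo on a constructed config and a temporary directory.
demo_cfg=$(mktemp); demo_dir=$(mktemp -d)
cat >"$demo_cfg" <<'EOF'
# constructed sample: the first anonymous_enable line is overridden below
anonymous_enable=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
EOF
chmod 775 "$demo_dir"
vsftpd_audit "$demo_cfg"
ftp_dir_check "$demo_dir" "$(id -gn)"
rm -rf "$demo_cfg" "$demo_dir"
```

On a real host, run `vsftpd_audit /etc/vsftpd.conf` (or wherever the config lives) and `ftp_dir_check /var/ftp/pub ftp`; the mode check only looks at the group-write bit, so a 775 directory passes and a 755 one fails.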
===========================================================================================
SELinux settings
The official documentation says:
FTP must be allowed to write to a directory before users can upload files via FTP.
SELinux allows FTP to write to directories labeled with the public_content_rw_t type.
In other words, for FTP uploads to be allowed the directory type must be public_content_rw_t.
1. Check the current type
[root@localhost ~]# ls -dZ /var/ftp/
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/
The current type is public_content_t, which only allows reading.
-------------------------------------------------------------------------------------------
2. Change the type
[root@localhost ~]# semanage fcontext -a -t public_content_rw_t "/var/ftp(/.*)?"
-bash: semanage: command not found
Problem: the command does not exist. The official documentation explains:
policycoreutils-python : provides utilities such as semanage, audit2allow, audit2why
and chcat, for operating and managing SELinux.
That is, the policycoreutils-python package provides the semanage command.
3. Install policycoreutils-python
Mount the installation DVD
[root@localhost ~]# mkdir /cdrom
[root@localhost ~]# mount -o auto /dev/cdrom /cdrom
mount: block device /dev/sr0 is write-protected, mounting read-only
[root@localhost Packages]# rpm -ivh policycoreutils-python-2.0.83-19.8.el6_0.i686.rpm \
audit-libs-python-2.1-5.el6.i686.rpm \
libsemanage-python-2.0.43-4.el6.i686.rpm \
setools-libs-python-3.3.7-4.el6.i686.rpm \
setools-libs-3.3.7-4.el6.i686.rpm
warning: policycoreutils-python-2.0.83-19.8.el6_0.i686.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing...                ########################################### [100%]
1:setools-libs ########################################### [ 20%]
2:setools-libs-python ########################################### [ 40%]
3:libsemanage-python ########################################### [ 60%]
4:audit-libs-python ########################################### [ 80%]
5:policycoreutils-python ########################################### [100%]
4. Back to step 2: set and apply the label
[root@localhost Packages]# semanage fcontext -a -t public_content_rw_t "/var/ftp(/.*)?"
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
libsemanage.get_home_dirs: alex homedir /var/ftp or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than 500 or its login shell is /sbin/nologin.
[root@localhost Packages]# restorecon -R -v /var/ftp
restorecon reset /var/ftp context system_u:object_r:public_content_t:s0->system_u:object_r:public_content_rw_t:s0
restorecon reset /var/ftp/pub context system_u:object_r:public_content_t:s0->system_u:object_r:public_content_rw_t:s0
5. Turn on the allow_ftpd_anon_write Boolean. The documentation says: "The allow_ftpd_anon_write Boolean must be on to allow vsftpd to write to files that are labeled with the public_content_rw_t type. Run the following command as the root user to turn this Boolean on:" In other words, the allow_ftpd_anon_write Boolean must be set to on before uploads work.
[root@localhost Packages]# setsebool -P allow_ftpd_anon_write on
libsemanage.get_home_dirs: alex homedir /var/ftp or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than 500 or its login shell is /sbin/nologin.
=========================================================================================
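The script below is an added example, not part of the original post. It parses the two output formats shown in this section, the context column of `ls -dZ` and the `name --> state` line of `getsebool`, and combines them into one answer: can vsftpd write here or not. The sample lines are constructed; the live check at the end only runs when the SELinux tools are installed and /var/ftp exists. Note that the libsemanage warning in the transcript above is, as the message itself says, about a regular account whose home directory is /var/ftp; it does not stop the label change, which the restorecon output confirms.

```shell
#!/bin/bash
# Added example (not from the original post): check the SELinux pieces the
# section above sets up, the file-context type on the FTP tree and the
# allow_ftpd_anon_write boolean. The sample lines are constructed.

# Extract the SELinux type (third colon-separated field of the context)
# from one line of "ls -dZ" output, whichever column the context is in.
selinux_type_of() {       # $1 = one line of ls -dZ output
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+_t(:|$)/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# Extract "on"/"off" from one line of "getsebool NAME" output.
sebool_state() {          # $1 = one line such as "allow_ftpd_anon_write --> on"
    printf '%s\n' "$1" | awk '$2 == "-->" { print $3 }'
}

# Decide whether vsftpd may write: the directory must carry
# public_content_rw_t (public_content_t is read-only) and the boolean must
# be on. Prints the reason and returns non-zero when uploads are blocked.
ftp_upload_allowed() {    # $1 = ls -dZ line, $2 = getsebool line
    local type state
    type=$(selinux_type_of "$1"); state=$(sebool_state "$2")
    if [ "$type" != public_content_rw_t ]; then
        echo "no: type is '$type', need public_content_rw_t (semanage fcontext + restorecon)"
        return 1
    fi
    if [ "$state" != on ]; then
        echo "no: allow_ftpd_anon_write is '$state' (setsebool -P allow_ftpd_anon_write on)"
        return 1
    fi
    echo "yes: $type with allow_ftpd_anon_write on"
}

# Demo on constructed lines: before and after the relabel.
ftp_upload_allowed 'drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/' \
                   'allow_ftpd_anon_write --> off'
ftp_upload_allowed 'drwxrwxr-x. ftp ftp system_u:object_r:public_content_rw_t:s0 /var/ftp/pub/' \
                   'allow_ftpd_anon_write --> on'

# Live check, only where the SELinux tools exist.
if command -v getsebool >/dev/null 2>&1 && [ -d /var/ftp ]; then
    ftp_upload_allowed "$(ls -dZ /var/ftp)" "$(getsebool allow_ftpd_anon_write)"
fi
```

The type check is deliberately strict: a directory still labeled public_content_t fails even with the boolean on, because the boolean only grants writes to public_content_rw_t files.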
iptables firewall settings:
If iptables is configured to block every port and allow only a few, FTP usually stops working once the policy is applied: FTP has an active and a passive connection mode, and leaving out a rule for either breaks it.
1. First, load the connection-tracking helper modules
[root@localhost Packages]# cd /etc/sysconfig/
[root@localhost sysconfig]# vi iptables-config
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES=""
IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"   # added line: the FTP helpers as one space-separated list
2. Then add the rules
[root@localhost sysconfig]# vi iptables
###### vsftpd ######
-I INPUT -p tcp --dport 21 -j ACCEPT
-I OUTPUT -p tcp --dport 21 -j ACCEPT
3. Restart the firewall
[root@localhost sysconfig]# service iptables restart
iptables:清除防火墙规则: [确定]
iptables:将链设置为政策 ACCEPT:filter [确定]
iptables:正在卸载模块: [确定]
iptables:应用防火墙规则: [确定]
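The script below is an added example, not part of the original post: it verifies the two firewall pieces from the steps above, the helper modules in /etc/sysconfig/iptables-config and the tcp/21 ACCEPT rule in /etc/sysconfig/iptables. Both sample files are constructed. A practitioner's caveat it encodes: the init script only reads a key spelled exactly IPTABLES_MODULES, so a misspelled key such as IPTABLES_MODELES leaves the helpers unloaded without any error, and then passive and active data connections are never matched as RELATED. The check looks at the INPUT chain only; an OUTPUT rule written with `--dport 21` matches outbound connections to port 21 rather than the server's replies, which on a stock RHEL 6 rule set are covered by the ESTABLISHED,RELATED rule or the OUTPUT chain's ACCEPT policy.

```shell
#!/bin/bash
# Added example (not from the original post): check the FTP helper modules in
# iptables-config and the port-21 rule in the iptables rules file. Both
# sample files are constructed; pass the real /etc/sysconfig paths on a host.

# Effective IPTABLES_MODULES value: the last assignment wins when the init
# script sources the file; quoted or unquoted values are accepted.
iptables_modules_of() {   # $1 = iptables-config file
    sed -n 's/^[[:space:]]*IPTABLES_MODULES=["'\'']\{0,1\}\([^"'\'']*\).*/\1/p' "$1" | tail -n 1
}

# Lines that set a key resembling IPTABLES_MODULES but spelled differently
# (such as IPTABLES_MODELES): the init script never reads them.
iptables_config_typos() { # $1 = iptables-config file
    grep -E '^[[:space:]]*IPTABLES_MOD[A-Z]*=' "$1" | grep -v 'IPTABLES_MODULES=' || true
}

# Verify both helper modules are listed, no misspelled key is present, and
# INPUT accepts new connections to tcp/21. Data connections in active and
# passive mode are then matched as RELATED by the loaded helper.
ftp_firewall_check() {    # $1 = iptables-config file, $2 = iptables rules file
    local rc=0 mods m typos
    mods=$(iptables_modules_of "$1")
    for m in ip_conntrack_ftp ip_nat_ftp; do
        case " $mods " in
            *" $m "*) echo "ok    helper module $m listed" ;;
            *)        echo "FAIL  helper module $m missing from IPTABLES_MODULES"; rc=1 ;;
        esac
    done
    typos=$(iptables_config_typos "$1")
    [ -z "$typos" ] || { echo "FAIL  ignored misspelled key(s):"; echo "$typos"; rc=1; }
    if grep -Eq -- '^-[IA] INPUT .*-p tcp .*--dport 21 .*-j ACCEPT' "$2"; then
        echo "ok    INPUT accepts tcp/21"
    else
        echo "FAIL  no INPUT ACCEPT rule for tcp/21"; rc=1
    fi
    return "$rc"
}

# Demo: a config with a misspelled key beside a correct one (both constructed).
bad=$(mktemp); good=$(mktemp); rules=$(mktemp)
printf 'IPTABLES_MODULES=""\nIPTABLES_MODELES="ip_conntrack_ftp"\nIPTABLES_MODELES="ip_nat_ftp"\n' >"$bad"
printf 'IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"\n' >"$good"
printf -- '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n-I INPUT -p tcp --dport 21 -j ACCEPT\n' >"$rules"
echo "== misspelled key"; ftp_firewall_check "$bad" "$rules"
echo "== corrected";      ftp_firewall_check "$good" "$rules"
rm -f "$bad" "$good" "$rules"
```

Run `ftp_firewall_check /etc/sysconfig/iptables-config /etc/sysconfig/iptables` after editing the files and before the `service iptables restart`; a FAIL line tells you which of the two edits did not take effect.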
=========================================================================================
Note:
Set the client to active connection mode when connecting.
[root@localhost sysconfig]# service vsftpd start
为 vsftpd 启动 vsftpd: [确定]
[root@localhost sysconfig]# chkconfig --level 3 vsftpd on
========================================================================================
References:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/sect-Managing_Confined_Services-File_Transfer_Protocol-Configuration_Examples.html
Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf, section 5.1 "SELinux Packages"
Author: 大果粒