vsftpd: fixing "local users cannot log in"

Published: 2007-12-17 00:39:53   Source: 红联   Author: rfusrdx
Open /etc/selinux/config.

Change SELINUX=enforcing (or SELINUX=permissive) to SELINUX=disabled.

Remember to reboot the server afterwards; this file is only read at boot.

You should also rule out the following:

1. Whether vsftpd is refusing the user, for example because the user name is listed in /etc/ftpusers, which blocks the login.

2. Whether the PAM authentication option in vsftpd.conf is set correctly (a common source of errors when vsftpd was compiled and installed by hand). Check whether vsftpd.conf contains pam_service_name=ftp or pam_service_name=vsftpd; which one is right depends on the name of the PAM service file under /etc/pam.d. Mine is ftp, and its contents are as follows:

#%PAM-1.0
# Refuse any user named in /etc/ftpusers; onerr=succeed means a missing or
# unreadable list does not block logins.
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
# Check the password against /etc/shadow (nullok: empty passwords are accepted).
auth required /lib/security/pam_unix.so shadow nullok
# Refuse users whose login shell is not listed in /etc/shells.
auth required /lib/security/pam_shells.so
account required /lib/security/pam_unix.so
session required /lib/security/pam_unix.so

Any user listed in /etc/ftpusers is denied.

3. Whether the permissions on the relevant directories are correct.
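The three checks above, plus local_enable (vsftpd's default is NO, and the vsftpd.conf quoted further down relies on it being YES), can be scripted. The following is an added example and not code from the original post: it reads every file relative to a root directory, so it can be run against the constructed sample tree it builds itself (the users alice, bob, carol and dave and their files are made up for the demonstration) or against a real server by passing an empty root.

```shell
# vsftpd_check USER ROOT
# Prints one line per problem found; returns 0 if, as far as these checks go,
# USER should be able to log in, and 1 otherwise. ROOT is prefixed to every
# path ("" means the running system).
vsftpd_check() {
    user=$1 root=$2 rc=0
    conf=$root/etc/vsftpd/vsftpd.conf

    # local_enable defaults to NO: without it no local (passwd) user can log in.
    if ! grep -qx 'local_enable=YES' "$conf" 2>/dev/null; then
        echo "local_enable=YES is not set in $conf"; rc=1
    fi

    # (2) pam_service_name must name a file under /etc/pam.d; vsftpd's built-in
    #     default service name is "ftp".
    svc=$(sed -n 's/^pam_service_name=//p' "$conf" 2>/dev/null | tail -n 1)
    svc=${svc:-ftp}
    if [ ! -f "$root/etc/pam.d/$svc" ]; then
        echo "pam_service_name=$svc but $root/etc/pam.d/$svc does not exist"; rc=1
    fi

    # (1) pam_listfile ... file=/etc/ftpusers sense=deny refuses any listed user.
    if [ -f "$root/etc/ftpusers" ] && grep -qx "$user" "$root/etc/ftpusers"; then
        echo "$user is listed in /etc/ftpusers (pam_listfile sense=deny)"; rc=1
    fi

    # (3a) pam_shells: the login shell must appear in /etc/shells.
    entry=$(grep "^$user:" "$root/etc/passwd" 2>/dev/null | head -n 1)
    if [ -z "$entry" ]; then
        echo "$user has no entry in $root/etc/passwd"; return 1
    fi
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    if ! grep -qx "$shell" "$root/etc/shells" 2>/dev/null; then
        echo "login shell $shell of $user is not in /etc/shells (pam_shells denies)"; rc=1
    fi

    # (3b) the home directory must exist and be searchable by its owner, or
    #      vsftpd answers "500 OOPS: cannot change directory:$home".
    if [ ! -d "$root$home" ]; then
        echo "home directory $home does not exist"; rc=1
    else
        # 4th character of the ls -ld mode string is the owner's execute bit.
        case $(ls -ld "$root$home" | cut -c4) in
            x|s) ;;
            *) echo "home directory $home lacks owner search (x) permission"; rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed sample tree (not a real system): alice is a normal user, bob is
# listed in /etc/ftpusers, carol has /sbin/nologin as shell, dave's home is 600.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/etc/vsftpd" "$r/etc/pam.d" \
             "$r/home/alice" "$r/home/bob" "$r/home/carol" "$r/home/dave"
    printf 'local_enable=YES\nwrite_enable=YES\npam_service_name=vsftpd\n' \
        > "$r/etc/vsftpd/vsftpd.conf"
    printf '#%%PAM-1.0\nauth required pam_unix.so\n' > "$r/etc/pam.d/vsftpd"
    printf 'root\nbob\n' > "$r/etc/ftpusers"
    printf '/bin/sh\n/bin/bash\n' > "$r/etc/shells"
    printf 'alice:x:1001:1001::/home/alice:/bin/bash\n' >  "$r/etc/passwd"
    printf 'bob:x:1002:1002::/home/bob:/bin/bash\n'     >> "$r/etc/passwd"
    printf 'carol:x:1003:1003::/home/carol:/sbin/nologin\n' >> "$r/etc/passwd"
    printf 'dave:x:1004:1004::/home/dave:/bin/sh\n'     >> "$r/etc/passwd"
    chmod 755 "$r/home/alice" "$r/home/bob" "$r/home/carol"
    chmod 600 "$r/home/dave"
    echo "$r"
}

# Demonstration against the sample tree.
SAMPLE=$(make_sample_root)
for u in alice bob carol dave; do
    if vsftpd_check "$u" "$SAMPLE"; then echo "$u: no problem found"; fi
done
chmod -R u+rwx "$SAMPLE" && rm -rf "$SAMPLE"
```

On the server itself run `vsftpd_check usr3 ""`. Note that vsftpd also has its own deny list, controlled by userlist_enable and user_list in vsftpd.conf, which is independent of the PAM /etc/ftpusers check and not covered here.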

On the question "some of vsftpd's local users cannot log in while others can":
none of the local accounts that already existed on the system can log in. My /etc/vsftpd/vsftpd.conf is configured as follows:

local_enable=YES
write_enable=YES
chroot_local_user=YES
pam_service_name=vsftpd
/etc/pam.d/vsftpd exists and is fine.

The error message at login is the same for all of them:
500 OOPS: cannot change directory:/home/xxxx
Login failed.
421 Service not available, remote server has closed connection

ËûÃǵÄhomeĿ¼¶¼ÊÇ/home/xxxx¡£/homeºÍ/home/xxxxµÄȨÏÞ¶¼ÊÇ755¡£
ÒÔÉÏÕâЩÕʺŶ¼²»ÄÜftpµÇ¼£¬ÕâЩ¶¼ÊÇÆ½³£¾­³£Ê¹Óõģ¬¿ÉÒÔÓÃshellµÇ¼µÄ¡£

I created another account, usr1:
# useradd -G test -d /tmp/usr1 usr1
It can log in over ftp. Its home is /tmp/usr1, on the / partition, whereas /home is mounted from /dev/hda9:
# mount
/dev/hdb1 on / type ext3 (rw)
/dev/hda9 on /home type ext2 (rw)

So my guess: is it something about the /home partition that prevents every account whose home directory is on the /home partition from logging in?

To test this idea I created one more account:
useradd -G test -d /home/usr3 usr3
/home and /home/usr3 both have permissions 755.

usr3 fails to log in over ftp:
500 OOPS: cannot change directory:/home/usr3
Login failed.
421 Service not available, remote server has closed connection

At this point I think it is safe to say that the /home partition is the reason every account whose home directory is on it cannot log in.

Reference article:
I finished my second upgrade to Fedora Core 4. Not everything is ironed out yet with the build of course. But one thing is for sure a lot has happened to the RedHat I knew before.

I must say of all the changes, for me the nicest addition is the new SELinux extensions. For deep background on the reasons for and theory of SELinux, read The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments.

The more I work with SELinux the more I realize I need to know about it, and how exactly it does all its stuff. It certainly changes things relating to users, directories and access. As I am starting to learn it, I'm sure I'm doing things the hard-way. :)

The major difference, so far for me, in Red Hat's SELinux is the way ftp is handled. vsftpd is still the server, which is great. However, it seems to be designed to run as a daemon rather than invoked via xinetd. If you grab a working copy of the xinetd configuration file for vsftpd you can still invoke it through the xinetd wrapper. I did my first server upgrade in this manner. The current one I am trying as a daemon. I certainly think I will miss some of the features that the xinetd wrapper brings, and may yet return to it.

Of all the issues I saw, the most notable is that if you want to enable chroot directories outside of the normal /home/xxx, vsftpd fails with a

500 OOPS: cannot change directory: /mnt/xxxxx

I was able to use ftp if I logged in with an account with a directory in /home, but once I set a user account to have a home directory outside of /home (in this case on a mounted secondary disk) vsftpd barfs with the above.

I found information at the NSA that indicates you can disable SELinux protection of the ftp daemon.

setsebool -P ftpd_disable_trans 1

This seems a bit drastic. It certainly works for now though.

I think ultimately the issue resides with policies, but as SELinux policies are new to me, it will take time before it all gets sorted out. As I spend time with the new SELinux extensions in Fedora Core 4 I will keep you updated on my thoughts and configuration lessons.

Solution:
# setsebool ftpd_disable_trans 1
# service vsftpd restart
I'm on FC4. I tried the method from your previous post and it was fixed immediately, so we can be sure the cause is SELinux.