[求助] 手工安装vsftpd-2.0.5锁定ftp的目录不成功....求助！

jsw7001

手工安装vsftpd-2.0.5锁定ftp的目录不成功....求助！

目的:建了一个叫test的用户，家目录指定到/var/www/html,但是在ftp登录后，显示当前位置不是/而是/var/www/html,按退回上一级按钮，可以一直退到/目录中，这显然是不安全的。我想达到的目的是锁定用户只能在/var/www/html及以下目录活动。

然后使用了下面的方法:
-------------------------------------------------------
列表中的用户在家目录
在vsftpd.conf中添加
chroot_local_user=NO( 也可不添加 系统默认为no)
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot
然后将需要锁定的用户一行一个用户名填写到/etc/vsftpd.chroot文件中
-------------------------------------------------------
重启vsftpd服务后，用flashfxp软件一登录，直接跳到/目录下了，根本没有起作用，请教！


.

handuck

我也是遇到这个问题 感谢 讲解

jsw7001

问题已经解决,问题在于我在添加用户时错把用户添加到了ftp组。

useradd -d /var/www/html -g ftp -s /sbin/nologin test

之后把用户删掉,改成就好了。

useradd -d /var/www/html -s /sbin/nologin test

登录后效果:

下载 (19.74 KB)

2012-1-4 14:55

.

jsw7001

重起
admin 发表于 2012-1-4 12:36

    service vsftpd restart后连接还是直接进了/目录了。

　　

下载 (57.51 KB)

2012-1-4 14:07

.

admin

重起

jsw7001

chroot_local_user=YES
admin 发表于 2012-1-4 09:41

test用户指定的目录是/var/www/html/holimov,如图:

　　

下载 (12.23 KB)

2012-1-4 11:38

但是登录后根直接进入根目录了。
   

下载 (60.55 KB)

2012-1-4 11:37

新装的vsftp,只在vsftpd.conf中加了一条 chroot_local_user=YES  ,其它的啥都没有动。

vsftpd.conf全配置如下:

1. # Example config file /etc/vsftpd/vsftpd.conf
   
2. #
   
3. # The default compiled in settings are fairly paranoid. This sample file
   
4. # loosens things up a bit, to make the ftp daemon more usable.
   
5. # Please see vsftpd.conf.5 for all compiled in defaults.
   
6. #
   
7. # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
   
8. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
   
9. # capabilities.
   
10. #
    
11. # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
    
12. #anonymous_enable=YES
    
13. #
    
14. # Uncomment this to allow local users to log in.
    
15. local_enable=YES
    
16. #
    
17. # Uncomment this to enable any form of FTP write command.
    
18. write_enable=YES
    
19. #
    
20. # Default umask for local users is 077. You may wish to change this to 022,
    
21. # if your users expect that (022 is used by most other ftpd's)
    
22. local_umask=022
    
23. #
    
24. # Uncomment this to allow the anonymous FTP user to upload files. This only
    
25. # has an effect if the above global write enable is activated. Also, you will
    
26. # obviously need to create a directory writable by the FTP user.
    
27. #anon_upload_enable=YES
    
28. #
    
29. # Uncomment this if you want the anonymous FTP user to be able to create
    
30. # new directories.
    
31. #anon_mkdir_write_enable=YES
    
32. #
    
33. # Activate directory messages - messages given to remote users when they
    
34. # go into a certain directory.
    
35. dirmessage_enable=YES
    
36. #
    
37. # The target log file can be vsftpd_log_file or xferlog_file.
    
38. # This depends on setting xferlog_std_format parameter
    
39. xferlog_enable=YES
    
40. #
    
41. # Make sure PORT transfer connections originate from port 20 (ftp-data).
    
42. connect_from_port_20=YES
    
43. #
    
44. # If you want, you can arrange for uploaded anonymous files to be owned by
    
45. # a different user. Note! Using "root" for uploaded files is not
    
46. # recommended!
    
47. #chown_uploads=YES
    
48. #chown_username=whoever
    
49. #
    
50. # The name of log file when xferlog_enable=YES and xferlog_std_format=YES
    
51. # WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
    
52. #xferlog_file=/var/log/xferlog
    
53. #
    
54. # Switches between logging into vsftpd_log_file and xferlog_file files.
    
55. # NO writes to vsftpd_log_file, YES to xferlog_file
    
56. xferlog_std_format=YES
    
57. #
    
58. # You may change the default value for timing out an idle session.
    
59. #idle_session_timeout=600
    
60. #
    
61. # You may change the default value for timing out a data connection.
    
62. #data_connection_timeout=120
    
63. #
    
64. # It is recommended that you define on your system a unique user which the
    
65. # ftp server can use as a totally isolated and unprivileged user.
    
66. #nopriv_user=ftpsecure
    
67. #
    
68. # Enable this and the server will recognise asynchronous ABOR requests. Not
    
69. # recommended for security (the code is non-trivial). Not enabling it,
    
70. # however, may confuse older FTP clients.
    
71. #async_abor_enable=YES
    
72. #
    
73. # By default the server will pretend to allow ASCII mode but in fact ignore
    
74. # the request. Turn on the below options to have the server actually do ASCII
    
75. # mangling on files when in ASCII mode.
    
76. # Beware that on some FTP servers, ASCII support allows a denial of service
    
77. # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
    
78. # predicted this attack and has always been safe, reporting the size of the
    
79. # raw file.
    
80. # ASCII mangling is a horrible feature of the protocol.
    
81. #ascii_upload_enable=YES
    
82. #ascii_download_enable=YES
    
83. #
    
84. # You may fully customise the login banner string:
    
85. #ftpd_banner=Welcome to blah FTP service.
    
86. #
    
87. # You may specify a file of disallowed anonymous e-mail addresses. Apparently
    
88. # useful for combatting certain DoS attacks.
    
89. #deny_email_enable=YES
    
90. # (default follows)
    
91. #banned_email_file=/etc/vsftpd/banned_emails
    
92. #
    
93. # You may specify an explicit list of local users to chroot() to their home
    
94. # directory. If chroot_local_user is YES, then this list becomes a list of
    
95. # users to NOT chroot().
    
96. #chroot_list_enable=YES
    
97. # (default follows)
    
98. #chroot_list_file=/etc/vsftpd/chroot_list
    
99. #
    
100. # You may activate the "-R" option to the builtin ls. This is disabled by
     
101. # default to avoid remote users being able to cause excessive I/O on large
     
102. # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
     
103. # the presence of the "-R" option, so there is a strong case for enabling it.
     
104. #ls_recurse_enable=YES
     
105. #
     
106. # When "listen" directive is enabled, vsftpd runs in standalone mode and
     
107. # listens on IPv4 sockets. This directive cannot be used in conjunction
     
108. # with the listen_ipv6 directive.
     
109. listen=YES
     
110. #
     
111. # This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
     
112. # sockets, you must run two copies of vsftpd whith two configuration files.
     
113. # Make sure, that one of the listen options is commented !!
     
114. #listen_ipv6=YES
     
115. 
     
116. pam_service_name=vsftpd
     
117. userlist_enable=YES
     
118. tcp_wrappers=YES
     
119. chroot_local_user=YES

复制代码

.

admin

chroot_local_user=YES