ProFTPD is the most popular FTP server software after Wu-FTP. For it to run stably, all ProFTPD permissions must be set correctly. This article introduces the principles behind ProFTPD access control.
I. Test Platform
Debian 4.0r3
Proftpd 1.3.1 (with ssl)
II. Principles
1. Inheritance
The subdirectory inherits the attributes of its parent directory.
2. Priority
Priority, from highest to lowest:
Individual FTP command (LIST, DELE, etc.) > command group (DIRS, READ, WRITE) > the ALL command group
3. Application sequence of access control
Regardless of the order in which the directives are written, Deny is applied first and Allow is applied afterwards.
4. System Permissions
Linux file-system permissions still apply. If WRITE is allowed on the directory test in ProFTPD, but the user has only read permission on it at the file-system level, the user still cannot write data to the test directory.
Annotated configuration fragment (the directive lines annotated 1, Inheritance, and 2, Priority, did not survive extraction; only the access-control lines annotated 3, Application sequence of access control, remain):
AllowUser u1
DenyAll
One note: according to reference 1, the result should depend on the order of the access-control directives, but in my test the order had no effect. That is, for access control like the above, AllowUser u1 and DenyAll give the same result whichever of them comes first.
III. Instances
1. Introduction
Assume that the ProFTPD server has five users:
manager, manA1, manA2, manB1, manB2
and two groups:
groupA, groupB
manA1 and manA2 belong to groupA, and manB1 and manB2 belong to groupB.
The directory structure is as follows:
/ (root directory)
│
├── ftproot/
│   ├── manager/
│   ├── groupA/
│   │   ├── A1/
│   │   ├── A2/
│   │   └── .../
│   └── groupB/
│       ├── B1/
│       ├── B2/
│       └── .../
└── .../
Permissions to be implemented:
1. User manager can read and write the manager, groupA, and groupB directories and their subdirectories.
2. manA1 can read and write the A1 directory and all subdirectories of groupB.
3. manA2 can read and write the A2 directory and all subdirectories of groupB.
4. manB1 can read and write the B1 directory.
5. manB2 can read and write the B2 directory.
6. If a user has no access to a directory, the user cannot see that directory.
7. Only the manager user and members of groupA and groupB are allowed to access the FTP server.
8. No one is allowed to break the main directory structure.
2. Implementation
(1) Add users and groups
useradd manager
passwd manager
groupadd groupA
groupadd groupB
useradd manA1
passwd manA1
usermod -G groupA manA1
useradd manA2
passwd manA2
usermod -G groupA manA2
useradd manB1
passwd manB1
usermod -G groupB manB1
useradd manB2
passwd manB2
usermod -G groupB manB2
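The proftpd.conf side of the requirements listed above, as an added example that is not the article's own configuration. It assumes the /ftproot tree shown earlier is the real path on the server, chroots clients there with DefaultRoot, and relies on HideNoAccess together with matching Unix ownership and modes for requirement 6; the deny-by-default WRITE limit on /ftproot is inherited by every subdirectory and re-allowed only in the closer <Directory> blocks, which is the inheritance rule from section II in practice.

```apacheconf
# Constructed example, not the article's own proftpd.conf; assumes the /ftproot tree shown above
DefaultRoot /ftproot   # clients are chrooted here; <Directory> paths below stay real server paths

# Requirement 7: only manager and members of groupA / groupB may log in
<Limit LOGIN>
  AllowUser manager
  AllowGroup groupA
  AllowGroup groupB
  DenyAll
</Limit>

# Requirement 8 and the inheritance rule: the whole tree starts read-only and
# only a closer <Directory> block re-allows writing. HideNoAccess hides entries
# the user has no file-system permission on (requirement 6), so chown/chmod must match.
<Directory /ftproot>
  HideNoAccess on
  <Limit WRITE>
    DenyAll
  </Limit>
</Directory>

# groupA/ itself: members may browse it to reach their own folder; WRITE stays with manager
<Directory /ftproot/groupA>
  <Limit READ DIRS>
    AllowUser manager
    AllowGroup groupA
    DenyAll
  </Limit>
  <Limit WRITE>
    AllowUser manager
    DenyAll
  </Limit>
</Directory>

# Requirement 2: A1 is read/write for manA1 and manager only (A2 mirrors this for manA2)
<Directory /ftproot/groupA/A1>
  <Limit READ WRITE DIRS>
    AllowUser manager
    AllowUser manA1
    DenyAll
  </Limit>
</Directory>

# Requirements 2-4: B1 is read/write for manB1, manager and every groupA member
<Directory /ftproot/groupB/B1>
  <Limit READ WRITE DIRS>
    AllowUser manager
    AllowUser manB1
    AllowGroup groupA
    DenyAll
  </Limit>
</Directory>
```

Requirements 1 and 5 use the same pattern with blocks for /ftproot/manager, /ftproot/groupB and /ftproot/groupB/B2; a directory a user may not enter only disappears from listings if its Unix owner, group and mode deny that user as well.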