昨天我使用 Pure-FTPd 配置完成了 FTP 服务器。我使用的方法是“虚拟用户”方法。
下面的命令基本上是我为了使其工作而执行的:
PureFTPd (Debian 10)
Instalar FTP usando o Pure-FTPd no Debian 10:
sudo apt install -y pure-ftpd-common pure-ftpd # Install Pure-FTPd
sudo ss -lnpt | grep pure-ftpd # Check what port is Pure-FTPd is running
Initial Steps for Preparing Pure-FTPd to work:
System User and Group:
sudo su -
groupadd ftpgroup # Create FTP Group
useradd -g ftpgroup -d /dev/null -s /etc ftpuser # Create Emulated System User for Virtual FTP User
mkdir /home/ftpusers # Create Base Home dir for Virtual Users
chown root:root /home/ftpusers -R # Set root Permissions so Pure-FTPd can create folders Automatically
chgrp ftpgroup /home/ftpusers # Set permissions to FTP Group for Virtual Users Permissions
chmod g+rx /home/ftpusers
PureFTPd Config
echo "yes" > /etc/pure-ftpd/conf/Daemonize # Run as Daemon
echo "yes" > /etc/pure-ftpd/conf/NoAnonymous # Prohibit Anonymous
echo "yes" > /etc/pure-ftpd/conf/ChrootEveryone # Enable chroot
echo “yes” > /etc/pure-ftpd/conf/VerboseLog # Enable Verbose Logging
echo yes > /etc/pure-ftpd/conf/CreateHomeDir # Create Folders Automatically
echo no > /etc/pure-ftpd/conf/PAMAuthentication # ??? Check Later
echo no > /etc/pure-ftpd/conf/UnixAuthentication # ??? Check Later - Disable login, maybe?
>/var/log/pure-ftpd/transfer.log && chmod 755 /var/log/pure-ftpd/transfer.log # Enable Logging
Config. Pure-FTPd => /etc/pure-ftpd/pure-ftpd.conf
# This limits accounts to only what is in the Pure-FTPd database
AUTH="-lpuredb:/etc/pure-ftpd/pureftpd.pdb"
# Disallow anonymous connections. Only accept authenticated users.
NoAnonymous yes
# File creation mask. <umask for files>:<umask for dirs> - Use 177:077 if you’re paranoid.
Umask 003:002
# Enable Passive mode to avoid Firewall NAT problems.
PassivePortRange 40000 60000
Config. Common Pure-FTPd => vi /etc/default/pure-ftpd-common
id -u ftpuser # Get UID/GID of FTP User first.
Change UPLOADUID/UPLOADGID on pure-ftpd-common file.
Those commands are needed for some reason, otherwise, user can’t login:
ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/40PureDB
ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/50pure
Virtual User PureFTPd
pure-pw useradd victor -u ftpuser -g ftpgroup -d /home/ftpusers/victor
pure-pw passwd victor -m
Reload PureFTPd
pure-pw mkdb -f /etc/pure-ftpd/pureftpd.passwd -F /etc/pure-ftpd/pureftpd.pdb # Update PureFTPd Database
service pure-ftpd restart
但是,在此之后,我的下一个需求是从 NGINX 安装中创建一个 HTML 文件夹,以便客户端可以通过 FTP 传输文件。根据上述命令和他的 Chrooted FTP 文件夹 - 一切正常!如果我尝试使用 MobaXTerm 或其他 FTP 客户端将任何内容上传到他的 FTP 文件夹,我就可以做到。
但是,如果我尝试将其上传到使用以下命令创建的 HTML 绑定文件夹,它不允许我这样做:
CHRoot HTML Folder
mkdir -p /home/ftpusers/victor/sites # Create Websites Folder for Victor
mount --bind /var/www/html /home/ftpusers/victor/sites # Bind Mount because Link command does not work
Config. for FSTab in order to mount it at boot:
/mnt/data/html /var/www/html none nofail,bind 0 0
/var/www/html /home/ftpusers/victor/sites none nofail,bind 0 0
groups www-data # Check what groups NGINX user is in
chown -R :<group> /var/www/html # Just to be sure let’s redo HTML Permission for NGINX.
chmod -R g+w /var/www/html # Group can Edit/Write
usermod -a -G www-data ftpuser # Add our FTP User to NGINX Group
groups ftpuser # Now FTP User is in the same groups as NGINX User
Read and Write tests for FTP using cURL => All Tests worked when the owners were ftpuser ftpgroup.
When Owners were www-data www-data it does not let my FTP User replace and upload files... Even tho, I added the FTP User above as being in the group that is owning the files.
curl ftp://localhost:21/testfile_read -u 'victor:ftp_password' -O # Read Permissions from Outside HTML folder
curl ftp://localhost:21/sites/testfile_html_read -u 'victor:ftp_password' -O # Read Permissions from Inside HTML folder.
curl -T testfile_write ftp://localhost:21/ -u 'victor:ftp_password' # Write Permissions from Outside HTML folder.
curl -T testfile_html_write ftp://localhost:21/sites/ -u 'victor:ftp_password' # Write Permissions from Inside HTML folder.
因此,这看起来像是 www-data 和绑定文件夹本身的权限问题...但这没有意义,因为我已经将 FTP 用户添加到可以编辑/写入的组中...
答案1
我完成这项工作的唯一方法是:
sudo chown root /var/www
sudo chmod 755 /var/www
sudo chgrp ftpgroup /var/www/ -R
sudo chown www-data /var/www/html/ -R
sudo chmod 775 /var/www/html/ -R
就像这样,甚至斜线在这里也很重要。我相信这不是完全安全的,一定有另一种更安全的方法,但我找不到。