Bash script (#!/bin/bash) permission errors (chown, chmod)

I hope someone can help me. I'm not a professional and I don't work in this industry. My two previous jobs were naval officer and truck driver. I like tinkering with technology.

I'm now fairly confident in a Linux environment and am attempting to write my first long bash script. In fact, with a lot of help from community posts, I managed to write it. But somewhere I made a permissions mistake, or, while setting up the FTP server entirely with the script, made a mistake about which directories to include.

I hope someone can spot my mistake, because I want to get this right and keep learning. I'll attach the full script below.

#!/bin/bash

USERNAME="someusername"

# Change to the Downloads folder in order to cp the vsftpd.conf file here, change permissions, find/replace text and add text, and then cp it back to /etc/.

cd ~/Downloads
sudo apt update && sudo apt upgrade
sudo apt install vsftpd

# Check to see if the vsftpd.conf file is in its proper location and if so copies it to ~/Downloads

FILE=/etc/vsftpd.conf
if test -f "$FILE"; then
    echo "$FILE exists."
    cp /etc/vsftpd.conf ~/Downloads
fi

# This checks whether a package is installed; the same approach could replace the file-existence check above

REQUIRED_PKG="ufw"
PKG_OK=$(dpkg-query -W --showformat='${Status}\n' $REQUIRED_PKG|grep "install ok installed")
echo Checking for $REQUIRED_PKG: $PKG_OK
if [ "" = "$PKG_OK" ]; then
  echo "No $REQUIRED_PKG. Setting up $REQUIRED_PKG."
  sudo apt-get --yes install $REQUIRED_PKG 
fi

# Firewall settings using ufw
# Open firewall ports

sudo ufw allow OpenSSH
sudo ufw allow 20/tcp
sudo ufw allow 21/tcp
sudo ufw allow 990/tcp
sudo ufw allow 40000:50000/tcp
sudo ufw allow 32400/tcp

# Check ufw status

sudo ufw status
sudo ufw enable

# Add a user and create ftp directory

sudo adduser "$USERNAME"          # was "assuser", a typo that made the command fail
sudo mkdir /home/$USERNAME/ftp
sudo chown nobody:nogroup /home/$USERNAME/ftp
sudo chmod a-w /home/$USERNAME/ftp   # was "chown a-w"; vsftpd refuses to chroot into a root directory that is writable
sudo ls -la /home/$USERNAME/ftp
sudo mkdir /home/$USERNAME/ftp/files
sudo chown $USERNAME:$USERNAME /home/$USERNAME/ftp/files
echo "vsftpd sample file" | sudo tee /home/$USERNAME/ftp/files/sample.txt

# Change ownership and edit vsftpd.conf file

sudo chmod 755 vsftpd.conf
sudo chown $USERNAME vsftpd.conf   # changing the owner to another user requires root


# Find and replace text on vsftpd.conf file using sed
sed -i 's/anonymous_enable=YES/anonymous_enable=NO/g' vsftpd.conf
sed -i 's/local_enable=NO/local_enable=YES/g' vsftpd.conf
sed -i 's/#write_enable=YES/write_enable=YES/g' vsftpd.conf
sed -i 's/#chroot_local_user=YES/chroot_local_user=YES/g' vsftpd.conf


# Add rules to the vsftpd.conf file
# Single quotes: vsftpd expands the literal $USER token itself at login time;
# with double quotes the shell would bake in the name of whoever ran the script
echo 'user_sub_token=$USER' >> vsftpd.conf
echo 'local_root=/home/$USER/ftp' >> vsftpd.conf
echo "pasv_min_port=40000" >> vsftpd.conf
echo "pasv_max_port=50000" >> vsftpd.conf
echo "userlist_enable=YES" >> vsftpd.conf
echo "userlist_file=/etc/vsftpd.userlist" >> vsftpd.conf
echo "userlist_deny=NO" >> vsftpd.conf


# Making FTP Secure

# By default, FTP doesn't encrypt data, so we will be using an SSL/TLS
# certificate to secure data transfer. The first step is to create the
# SSL certificate for the Ubuntu FTP server
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem


# This points the configuration file to the certificate that was just created
echo "rsa_cert_file=/etc/ssl/private/vsftpd.pem" >> vsftpd.conf
echo "rsa_private_key_file=/etc/ssl/private/vsftpd.pem" >> vsftpd.conf


# Adding rules to the vsftpd.conf file
echo "ssl_enable=YES" >> vsftpd.conf
echo "allow_anon_ssl=NO" >> vsftpd.conf
echo "force_local_data_ssl=YES" >> vsftpd.conf
echo "force_local_logins_ssl=YES" >> vsftpd.conf
echo "ssl_tlsv1=YES" >> vsftpd.conf
echo "ssl_sslv2=NO" >> vsftpd.conf
echo "ssl_sslv3=NO" >> vsftpd.conf
echo "require_ssl_reuse=NO" >> vsftpd.conf
echo "ssl_ciphers=HIGH" >> vsftpd.conf
echo "$USERNAME" | sudo tee -a /etc/vsftpd.userlist
cat /etc/vsftpd.userlist


# Here I return the vsftpd.conf edited file back to /etc/
sudo cp -r ~/Downloads/vsftpd.conf /etc/


# Restart vsftpd and cross my fingers
sudo systemctl restart vsftpd

echo "I've never failed at anything. Except life."

That's it.

So it does work for me, and I can connect via FileZilla.

My problem is that I can access all files and folders, including the root directory and all of its subdirectories.

I'm pretty sure that is not secure.

OK, I know that was a long read, but I hope someone can point out my mistake.

Also, can anyone recommend a good training tool or book for learning more about Linux, the shell and bash scripting? (Preferably not a bs site trying to sell me a Udemy course or harvest my email address.)

Thanks

Aaron

Answer 1

Your error is in the jail (chroot) configuration.
If I understand what you want correctly, you can choose the first option below: all users are jailed by default.

To chroot users

To jail/chroot users (not the VSFTPD service), there are three options. Search the file for "chroot_local_user" and consider one of the following


All users jailed by default
chroot_local_user=YES
chroot_list_enable=NO

Only some users jailed
chroot_local_user=NO
chroot_list_enable=YES
# Create the file /etc/vsftpd.chroot_list with a list of the jailed users.

Only some users are "free"
chroot_local_user=YES
chroot_list_enable=YES
# Create the file /etc/vsftpd.chroot_list with a list of the "free" users.

More details: https://help.ubuntu.com/community/vsftpd#To_chroot_users
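An added example, not part of the question or the answer above: a small POSIX sh helper that reads a vsftpd.conf and reports which of the three jail modes it selects, treating a still-commented "#chroot_local_user=YES" as absent and applying vsftpd's NO defaults (so a config where neither option took effect reports "none", the situation in which a local user sees the whole filesystem), plus a check of the mode bits on the chroot root directory, since vsftpd refuses to run with a writable root inside chroot() (the reason for the script's chmod a-w). The function names and the sample config are my own constructions, not anything from the Ubuntu documentation or vsftpd.

```shell
#!/bin/sh
# Added example: audit the chroot ("jail") settings of a vsftpd.conf.
# Function names and the sample config below are constructed for this example.

# conf_get FILE KEY: print the effective value of KEY in FILE.
# Lines starting with '#' are ignored (so "#chroot_local_user=YES" counts as unset);
# the last assignment wins; the value is upper-cased for comparison.
conf_get() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null \
        | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' \
        | tr '[:lower:]' '[:upper:]'
}

# vsftpd_chroot_mode FILE: print one of
#   all_jailed     chroot_local_user=YES, chroot_list_enable=NO
#   listed_jailed  chroot_local_user=NO,  chroot_list_enable=YES (list = jailed users)
#   listed_free    chroot_local_user=YES, chroot_list_enable=YES (list = exempt users)
#   none           neither in effect: local users can browse the whole filesystem
vsftpd_chroot_mode() {
    local_user=$(conf_get "$1" chroot_local_user)
    list_enable=$(conf_get "$1" chroot_list_enable)
    # vsftpd's defaults when the options are absent
    local_user=${local_user:-NO}
    list_enable=${list_enable:-NO}
    case "$local_user/$list_enable" in
        YES/NO)  echo all_jailed ;;
        NO/YES)  echo listed_jailed ;;
        YES/YES) echo listed_free ;;
        *)       echo none ;;
    esac
}

# chroot_root_writable DIR: return 0 if any write bit is set in DIR's mode.
# Approximates vsftpd's refusal to run with a writable root inside chroot();
# the cure is "chmod a-w DIR" and keeping an uploadable subdirectory below it.
chroot_root_writable() {
    perms=$(ls -ld "$1" | cut -c2-10)
    case "$perms" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demo on a constructed config in which the chroot line was never uncommented
# (the script's sed only changes the line if it is present in exactly that form).
sample=$(mktemp)
printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' 'write_enable=YES' \
    '#chroot_local_user=YES' 'local_root=/home/$USER/ftp' > "$sample"
echo "jail mode: $(vsftpd_chroot_mode "$sample")"   # prints "jail mode: none"
rm -f "$sample"
```

Run it against the real file with vsftpd_chroot_mode /etc/vsftpd.conf after the script has copied the edited config back, and against the ftp directory with chroot_root_writable /home/USERNAME/ftp; "none" or a writable root is the condition to fix before restarting the service.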
