    Ubuntu 14.04 vsftpd

    References:
    http://www.cnblogs.com/acpp/archive/2010/02/08/1666054.html
    http://segmentfault.com/a/1190000000438443
    Vsftpd virtual user setup

    I. Installation
    apt-get -y install vsftpd
    root@localhost:~# lsb_release -a 2>/dev/null
    Distributor ID:    Ubuntu
    Description:    Ubuntu 14.04.1 LTS
    Release:    14.04
    Codename:    trusty
    root@localhost:~# vsftpd -v
    vsftpd: version 3.0.2
    root@localhost:/usr/share/doc/vsftpd/examples# pwd
    /usr/share/doc/vsftpd/examples
    root@localhost:/usr/share/doc/vsftpd/examples# ls
    INTERNET_SITE  INTERNET_SITE_NOINETD  PER_IP_CONFIG  README  VIRTUAL_HOSTS  VIRTUAL_USERS  VIRTUAL_USERS_2
    Tip: the distribution package ships a good set of documentation and sample configurations, which is a nice touch.


    II. Anonymous users
    cp /etc/vsftpd.conf{,.default}
    Get into the habit of making a backup before editing.
    1. Enable anonymous access
    anonymous_enable=YES
    # Anonymous access needs only this one change to the default config file, and it is read-only
    root@localhost:~# touch /srv/ftp/Test2015
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): ftp
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    -rw-r--r--    1 0                     0 Aug 02 03:51 Test2015
    226 Directory send OK.
    The anonymous account is ftp or anonymous; the password is empty (vsftpd accepts any string here).
    2. Change the anonymous root directory
    # The default anonymous root is the ftp user's home directory, /srv/ftp
    root@localhost:~# mkdir /ftp_guest
    root@localhost:~# touch /ftp_guest/ftp
    root@localhost:~# vim /etc/vsftpd.conf
    anon_root=/ftp_guest

    root@localhost:~# service vsftpd restart
    vsftpd stop/waiting
    vsftpd start/running, process 4823
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): ftp
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    -rw-r--r--    1 0                     0 Aug 02 03:49 ftp
    226 Directory send OK.

    III. Local users
    1. A global FTP root for local users
    root@localhost:~# mkdir -p /ftp_admin/{leader,foo}
    root@localhost:~# vim /etc/vsftpd.conf
    (this is where local_root=/ftp_admin, the global FTP root referred to below, is set)
    root@localhost:~# useradd -M -s /bin/false leader
    root@localhost:~# echo leader:leader|chpasswd
    Problem 1: the password is typed correctly, but the server still reports it as wrong
    Note: on Ubuntu a login shell of /bin/false or /usr/sbin/nologin produces "Login incorrect", because /etc/pam.d/vsftpd ends with "auth required pam_shells.so", which rejects any account whose shell is not listed in /etc/shells. Copying the RHEL recipe (an FTP-only account with a nologin shell) therefore fails here. Either give the account a shell from /etc/shells, as done below with chsh, or, to keep the account unable to get a shell, add /usr/sbin/nologin to /etc/shells or drop the pam_shells line.
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): leader
    331 Please specify the password.
    Password:
    530 Login incorrect.
    Login failed.
    ftp> 221 Goodbye.
    Problem 2: the server cannot change to the home directory
    root@localhost:~# chsh -s /bin/bash leader
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): leader
    331 Please specify the password.
    Password:
    500 OOPS: cannot change directory:/home/leader
    Login failed.
    421 Service not available, remote server has closed connection
    Fix 1: edit /etc/passwd (usermod here) so that the home-directory field points at a directory that really exists; useradd -M created none
    root@localhost:~# usermod leader -d /ftp_admin/leader
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): leader
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/ftp_admin"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 0                  4096 Aug 02 04:03 foo
    drwxr-xr-x    2 0                  4096 Aug 02 04:03 leader
    226 Directory send OK.
    The root shown is /ftp_admin because local_root=/ftp_admin is set in the global config file. As the error above shows, vsftpd first changes into the account's home directory and only then into local_root, so the home directory has to exist even though the session never lands in it.
    Fix 2: delete the user and recreate it with a home directory (-m)
    root@localhost:~# userdel -r leader
    userdel: leader mail spool (/var/mail/leader) not found
    userdel: /ftp_admin/leader not owned by leader, not removing
    root@localhost:~# useradd -m -s /bin/bash leader
    root@localhost:~# echo leader:leader|chpasswd
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): leader
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/ftp_admin"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 0                  4096 Aug 02 04:03 foo
    drwxr-xr-x    2 0                  4096 Aug 02 04:03 leader
    226 Directory send OK.
     

    2. Lock all local users into their FTP root
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): leader
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/ftp_admin"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 0                  4096 Aug 02 04:03 foo
    drwxr-xr-x    2 0                  4096 Aug 02 04:24 leader
    226 Directory send OK.
    ftp> cd ..
    250 Directory successfully changed.
    ftp> pwd
    257 "/"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 0                  4096 Aug 02 01:58 bin
    drwxr-xr-x    4 0                  1024 Aug 01 19:09 boot
    drwxr-xr-x    2 0                  4096 Aug 02 01:44 ccc
    drwxr-xr-x    3 0                  4096 Aug 02 03:33 data
    drwxr-xr-x   15 0                  4020 Aug 01 20:58 dev
    drwxr-xr-x   82 0                  4096 Aug 02 04:29 etc
    drwxr-xr-x    5 0                  4096 Aug 02 04:03 ftp_admin
    drwxr-xr-x    2 0                  4096 Aug 02 03:49 ftp_guest
    drwxr-xr-x    8 0                  4096 Aug 02 04:21 home
    lrwxrwxrwx    1 0                    33 Aug 01 18:59 initrd.img -> boot/initrd.img-3.13.0-32-generic
    drwxr-xr-x   21 0                  4096 Aug 01 19:08 lib
    drwxr-xr-x    2 0                  4096 Aug 01 18:57 lib64
    drwx------    2 0                 16384 Aug 01 18:56 lost+found
    drwxr-xr-x    2 0                  4096 Jul 23  2014 media
    drwxr-xr-x    2 0                  4096 Apr 11  2014 mnt
    drwxr-xr-x    2 0                  4096 Jul 23  2014 opt
    dr-xr-xr-x  100 0                     0 Aug 01 20:58 proc
    drwx------    5 0                  4096 Aug 02 04:29 root
    drwxr-xr-x   19 0                   600 Aug 01 21:05 run
    drwxr-xr-x    2 0                  4096 Aug 01 19:10 sbin
    drwxr-xr-x    3 0                  4096 Aug 01 21:05 srv
    dr-xr-xr-x   13 0                     0 Aug 01 20:58 sys
    drwxrwxrwt    2 0                  4096 Aug 02 04:24 tmp
    drwxr-xr-x   10 0                  4096 Aug 01 18:57 usr
    drwxr-xr-x   11 0                  4096 Aug 01 18:57 var
    lrwxrwxrwx    1 0                    30 Aug 01 18:59 vmlinuz -> boot/vmlinuz-3.13.0-32-generic
    226 Directory send OK.
    Note: the default configuration lets local users change directory freely, so as shown above the user can see the server's real / in full, which is far too dangerous. Set
    chroot_local_user=YES to confine each user to their FTP root (after the change, cd .. from / stays in /, as shown below)
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): leader
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 0                  4096 Aug 02 04:03 foo
    drwxr-xr-x    2 0                  4096 Aug 02 04:24 leader
    226 Directory send OK.
    ftp> cd ..
    250 Directory successfully changed.
    ftp> pwd
    257 "/"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 0                  4096 Aug 02 04:03 foo
    drwxr-xr-x    2 0                  4096 Aug 02 04:24 leader
    226 Directory send OK.



    3. Chroot exception list (only named users may leave the FTP root)
    The two options combine to give four behaviours:
    ① chroot_list_enable=YES, chroot_local_user=YES: users listed in /etc/vsftpd.chroot_list may change to other directories; users not listed are confined.
    ② chroot_list_enable=YES, chroot_local_user=NO: users listed in /etc/vsftpd.chroot_list are confined; users not listed may change to other directories.
    ③ chroot_list_enable=NO, chroot_local_user=YES: every user is confined.
    ④ chroot_list_enable=NO, chroot_local_user=NO: every user may change to other directories (the default).
    In short, the list always inverts chroot_local_user for the names it contains. The settings used here:
    chroot_local_user=YES
    chroot_list_enable=YES
    chroot_list_file=/etc/vsftpd.chroot_list


    root@localhost:~# echo leader >>/etc/vsftpd.chroot_list
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): leader
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/ftp_admin"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 0                  4096 Aug 02 04:03 foo
    drwxr-xr-x    2 0                  4096 Aug 02 04:24 leader
    226 Directory send OK.
    ftp> cd ..
    250 Directory successfully changed.
    ftp> pwd
    257 "/"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 0                  4096 Aug 02 01:58 bin
    drwxr-xr-x    4 0                  1024 Aug 01 19:09 boot
    ... ...

    4. Granting local users write access
    a. Add write_enable=YES to the config file
    b. The user needs write permission on the local file system
    Note: (Warning! chroot'ing can be very dangerous. If using chroot, make sure that the user does not have write access to the top level directory within the chroot)
    As soon as a local FTP user has write permission on the FTP root named in the config, the login fails with a 500 OOPS error (shown in 5 below).
    So the FTP root must not be writable by the FTP user, which causes a number of problems:
    Problem 1: the user can only log in while their own root is not writable, so they can download but not upload; this functional gap has to be solved.
    Problem 2: subdirectories of the root may be writable by the user; that works.
    The config file defines the root as /ftp_admin
    root@localhost:~# setfacl -R -b /ftp_admin/
    root@localhost:~# useradd -m -s /bin/bash foo
    root@localhost:~# echo foo:foo|chpasswd
    root@localhost:~# chown -R foo:foo /ftp_admin/foo/
    root@localhost:~# ll -d /ftp_admin/ /ftp_admin/foo/
    drwxr-xr-x 4 root root 4096 Aug  2 04:43 /ftp_admin/
    drwxr-xr-x 2 foo foo 4096 Aug  2 04:47 /ftp_admin/foo/
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): foo
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 1006     1006         4096 Aug 02 04:47 foo
    drwxr-xr-x    2 0                  4096 Aug 02 04:24 leader
    226 Directory send OK.
    ftp> cd foo
    250 Directory successfully changed.
    ftp> put /etc/passwd
    local: /etc/passwd remote: /etc/passwd
    200 PORT command successful. Consider using PASV.
    553 Could not create file.
    Note: foo does have write permission on /ftp_admin/foo, yet the upload above fails. This is not a server-side permission problem but a naming one in the ftp client: given a single argument, put uses the local path unchanged as the remote name (see "remote: /etc/passwd" above), so the server is asked to STOR /etc/passwd relative to the chroot, where no etc directory exists, hence 553. "put /etc/passwd passwd" works. lftp shortens the remote name to the basename by itself, which is why it succeeds below.
    root@localhost:~# lftp localhost
    lftp localhost:~> user foo
    Password:
    lftp foo@localhost:~> ls
    drwxr-xr-x    2 1006     1006         4096 Aug 02 04:47 foo
    drwxr-xr-x    2 0                  4096 Aug 02 04:24 leader
    lftp foo@localhost:/> put /etc/passwd
    put: /etc/passwd: Access failed: 553 Could not create file. (passwd)
    lftp foo@localhost:/> cd foo
    cd ok, cwd=/foo
    lftp foo@localhost:/foo> ls
    -rw-r--r--    1 1006     1006            0 Aug 02 04:47 my_name_is_foo
    lftp foo@localhost:/foo> put /etc/passwd
    1390 bytes transferred
    lftp foo@localhost:/foo> ls
    -rw-r--r--    1 1006     1006            0 Aug 02 04:47 my_name_is_foo
    -rw-------    1 1006     1006         1390 Aug 02 05:04 passwd
    As shown, the file now lands in /ftp_admin/foo. Directories the user cannot write to refuse uploads but can still be listed and downloaded from, so this is not good enough yet.
    Is there a clean solution, one where each user has a root of its own with full rights inside it and no access to, or even sight of, the other users' roots? Yes: a per-user configuration file (6 below) together with allow_writeable_chroot=YES (5 below).

    5. The chroot() writable-root check
    root@localhost:~# ll -d /ftp_admin/
    drwxr-xr-x 5 root root 4096 Aug  2 04:03 /ftp_admin//
    root@localhost:~# setfacl -m u:leader:rwx /ftp_admin/
    root@localhost:~# getfacl /ftp_admin/
    getfacl: Removing leading '/' from absolute path names
    # file: ftp_admin/
    # owner: root
    # group: root
    user::rwx
    user:leader:rwx
    group::r-x
    mask::rwx
    other::r-x
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): leader
    331 Please specify the password.
    Password:
    500 OOPS: vsftpd: refusing to run with writable root inside chroot()
    Login failed.
    421 Service not available, remote server has closed connection
    Note:
    The vsftpd shipped by newer distributions such as Ubuntu 14.04 and CentOS 7 is 3.x, and since vsftpd 2.3.5 the server performs an extra safety check: a user who is confined to local_root by chroot must not have write permission on that directory. If the check finds it writable, it reports the error above. The rationale is that a user who can create entries such as etc/ or lib/ at the root of their chroot can plant files that programs running inside that chroot may pick up as configuration or libraries, a classic way of breaking out of one.
    I puzzled over this for the better part of a day: the same configuration had worked without a hitch on CentOS 6, but on Ubuntu it threw this error. After a long search online it turned out to have nothing whatsoever to do with SELinux; it is simply the stricter checking in the newer vsftpd.

    Fix 1: chmod a-w /home/user removes write permission on the user's home directory. The user then has no write access to their FTP root but full access to the directories below it, which makes no real difference to a website or a share; it just means one more directory level.
    Fix 2: add the line allow_writeable_chroot=YES to the vsftpd config file, which makes the FTP root itself writable as well. Tested and working, a complete fix, but it switches the protection off; prefer Fix 1 unless a writable root is really needed.

    6. Per-user configuration files
    user_config_dir=/etc/vsftpd_user_conf
    Each file in this directory is named after a login name; its settings are read at login and override the global ones for that user's session.

    root@localhost:~# mkdir /etc/vsftpd_user_conf
    root@localhost:~#cat >/etc/vsftpd_user_conf/foo <<HERE
    local_root=/ftp_admin/foo
    HERE
    root@localhost:~#cat >/etc/vsftpd_user_conf/leader <<HERE
    local_root=/ftp_admin/leader
    HERE
    root@localhost:~# touch /ftp_admin/foo/my_name_is_foo
    root@localhost:~# touch /ftp_admin/foo/leader_is_me
    root@localhost:~# chown -R foo:foo /ftp_admin/foo/
    root@localhost:~# chown -R leader:leader /ftp_admin/leader/
    root@localhost:~# ll -d /ftp_admin/ /ftp_admin/foo/ /ftp_admin/leader/
    drwxr-xr-x 4 root   root   4096 Aug  2 14:53 /ftp_admin/
    drwxr-xr-x 2 foo    foo    4096 Aug  2 14:54 /ftp_admin/foo/
    drwxr-xr-x 2 leader leader 4096 Aug  2 14:54 /ftp_admin/leader/
    root@localhost:~# service vsftpd restart
    vsftpd stop/waiting
    vsftpd start/running, process 5479
    root@localhost:~# lftp localhost
    lftp localhost:~> user leader
    Password:
    lftp leader@localhost:~> put /etc/passwd
    1433 bytes transferred                        
    lftp leader@localhost:~> ls
    -rw-r--r--    1 1005     1005            0 Aug 02 14:54 leader_is_me
    -rw-------    1 1005     1005         1433 Aug 02 15:01 passwd
    lftp leader@localhost:~> cd ..
    cd ok, cwd=/ftp_admin
    lftp leader@localhost:/ftp_admin> ls
    drwxr-xr-x    2 1008     1008         4096 Aug 02 14:54 foo
    drwxr-xr-x    2 1005     1005         4096 Aug 02 15:01 leader
    lftp leader@localhost:/ftp_admin> user foo
    Password:
    lftp foo@localhost:~> put /etc/shadow
    1699 bytes transferred                        
    lftp foo@localhost:/> ls
    -rw-r--r--    1 1008     1008            0 Aug 02 14:54 my_name_is_foo
    -rw-------    1 1008     1008         1699 Aug 02 15:01 shadow
    lftp foo@localhost:/> cd ..
    lftp foo@localhost:/> ls
    -rw-r--r--    1 1008     1008            0 Aug 02 14:54 my_name_is_foo
    -rw-------    1 1008     1008         1699 Aug 02 15:01 shadow

    7. Global allow list and deny list
    a. Allow list: userlist (this needs userlist_enable=YES and userlist_deny=NO in vsftpd.conf; userlist_file defaults to /etc/vsftpd.user_list)
    root@localhost:~# cat /etc/vsftpd.user_list
    foo
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): foo
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> 221 Goodbye.
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): leader
    530 Permission denied.
    Login failed.
    Only users written to userlist_file can log in; anyone not on the list gets "Permission denied" before a password is even asked for, because the list is checked as soon as the USER command arrives.
    b. Deny list: ftpusers
    Note: this one is enforced by PAM, through the pam_listfile line in /etc/pam.d/vsftpd, not by vsftpd itself
    root@localhost:~# echo foo >>/etc/ftpusers
    root@localhost:~# cat /etc/ftpusers
    # /etc/ftpusers: list of users disallowed FTP access. See ftpusers(5).

    root
    daemon
    bin
    sys
    sync
    games
    man
    lp
    mail
    news
    uucp
    nobody
    foo
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:ubuntu): foo
    331 Please specify the password.
    Password:
    530 Login incorrect.
    Login failed.
    As shown, foo is on both the allow list and the deny list; the deny list wins and foo cannot log in. Because the refusal comes from PAM at password time, the client sees "Login incorrect" rather than "Permission denied".
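    The three gates above (the user list in a, /etc/ftpusers in b, and the chroot and writable-root checks of 3 and 5) run in a fixed order inside vsftpd, and it is easy to lose track of which one rejected a login. The shell script below, added here as an illustration and not part of the original post or of vsftpd, replays that order against a vsftpd.conf, a chroot list, a user list and a ftpusers file whose paths are all passed in (fixtures of your own, not the live files), so a configuration change can be dry-run without logging in. It assumes GNU stat, models only the rwx mode bits for the writable-root check (the setfacl case in 5 is not covered) and takes the password as correct.

```shell
#!/bin/sh
# Added example: predict a local user's login outcome from vsftpd.conf by
# replaying the three gates in the order vsftpd applies them. Every path is an
# argument, so the functions run against copies of the real files or fixtures.
# Limitations: the writable-root test looks at rwx mode bits only (no ACLs such
# as the setfacl case in section 5) and the password is assumed to be correct.

# conf_get CONF KEY DEFAULT: last uncommented "KEY=value" in CONF, else DEFAULT
conf_get() {
    val=$(sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" 2>/dev/null | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# is_yes VALUE: vsftpd takes YES/TRUE/1 (any case) as true for boolean options
is_yes() {
    case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# in_list FILE NAME: NAME is a whole line of FILE; a missing file is an empty list
in_list() {
    [ -r "$1" ] && grep -qxF -- "$2" "$1"
}

# vsftpd_chrooted CONF USER: prints "chroot" or "no-chroot" per the section 3
# table: the list inverts chroot_local_user for the names it contains.
vsftpd_chrooted() {
    listed=no
    if is_yes "$(conf_get "$1" chroot_list_enable NO)" &&
       in_list "$(conf_get "$1" chroot_list_file /etc/vsftpd.chroot_list)" "$2"; then
        listed=yes
    fi
    if is_yes "$(conf_get "$1" chroot_local_user NO)"; then
        if [ "$listed" = yes ]; then echo no-chroot; else echo chroot; fi
    else
        if [ "$listed" = yes ]; then echo chroot; else echo no-chroot; fi
    fi
}

# writable_by DIR UID GID: true if the mode bits give UID/GID write access to DIR.
# vsftpd itself calls access("/", W_OK) after dropping to the user. GNU stat.
writable_by() {
    set -- "$2" "$3" $(stat -c '%u %g %a' "$1")
    if [ "$1" = "$3" ]; then bit=$(( (0$5 >> 6) & 2 ))
    elif [ "$2" = "$4" ]; then bit=$(( (0$5 >> 3) & 2 ))
    else bit=$(( 0$5 & 2 )); fi
    [ "$bit" -ne 0 ]
}

# vsftpd_login CONF FTPUSERS USER ROOTDIR UID GID: prints the reply the client
# sees at the first gate that rejects the login, else "230 Login successful."
vsftpd_login() {
    conf=$1; ftpusers=$2; user=$3
    # Gate 1, at the USER command: userlist_enable / userlist_deny / userlist_file.
    # The name compared is the one the client sent, so with guest_enable the
    # virtual names themselves must be listed; guest_username never appears here.
    if is_yes "$(conf_get "$conf" userlist_enable NO)"; then
        if in_list "$(conf_get "$conf" userlist_file /etc/vsftpd.user_list)" "$user"; then
            listed=yes
        else
            listed=no
        fi
        if is_yes "$(conf_get "$conf" userlist_deny YES)"; then deny=$listed
        elif [ "$listed" = yes ]; then deny=no
        else deny=yes; fi
        if [ "$deny" = yes ]; then echo "530 Permission denied."; return 0; fi
    fi
    # Gate 2, at the PASS command: pam_listfile in /etc/pam.d/vsftpd rejects
    # names in /etc/ftpusers; a PAM failure is reported like a wrong password.
    if in_list "$ftpusers" "$user"; then echo "530 Login incorrect."; return 0; fi
    # Gate 3, after authentication: since 2.3.5 vsftpd refuses a chroot whose
    # root the user can write to unless allow_writeable_chroot=YES (section 5).
    if [ "$(vsftpd_chrooted "$conf" "$user")" = chroot ] &&
       writable_by "$4" "$5" "$6" &&
       ! is_yes "$(conf_get "$conf" allow_writeable_chroot NO)"; then
        echo "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"
        return 0
    fi
    echo "230 Login successful."
}
```

    Against the live files it is called as vsftpd_login /etc/vsftpd.conf /etc/ftpusers foo /ftp_admin "$(id -u foo)" "$(id -g foo)". A name that appears in the list only as guest_username is still refused at gate 1, which is why, under an allow list, each virtual name has to be listed individually.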

    8. Hiding particular files
    root@localhost:~# touch /ftp_admin/foo/{1..3}.{txt,mp3,png}
    root@localhost:~# ls /ftp_admin/foo/
    1.mp3  1.png  1.txt  2.mp3  2.png  2.txt  3.mp3  3.png  3.txt  my_name_is_foo  shadow
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:liujun): foo
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    -rw-r--r--    1 0                     0 Aug 02 15:14 1.mp3
    -rw-r--r--    1 0                     0 Aug 02 15:14 1.png
    -rw-r--r--    1 0                     0 Aug 02 15:14 1.txt
    -rw-r--r--    1 0                     0 Aug 02 15:14 2.mp3
    -rw-r--r--    1 0                     0 Aug 02 15:14 2.png
    -rw-r--r--    1 0                     0 Aug 02 15:14 2.txt
    -rw-r--r--    1 0                     0 Aug 02 15:14 3.mp3
    -rw-r--r--    1 0                     0 Aug 02 15:14 3.png
    -rw-r--r--    1 0                     0 Aug 02 15:14 3.txt
    -rw-r--r--    1 1008     1008            0 Aug 02 14:54 my_name_is_foo
    -rw-------    1 1008     1008         1699 Aug 02 15:01 shadow
    226 Directory send OK.
    Add one line, hide_file={*.mp3,*.mp4}, to the config (here to foo's per-user file). hide_file only drops matching names from directory listings; a client that already knows a file's name can still download it. To block access as well, set deny_file with the same pattern.
    root@localhost:~# echo 'hide_file={*.mp3,*.mp4}' >>/etc/vsftpd_user_conf/foo
    root@localhost:~# service vsftpd restart
    vsftpd stop/waiting
    vsftpd start/running, process 2245
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:liujun): foo
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    -rw-r--r--    1 0                     0 Aug 02 15:14 1.png
    -rw-r--r--    1 0                     0 Aug 02 15:14 1.txt
    -rw-r--r--    1 0                     0 Aug 02 15:14 2.png
    -rw-r--r--    1 0                     0 Aug 02 15:14 2.txt
    -rw-r--r--    1 0                     0 Aug 02 15:14 3.png
    -rw-r--r--    1 0                     0 Aug 02 15:14 3.txt
    -rw-r--r--    1 1008     1008            0 Aug 02 14:54 my_name_is_foo
    -rw-------    1 1008     1008         1699 Aug 02 15:01 shadow
    226 Directory send OK.


    IV. Virtual users
    1. Create the virtual user list
    Format: one line user name, one line password
    cat >>/tmp/vsftpd.virtual_user.txt <<HERE
    virt1
    123
    virt2
    123
    virt3
    123
    HERE
    Note: odd lines are account names and even lines are passwords, i.e. lines 1, 3, 5 ... are user names and lines 2, 4, 6 ... are passwords.
    The last line must end with a newline (otherwise it is not recognised when the database is built, and the load fails with an odd-line-count error).

    This creates three virtual users (virt1, virt2, virt3), all with password 123, in /tmp/vsftpd.virtual_user.txt. The passwords sit in clear text in a file under /tmp that is world-readable with the default umask (and in clear text in the database built from it), so delete the text file once the .db exists and keep the .db at mode 600 as below.
    2.生成虚拟用户数据库
    root@localhost:~# apt-get -y install db5.3-util
    root@localhost:~# db5.3_load -T -t hash -f /tmp/vsftpd.virtual_user.txt /etc/vsftpd.virtual_user.db
    root@localhost:~# file /etc/vsftpd.virtual_user.db
    /etc/vsftpd.virtual_user.db: Berkeley DB (Hash, version 9, native byte-order)
    root@localhost:~# chmod 600 /etc/vsftpd.virtual_user.db
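    Steps 1 and 2 have two failure modes the notes above mention (an odd line count, a missing final newline) and one risk they do not (the clear-text passwords left behind). The following shell functions, an added example rather than anything from the original post, validate the list file before it reaches db_load and then build the database, set mode 600 and remove the clear-text source. Paths are arguments; the loader name is looked up with command -v (db5.3_load on Ubuntu 14.04, db_load elsewhere), and the user-name rule is an assumption chosen to match what user_config_dir file names and FTP USER commands tolerate.

```shell
#!/bin/sh
# Added example: validate the "name / password" list from step 1 before it is
# fed to db_load, then build the hash database of step 2, lock it down and
# remove the clear-text source. Paths are arguments, nothing is hard-coded.

# check_virtual_user_list FILE: prints "ok: N users" and returns 0, or prints
# the first problem found and returns 1.
check_virtual_user_list() {
    f=$1
    if [ ! -r "$f" ]; then echo "error: $f is not readable"; return 1; fi
    # $(...) strips trailing newlines, so a non-empty result means the last
    # byte is not a newline; db_load would then drop that line and see an
    # odd number of lines
    if [ -n "$(tail -c 1 "$f")" ]; then
        echo "error: last line has no trailing newline"; return 1
    fi
    if grep -q '^$' "$f"; then
        echo "error: blank line at $(grep -n '^$' "$f" | head -n 1 | cut -d: -f1)"
        return 1
    fi
    n=$(wc -l < "$f")
    if [ "$n" -eq 0 ]; then echo "error: empty file"; return 1; fi
    if [ $((n % 2)) -ne 0 ]; then
        echo "error: $n lines; names are on odd lines and passwords on even lines"
        return 1
    fi
    dups=$(awk 'NR % 2 == 1' "$f" | sort | uniq -d)
    if [ -n "$dups" ]; then echo "error: duplicate user $dups"; return 1; fi
    # Assumed name rule: lower-case POSIX user names, since the name is also
    # used as a file name under user_config_dir
    bad=$(awk 'NR % 2 == 1' "$f" | grep -Ev '^[a-z_][a-z0-9_-]*$' | head -n 1)
    if [ -n "$bad" ]; then echo "error: invalid user name '$bad'"; return 1; fi
    echo "ok: $((n / 2)) users"
}

# build_virtual_user_db FILE DB: validate, load a Berkeley hash DB named DB
# (which pam_userdb expects to end in .db), make it root-only, delete FILE.
build_virtual_user_db() {
    check_virtual_user_list "$1" || return 1
    case $2 in
        *.db) ;;
        *) echo "error: $2 must end in .db (pam_userdb appends .db to db=)"; return 1 ;;
    esac
    loader=$(command -v db5.3_load || command -v db_load) || {
        echo "error: db_load not found (apt-get install db5.3-util)"; return 1; }
    "$loader" -T -t hash -f "$1" "$2" || return 1
    chmod 600 "$2"
    rm -f -- "$1"   # the passwords are in clear text in FILE (and in DB)
    echo "built $2"
}
```

    With a list loaded this way pam_userdb compares clear-text passwords; it can compare crypt(3) hashes instead if the even lines hold hashes and the module line in step 3 is given crypt=crypt.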
    3. Configure PAM authentication
    root@localhost:~# cp -fv /etc/pam.d/vsftpd{,default}
    ‘/etc/pam.d/vsftpd’ -> ‘/etc/pam.d/vsftpddefault’
    root@localhost:~# vim /etc/pam.d/vsftpd
    Add the following two lines at the very top. PAM order matters: put at the end they give Login Failed, because the "required" modules above them (pam_listfile and the common-auth include) have already rejected a name that does not exist in /etc/passwd.
    auth    sufficient      pam_userdb.so     db=/etc/vsftpd.virtual_user
    account sufficient   pam_userdb.so     db=/etc/vsftpd.virtual_user
    Note: db=/etc/vsftpd.virtual_user is written without .db; PAM appends .db itself, so the database generated earlier must end in .db. pam_userdb.so can be written as in the stock examples; a bare module name (relative path) is recommended, since the full path differs between distributions:
    centos6/7 64bit: /lib64/security/pam_userdb.so
    ubuntu14.04 64bit: /lib/x86_64-linux-gnu/security/pam_userdb.so

    4. Define the virtual user configuration
    a. Create the guest account and set permissions
    root@localhost:~# mkdir -p /ftp_virtual/virt{1,2,3}
    root@localhost:~# useradd -d /ftp_virtual/ -s /bin/false ftp_virtual
    Tip: the directory given here is the one the virtual users will access. Do not set a password on this host account; it is never used to log in, it is only the Unix identity the virtual users run as once they are in.
    root@localhost:~# chown -R ftp_virtual:ftp_virtual /ftp_virtual/
    root@localhost:~# ll -d /ftp_virtual/*
    drwxr-xr-x 2 ftp_virtual ftp_virtual 4096 Aug  2 15:49 /ftp_virtual/virt1/
    drwxr-xr-x 2 ftp_virtual ftp_virtual 4096 Aug  2 15:49 /ftp_virtual/virt2/
    drwxr-xr-x 2 ftp_virtual ftp_virtual 4096 Aug  2 15:49 /ftp_virtual/virt3/
    b. Enable virtual users
    Add the following two lines to the global config file
    guest_enable=YES
    guest_username=ftp_virtual
    root@localhost:~# echo ftp_virtual >>/etc/vsftpd.user_list
    Note: the user list is matched against the name the client sends in USER, so under an allow list it is the virtual names (virt1, virt2, virt3) that have to be listed; guest_username is never presented as a login name.
    Note: once virtual users are enabled the existing local users are affected as well, e.g. an account that could write before loses write access. guest_enable=YES maps every non-anonymous login to guest_username, so local users also end up running as ftp_virtual and under the anon_* permissions below, unless virtual_use_local_privs=YES.
    root@localhost:~# ftp localhost
    ftp: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:root): virt2
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/"
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 1001     1001         4096 Aug 13 00:26 virt1
    drwxr-xr-x    2 1001     1001         4096 Aug 13 00:26 virt2
    drwxr-xr-x    2 1001     1001         4096 Aug 13 00:26 virt3
    226 Directory send OK.
    ftp> cd ..
    250 Directory successfully changed.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 1001     1001         4096 Aug 13 00:26 virt1
    drwxr-xr-x    2 1001     1001         4096 Aug 13 00:26 virt2
    drwxr-xr-x    2 1001     1001         4096 Aug 13 00:26 virt3
    226 Directory send OK.
    ftp> 221 Goodbye.
    c. Define a configuration file for each virtual user
    write_enable=YES #master switch for all writes
    anon_world_readable_only=NO #allow listing and downloading files that are not world-readable
    anon_upload_enable=YES #allow uploads
    download_enable=YES #allow downloads
    anon_mkdir_write_enable=YES #allow creating directories
    anon_other_write_enable=YES #allow deleting and renaming

    virt1: upload only, no download
    cat >/etc/vsftpd_user_conf/virt1 <<HERE
    local_root=/ftp_virtual/virt1
    write_enable=YES
    anon_world_readable_only=NO
    anon_upload_enable=YES
    download_enable=NO
    anon_mkdir_write_enable=NO
    anon_other_write_enable=NO

    HERE

    root@localhost:~# lftp localhost
    lftp localhost:~> user virt1
    Password:
    lftp virt1@localhost:~> ls
    lftp virt1@localhost:/> pwd
    ftp://virt1@localhost/
    lftp virt1@localhost:/> put /etc/passwd
    1208 bytes transferred
    lftp virt1@localhost:/> ls
    -rw-------    1 1001     1001         1208 Aug 13 00:37 passwd
    lftp virt1@localhost:/> get passwd
    get: Access failed: 550 Permission denied. (passwd)
    virt2: download only, no upload
    cat >/etc/vsftpd_user_conf/virt2 <<HERE
    local_root=/ftp_virtual/virt2
    anon_world_readable_only=NO
    anon_upload_enable=NO
    download_enable=YES
    anon_mkdir_write_enable=NO
    anon_other_write_enable=NO

    HERE

    root@localhost:~# touch /ftp_virtual/virt2/do_not_upload.txt
    root@localhost:~# ll /ftp_virtual/virt2/do_not_upload.txt
    -rw-r--r-- 1 root root 0 Aug 13 00:40 /ftp_virtual/virt2/do_not_upload.txt
    root@localhost:~# lftp localhost
    lftp localhost:~> user virt2
    Password:
    lftp virt2@localhost:~> ls
    -rw-r--r--    1 0                     0 Aug 13 00:40 do_not_upload.txt
    lftp virt2@localhost:/> put /etc/passwd
    put: /etc/passwd: Access failed: 550 Permission denied. (passwd)
    lftp virt2@localhost:/> get do_not_upload.txt
    lftp virt2@localhost:/> !ls
    do_not_upload.txt
    virt3: upload and download, plus creating, deleting, renaming and moving directories and files
    cat >/etc/vsftpd_user_conf/virt3 <<HERE
    local_root=/ftp_virtual/virt3
    write_enable=YES
    anon_world_readable_only=NO
    anon_upload_enable=YES
    download_enable=YES
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES

    HERE

    root@localhost:~# lftp localhost
    lftp localhost:~> user virt3
    Password:
    lftp virt3@localhost:~> put /etc/shadow
    870 bytes transferred                         
    lftp virt3@localhost:/> ls
    -rw-------    1 1001     1001          870 Aug 13 00:41 shadow
    lftp virt3@localhost:/> get shadow
    870 bytes transferred
    lftp virt3@localhost:/> !ls
    do_not_upload.txt  shadow




    Reference for the other related parameters
    The virtual_use_local_privs parameter
    With virtual_use_local_privs=YES, virtual users get the same privileges as local users;
    with virtual_use_local_privs=NO, virtual users get the same privileges as anonymous users. The default is NO.

    virtual_use_local_privs=YES, write_enable=YES: virtual users have write access (upload, download, delete, rename).

    virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=YES,
    anon_upload_enable=YES: virtual users cannot browse the directory and can only upload files (uploads are created mode 0600 under the default anon_umask=077, so they are not world-readable and cannot be read back); nothing else is permitted.

    virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO,
    anon_upload_enable=NO: virtual users can only download files; nothing else is permitted.

    virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO,
    anon_upload_enable=YES: virtual users can only upload and download files; nothing else is permitted.

    virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO,
    anon_mkdir_write_enable=YES: virtual users can only download files and create directories; nothing else is permitted.

    virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO,
    anon_other_write_enable=YES: virtual users can only download, delete and rename files; nothing else is permitted.
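    The combinations above follow one rule: per-user settings override the global file, global settings override the built-in defaults, and whether write_enable alone is enough or each anon_* switch is also needed depends on virtual_use_local_privs. The shell functions below, an added example not taken from the original post or from vsftpd, resolve that for a given login name and print the resulting rights, taking every switch into account at once rather than only the six combinations listed. The vsftpd.conf path is an argument and user_config_dir is read from it (both are test fixtures when run as shown in the comments), the defaults are vsftpd's own, guest_enable is taken from the global file, and the login is assumed not to be anonymous.

```shell
#!/bin/sh
# Added example: resolve what a virtual (guest) user may do from vsftpd.conf
# plus its user_config_dir file, following the virtual_use_local_privs rules.
# Paths are arguments; defaults are vsftpd's built-in ones. Assumptions: the
# login is not anonymous, and guest_enable is taken from the global file.

# conf_get CONF KEY DEFAULT: last uncommented "KEY=value" in CONF, else DEFAULT
conf_get() {
    val=$(sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" 2>/dev/null | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# is_yes VALUE: vsftpd takes YES/TRUE/1 (any case) as true for boolean options
is_yes() {
    case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# effective CONF USER KEY DEFAULT: the per-user file (user_config_dir/USER)
# overrides the global file, which overrides the built-in default
effective() {
    dir=$(conf_get "$1" user_config_dir "")
    if [ -n "$dir" ] && [ -r "$dir/$2" ]; then
        v=$(conf_get "$dir/$2" "$3" "")
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    fi
    conf_get "$1" "$3" "$4"
}

# guest_perms CONF USER: prints "upload=.. download=.. mkdir=.. delete=.."
guest_perms() {
    conf=$1; user=$2
    if ! is_yes "$(conf_get "$conf" guest_enable NO)"; then
        echo "not a guest login (guest_enable=NO)"; return 0
    fi
    write=no
    if is_yes "$(effective "$conf" "$user" write_enable NO)"; then write=yes; fi
    download=no
    if is_yes "$(effective "$conf" "$user" download_enable YES)"; then download=yes; fi
    upload=no; mkdir=no; delete=no
    if is_yes "$(effective "$conf" "$user" virtual_use_local_privs NO)"; then
        # local-user semantics: write_enable alone covers every write operation
        upload=$write; mkdir=$write; delete=$write
    else
        # anonymous semantics: each write operation needs write_enable plus its
        # own anon_* switch, and downloads are limited to world-readable files
        # unless anon_world_readable_only=NO (anon uploads are created 0600 by
        # the default anon_umask=077, so they cannot be read back otherwise)
        if [ "$write" = yes ]; then
            if is_yes "$(effective "$conf" "$user" anon_upload_enable NO)"; then upload=yes; fi
            if is_yes "$(effective "$conf" "$user" anon_mkdir_write_enable NO)"; then mkdir=yes; fi
            if is_yes "$(effective "$conf" "$user" anon_other_write_enable NO)"; then delete=yes; fi
        fi
        if [ "$download" = yes ] &&
           is_yes "$(effective "$conf" "$user" anon_world_readable_only YES)"; then
            download=world-readable-only
        fi
    fi
    echo "upload=$upload download=$download mkdir=$mkdir delete=$delete"
}
```

    Run as guest_perms /etc/vsftpd.conf virt1 after editing a per-user file to confirm the file says what was intended; a virtual name with no file under user_config_dir shows what the global settings alone grant, which is what every virtual user not listed there gets.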

    Original article: https://www.cnblogs.com/lixuebin/p/10814358.html