ftp 虚拟用户

-bash-4.2# pwd
/etc/vsftpd  vsftp配置文件目录
-bash-4.2# ll
total 52
-rw------- 1 root root 13 May 16 19:10 chroot_list   列在这里的用户不受 chroot 限制(install_vsftp.sh 设置了 chroot_local_user=YES + chroot_list_enable=YES,此时该文件是“例外名单”),可以切换到 FTP 根目录之外的任意目录

-rw------- 1 root root 135 May 8 09:53 ftpadmin   ftpadmin配置用户读写权限已经他的主目录
-rw------- 1 root root 125 May 8 09:53 ftpusers  PAM 拒绝名单:/etc/pam.d/vsftpd 里的 pam_listfile(sense=deny)会拒绝这里列出的用户登录;注意它排在 pam_userdb 之后,已在 vuser.db 中命中的虚拟用户不会被它拦截
-rw------- 1 root root 380 May 16 19:11 user_list  配置哪些用户访问ftp
-rw------- 1 root root 5204 May 8 09:53 vsftpd.conf  
-rw-r--r-- 1 root root 12288 May 16 19:20 vuser.db  ftp 虚拟用户密码数据库(鉴权用)。注意:pam_userdb 没有配置 crypt=,脚本写入的是明文密码,而此文件权限为 644(本机任何用户可读),应改为 600
drwx------ 2 root root 4096 May 8 09:53 vusers 每个虚拟用户一个同名文件,文件内容是明文密码;common.sh 的 updateDb 由此目录生成 vuser.db,userExisted 也据此判断用户是否已创建
-rw------- 1 root root 21 May 8 09:53 zte  zte配置用户读写权限已经他的主目录
-rw------- 1 root root 140 May 8 09:53 ztepm  ztepm配置用户读写权限已经他的主目录

cat /etc/pam.d/vsftpd

#%PAM-1.0
auth sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser                            密码鉴权使用 /etc/vsftpd/vuser.db 中的密码(db= 参数不带 .db 后缀)。sufficient 的含义:在库中命中即直接通过,后面的 ftpusers 拒绝名单和 pam_shells 不再检查;未命中则继续走 password-auth,用系统账号口令认证
account sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include password-auth
account include password-auth
session required pam_loginuid.so
session include password-auth

common.sh

#!/bin/bash
# Shared settings and helpers for the vsftpd virtual-user scripts.
# Sourced by adduser.sh / update_user.sh; nothing here runs on its own.

# Directory holding vsftpd.conf, the per-user config files and the
# virtual-user password database (vuser.db).
FTPUSRCFGDIR=/etc/vsftpd
# One file per virtual user: file name = user name, content = password.
VUSERSDIR="${FTPUSRCFGDIR}/vusers"

# Every virtual user gets a home directory under this base.
FTPHOMEBASE=/var/zte
# backupVsftpCfg / restoreVsftpCfg keep a copy of the config tree here.
PROVIDERCFGHOME=/home/Data/vDirector_config

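updateDb(){
  # Rebuild $FTPUSRCFGDIR/vuser.db from the files in $VUSERSDIR.
  # db_load -T reads "key\nvalue\n" pairs, so each user contributes its
  # name followed by the content of its file (the password, as written
  # by adduser.sh/update_user.sh, i.e. plaintext - pam_userdb is used
  # without crypt=). Both the intermediate text dump and the db are
  # therefore created root-only; the db used to inherit the umask and
  # ended up 0644, readable by every local account.
  # Returns db_load's status; the plaintext dump is always removed.
  local plain="${FTPUSRCFGDIR}/vuser"
  local db="${FTPUSRCFGDIR}/vuser.db"
  local f rv old_umask
  old_umask=$(umask)
  umask 077

  rm -f -- "$db"
  : > "$plain"

  # Glob instead of parsing ls; an empty/missing vusers dir yields no entries.
  for f in "$VUSERSDIR"/*; do
    [ -e "$f" ] || continue
    printf '%s\n' "${f##*/}" >> "$plain"
    cat -- "$f" >> "$plain"
  done

  db_load -T -t hash -f "$plain" "$db"
  rv=$?
  rm -f -- "$plain"
  [ -f "$db" ] && chmod 600 -- "$db"
  umask "$old_umask"
  return "$rv"
}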

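stopVsftpd(){
  # Stop all running vsftpd processes.
  # "ps -ef | grep vsftpd" also matched any unrelated process whose
  # command line merely contained the word (an editor open on
  # vsftpd.conf, for instance) and SIGKILLed it; pgrep -x matches the
  # process name exactly. TERM is sent first so vsftpd can close its
  # sessions; KILL only if something is still there a second later.
  # Always returns 0 (nothing running is not an error).
  local pids
  pids=$(pgrep -x vsftpd) || return 0
  # shellcheck disable=SC2086 -- one pid per word is intended
  sudo kill -TERM $pids 2>/dev/null
  sleep 1
  if pids=$(pgrep -x vsftpd); then
    # shellcheck disable=SC2086
    sudo kill -9 $pids
  fi
  return 0
}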

startVsftpd(){
  # Launch the daemon in the background (no systemctl in the container);
  # the caller does not wait for it or check that it came up.
  /usr/sbin/vsftpd &
}

restartVsftpd() {
  # Bounce the daemon: stop whatever is running, then start a fresh one.
  # startVsftpd runs regardless of stopVsftpd's status (nothing running
  # is fine).
  stopVsftpd
  startVsftpd
}

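userExisted(){
  # Return 0 when a virtual user named $USERNAME exists, 1 otherwise.
  # The old "ls | grep -w" matched too much: "zte" was reported as
  # existing when only "zte-old" did ('-' is not a word character), and
  # regex metacharacters in the name were interpreted. A virtual user
  # exists exactly when its file under $VUSERSDIR exists.
  [ -n "$USERNAME" ] || return 1
  [ -d "$VUSERSDIR" ] || return 1
  [ -e "$VUSERSDIR/$USERNAME" ]
}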

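backupVsftpCfg(){
  # Copy the whole vsftpd config tree (including the plaintext password
  # files in vusers/ and vuser.db) to $PROVIDERCFGHOME/others/vsftpd,
  # replacing any previous backup.
  # The backup directory is created 0700 and files are copied with their
  # modes (-p); a default-umask mkdir used to leave the copy readable by
  # every local account. Returns cp's status.
  local dst="${PROVIDERCFGHOME:?}/others/vsftpd"
  if [ -d "$dst" ]; then
    rm -rf -- "${dst:?}"/*
  else
    mkdir -p -m 700 -- "$dst"
  fi
  chmod 700 -- "$dst"
  cp -rp -- "${FTPUSRCFGDIR:-/etc/vsftpd}"/* "$dst"/
}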

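restoreVsftpCfg(){
  # Put the backup made by backupVsftpCfg back into the config dir.
  # Only acts when a non-empty backup exists, so a host without a backup
  # never has /etc/vsftpd wiped; returns 0 in that case. Files come back
  # with their original modes (-p).
  local src="${PROVIDERCFGHOME:?}/others/vsftpd"
  local dst="${FTPUSRCFGDIR:-/etc/vsftpd}"
  [ -d "$src" ] || return 0
  [ -n "$(ls -- "$src")" ] || return 0
  rm -rf -- "${dst:?}"/*
  cp -rp -- "$src"/* "$dst"/
}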

adduser.sh

#!/bin/bash
# adduser.sh USERNAME PASSWORD
# Create a vsftpd virtual user: password file, db rebuild, home
# directory, user_list entry and per-user vsftpd config, then back up
# /etc/vsftpd.

# Shared settings/helpers live next to this script.
currentDir=$(cd "$(dirname "$0")"; pwd)
. "$currentDir/common.sh"

USERNAME=$1
PASSWORD=$2

# Home directory of the new user, under FTPHOMEBASE from common.sh.
USERHOME="$FTPHOMEBASE/$USERNAME"

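addFtpUser(){
  # Record the virtual user (one file per user, content = password),
  # rebuild the db, then create the user's FTP home owned by the guest
  # account (vsftpd maps every virtual login onto zte via
  # guest_username=zte).
  # The password file holds the password in the clear, so it is created
  # 0600 inside a 0700 directory instead of with the caller's umask.
  # printf rather than echo: a password such as "-n" would otherwise be
  # eaten as an option.
  [ -d "$VUSERSDIR" ] || mkdir -p -m 700 -- "$VUSERSDIR"
  ( umask 077; printf '%s\n' "$PASSWORD" > "$VUSERSDIR/$USERNAME" )
  chmod 600 -- "$VUSERSDIR/$USERNAME"
  updateDb

  mkdir -p -- "$USERHOME"
  chown -R zte:zte -- "$USERHOME"
}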

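modifyVsftpPam(){
  # Make vsftpd's PAM stack consult the virtual-user db: insert the
  # "auth sufficient pam_userdb ..." line and its "account" twin right
  # after the #%PAM-1.0 header, once (idempotent).
  # Optional argument: the PAM file (default /etc/pam.d/vsftpd), mainly
  # so the edit can be tested on a copy.
  # NOTE: "sufficient" at the top means a user found in vuser.db is
  # accepted before the ftpusers deny list and pam_shells further down
  # are consulted, and a user not in the db falls through to the normal
  # system-account login via password-auth.
  local pamfile="${1:-/etc/pam.d/vsftpd}"
  local mod="/lib64/security/pam_userdb.so db=/etc/vsftpd/vuser"
  if ! grep -Eq "pam_userdb.so.*vuser" "$pamfile"; then
    # Both lines are appended right after the header, so "account" goes
    # in first and "auth" second to end up with auth above account.
    sed -i "/#%PAM-1.0/a\\account sufficient $mod" "$pamfile"
    sed -i "/#%PAM-1.0/a\\auth sufficient $mod" "$pamfile"
  fi
}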

setUserFtpConfig(){
  # Choose the per-user config writer: ftpadmin gets the read/write
  # profile rooted at FTPHOMEBASE, everybody else the read-only one
  # rooted at their own home.
  case "$USERNAME" in
    ftpadmin) setAdminFtpConfig ;;
    *)        setCommonUserFtpConfig ;;
  esac
}

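setCommonUserFtpConfig(){
  # Allow $USERNAME in user_list (userlist_deny=NO makes it an allow
  # list) and write the read-only per-user vsftpd config to
  # $FTPUSRCFGDIR/$USERNAME.
  # Two fixes: the old "sed /$USERNAME/d" removed every line that merely
  # contained the name (adding "te" deleted "zte" from the allow list)
  # and treated it as a regex; the line is now matched whole and
  # literally. And the local_root value carried an inline annotation,
  # which vsftpd would have taken as part of the path.
  local userlist="$FTPUSRCFGDIR/user_list"
  local esc
  esc=$(printf '%s' "$USERNAME" | sed 's/[][\.*^$/]/\\&/g')
  [ -f "$userlist" ] && sed -i "/^${esc}\$/d" "$userlist"
  printf '%s\n' "$USERNAME" >> "$userlist"
  # local_root is the login directory; with chroot_local_user=YES the
  # user cannot leave it unless listed in chroot_list.
  cat > "$FTPUSRCFGDIR/$USERNAME" <<EOF
local_root=$USERHOME
write_enable=NO
idle_session_timeout=300
data_connection_timeout=300
max_clients=10
max_per_ip=5
local_max_rate=0
EOF
}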

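setAdminFtpConfig(){
  # Allow $USERNAME in user_list and write the admin profile: rooted at
  # $FTPHOMEBASE (every user's home is below it) and writable.
  # The old "sed /$USERNAME/d" removed every line merely containing the
  # name and treated it as a regex; the line is now matched whole and
  # literally, so existing entries such as "ftpadminx" survive.
  local userlist="$FTPUSRCFGDIR/user_list"
  local esc
  esc=$(printf '%s' "$USERNAME" | sed 's/[][\.*^$/]/\\&/g')
  [ -f "$userlist" ] && sed -i "/^${esc}\$/d" "$userlist"
  printf '%s\n' "$USERNAME" >> "$userlist"
  cat > "$FTPUSRCFGDIR/$USERNAME" <<EOF
local_root=$FTPHOMEBASE
write_enable=YES
idle_session_timeout=300
data_connection_timeout=300
max_clients=10
max_per_ip=5
local_max_rate=0
EOF
}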


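#main
# Usage: adduser.sh USERNAME PASSWORD
if [[ -z "$USERNAME" || -z "$PASSWORD" ]]; then
  echo "para missing. need two paras."
  exit 1
fi

# USERNAME becomes a file name under $VUSERSDIR and $FTPUSRCFGDIR, a
# directory under $FTPHOMEBASE and a sed pattern on user_list: refuse
# anything outside a conservative account-name charset so values like
# "../x" or "a/b" cannot escape those directories.
if [[ ! "$USERNAME" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]*$ ]]; then
  echo "invalid user name: $USERNAME" >&2
  exit 1
fi

if userExisted; then
  echo "$USERNAME already existed"
  exit 2
fi

addFtpUser
modifyVsftpPam
setUserFtpConfig
backupVsftpCfg
exit 0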

 

update_user.sh  更新用户密码

#!/bin/bash
# update_user.sh USERNAME PASSWORD
# Change the password of an existing vsftpd virtual user and rebuild
# the db, then back up /etc/vsftpd.

# Shared settings/helpers live next to this script.
currentDir=$(cd "$(dirname "$0")"; pwd)
. "$currentDir/common.sh"

USERNAME=$1
PASSWORD=$2

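update(){
  # Overwrite the virtual user's password file and rebuild the db.
  # The file holds the password in the clear, so it is created 0600 and
  # re-chmodded regardless of the caller's umask; printf rather than
  # echo so a password like "-n" is written verbatim.
  ( umask 077; printf '%s\n' "$PASSWORD" > "$VUSERSDIR/$USERNAME" )
  chmod 600 -- "$VUSERSDIR/$USERNAME"
  updateDb
}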

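#main
# Usage: update_user.sh USERNAME PASSWORD
if [[ -z "$USERNAME" || -z "$PASSWORD" ]]; then
  echo "para missing. need two paras."
  exit 1
fi

# USERNAME is used as a file name under $VUSERSDIR: reject anything
# that could name another path ("../x", "a/b").
if [[ ! "$USERNAME" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]*$ ]]; then
  echo "invalid user name: $USERNAME" >&2
  exit 1
fi

if ! userExisted; then
  echo "user $USERNAME not exist"
  exit 2
fi

update
backupVsftpCfg
exit 0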

 

 

install_vsftp.sh

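#!/bin/sh
# install_vsftp.sh: install vsftpd (from an RPM found in $HOME_PATH),
# create the local "zte" account that all virtual FTP users are mapped
# onto, write the vsftpd configuration and start the daemon.
# Must run as root. Expects COMMON_PATH to point at the directory that
# holds common.sh (LOG is taken from there).

. "$COMMON_PATH/common.sh"
USERNAME=zte
# Password of the real system account "zte". It used to be a fixed
# value baked into this script - which makes it effectively public.
# It can now be supplied through FTP_ZTE_PASSWORD; the old value stays
# the default so existing deployments keep working, but override it
# anywhere that matters.
PASSWORD=${FTP_ZTE_PASSWORD:-Aa888888}
GROUP=$USERNAME
USERHOME=/var/zte/
FTPUSRCFGDIR=/etc/vsftpd
FTPCONF=$FTPUSRCFGDIR/vsftpd.conf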

add_ftp_user(){
  # Create the real "zte" system account with $USERHOME as its home and
  # set its password (passwd --stdin is a RHEL-family option). No -s is
  # given, so the account gets useradd's default shell - presumably the
  # one in /etc/default/useradd, confirm - and pam_shells in
  # /etc/pam.d/vsftpd requires that shell to be listed in /etc/shells.
  useradd -d "$USERHOME" "$USERNAME"
  printf '%s\n' "$PASSWORD" | passwd --stdin "$USERNAME"
}

need_add_user(){
  # 0 = the account is absent (caller should create it); 1 = it exists.
  # Only /etc/passwd is consulted, not NSS sources such as LDAP.
  if grep -Eq "^$USERNAME:" /etc/passwd; then
    LOG "$USERNAME has existed"
    return 1
  fi
  LOG "$USERNAME not exist, will add it"
  return 0
}

is_vsftp_installed() {
  # 0 when vsftpd.conf is present (taken as "vsftpd is installed"),
  # otherwise log and return 1.
  [ -f "$FTPCONF" ] && return 0
  LOG "vsftp not installed"
  return 1
}

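install_vsftp_rpm() {
  # Install the first vsftpd* package found in $HOME_PATH.
  # Returns non-zero when the directory cannot be entered or no package
  # is there, instead of handing rpm a literal "vsftpd*" as before.
  # rpm checks the package signature only against keys already
  # imported; run "rpm -K" on the file first if provenance matters.
  local pkg
  cd "$HOME_PATH" || return 1
  # First match in sort order, same choice "ls | head -1" made.
  for pkg in vsftpd*; do break; done
  if [ ! -f "$pkg" ]; then
    echo "no vsftpd package found in $HOME_PATH" >&2
    return 1
  fi
  rpm -ivh "$pkg"
}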

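check_current_user(){
  # Exit 1 unless the effective user is root.
  # The old test, "id | grep root", was satisfied by any account whose
  # name or group list contains the string "root", and its redirection
  # order ("2>&1 >/dev/null") still sent grep's stderr to the terminal.
  if [ "$(id -u)" -ne 0 ]; then
    echo "This script should be executed by root" >&2
    exit 1
  fi
}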

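add_to_config(){
  # add_to_config LINE FILE: append LINE to FILE unless FILE already
  # contains it as a whole line. The comparison is literal (-F) and
  # whole-line (-x); the old unanchored egrep interpreted LINE as a
  # regex and was also satisfied by a commented-out "#key=value", in
  # which case the real setting was never added.
  if ! grep -qxF -- "$1" "$2" 2>/dev/null; then
    printf '%s\n' "$1" >> "$2"
  fi
}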

set_ftp_config(){
# Turn the stock vsftpd.conf into the virtual-user setup.
# The sed only rewrites lines that exist in the stock file in exactly
# these forms: anonymous off, recursive ls on, chroot every local user,
# and enable the chroot list. Per vsftpd.conf(5), with
# chroot_local_user=YES the list names the users that are NOT chrooted.
sed -i 's/^anonymous_enable=YES/anonymous_enable=NO/g;s/^#ls_recurse_enable=YES/ls_recurse_enable=YES/g;s/^#chroot_local_user=YES/chroot_local_user=YES/g;s/^#chroot_list_enable=YES/chroot_list_enable=YES/g' $FTPCONF
# userlist_deny=NO turns user_list into an allow list: only names in it
# may log in; zte is added here, further users by adduser.sh.
add_to_config "userlist_deny=NO" $FTPCONF
add_to_config $USERNAME $FTPUSRCFGDIR/user_list
add_to_config "local_root=/var/vsftp/" $FTPCONF
# Per-user overrides are read from /etc/vsftpd/<user> (written below
# for zte and by adduser.sh for the others).
add_to_config "user_config_dir=$FTPUSRCFGDIR" $FTPCONF
# NOTE(review): vsftpd refuses to run a session whose chroot root is
# writable ("refusing to run with writable root inside chroot()");
# this setting switches that protection off. A read-only local_root
# with writable subdirectories is the safer way to get uploads.
add_to_config "allow_writeable_chroot=YES" $FTPCONF
add_to_config "ftpd_banner=CMS ftp" $FTPCONF

# Every non-anonymous login is a "guest" mapped onto the zte account and,
# with virtual_use_local_privs=YES, acts with zte's file-system rights.
add_to_config "guest_enable=YES" $FTPCONF
add_to_config "guest_username=zte" $FTPCONF
add_to_config "virtual_use_local_privs=YES" $FTPCONF

# zte's own per-user config: land in $USERHOME on login.
echo "local_root=$USERHOME">$FTPUSRCFGDIR/$USERNAME

# zte and ftpadmin go into chroot_list, i.e. they are NOT chrooted and
# can browse the whole file system over FTP.
sed -i "/chroot_list_file=/ c chroot_list_file=/etc/vsftpd/chroot_list" $FTPCONF
echo -e "$USERNAME\nftpadmin" > $FTPUSRCFGDIR/chroot_list
}

make_ftp_versiondir(){
  # Create $USERHOME/versions once, owned by the zte account.
  # NOTE(review): 0777 lets every local account write here, not only the
  # zte account vsftpd writes as; 0775 with zte:zte ownership would
  # cover the FTP use visible in these scripts - confirm there is no
  # other writer before tightening.
  local dir="$USERHOME/versions"
  [ -d "$dir" ] && return 0
  mkdir "$dir"
  chown -R "$USERNAME" "$dir"
  chgrp -R "$GROUP" "$dir"
  chmod -R 777 "$dir"
}

make_ftp_repodir(){
  # Create $USERHOME/repos once, owned by the zte account.
  # NOTE(review): 0777 lets every local account write here, not only the
  # zte account vsftpd writes as; 0775 with zte:zte ownership would
  # cover the FTP use visible in these scripts - confirm there is no
  # other writer before tightening.
  local dir="$USERHOME/repos"
  [ -d "$dir" ] && return 0
  mkdir "$dir"
  chown -R "$USERNAME" "$dir"
  chgrp -R "$GROUP" "$dir"
  chmod -R 777 "$dir"
}

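set_autorun(){
  # Start vsftpd at boot by adding it to rc.local. Optional argument:
  # the rc file (default /etc/rc.d/rc.local). Idempotent - the old
  # version appended another line on every run. rc.local must itself be
  # executable for systemd to run it; that is not handled here.
  local rc="${1:-/etc/rc.d/rc.local}"
  grep -qxF "/usr/sbin/vsftpd" "$rc" 2>/dev/null || echo "/usr/sbin/vsftpd">>"$rc"
}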

setSelinuxState(){
# Switch SELinux off: immediately (setenforce 0 when enforcing) and
# persistently (SELINUX=disabled in /etc/selinux/config). Does nothing
# when the config file is absent.
# NOTE(review): this disables SELinux for the whole host, not just for
# vsftpd. Keeping it enforcing and setting the ftpd booleans / file
# contexts for the FTP tree instead would be the targeted fix.
if [ -f /etc/selinux/config ]; then
selinuxState=`getenforce`
# Lower-cased so "Enforcing" matches. "==" inside [ ] is a bash
# extension; the #!/bin/sh shebang would not guarantee it on dash.
if [ $(echo $selinuxState | tr '[A-Z]' '[a-z]') == "enforcing" ] ; then
setenforce 0
fi
# Only rewrite the persistent setting when an active (uncommented)
# SELINUX= line is present.
cat /etc/selinux/config | grep "SELINUX=" | grep -v "^#" >/dev/null
if [ $? -eq 0 ]; then
sed -i 's/SELINUX=permissive\|SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
fi
fi
}

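#script begin
# Root check first: every later step (setenforce, rpm, useradd, writing
# /etc/vsftpd) needs it. It used to run only after SELinux had already
# been changed and the RPM installed.
check_current_user
setSelinuxState

if ! is_vsftp_installed ; then
  install_vsftp_rpm
fi

if need_add_user; then
  add_ftp_user
else
  # Account already there: (re)set its password to $PASSWORD.
  printf '%s\n' "$PASSWORD" | passwd --stdin "$USERNAME"
fi
if [ -f "$FTPCONF" ]; then
  set_ftp_config
fi
make_ftp_versiondir
make_ftp_repodir
set_autorun
#start vsftpd, no systemctl in docker
/usr/sbin/vsftpd
#script end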

 
