On HP-UX the FTP service is normally provided by wu-ftpd. Look at /etc/inetd.conf; the default entry is:
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l
Requirement: create the following FTP users.
ftp_acct, password ftp_acct, uploads files to /datafile/ftp_out/acct and must not be able to reach any other directory or to use telnet.
ftp_up, password ftp_acct, uploads files to /datafile/ftp_out/up and must not be able to reach any other directory or to use telnet.
All other users keep the default FTP functionality.
First, /etc/inetd.conf has to be changed so that ftpd reads /etc/ftpd/ftpaccess, i.e. so that FTP access is controlled through that file. By default the file is not used at all, which means that every valid account on the system can log in over FTP.
So start by changing /etc/inetd.conf to:
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a -l -u 000
Here -a tells ftpd to use the /etc/ftpd/ftpaccess file, and -u 000 sets the umask for files uploaded by FTP users to 000.
Then edit /etc/passwd and add the entries below; the password hashes were produced with the passwd command.
ftp_acct:BtqiMKXfVfSxA:200:200::/datafile/ftp_out/acct/./:/bin/false
ftp_up:8hlCYvP7qQS7I:201:201::/datafile/ftp_out/up/./:/bin/false
Edit /etc/group and add the entries:
ftp_acct::200:ftp_acct
ftp_up::201:ftp_up
Then create the directory trees under /datafile/ftp_out:
#cd /datafile/ftp_out
#mkdir -p acct/usr/bin
#mkdir -p up/usr/bin
#mkdir -p up/etc
#mkdir -p acct/etc
#cp /etc/passwd acct/etc/. (then delete every entry except ftp_acct's from this copy)
#cp /etc/group acct/etc/. (then delete every entry except ftp_acct's from this copy)
#cp /sbin/ls acct/usr/bin/.
#cp /bin/pwd acct/usr/bin/.
#cp /etc/passwd up/etc/. (then delete every entry except ftp_up's from this copy)
#cp /etc/group up/etc/. (then delete every entry except ftp_up's from this copy)
#cp /sbin/ls up/usr/bin/.
#cp /bin/pwd up/usr/bin/.
#chown -R ftp_acct:ftp_acct acct
#chown -R ftp_up:ftp_up up
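The jail-building steps above, done by script rather than by hand, as an added example that is not part of the original page: it reads a passwd and group file, derives each guest's chroot root from the "/./" marker in the home field, writes an etc/passwd and etc/group inside the jail that contain only that guest's own lines (the "delete every other entry" step), and copies ls and pwd into usr/bin. The passwd/group content is a constructed sample written to a scratch directory, the function names jail_root and build_jail are my own, and the BASE prefix exists only so the demo can build under the scratch directory; on the real host pass /etc/passwd, /etc/group and an empty BASE.

```shell
#!/bin/sh
# Added example, not part of the original page: build the chroot tree that
# wu-ftpd needs for one guest account, doing by script what the page does by
# hand (copy passwd/group, keep only the guest's own line, copy ls and pwd).
# The passwd and group content is a constructed sample in a scratch directory;
# on the real host pass /etc/passwd, /etc/group and an empty BASE prefix.

WORK=${WORK:-$(mktemp -d 2>/dev/null || echo "/tmp/ftpjail.$$")}
mkdir -p "$WORK"

# Constructed sample of /etc/passwd: the two guest accounts carry the wu-ftpd
# "/./" marker in their home field (chroot root to the left of it); alice is
# an ordinary user whose line must never end up inside a jail.
cat > "$WORK/passwd" <<'EOF'
root:x:0:3::/:/sbin/sh
ftp_acct:BtqiMKXfVfSxA:200:200::/datafile/ftp_out/acct/./:/bin/false
ftp_up:8hlCYvP7qQS7I:201:201::/datafile/ftp_out/up/./:/bin/false
alice:x:1001:20::/home/alice:/usr/bin/sh
EOF
# Constructed sample of /etc/group
cat > "$WORK/group" <<'EOF'
root::0:root
ftp_acct::200:ftp_acct
ftp_up::201:ftp_up
users::20:alice
EOF

# jail_root USER PASSWD_FILE -> the chroot root for USER, i.e. the home field
# up to the "/./" marker; prints nothing when USER has no such marker.
jail_root() {
    awk -F: -v u="$1" '
        $1 == u && index($6, "/./") { print substr($6, 1, index($6, "/./") - 1); exit }
    ' "$2"
}

# build_jail USER PASSWD_FILE GROUP_FILE BASE -> creates BASE<root>/etc and
# BASE<root>/usr/bin, writes etc/passwd and etc/group holding only USER's
# lines, copies ls and pwd (the page takes /sbin/ls and /bin/pwd on HP-UX;
# the first match below is used so the script also runs elsewhere), and
# prints the jail path.
build_jail() {
    user=$1 pwf=$2 grf=$3 base=$4
    root=$(jail_root "$user" "$pwf")
    [ -n "$root" ] || { echo "$user: home has no /./ marker, not a guest" >&2; return 1; }
    jail="$base$root"
    mkdir -p "$jail/etc" "$jail/usr/bin"
    awk -F: -v u="$user" '$1 == u' "$pwf" > "$jail/etc/passwd"
    awk -F: -v u="$user" '$1 == u' "$grf" > "$jail/etc/group"
    chmod 644 "$jail/etc/passwd" "$jail/etc/group"
    for b in ls pwd; do
        for d in /sbin /bin /usr/bin; do
            if [ -x "$d/$b" ]; then cp "$d/$b" "$jail/usr/bin/$b"; break; fi
        done
    done
    # The page's final step, chown -R user:user, is only possible when the
    # account exists on this host (it does not during the demo run).
    if id "$user" >/dev/null 2>&1; then chown -R "$user:$user" "$jail"; fi
    echo "$jail"
}

# Demo run against the constructed files; BASE points into the scratch dir.
for u in ftp_acct ftp_up; do
    j=$(build_jail "$u" "$WORK/passwd" "$WORK/group" "$WORK/jail") || continue
    echo "$u -> $j"
    cat "$j/etc/passwd"
done
```

The ls that a jailed user runs is the one inside the jail (the transcript further down shows ftpd opening /usr/bin/ls for the listing), and the jail holds no shared libraries, which is why the page copies the statically linked /sbin/ls rather than /usr/bin/ls. Keeping only the guest's own passwd and group lines in the jail means a directory listing can still show owner names without exposing the host's full account list.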
Then go to the /etc/ftpd directory:
#cd /etc/ftpd
#touch ftpgroups
#more ftpaccess (the file has the following contents:)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# @(#)B.11.11_LR
#
loginfails 2
class all real,guest,anonymous *
limit local 20 Any /etc/msgs/msg.toomany
limit remote 100 SaSu|Any1800-0600 /etc/msgs/msg.toomany
limit remote 60 Any /etc/msgs/msg.toomany
readme README* login
readme README* cwd=*
message /welcome.msg login
message .message cwd=*
compress yes local remote
tar yes local remote
# allow use of private file for SITE GROUP and SITE GPASS?
private yes
# passwd-check []
passwd-check rfc822 warn
log commands real
log transfers anonymous,real inbound,outbound
shutdown /etc/shutmsg
# all the following default to "yes" for everybody
delete yes guest,anonymous # delete permission?
overwrite yes guest,anonymous # overwrite permission?
rename no guest,anonymous # rename permission?
chmod no anonymous # chmod permission?
umask no anonymous # umask permission?
# specify the upload directory information
upload /var/ftp * no
upload /var/ftp /incoming yes root daemon 0600 dirs
upload /var/ftp /bin no
upload /var/ftp /etc no
# directory aliases
alias inc /incoming
# cdpath
cdpath /incoming
cdpath /pub
cdpath /
# path-filter...
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
# specify which group of users will be treated as "guests".
guestgroup ftp_acct ftp_up
email haha@haha.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Then edit /etc/shells so that it reads:
#more /etc/shells
/bin/false
/sbin/sh
/usr/bin/sh
Then make inetd re-read its configuration:
#inetd -c
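Before testing by hand, the pieces the setup depends on can be checked mechanically. The following audit script is an added example, not part of the original page: it confirms that ftpd is started with -a (otherwise ftpaccess is ignored and every account can log in), that each guest's home carries the "/./" marker, that the login shell is /bin/false and is listed in /etc/shells, that the guest's primary group appears on a guestgroup line, and it reports the effect of the -u value. All inputs are constructed copies of what this page shows, written to a scratch directory; the function names (guest_ok, ftpaccess_enabled, upload_umask, umask_allows_world_write, primary_group) are my own. On a real host point the five file variables at /etc/inetd.conf, /etc/passwd, /etc/group, /etc/shells and /etc/ftpd/ftpaccess.

```shell
#!/bin/sh
# Added example, not part of the original page: audit the settings the guest
# setup depends on, so a mistake in any one file (ftpd started without -a, a
# shell missing from /etc/shells, a home without the "/./" marker, a group
# missing from guestgroup) is caught before testing by hand. All inputs are
# constructed copies of what the page shows, written to a scratch directory.

WORK=${WORK:-$(mktemp -d 2>/dev/null || echo "/tmp/ftpaudit.$$")}
mkdir -p "$WORK"
INETD=$WORK/inetd.conf PASSWD=$WORK/passwd GROUP=$WORK/group
SHELLS=$WORK/shells FTPACCESS=$WORK/ftpaccess

# Constructed samples mirroring the page's inetd.conf, passwd, group,
# shells and ftpaccess content
printf '%s\n' 'ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a -l -u 000' \
    'telnet stream tcp nowait root /usr/lbin/telnetd telnetd' > "$INETD"
cat > "$PASSWD" <<'EOF'
root:x:0:3::/:/sbin/sh
ftp_acct:BtqiMKXfVfSxA:200:200::/datafile/ftp_out/acct/./:/bin/false
ftp_up:8hlCYvP7qQS7I:201:201::/datafile/ftp_out/up/./:/bin/false
alice:x:1001:20::/home/alice:/usr/bin/sh
EOF
printf '%s\n' 'root::0:root' 'ftp_acct::200:ftp_acct' 'ftp_up::201:ftp_up' 'users::20:alice' > "$GROUP"
printf '%s\n' /bin/false /sbin/sh /usr/bin/sh > "$SHELLS"
printf '%s\n' 'loginfails 2' 'class all real,guest,anonymous *' 'guestgroup ftp_acct ftp_up' > "$FTPACCESS"

# ftp_line INETD -> the inetd.conf line for the ftp service
ftp_line() { awk '$1 == "ftp" { print; exit }' "$1"; }

# ftpaccess_enabled INETD -> true when ftpd is started with -a; without it
# the ftpaccess file is ignored and every system account can log in over FTP
ftpaccess_enabled() {
    ftp_line "$1" | awk '{ for (i = 7; i <= NF; i++) if ($i == "-a") ok = 1 } END { exit !ok }'
}

# upload_umask INETD -> the value given to ftpd -u, or nothing when absent
upload_umask() {
    ftp_line "$1" | awk '{ for (i = 7; i < NF; i++) if ($i == "-u") print $(i + 1) }'
}

# umask_allows_world_write MASK -> true when the last octal digit leaves the
# "other" write bit (2) clear, so every upload becomes writable by any local
# user; the page's -u 000 does exactly that (see rwxrwxrwx in its ls output)
umask_allows_world_write() {
    last=${1#"${1%?}"}   # last character of MASK
    case $last in 0|1|4|5) return 0 ;; *) return 1 ;; esac
}

# primary_group USER PASSWD GROUP -> name of USER's primary group
primary_group() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$2")
    awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$3"
}

# guest_ok USER PASSWD GROUP SHELLS FTPACCESS -> true when USER is set up as
# the page requires; each missing piece is reported on stdout
guest_ok() {
    user=$1 pwf=$2 grf=$3 shf=$4 faf=$5 rc=0
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$pwf")
    [ -n "$entry" ] || { echo "$user: no passwd entry"; return 1; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    case $home in
        */./*) ;;
        *) echo "$user: home $home has no /./ chroot marker"; rc=1 ;;
    esac
    # /bin/false keeps telnet/login out; wu-ftpd also refuses any account
    # whose shell is not listed in /etc/shells, hence the page's edit there
    [ "$shell" = /bin/false ] || { echo "$user: shell is $shell, not /bin/false"; rc=1; }
    grep -qx "$shell" "$shf" || { echo "$user: $shell is not listed in shells file"; rc=1; }
    grp=$(primary_group "$user" "$pwf" "$grf")
    awk -v g="$grp" '$1 == "guestgroup" { for (i = 2; i <= NF; i++) if ($i == g) f = 1 } END { exit !f }' "$faf" \
        || { echo "$user: group $grp is not on any guestgroup line"; rc=1; }
    return $rc
}

# Demo run over the constructed files
for u in ftp_acct ftp_up alice; do
    guest_ok "$u" "$PASSWD" "$GROUP" "$SHELLS" "$FTPACCESS" && echo "$u: guest setup complete"
done
ftpaccess_enabled "$INETD" && echo "ftpd is started with -a, ftpaccess is active"
m=$(upload_umask "$INETD")
umask_allows_world_write "$m" && echo "warning: ftpd -u $m makes every upload world-writable"
```

The umask check is the one finding the page's own configuration triggers: with -u 000 every uploaded file is created mode 777, which is what the rwxrwxrwx entries in the ls transcript below show, so any local account on the host can modify what the guests upload. A value such as 022 or 027 keeps the uploads readable by the consuming process while removing the group/other write bits, and the script reports either setting without changing anything.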
Then test FTP and telnet for ftp_acct, as follows:
gxhh5#[/datafile/ftp_out/up/etc]ftp 10.187.1.122
Connected to 10.187.1.122.
220 gxhh5 FTP server (Version 1.1.214.4(PHNE_29461) Thu Nov 20 06:40:06 GMT 2003) ready.
Name (10.187.1.122:root): ftp_acct
331 Password required for ftp_acct.
Password:
230 User ftp_acct logged in. Access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /usr/bin/ls.
total 16
-rwxrwxrwx 1 ftp_acct ftp_acct 2 Jun 2 22:09 a.log
drwxrwxrwx 2 ftp_acct ftp_acct 96 Jun 2 21:33 etc
drwxrwxrwx 3 ftp_acct ftp_acct 96 Jun 2 21:10 usr
226 Transfer complete.
ftp> by
221 Goodbye.
Telnet test:
gxhh5#[/datafile/ftp_out/up/etc]telnet 10.187.1.122
Trying...
Connected to 10.187.1.122.
Escape character is '^]'.
Local flow control on
Telnet TERMINAL-SPEED option ON
HP-UX gxhh5 B.11.11 U 9000/800 (ta)
login: ftp_acct
Password:
Please wait...checking for disk quotas
Connection closed by foreign host.
gxhh5#[/datafile/ftp_out/up/etc]
This shows that the ftp_acct and ftp_up users get a restricted FTP login and cannot log in over telnet,
while every other user still has working FTP and telnet, so the required configuration is in place.