<HTML>
<HEAD>
<TITLE>Developer.com - Online Reference Library - 0672311739:RED HAT LINUX 2ND EDITION:FTP</TITLE>
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<SCRIPT>
<!--
function displayWindow(url, width, height) {
var Win = window.open(url,"displayWindow",'width=' + width +
',height=' + height + ',resizable=1,scrollbars=yes');
}
//-->
</SCRIPT>
</HEAD>
<!-- ISBN=0672311739 //-->
<!-- TITLE=RED HAT LINUX 2ND EDITION //-->
<!-- AUTHOR=DAVID PITTS ET AL //-->
<!-- PUBLISHER=MACMILLAN //-->
<!-- IMPRINT=SAMS PUBLISHING //-->
<!-- PUBLICATION DATE=1998 //-->
<!-- CHAPTER=08 //-->
<!-- PAGES=0131-0152 //-->
<!-- UNASSIGNED1 //-->
<!-- UNASSIGNED2 //-->
<P><CENTER>
<a href="0131-0134.html">Previous</A> | <a href="../ewtoc.html">Table of Contents</A> | <a href="0139-0141.html">Next</A>
</CENTER></P>
<A NAME="PAGENUM-135"><P>Page 135</P></A>
<CENTER>
<TABLE BGCOLOR="#FFFF99">
<TR><TD><B>
TIP
</B></TD></TR>
<TR><TD>
<BLOCKQUOTE>
When editing any of the files in the /etc directory (FTP related or not), comment the
file liberally. Keeping an edit history at the end of the file listing of who last edited the
file, when they did it, and what they changed is a good way to track down problems as well
as problem makers!
</BLOCKQUOTE></TD></TR>
</TABLE></CENTER>
<H4>
Controlling Access—The /etc/ftpaccess File
</H4>
<P>The /etc/ftpaccess file is the primary means of controlling who may access your server
and how many users may do so at once. Each line in the file either defines an attribute or sets its value.
</P>
<P>The following commands control access:
</P>
<UL>
<LI> class
<LI> autogroup
<LI> deny
<LI> guestgroup
<LI> limit
<LI> loginfails
<LI> private
</UL>
<P>The following commands control what information
the server tells clients:
</P>
<UL>
<LI> banner
<LI> email
<LI> message
<LI> readme
</UL>
<P>These commands control logging capabilities:
</P>
<UL>
<LI> log commands
<LI> log transfers
</UL>
<P>The following are miscellaneous commands:
</P>
<UL>
<LI> alias
<LI> cdpath
<LI> compress
<LI> tar
<LI> shutdown
</UL>
<A NAME="PAGENUM-136"><P>Page 136</P></A>
<P>Permissions controls are set by the following commands:
</P>
<UL>
<LI> chmod
<LI> delete
<LI> overwrite
<LI> rename
<LI> umask
<LI> passwd-check
<LI> path-filter
<LI> upload
</UL>
<H4><A NAME="ch08_ 6">
Controlling User Access
</A></H4>
<P>The ability to control who may and may not enter your site is a critical component in
fine-tuning your anonymous FTP server. The following commands define the criteria used to
determine in which group each user should be placed.
</P>
<H5><A NAME="ch08_ 7">
class
</A></H5>
<P>The class command defines a class of users who can access your FTP server. You can define
as many classes as you want. Each class line comes in the form
</P>
<!-- CODE SNIP //-->
<PRE>
class <classname> <typelist> <addrglob> [<addrglob> ...]
</PRE>
<!-- END CODE SNIP //-->
<P>where <classname> is the name of the class you are defining,
<typelist> is the type of user you are allowing into the class, and
<addrglob> is the range of IP addresses allowed access to
that class.
</P>
<P>The <typelist> is a comma-delimited list in
which each entry has one of three values:
anonymous, guest, or real. Anonymous users are, of course, any users who connect to the
server as user anonymous or ftp and want to access only publicly available files. Guest users are
special because they do not have accounts on the system per se, but they do have special access to
key parts of the guest group. (See the description of the
guestgroup command later in this chapter for additional details.) Real users must have accounts on the FTP server and are
authenticated accordingly.
</P>
<P><addrglob> is a shell-style wildcard pattern (not a full regular expression), where
* matches all sites. A pattern made of digits, dots, and wildcards is compared with the client's
IP address; any other pattern is compared with the client's hostname as obtained by reverse DNS,
so a name pattern can never match a host that has no reverse entry, and the owner of the remote
address block controls what that reverse entry says. Several <addrglob>s can be associated with
a particular class, and classes are tried in the order they appear in the file: a user is placed
in the first class that matches.
</P>
<P><A NAME="ch08_ 8">The line</A>
</P>
<!-- CODE SNIP //-->
<PRE>
class anonclass anonymous *
</PRE>
<!-- END CODE SNIP //-->
<P>defines the class anonclass, which contains only anonymous users. They can originate
their connections from anywhere on the network.
</P>
<A NAME="PAGENUM-137"><P>Page 137</P></A>
<P>On the other hand, the line
</P>
<!-- CODE SNIP //-->
<PRE>
class localclass real 192.168.42.*
</PRE>
<!-- END CODE SNIP //-->
<P>allows real users (those with accounts on the FTP server) to log in to their accounts via FTP
only when they connect from the 192.168.42.0/24 local network.
</P>
<H5><A NAME="ch08_ 9">
autogroup
</A></H5>
<P>The autogroup command controls access for anonymous users more tightly: when an anonymous
user belongs to one of the listed classes, the server switches its effective group ID to the
named group for that session, so files readable by that group (and by no one else) become
visible only to those users. The format of the autogroup line is
</P>
<!-- CODE SNIP //-->
<PRE>
autogroup <groupname> <class> [<class> ...]
</PRE>
<!-- END CODE SNIP //-->
<P>where <groupname> is the name of the group to which you want the anonymous users set,
and <class> is a name of a class defined using the
class command. You can have multiple <class> entries for an autogroup. Only the anonymous users referenced in
<class> will be affected by autogroup.
</P>
<P>Remember that the group to which you are giving the users permission must be in the
/etc/group file.
</P>
<H5><A NAME="ch08_ 10">
deny
</A></H5>
<P>The deny command allows you to explicitly refuse service to certain hosts based on their
hostnames, their IP addresses, or whether their IP addresses can be reverse-resolved to hostnames at all. The
format of the deny command is
</P>
<!-- CODE SNIP //-->
<PRE>
deny <addrglob> <message_file>
</PRE>
<!-- END CODE SNIP //-->
<P>where <addrglob> is a regular expression containing the addresses that are to be denied
and <message_file> is the filename containing a message that should be displayed to the hosts
when they connect.
</P>
<P>The following is a sample deny line:
</P>
<!-- CODE SNIP //-->
<PRE>
deny evilhacker.domain.com /home/ftp/.message.no.evil.hackers
</PRE>
<!-- END CODE SNIP //-->
<P>This line displays the contents of the file
/home/ftp/.message.no.evil.hackers to anyone trying to connect via FTP from
evilhacker.domain.com and then refuses the connection. To refuse connections from any address
that cannot be reverse-resolved to a hostname, use the string !nameserved as the
<addrglob> entry. Because a hostname-based deny depends on reverse DNS that the remote
network's owner controls, a determined attacker can simply change or drop that record; an
IP-based pattern cannot be sidestepped that way.
</P>
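<P>The class and deny rules described above can be checked offline before the file goes live.
The following Python program is an added example and is not code from the book or from wu-ftpd
itself: it parses a constructed /etc/ftpaccess fragment and reports, for a given connecting
client, which deny line fires or which class the client lands in, following the rules the text
gives (classes are tried in file order and the first match wins; a numeric addrglob is compared
with the client's IP address, any other addrglob with its reverse-resolved hostname, so a host
with no reverse DNS entry never matches a name pattern; !nameserved matches exactly those
hosts). The hostnames, addresses, class names and message-file paths in the sample are
assumptions.
</P>

```python
"""Simulate wu-ftpd style class assignment from 'class' and 'deny' lines.

Added example, not code from the book or from wu-ftpd. It implements the
rules the text describes: classes are tried in file order (first match
wins), addrglob is a shell-style wildcard, and '!nameserved' stands for
'the address has no reverse DNS entry'.
"""
import fnmatch
from dataclasses import dataclass
from typing import Optional

# Constructed sample /etc/ftpaccess fragment; names and paths are assumptions.
FTPACCESS = """
# classes are tried in file order; the first match wins
class localclass real,guest 192.168.42.*
class anonclass  anonymous  *
deny  !nameserved            /home/ftp/.message.no_dns
deny  evilhacker.domain.com  /home/ftp/.message.no.evil.hackers
"""


@dataclass
class Client:
    ip: str
    hostname: Optional[str]  # None when the address has no reverse DNS entry
    usertype: str            # "anonymous", "guest" or "real"


def parse_ftpaccess(text):
    """Return (classes, denies) in file order.

    classes: list of (name, set_of_types, [addrglob, ...])
    denies:  list of (addrglob, message_file)
    """
    classes, denies = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "class" and len(fields) >= 4:
            classes.append((fields[1], set(fields[2].split(",")), fields[3:]))
        elif fields[0] == "deny" and len(fields) == 3:
            denies.append((fields[1], fields[2]))
    return classes, denies


def addrglob_matches(glob, client):
    """Match one addrglob against a client.

    Numeric patterns are compared with the IP address; every other pattern is
    compared (case-insensitively) with the reverse-resolved hostname, so an
    unresolvable host can only ever match '*' or '!nameserved'.
    """
    if glob == "!nameserved":
        return client.hostname is None
    if glob == "nameserved":
        return client.hostname is not None
    if glob[0].isdigit():
        return fnmatch.fnmatchcase(client.ip, glob)
    if client.hostname is None:
        return glob == "*"
    return fnmatch.fnmatchcase(client.hostname.lower(), glob.lower())


def classify(text, client):
    """Return 'deny:<message_file>' if a deny line fires, otherwise the name of
    the first matching class, otherwise None (no class: the login is refused)."""
    classes, denies = parse_ftpaccess(text)
    for glob, msgfile in denies:
        if addrglob_matches(glob, client):
            return "deny:" + msgfile
    for name, types, globs in classes:
        if client.usertype in types and any(addrglob_matches(g, client) for g in globs):
            return name
    return None


if __name__ == "__main__":
    for c in (Client("192.168.42.7", "ws7.example.com", "real"),
              Client("192.168.42.7", "ws7.example.com", "anonymous"),
              Client("203.0.113.5", None, "anonymous"),
              Client("10.0.0.1", "host.example.org", "real")):
        print(c, "->", classify(FTPACCESS, c))
```

<P>Note that a real user from 10.0.0.1 falls into no class at all, which is how wu-ftpd refuses
logins that no class line covers; and that the deny on evilhacker.domain.com only fires when the
client's address actually reverse-resolves to that name.
</P>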
<H5><A NAME="ch08_ 11">
guestgroup
</A></H5>
<P>The guestgroup command is useful when you have real users but want them to have only
restrictive FTP privileges. The format of the command is
</P>
<!-- CODE SNIP //-->
<PRE>
guestgroup <groupname> [<groupname> ...]
</PRE>
<!-- END CODE SNIP //-->
<P>where <groupname> is the name of the group (as taken from
/etc/group) that you want restricted.
</P>
<A NAME="PAGENUM-138"><P>Page 138</P></A>
<P>When a user's group is restricted, the user is treated much like an anonymous visitor;
hence, the same setups needed for anonymous visitors must be performed in this user's account.
The user's password entry is also a little different in the directory field.
</P>
<P>The field for the user's home directory is broken up by the
/./ characters. Before the split characters is the effective root directory, and after the split characters is the user's relative
home directory. For example, consider the following password entry:
</P>
<!-- CODE SNIP //-->
<PRE>
user1:encrypted password:500:128:User 1:/ftp/./user1:/bin/ftponly
</PRE>
<!-- END CODE SNIP //-->
<P>Here, /ftp becomes the user's root directory: the server chroots to it after login, so
bin, etc, and lib directories holding the ls binary and the libraries it needs must be created
under /ftp, exactly as for the anonymous area. /ftp/user1 is the user's home directory after the
chroot. The login shell given in the entry, /bin/ftponly here, must also be listed in
/etc/shells; wu-ftpd refuses the login of any real or guest user whose shell is not listed there.
</P>
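<P>The following Python program is an added example, not code from the book, that audits a
guest user's password entry against the requirements just described: the home field must carry
the /./ split marker, the user's primary group must be one named on a guestgroup line, and the
login shell must appear in /etc/shells. The passwd, group, shells and ftpaccess contents are
constructed inline so the check runs offline; the group name ftpguests and shell /bin/ftponly are
assumptions. Whether the chroot directory actually contains bin, etc and lib is a filesystem
check left to the administrator.
</P>

```python
"""Audit a guestgroup user's /etc/passwd entry.

Added example, not code from the book or from wu-ftpd. It checks the three
things the text calls out: the '/./' marker in the home field, membership in
a group named on a 'guestgroup' line, and a login shell listed in /etc/shells.
"""

# Constructed sample data (assumptions, not from the book).
PASSWD_LINE = "user1:x:500:128:User 1:/ftp/./user1:/bin/ftponly"
GROUP_TEXT = "ftpguests:x:128:\nusers:x:100:\n"
SHELLS_TEXT = "/bin/sh\n/bin/bash\n"          # /bin/ftponly deliberately missing
FTPACCESS_TEXT = "# guests are confined to /ftp\nguestgroup ftpguests\n"


def split_guest_home(home):
    """Return (chroot_dir, home_after_chroot) for a '/root/./relative' home field."""
    if "/./" not in home:
        raise ValueError("guest home %r lacks the /./ split marker" % home)
    root, rel = home.split("/./", 1)
    return root, root.rstrip("/") + "/" + rel


def guest_groups(ftpaccess_text):
    """Collect every group name listed on guestgroup lines (comments ignored)."""
    names = set()
    for line in ftpaccess_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == "guestgroup":
            names.update(fields[1:])
    return names


def audit_guest_entry(passwd_line, group_text, shells_text, ftpaccess_text):
    """Return a list of problems; an empty list means the entry is consistent."""
    problems = []
    name, _pw, _uid, gid, _gecos, home, shell = passwd_line.split(":")

    try:
        split_guest_home(home)
    except ValueError as err:
        problems.append(str(err))

    gid_to_group = {}
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            gid_to_group[fields[2]] = fields[0]
    group = gid_to_group.get(gid)
    if group is None:
        problems.append("gid %s of %s is not in /etc/group" % (gid, name))
    elif group not in guest_groups(ftpaccess_text):
        problems.append("group %s is not named on any guestgroup line" % group)

    shells = {s.strip() for s in shells_text.splitlines()
              if s.strip() and not s.startswith("#")}
    if shell not in shells:
        problems.append("shell %s is not listed in /etc/shells" % shell)
    return problems


if __name__ == "__main__":
    for problem in audit_guest_entry(PASSWD_LINE, GROUP_TEXT, SHELLS_TEXT, FTPACCESS_TEXT):
        print("PROBLEM:", problem)
```

<P>Run as-is it reports the missing /etc/shells entry, which is the usual reason a freshly
created guest account is rejected with a login failure even though the passwd line looks right.
</P>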
<H5><A NAME="ch08_ 12">
limit
</A></H5>
<P>The limit command allows you to control the number of users who log in to the system
via FTP by class and time of day. This capability is especially useful if you have a popular
archive but the system needs to be available to your users during business hours. The format of
the limit command is
</P>
<!-- CODE SNIP //-->
<PRE>
limit <class> <n> <times> <message_file>
</PRE>
<!-- END CODE SNIP //-->
<P>where <class> is the class to limit,
<n> is the maximum number of people allowed in that
class, <times> is the time during which the limit is in effect, and
<message_file> is the file that should be displayed to the client when the maximum limit is reached.
</P>
<P>The format of the <times> parameter is somewhat complex. The parameter is a
comma-delimited string in which each entry names one or more days, optionally followed by a time
range. Sunday through Saturday take the form Su, Mo, Tu, We, Th, Fr, and
Sa, respectively, and all the weekdays can be
referenced as Wk. Times are written in 24-hour format as HHMM, without a colon separating the hours and
minutes, and a range is specified with a dash; an entry with no time range applies all day.
</P>
<P>For example, to limit the class anonfolks to 10 from Monday through Thursday, all day,
and Friday from midnight to 5:00 p.m., you would use the following
limit line:
</P>
<!-- CODE SNIP //-->
<PRE>
limit anonfolks 10 MoTuWeTh,Fr0000-1700 /home/ftp/.message.too_many
</PRE>
<!-- END CODE SNIP //-->
<P>In this case, if the limit is hit, the contents of the file
/home/ftp/.message.too_many are displayed to the connecting user.
</P>
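<P>Because the <times> syntax is easy to get wrong, the following Python program is an added
example, not code from the book or from wu-ftpd, that parses a limit line into its fields and
decides whether the limit is in effect at a given moment. It accepts the day tokens the text
lists plus Any, which wu-ftpd also understands for every day of the week; the class name,
message-file path and the dates used in the check are assumptions.
</P>

```python
"""Parse the <times> field of a wu-ftpd 'limit' line and evaluate it.

Added example, not code from the book or from wu-ftpd. Format as described
in the text: comma-separated entries, each a run of two-letter day names
(Su..Sa, Wk for Mo-Fr, Any for all days) optionally followed by HHMM-HHMM.
"""
import re
from datetime import datetime

# datetime.weekday(): Monday is 0, Sunday is 6
_DAYS = {"Su": 6, "Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5}
_ENTRY = re.compile(r"^((?:Su|Mo|Tu|We|Th|Fr|Sa|Wk|Any)*)(?:(\d{4})-(\d{4}))?$")
_TOKEN = re.compile(r"Any|Wk|Su|Mo|Tu|We|Th|Fr|Sa")


def _minutes(hhmm):
    """'1700' -> 1020 (minutes since midnight); rejects 25:99-style values."""
    hours, minutes = int(hhmm[:2]), int(hhmm[2:])
    if hours > 24 or minutes > 59:
        raise ValueError("bad time of day %r" % hhmm)
    return hours * 60 + minutes


def parse_times(spec):
    """Return a list of (set_of_weekdays, start_minute, end_minute) tuples.

    An entry without a time range covers the whole day; a time range with no
    day names applies every day. Anything else raises ValueError.
    """
    entries = []
    for item in spec.split(","):
        m = _ENTRY.match(item)
        if not m or (m.group(1) == "" and m.group(2) is None):
            raise ValueError("bad limit time entry: %r" % item)
        days = set()
        for tok in _TOKEN.findall(m.group(1)):
            if tok == "Any":
                days.update(range(7))
            elif tok == "Wk":
                days.update(range(5))
            else:
                days.add(_DAYS[tok])
        if not days:
            days = set(range(7))
        if m.group(2) is None:
            start, end = 0, 24 * 60
        else:
            start, end = _minutes(m.group(2)), _minutes(m.group(3))
        entries.append((days, start, end))
    return entries


def limit_in_effect(spec, when):
    """True when a limit with this <times> field applies at 'when'.

    'when' may be a datetime or an ISO string such as '2024-01-05T16:59'.
    The end of a range is exclusive, so 0000-1700 stops at 17:00 sharp.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= minute < end
               for days, start, end in parse_times(spec))


def parse_limit_line(line):
    """Split 'limit <class> <n> <times> <message_file>' into its four fields."""
    fields = line.split()
    if len(fields) != 5 or fields[0] != "limit":
        raise ValueError("not a limit line: %r" % line)
    return fields[1], int(fields[2]), parse_times(fields[3]), fields[4]


if __name__ == "__main__":
    # The book's own example line, checked on a Monday and on a Friday evening.
    name, n, times, msg = parse_limit_line(
        "limit anonfolks 10 MoTuWeTh,Fr0000-1700 /home/ftp/.message.too_many")
    print(name, n, msg)
    print("Mon 12:00:", limit_in_effect("MoTuWeTh,Fr0000-1700", "2024-01-01T12:00"))
    print("Fri 17:00:", limit_in_effect("MoTuWeTh,Fr0000-1700", "2024-01-05T17:00"))
```

<P>The design choice worth noticing is the exclusive range end: with 0000-1700 the limit is lifted
at exactly 17:00, which is what an administrator reading "midnight to 5:00 p.m." expects, and a
malformed entry raises rather than silently matching nothing.
</P>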
<H5><A NAME="ch08_ 13">
loginfails
</A></H5>
<P>The loginfails command allows you to set the number of failed login attempts clients
can make before disconnecting them. By default, this number is five; however, you can set it
by using the command
</P>
<!-- CODE SNIP //-->
<PRE>
loginfails <n>
</PRE>
<!-- END CODE SNIP //-->
<P><CENTER>
<a href="0131-0134.html">Previous</A> | <a href="../ewtoc.html">Table of Contents</A> | <a href="0139-0141.html">Next</A>
</CENTER></P>
</td>
</tr>
</table>
<!-- begin footer information -->
</body></html>