This section covers two classic file-service exercises, vsftpd with anonymous upload and Samba file sharing; they are worth writing up together.
1: Anonymous FTP with upload allowed: create an incoming directory under /var/ftp and let anonymous users upload into it
[root@server ~]# rpm -qa |grep vsftpd //confirm vsftpd is installed; if not, install it with yum
vsftpd-2.0.5-16.el5
[root@server ~]# cd /var/ftp/
[root@server ftp]# ls -Z //check the SELinux context of pub (read-only public_content_t); incoming will get the read-write variant below
drwxr-xr-x root root system_u:object_r:public_content_t pub
[root@server ftp]# chgrp ftp incoming/ //incoming must exist first (mkdir incoming); give it group ftp, the group the anonymous user runs as
[root@server ftp]# chmod 730 incoming/ //root rwx, group ftp wx only (upload and traverse, but no listing), nothing for others
[root@server ftp]# chcon -t public_content_rw_t incoming //SELinux type that allows ftpd to write into incoming
[root@server ftp]# setsebool -P allow_ftpd_anon_write on //SELinux boolean that allows anonymous writes; -P makes it persistent across reboots
[root@server ~]# grep -v '^#' /etc/vsftpd/vsftpd.conf
anonymous_enable=YES //allow anonymous logins
local_enable=YES //allow local users to log in
write_enable=YES //master switch for all write commands (STOR, DELE, RNFR, MKD) for every user; anon_upload_enable does nothing without it
local_umask=022 //umask for files created by local users
anon_upload_enable=YES //allow anonymous uploads (new files only), the point of this exercise; anon_other_write_enable and anon_mkdir_write_enable stay at their default NO, so anonymous users cannot overwrite, delete, rename or create directories
dirmessage_enable=YES //show .message files when entering a directory
xferlog_enable=YES //log transfers
connect_from_port_20=YES //active-mode data connections originate from TCP 20 (the control connection is TCP 21)
chown_uploads=YES //change the owner of anonymously uploaded files, the point of this exercise
chown_username=daemon //give uploads to daemon; never leave this unset or set to root, because root is vsftpd's default for chown_username
anon_umask=077 //umask for anonymous uploads: files end up 600, so neither the ftp user (which shares the file's group ftp) nor anyone else can read them back
xferlog_std_format=YES //log in the standard xferlog format
listen=YES //run as a standalone daemon instead of under xinetd
[root@server ~]# service vsftpd start //start the service and make it start at boot
Starting vsftpd for vsftpd: [ OK ]
[root@server ~]# chkconfig vsftpd on
Client test:
C:\>ftp 192.168.100.20
Connected to 192.168.100.20.
220 (vsFTPd 2.0.5)
User (192.168.100.20:(none)): ftp
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 "/" //anonymous users are always chrooted to the ftp user's home (/var/ftp), hence "/"; local users are not chrooted unless chroot_local_user or chroot_list_enable is set
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
incoming
pub
226 Directory send OK.
ftp: 15 bytes received in 0.00Seconds 15000.00Kbytes/sec.
ftp> cd incoming
250 Directory successfully changed.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Transfer done (but failed to open directory). //mode 730 gives the ftp user no read bit on incoming, so listing fails while traversal and upload still work
ftp> put c:\1.txt
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 File receive OK.
ftp: 5 bytes sent in 0.23Seconds 0.02Kbytes/sec.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Transfer done (but failed to open directory). //still no listing after the upload: an anonymous user cannot see what anyone else dropped
[root@server incoming]# ll //server-side check: the file is mode 600 and owned by daemon, so the ftp user cannot read it back; host-level access control for FTP can be layered on with tcp_wrappers (/etc/hosts.allow and /etc/hosts.deny, honoured when tcp_wrappers=YES) and iptables
total 8
-rw------- 1 daemon ftp 5 Mar 25 02:49 1.txt
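The drop-box behaviour above only holds when several vsftpd settings agree with each other. The following script is an added example, not part of the original write-up: it audits a vsftpd.conf for those settings, reading the file only, so it runs without vsftpd installed. The two sample configs it writes are constructed for the demonstration (one mirrors the section's settings, the other leaves chown_username unset and uploads world-readable); the defaults it relies on are vsftpd's documented ones (anon_umask 077, chown_username root).

```sh
#!/bin/sh
# Added example, not part of the original write-up: audit a vsftpd.conf for the
# anonymous drop-box pattern configured above. Only the config file is read, so
# this runs without vsftpd installed; the sample configs below are constructed.

# get_opt FILE KEY: print the value of KEY (last occurrence wins, '#' lines skipped)
get_opt() {
    grep -v '^[[:space:]]*#' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_anon_dropbox FILE: 0 when FILE describes a write-only drop box, 1 otherwise
audit_anon_dropbox() {
    conf=$1
    rc=0
    # upload needs all four: write_enable is the global switch, anon_upload_enable
    # the anonymous one, chown_uploads moves the files out of the ftp user's reach
    for key in anonymous_enable write_enable anon_upload_enable chown_uploads; do
        if [ "$(get_opt "$conf" "$key")" != "YES" ]; then
            echo "FAIL: $key=YES is required for an anonymous drop box"
            rc=1
        fi
    done
    # vsftpd's default for chown_username is root, so an unset value is as bad as root
    owner=$(get_opt "$conf" chown_username)
    if [ -z "$owner" ] || [ "$owner" = "root" ]; then
        echo "FAIL: chown_username must name an unprivileged user (got '${owner:-unset}')"
        rc=1
    fi
    # uploads keep group ftp, the anonymous user's own group, so the umask must
    # clear the group bits as well as the world bits (vsftpd default is 077)
    umask_val=$(get_opt "$conf" anon_umask)
    [ -n "$umask_val" ] || umask_val=077
    case $umask_val in
        *77) ;;
        *) echo "FAIL: anon_umask=$umask_val lets the ftp user read uploads back"; rc=1 ;;
    esac
    # a drop box accepts new files only: no overwrite/delete/rename, no mkdir
    for key in anon_other_write_enable anon_mkdir_write_enable; do
        if [ "$(get_opt "$conf" "$key")" = "YES" ]; then
            echo "FAIL: $key=YES widens the drop box beyond new-file uploads"
            rc=1
        fi
    done
    return $rc
}

# sample_good: constructed copy of the settings shown in the section
sample_good() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, same settings as the section
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
chown_uploads=YES
chown_username=daemon
anon_umask=077
listen=YES
EOF
    echo "$f"
}

# sample_weak: constructed sample with the usual mistakes: chown_username left
# at its root default, world-readable uploads, delete/rename allowed
sample_weak() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
chown_uploads=YES
anon_umask=022
anon_other_write_enable=YES
EOF
    echo "$f"
}

good=$(sample_good); weak=$(sample_weak)
audit_anon_dropbox "$good" && echo "sample_good: drop box OK"
audit_anon_dropbox "$weak" || echo "sample_weak: rejected"
rm -f "$good" "$weak"
```

Run it as `sh audit.sh`, or source it and call `audit_anon_dropbox /etc/vsftpd/vsftpd.conf` on a real server; a non-zero exit with the printed FAIL lines tells you which of the settings above drifted.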
2: Samba configuration. zhangsan, lisi and wangwu all belong to the group sharedgroup. Share /shared through Samba so that all three users can reach their own home directories, wangwu cannot reach /shared, and the other two can copy files from their home directories into /shared to share them.
[root@server ~]# rpm -qa |grep samba //if not installed, use yum groupinstall -y "Windows File Server"
system-config-samba-1.2.41-5.el5
samba-common-3.0.33-3.14.el5
samba-client-3.0.33-3.14.el5
samba-3.0.33-3.14.el5
[root@server ~]# groupadd sharedgroup //create the sharedgroup group and add the three users with it as their primary group; /sbin/nologin keeps them off the shell, they only need Samba access
[root@server ~]# useradd -g sharedgroup -s /sbin/nologin zhangsan
[root@server ~]# useradd -g sharedgroup -s /sbin/nologin lisi
[root@server ~]# useradd -g sharedgroup -s /sbin/nologin wangwu
[root@server ~]# smbpasswd -a zhangsan //add the three system users to the Samba password database (Samba keeps its own hashes, separate from /etc/shadow)
New SMB password:
Retype new SMB password:
Added user zhangsan.
[root@server ~]# smbpasswd -a lisi
New SMB password:
Retype new SMB password:
Added user lisi.
[root@server ~]# smbpasswd -a wangwu
New SMB password:
Retype new SMB password:
Added user wangwu.
[root@server ~]# mkdir /shared //create /shared, then set its group, mode, SELinux context and boolean
[root@server ~]# chcon -t samba_share_t /shared
[root@server ~]# chown root.sharedgroup /shared/
[root@server ~]# chmod 2770 /shared/ //setgid bit so new files inherit group sharedgroup; note wangwu is in sharedgroup too, so the filesystem alone would let him in and the exclusion has to come from Samba's valid users
[root@server ~]# ll -Zd /shared/
drwxrws--- root sharedgroup root:object_r:samba_share_t /shared/
[root@server ~]# setsebool -P samba_enable_home_dirs on //without this boolean SELinux stops Samba from serving the users' home directories
[root@server ~]# tail -5 /etc/samba/smb.conf //the share definition appended to the main Samba config
[shared] //share name
path = /shared //directory being shared
comment = share directory //description shown to clients
readonly = no //writable share
valid users = zhangsan lisi //users allowed to connect; @sharedgroup would admit the whole group, which here would include wangwu. This user-level control is what excludes him
[root@server ~]# grep 'security' /etc/samba/smb.conf |head -1
security = user //user-level authentication: every client must present a valid Samba account
[root@server ~]# grep '192.168.100.20' /etc/samba/smb.conf
hosts allow = 192.168.100.20 127.0.0.1 //host-level control: only the server itself (its own address and loopback) may connect, which is why the tests below are run on the server
[root@server ~]# ifconfig |grep 'inet addr'
inet addr:192.168.100.20 Bcast:192.168.100.255 Mask:255.255.255.0
inet addr:127.0.0.1 Mask:255.0.0.0
[root@server ~]# service smb start //start the service and make it start at boot
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
[root@server ~]# chkconfig smb on
Test: before mounting, smbclient -L //192.168.100.20 -U zhangsan%123 lists the shares visible to that user (the user%password form is handy in a lab, but the password lands in the shell history and process list)
[root@server ~]# mkdir /zhang
[root@server ~]# mkdir /li
[root@server ~]# mkdir /wang
[root@server ~]# mount -t cifs -o username=zhangsan,password=123 //192.168.100.20/shared /zhang/ //mount as zhangsan
[root@server ~]# mount -t cifs -o username=lisi,password=123 //192.168.100.20/shared /li //mount as lisi
[root@server ~]# mount -t cifs -o username=wangwu,password=123 //192.168.100.20/shared /wang //mount as wangwu: rejected by valid users
mount error 13 = Permission denied
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)
[root@server ~]# df -h //mounts after the above; half of the requirement is met: zhangsan and lisi can reach the shared share, wangwu cannot
Filesystem Size Used Avail Use% Mounted on
/dev/hda2 38G 1.3G 35G 4% /
/dev/hda1 99M 12M 83M 12% /boot
tmpfs 80M 0 80M 0% /dev/shm
/dev/hdc 2.8G 2.8G 0 100% /mnt
//192.168.100.20/shared
38G 1.3G 35G 4% /zhang
//192.168.100.20/shared
38G 1.3G 35G 4% /li
[root@server ~]# mkdir /zhanghome //the two users mount their own home directories, served by the [homes] section of the default smb.conf
[root@server ~]# mkdir /lihome
[root@server ~]# mount -t cifs -o username=zhangsan,password=123 //192.168.100.20/zhangsan /zhanghome/
[root@server ~]# mount -t cifs -o username=lisi,password=123 //192.168.100.20/lisi /lihome/
[root@server ~]# df -h //check the mounts
Filesystem Size Used Avail Use% Mounted on
/dev/hda2 38G 1.3G 35G 4% /
/dev/hda1 99M 12M 83M 12% /boot
tmpfs 80M 0 80M 0% /dev/shm
/dev/hdc 2.8G 2.8G 0 100% /mnt
//192.168.100.20/shared
38G 1.3G 35G 4% /zhang
//192.168.100.20/shared
38G 1.3G 35G 4% /li
//192.168.100.20/zhangsan
38G 1.3G 35G 4% /zhanghome
//192.168.100.20/lisi
38G 1.3G 35G 4% /lihome
[root@server ~]# cd /zhanghome/ //zhangsan creates a file in the home directory and copies it into the /zhang mount of the shared share
[root@server zhanghome]# ls
[root@server zhanghome]# cat > test.txt <<EOF
> if you see this information in shared directory,
> the exam has pass
> good luck for you……..
> EOF
[root@server zhanghome]# cp test.txt /zhang
[root@server zhanghome]# cd /li //the file shows up in lisi's mount with the expected ownership: owner zhangsan, group sharedgroup inherited through the setgid directory; the group has read only, so lisi can read but not modify it
[root@server li]# ll
total 8
-rwxr--r-- 1 zhangsan sharedgroup 93 Mar 25 02:31 test.txt
[root@server li]# cat test.txt
if you see this information in shared directory,
the exam has pass
good luck for you……..
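Two independent controls decided who got in above: hosts allow in [global] and valid users on the share. The following script is an added example, not the page's own procedure or Samba's code: it replays both controls against constructed smb.conf, group and passwd files to predict whether a user connecting from a given address reaches a share. The [team] share using @sharedgroup, the uid/gid numbers and the temporary file locations are assumptions made for the demonstration; the parser handles a subset of Samba's syntax (exact addresses and dotted prefixes for hosts allow, plain names and @group for valid users). A user whose primary group is sharedgroup counts as a member of @sharedgroup, which is why wangwu would be admitted to [team] but is turned away from [shared].

```sh
#!/bin/sh
# Added example, not part of the original write-up: replay the two access controls
# used above, 'hosts allow' (host level) and 'valid users' (user level, with @group
# expanded against the unix group database), to predict whether a user connecting
# from a given address can reach a share. All inputs are constructed files written
# by make_inputs, so nothing here touches the live system.

# smb_param FILE SECTION KEY: print one parameter; KEY is lowercase with spaces
# removed, the normalization Samba applies to parameter names
smb_param() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { s = $0; gsub(/^[[:space:]]*\[|\].*$/, "", s); insec = (s == sec); next }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[[:space:]]/, "", k)
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
            if (tolower(k) == key) val = v
        }
        END { print val }' "$1"
}

# in_group GROUPFILE PASSWDFILE USER GROUP: true if GROUP is USER's primary group
# or lists USER as a member; Samba accepts either for '@group'
in_group() {
    gid=$(awk -F: -v g="$4" '$1 == g { print $3 }' "$1")
    [ -n "$gid" ] || return 1
    awk -F: -v u="$3" -v gid="$gid" '$1 == u && $4 == gid { f = 1 } END { exit !f }' "$2" && return 0
    awk -F: -v u="$3" -v g="$4" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) f = 1 } END { exit !f }' "$1"
}

# host_allowed LIST IP: exact addresses and dotted prefixes such as 192.168.100.
# (a subset of Samba's hosts allow syntax; netmasks and EXCEPT are not handled)
host_allowed() {
    for pat in $1; do
        case $pat in
            *.) case $2 in "$pat"*) return 0 ;; esac ;;
            *)  [ "$pat" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# can_access SMBCONF GROUPFILE PASSWDFILE SHARE USER IP: 0 if the connection would
# be admitted, 1 otherwise; prints the rule that decided
can_access() {
    conf=$1 grp=$2 pw=$3 share=$4 user=$5 ip=$6
    # a share-level hosts allow overrides the [global] one; no list means any host
    allow=$(smb_param "$conf" "$share" hostsallow)
    [ -n "$allow" ] || allow=$(smb_param "$conf" global hostsallow)
    if [ -n "$allow" ] && ! host_allowed "$allow" "$ip"; then
        echo "$user@$ip -> [$share]: denied by hosts allow ($allow)"; return 1
    fi
    valid=$(smb_param "$conf" "$share" validusers)
    if [ -z "$valid" ]; then
        echo "$user@$ip -> [$share]: allowed, no valid users list"; return 0
    fi
    for entry in $valid; do
        case $entry in
            @*) in_group "$grp" "$pw" "$user" "${entry#@}" &&
                    { echo "$user@$ip -> [$share]: allowed via $entry"; return 0; } ;;
            *)  [ "$entry" = "$user" ] &&
                    { echo "$user@$ip -> [$share]: allowed, listed in valid users"; return 0; } ;;
        esac
    done
    echo "$user@$ip -> [$share]: denied by valid users ($valid)"; return 1
}

# make_inputs: constructed smb.conf, group and passwd files mirroring the setup
# above, plus an assumed [team] share using the @sharedgroup form from the text
make_inputs() {
    dir=$(mktemp -d)
    cat > "$dir/smb.conf" <<'EOF'
[global]
    security = user
    hosts allow = 192.168.100.20 127.0.0.1
[shared]
    path = /shared
    read only = no
    valid users = zhangsan lisi
[team]
    path = /shared
    valid users = @sharedgroup
EOF
    printf 'sharedgroup:x:501:\n' > "$dir/group"
    cat > "$dir/passwd" <<'EOF'
zhangsan:x:501:501::/home/zhangsan:/sbin/nologin
lisi:x:502:501::/home/lisi:/sbin/nologin
wangwu:x:503:501::/home/wangwu:/sbin/nologin
EOF
    echo "$dir"
}

d=$(make_inputs)
for u in zhangsan lisi wangwu; do can_access "$d/smb.conf" "$d/group" "$d/passwd" shared "$u" 192.168.100.20 || true; done
can_access "$d/smb.conf" "$d/group" "$d/passwd" team wangwu 192.168.100.20 || true
can_access "$d/smb.conf" "$d/group" "$d/passwd" shared zhangsan 192.168.100.21 || true
rm -rf "$d"
```

The output reproduces the test results above (zhangsan and lisi admitted to [shared], wangwu denied by valid users) and adds the two cases the page only describes: the same user from any other address is stopped by hosts allow before authentication is even consulted, and the @sharedgroup form would let wangwu in, which is why the share lists the two names explicitly.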