Book: Fedora™ Unleashed, 2008 edition
Configure Access Control
Sections on this page:
- Limit Access for Anonymous Users
- Define User Classes
- Block a Host's Access to the Server
- ftpusers File Purpose Now Implemented in ftpaccess
- Restrict Permissions Based on Group IDs
- Limit Permissions Based on Individual ID
- Restrict the Number of Users in a Class
- Limit the Number of Invalid Password Entries
Configure Access Control
Controlling which users can access the FTP server, and how they can do so, is a critical part of system security. The following entries in the ftpaccess file determine which group or class a connecting user is assigned to and what restrictions that assignment carries.
Limit Access for Anonymous Users
This command tightens security for anonymous users:
autogroup <groupname> <class> [<class>]
If the anonymous user belongs to one of the listed classes, the server switches its effective group to groupname for that session, so the anonymous user can read only files and directories that are world-readable or readable by that group. The group must be a valid group from /etc/group (or, for the chrooted anonymous area, /var/ftp/etc/group).
Define User Classes
This command defines a class of users by user type and by the address from which the user connects:
class <class> <typelist> <addrglob> [<addrglob>]
A class can have many members, and a single user can satisfy several class definitions. When more than one class applies to a user, the first matching class line in the file is used, so place the most specific class lines first. A user who matches no class at all is refused.
The typelist field is a comma-separated list of the keywords anonymous, guest, and real. anonymous applies to the anonymous user, guest applies to guest access accounts as specified by the guestgroup and guestuser directives, and real applies to users who have a valid entry in the /etc/passwd file.
The addrglob field is a wildcard (glob) pattern, not a full regular expression; it is matched against the client's hostname or numeric address. The entry * matches all hosts.
Block a Host's Access to the Server
Sometimes it is necessary to block entire hosts from accessing the server. This can be useful to protect the system from individual hosts or entire blocks of IP addresses, or to force the use of other servers. Use this command to do so:
deny <addrglob> <message_file>
deny always refuses access to hosts that match the given address and shows them the contents of message_file before closing the connection.
addrglob is a wildcard pattern that matches either numeric addresses or DNS names. The field can also be a reference to a file containing one such pattern per line; a file reference must be an absolute path, that is, one starting with /. The special value !nameserver matches hosts whose IP address cannot be reverse-mapped to a valid domain name, so deny !nameserver <message_file> refuses connections from hosts without working reverse DNS.
A sample deny line resembles the following:
deny *.exodous.net /home/ftp/.message_exodous_deny
This entry denies access to the FTP server from all users coming from the exodous.net domain and displays the message contained in the .message_exodous_deny file in the /home/ftp directory.
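The following script is an added example, not code from the book or from wu-ftpd; it evaluates the class and deny rules described above against a constructed ftpaccess fragment, so that first-match-wins class selection, typelist filtering, glob matching on names and addresses, pattern files, and the !nameserver case can be exercised offline. The hostnames, addresses, and message paths in the sample are made up, and the matcher is an approximation of the server's own logic (it does not handle every form wu-ftpd accepts).

```python
"""Evaluate wu-ftpd style `class` and `deny` directives for one connection.

Added illustration, not wu-ftpd source: glob matching via fnmatch, first
matching class wins, deny returns the message file that would be shown.
"""
from fnmatch import fnmatchcase
from typing import Optional

# Constructed sample ftpaccess fragment (names, addresses and paths are made up).
SAMPLE_FTPACCESS = """\
# staff on the internal network may log in with real or guest accounts
class   staff    real,guest   *.corp.example  10.0.0.*
# everyone else only gets anonymous access
class   anonftp  anonymous    *
deny    *.exodous.net   /home/ftp/.message_exodous_deny
deny    !nameserver     /home/ftp/.message_no_rdns
loginfails 3
"""


def parse_ftpaccess(text: str) -> list[tuple[str, list[str]]]:
    """Return (directive, args) pairs in file order; blank and '#' lines are skipped."""
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives


def addr_matches(pattern: str, host: str, ip: str) -> bool:
    """Glob-match one addrglob against the client's hostname or numeric address.

    An absolute path names a file holding one pattern per line (the ftpaccess
    file-reference form); hostnames are compared case-insensitively.
    """
    if pattern.startswith("/"):
        with open(pattern) as f:
            return any(addr_matches(p.strip(), host, ip)
                       for p in f if p.strip() and not p.startswith("#"))
    return fnmatchcase(host.lower(), pattern.lower()) or fnmatchcase(ip, pattern)


def resolve_class(directives, user_type: str, host: str, ip: str) -> Optional[str]:
    """First `class` line whose typelist contains user_type and whose addrglob matches."""
    for name, args in directives:
        if name != "class" or len(args) < 3:
            continue
        cls, typelist, *globs = args
        if user_type in typelist.split(",") and any(addr_matches(g, host, ip) for g in globs):
            return cls
    return None  # no class matched: the server refuses the login


def check_deny(directives, host: str, ip: str, has_rdns: bool) -> Optional[str]:
    """Return the message file of the first matching `deny`, or None if not denied.

    has_rdns tells whether the client's address reverse-resolved to a name,
    which is what the special `!nameserver` pattern tests.
    """
    for name, args in directives:
        if name != "deny" or len(args) != 2:
            continue
        pattern, message_file = args
        if pattern == "!nameserver":
            if not has_rdns:
                return message_file
        elif addr_matches(pattern, host, ip):
            return message_file
    return None


SAMPLE_DIRECTIVES = parse_ftpaccess(SAMPLE_FTPACCESS)

if __name__ == "__main__":
    d = SAMPLE_DIRECTIVES
    print(resolve_class(d, "real", "ws1.corp.example", "10.0.0.5"))
    print(resolve_class(d, "real", "dsl.isp.example", "198.51.100.7"))
    print(check_deny(d, "mail.exodous.net", "203.0.113.9", True))
    print(check_deny(d, "198.51.100.7", "198.51.100.7", False))
```

Note that a real user connecting from outside the corporate glob falls into no class at all, because the only catch-all class is restricted to anonymous; that is the intended effect of ordering and typelists, but it is also an easy way to lock out legitimate users, so test each class line against the addresses you expect.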
ftpusers File Purpose Now Implemented in ftpaccess
Linux installation creates a number of system accounts whose only purpose is to separate tasks and run them with specific permissions; none of them should be able to log in over FTP. The ftpusers file (located at /etc/ftpusers) is where such accounts are listed so that the server refuses them. The version of wu-ftpd you use with Fedora may deprecate this file and instead provide the same function through the deny-uid and deny-gid directives in the ftpaccess file. Whichever mechanism your version uses, confirm that root and the other system accounts are covered, because FTP transmits passwords in clear text and these accounts must never be exposed to it.
Restrict Permissions Based on Group IDs
The guestgroup line makes the members of one or more groups behave exactly like the anonymous user. Here is the command:
guestgroup <groupname> [<groupname>]
This command confines the users to a specific directory structure in the same way anonymous users are confined to /var/ftp. It also limits these users to files for which their assigned group has permissions.
The groupname parameter can be the name of a group or that group's corresponding group ID (GID). If you use a GID as the groupname parameter, put a percent sign (%) in front of it. You can use this form to cover a range of group IDs, as in this example:
guestgroup %500-550
This entry treats all users whose group ID falls in the range 500-550 as guests rather than as ordinary real users. For guestgroup to work, you must set up each user's home directory with the correct ownership and permissions, exactly as for the anonymous FTP area, since the user is chrooted into it.
Limit Permissions Based on Individual ID
The guestuser line works exactly like the guestgroup command you just read about, except that it selects users by user ID (UID) instead of by group ID. Here's the command:
guestuser <username> [<username>]
This command limits the guest user to files for which that user's own account has privileges. Because an individual account usually has permissions beyond those it inherits from its group, this assignment can be less restrictive than a guestgroup line.
Restrict the Number of Users in a Class
The limit command restricts the number of users in a class during given times. Here is the command, which contains fields for specifying a class, a number of users, a time range, and the name of a text file that contains an appropriate message:
limit <class> <n> <times> <message_file>
When the specified number of users from the listed class is already connected during the given time period, the next user from that class is refused and sees the contents of the file given in the message_file parameter.
The times parameter is somewhat terse. Its format is a comma-delimited string in the form of days,hours. Valid day strings are Su, Mo, Tu, We, Th, Fr, Sa, Wk (Monday through Friday), and Any. The hours string is a range in 24-hour HHMM-HHMM format; omitting it means the whole day. An example is as follows:
limit anonymous 10 MoTuWeThFr,Sa0000-2300 /home/ftp/.message_limit_anon_class
This line limits the anonymous class to 10 concurrent connections all day Monday through Friday, and on Saturday from midnight to 11:00 p.m. For example, if ten anonymous users are already connected at 9:00 p.m. on Saturday, the next anonymous user is refused and sees the contents of the file /home/ftp/.message_limit_anon_class.
Syntax for finer control over limiting user connections can be found in the ftpaccess man page.
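The following script is an added example, not code from the book or from wu-ftpd: it parses a limit line's times field using the format as this section describes it (comma-separated entries, each a run of day names optionally followed by an HHMM-HHMM range, with end times treated as exclusive) and decides whether a new connection from the class would be refused given the current time and the number of users already logged in. wu-ftpd's own time parser accepts more forms than this, so treat the parser as an illustration of the rule, not as a reference implementation; the limit line itself is the one from the text above.

```python
"""Decide whether a wu-ftpd `limit` line refuses a new connection.

Added illustration, not wu-ftpd source. The times grammar implemented here is
the one described in the surrounding text: "MoTuWeThFr,Sa0000-2300" means all
day Monday to Friday plus Saturday from 00:00 up to (not including) 23:00.
"""
from datetime import datetime
from typing import Optional

# Day tokens map to datetime.weekday() values (Monday == 0). "Wk" is the
# weekday shorthand; "Any" is handled separately because it is three letters.
DAY_TOKENS = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4},
}

# The example limit line from the text.
LIMIT_LINE = "limit anonymous 10 MoTuWeThFr,Sa0000-2300 /home/ftp/.message_limit_anon_class"


def parse_times(spec: str) -> list[tuple[set[int], int, int]]:
    """Turn a <times> string into (weekdays, start_hhmm, end_hhmm) entries."""
    entries = []
    for entry in spec.split(","):
        days: set[int] = set()
        rest = entry
        if rest.startswith("Any"):
            days = set(range(7))
            rest = rest[3:]
        while rest[:2] in DAY_TOKENS:
            days |= DAY_TOKENS[rest[:2]]
            rest = rest[2:]
        if not days:
            raise ValueError(f"no day names in time entry {entry!r}")
        start, end = 0, 2400  # no hours given: the whole day
        if rest:
            a, _, b = rest.partition("-")
            if len(a) != 4 or len(b) != 4 or not (a + b).isdigit():
                raise ValueError(f"bad hour range in time entry {entry!r}")
            start, end = int(a), int(b)
        entries.append((days, start, end))
    return entries


def in_window(entries: list[tuple[set[int], int, int]], when: datetime) -> bool:
    """True if `when` falls inside any parsed entry (end time exclusive)."""
    hhmm = when.hour * 100 + when.minute
    return any(when.weekday() in days and start <= hhmm < end
               for days, start, end in entries)


def limit_decision(limit_line: str, current_users: int, when: datetime) -> Optional[str]:
    """Return the message file if the limit is in force and already reached, else None."""
    keyword, _cls, n, times, message_file = limit_line.split()
    if keyword != "limit":
        raise ValueError("not a limit line")
    if in_window(parse_times(times), when) and current_users >= int(n):
        return message_file
    return None


if __name__ == "__main__":
    saturday_evening = datetime(2008, 6, 14, 21, 0)   # constructed timestamp, a Saturday
    print(limit_decision(LIMIT_LINE, 10, saturday_evening))
    print(limit_decision(LIMIT_LINE, 9, saturday_evening))
```

The check is made at login time only: a user admitted while the class was under the limit keeps the session when the limit is later reached, which is why the count is compared against users already connected rather than against the total that would result.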
Limit the Number of Invalid Password Entries
This line controls how many times a user can enter an invalid password before the FTP server terminates the session:
loginfails <number>
The default for loginfails is 5. This command keeps users without valid passwords from experimenting within one session until they get it right. Note that it is only a per-session limit: an attacker can simply reconnect and try again, so also log failed logins and watch for repeated failures from the same host.