修改設定 pure-ftpd.conf
# File permission mask: removes the execute permission on uploaded files for
# other users, and removes write permission on new directories for "other".
# 133 (files) clears x for the owner and w+x for group and other;
# 002 (dirs) clears only w for other, so new directories stay group-writable.
# File creation mask. <umask for files>:<umask for dirs> .
# 177:077 if you feel paranoid.
Umask 133:002
# Disallow downloads of files owned by the "ftp" system user;
# files that were uploaded but not validated by a local admin.
# NOTE(review): with "no", anonymous uploads can be downloaded by everyone
# right away, without admin review. That is what lets public/ work as an open
# exchange directory, so limit who can reach the server and watch disk usage.
AntiWarez no
Use pure-ftpd to build a file server; create 3 directories under /home/ftp
/home/ftp/public
Everyone can download & upload files
client cmd
# NOTE(review): the "<...>" around each URL and the "[email protected]" text look
# like page-extraction artifacts (the latter stands where "password@host" was).
# An unquoted < or > is parsed by the shell as a redirection, so quote the URL.
# -k skips certificate verification and --ssl falls back to plain FTP when the
# server offers no TLS; outside a lab, trust the server certificate and use
# --ssl-reqd so credentials are never sent in cleartext.
# --ftp-ssl-ccc-mode concerns Clear Command Channel, i.e. shutting TLS down on
# the control connection after login — confirm that is wanted here.
# upload by anonymous
curl -k --ssl --ftp-ssl-ccc-mode active <ftp://10.113.0.1/public/> -T './testfile'
# check file
curl -k --ssl --ftp-ssl-ccc-mode active <ftp://10.113.0.1/public/>
# download by anonymous
curl -k --ssl --ftp-ssl-ccc-mode active <ftp://10.113.0.1/public/testfile> -O
# download by vuser ftp-vip1
# (a password embedded in the URL ends up in shell history and the process
# list; curl can take it from a netrc file or prompt for it with -u USER)
curl -k --ssl --ftp-ssl-ccc-mode active <ftp://ftp-vip1:[email protected]/public/testfile>
Everyone can mkdir, rmdir, delete except anonymous
server cmd
# Create public/ owned by sysadm:ftpuser with mode 775:
# owner and group get rwx, everyone else gets r-x (list and enter, no write).
install -d -m 775 -o sysadm -g ftpuser /home/ftp/public
client cmd
# NOTE(review): these commands put the account password in the URL, where it is
# visible in shell history and the process list; prefer a netrc file or -u USER.
# mkdir testdir by vuser ftp-vip1
curl -k --ssl --ftp-ssl-ccc-mode active <ftp://ftp-vip1:[email protected]> -Q '-MKD public/testdir/'
# mkdir testdir1 by ruser sysadm
curl -k --ssl --ftp-ssl-ccc-mode active <ftp://sysadm:[email protected]> -Q '-MKD public/testdir1/'
# mkdir testdir2 by anonymous; this fails
curl -k --ssl --ftp-ssl-ccc-mode active <ftp://10.113.0.1> -Q '-MKD public/testdir2/'
# list dir (the command logs in as ruser sysadm, not as anonymous)
curl -k --ssl --ftp-ssl-ccc-mode active <ftp://sysadm:[email protected]/public/>
# rmdir testdir by anonymous; this fails (the umask has removed the permission)
curl -k --ssl --ftp-ssl-ccc-mode active <ftp://10.113.0.1> -Q '-RMD public/testdir'
# rmdir testdir1 by ruser sysadm
curl -k --ssl --ftp-ssl-ccc-mode active <ftp://sysadm:[email protected]> -Q '-RMD public/testdir1'
# rmdir testdir by vuser ftp-vip1
curl -k --ssl --ftp-ssl-ccc-mode active <ftp://ftp-vip1:[email protected]> -Q '-RMD public/testdir'
/home/ftp/upload
server cmd
# Set the special fourth mode digit (sticky bit) on the directory so that each
# user can only write their own files; anything created through pure-ftpd is
# still masked by its Umask (113:002).
# NOTE(review): the Umask line shown for pure-ftpd.conf on this page is 133:002;
# confirm which value is intended.
install -d -m 1775 -o sysadm -g ftpuser /home/ftp/upload
# Set a ZFS (NFSv4) ACL so that sysadm has full rights over everything under
# the directory.
# NOTE(review): the ACL is applied to /home/ftp, the parent of every FTP
# directory, not only to upload/. full_set grants every NFSv4 permission and
# the fd flags make newly created files and directories below inherit it;
# confirm that this wider scope is intended.
setfacl -m u:sysadm:full_set:fd:allow /home/ftp
client cmd
# mkdir testdir by vuser ftp-vip1
curl -k --ssl --ftp-ssl-ccc-mode active <ftp://ftp-vip1:[email protected]> -Q '-MKD upload/testdir/'
# mkdir testdir1 by ruser sysadm
curl -k --ssl --ftp-ssl-ccc-mode active <ftp://sysadm:[email protected]> -Q '-MKD upload/testdir1/'
# mkdir testdir2 by vuser ftp-vip2
curl -k --ssl --ftp-ssl-ccc-mode active <ftp://ftp-vip2:[email protected]> -Q '-MKD upload/testdir2/'
# list dir (the command logs in as ruser sysadm, not as anonymous)
curl -k --ssl --ftp-ssl-ccc-mode active <ftp://sysadm:[email protected]/upload/>
# rmdir testdir by vuser ftp-vip1, who created it above
curl -k --ssl --ftp-ssl-ccc-mode active <ftp://ftp-vip1:[email protected]> -Q '-RMD upload/testdir'
# rmdir testdir1 by vuser ftp-vip1; this fails because testdir1 was created by
# sysadm above and upload/ carries the sticky bit, so a non-owner cannot remove it
curl -k --ssl --ftp-ssl-ccc-mode active <ftp://ftp-vip1:[email protected]> -Q '-RMD upload/testdir1'
# rmdir testdir2 by sysadm; the administrator has the final say and can remove
# a directory created by another user
curl -k --ssl --ftp-ssl-ccc-mode active <ftp://sysadm:[email protected]> -Q '-RMD upload/testdir2'
/home/ftp/hidden:
server cmd
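# hidden/ is 751: "other" keeps execute (traverse) but loses read, so a client
# outside owner/group cannot list it. Nothing below it is protected by that:
# anyone who knows or guesses a path can still walk through hidden/.
install -d -m 751 -o sysadm -g vip /home/ftp/hidden
# treasure/ is 755, so it can be listed by everyone who reaches it.
install -d -m 755 -o sysadm -g vip /home/ftp/hidden/treasure
# $(...) replaces the legacy backticks; the text written to the file is unchanged.
echo "This SECRET create on $(date)." > /home/ftp/hidden/treasure/secret
chown sysadm:vip /home/ftp/hidden/treasure/secret
# 744 leaves the file world-readable. Treat hidden/ as "unlisted", not as access
# control, and keep real secrets in a directory without the other-execute bit.
chmod 744 /home/ftp/hidden/treasure/secret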
client cmd
# As anonymous, nothing under hidden/ can be seen (listing is refused)
curl -k --ssl --ftp-ssl-ccc-mode active <ftp://10.113.0.1/hidden/>
# As anonymous, everything under hidden/treasure can be seen
curl -k --ssl --ftp-ssl-ccc-mode active <ftp://10.113.0.1/hidden/treasure/>
# As anonymous, the content of hidden/treasure/secret can be read
# NOTE(review): the three requests together show that hidden/ only hides names;
# the data is readable by any client that knows the path.
curl -k --ssl --ftp-ssl-ccc-mode active <ftp://10.113.0.1/hidden/treasure/secret>
Create users
Other requirements
