pure-ftpd中如何使用symlink

在pure-ftpd中,为了安全起见,通常会限制chroot,即用户只能其在home目录下浏览,通常绑定别的目录到用户目录下就只能使用mount –bind了。而有时为了文件组织便利,又有使用symlink的需求。

在pure-ftpd的faq里,明确提到:

* Chrooted users can follow symlinks outside the chroot jail?

-> People can create symbolic links to ‘/’ and escape their home directory!

There are two chroot implementations in pure-ftpd:

– The traditional one, based upon your kernel chroot() system call. This
is the default. With that one, symbolic links can only point inside the
chroot jail, or they won’t be followed.

– The ‘virtual chroot’ implementation. With that feature, users *can*
follow all symbolic links, even when they don’t point inside the jail. This
is very handy to set up directories shared by multiple users. Binary
packages are compiled with virtual chroot by default.

To enable the virtual chroot feature when you are compiling the server, use
the –with-virtualchroot with ./configure . If you want a restricted chroot,
don’t include –with-virtualchroot.

Please note that the FTP server will never let people create new symbolic
links. Symbolic links have to be already there to be followed. Or if your
users can create symbolic links through Perl or PHP scripts, your hosting
platform is really badly configured. People can install any web file
browser, they don’t need FTP to look at your system files. Recompile PHP
without POSIX functions and run all Perl scripts chrooted.

可以看到,pure-ftpd支持一种virtualchroot方法,还可以支持symlink,这就是我们想要的效果。

在ubuntu中,可以在/etc/default/pure-ftpd-common修改,保证:

VIRTUALCHROOT=true

然后就可以使用symlink了。但要注意,在构建symlink时,必须使用绝对路径,而不能使用相对路径。(因为使用相对路径后,系统就不知道你是相对的哪个路径了)


已发布

分类

来自

评论

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注