免费注册 查看新帖 |

Chinaunix

  平台 论坛 博客 文库
最近访问板块 发新帖
查看: 1319 | 回复: 0
打印 上一主题 下一主题

SOLARIS有关ftp/telnet的配置文件 [复制链接]

论坛徽章:
0
跳转到指定楼层
1 [收藏(0)] [报告]
发表于 2006-12-10 23:32 |只看该作者 |倒序浏览
   
    系统安装好了,默认情况下除root用户外的其他用户ftp/telnet是可用的,如果需要对ftp/telnet做一些调整,需要修改配置文件,ftp/telnet涉及到的文件有下面一些。

    首先,控制能否telnet/ftp的配置文件是/etc/inetd.conf,下面两句是允许ftp/telnet,如果注释掉,则所有用户都不能ftp/telnet.修改了inetd.conf文件需kill -HUP pid对inetd进程重启(pid用命令查看ps -ef|grep inetd)。ftp/telnet端口是在/etc/services文件配置的。
ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd
telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd

    附:配置文件inetd.conf的内容如下

#ident "@(#)inetd.conf 1.45 02/11/05 SMI" /* SVr4.0 1.5 */
#
# Copyright 1989-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#
#
# Configuration file for inetd(1M).  See inetd.conf(4).
#
# To re-configure the running inetd process, edit this file, then
# send the inetd process a SIGHUP.
#
# Syntax for socket-based Internet services:
#        
#
# Syntax for TLI-based Internet services:
#
#   tli     
#
# IPv6 and inetd.conf
# By specifying a  value of tcp6 or udp6 for a service, inetd will
# pass the given daemon an AF_INET6 socket.  The following daemons have
# been modified to be able to accept AF_INET6 sockets
#
# ftp telnet shell login exec tftp finger printer
#
# and service connection requests coming from either IPv4 or IPv6-based
# transports.  Such modified services do not normally require separate
# configuration lines for tcp or udp.  For documentation on how to do this
# for other services, see the Solaris System Administration Guide.
#
# You must verify that a service supports IPv6 before specifying  as
# tcp6 or udp6.  Also, all inetd built-in commands (time, echo, discard,
# daytime, chargen) require the specification of  as tcp6 or udp6
#
# The remote shell server (shell) and the remote execution server
# (exec) must have an entry for both the "tcp" and "tcp6"  values.
#
# Ftp and telnet are standard Internet services.
#
ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd
telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd
#
# Tnamed serves the obsolete IEN-116 name server protocol.
#
name dgram udp wait root /usr/sbin/in.tnamed in.tnamed
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
#shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd
login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind
exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
exec stream tcp6 nowait root /usr/sbin/in.rexecd in.rexecd
comsat dgram udp wait root /usr/sbin/in.comsat in.comsat
talk dgram udp wait root /usr/sbin/in.talkd in.talkd
#
# Must run as root (to read /etc/shadow); "-n" turns off logging in utmp/wtmp.
#
uucp stream tcp nowait root /usr/sbin/in.uucpd in.uucpd
#
# Tftp service is provided primarily for booting.  Most sites run this
# only on machines acting as "boot servers."
#
tftp dgram udp6 wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers."  Many sites choose to disable
# some or all of these services to improve security.
#
finger stream tcp6 nowait nobody /usr/sbin/in.fingerd in.fingerd
#systat stream tcp nowait root /usr/bin/ps  ps -ef
#netstat stream tcp nowait root /usr/bin/netstat  netstat -f inet
#
# Time service is used for clock synchronization.
#
time stream tcp6 nowait root internal
time dgram udp6 wait root internal
#
# Echo, discard, daytime, and chargen are used primarily for testing.
#
echo stream tcp6 nowait root internal
echo dgram udp6 wait root internal
discard stream tcp6 nowait root internal
discard dgram udp6 wait root internal
daytime stream tcp6 nowait root internal
daytime dgram udp6 wait root internal
chargen stream tcp6 nowait root internal
chargen dgram udp6 wait root internal
#
#
# RPC services syntax:
#  /  rpc/   \
#   
#
#  can be either "tli" or "stream" or "dgram".
# For "stream" and "dgram" assume that the endpoint is a socket descriptor.
#  can be either a nettype or a netid or a "*". The value is
# first treated as a nettype. If it is not a valid nettype then it is
# treated as a netid. The "*" is a short-hand way of saying all the
# transports supported by this system, ie. it equates to the "visible"
# nettype. The syntax for  is:
# *||{[,]}
# For example:
# dummy/1 tli rpc/circuit_v,udp wait root /tmp/test_svc test_svc
#
# Solstice system and network administration class agent server
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
#
# Rquotad supports UFS disk quotas for NFS clients
#
rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad
#
# The rusers service gives out user information.  Sites concerned
# with security may choose to disable it.
#
rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
#
# The spray server is used primarily for testing.
#
sprayd/1 tli rpc/datagram_v wait root /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd
#
# The rwall server allows others to post messages to users on this machine.
#
walld/1  tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
#
# Rstatd is used by programs such as perfmeter.
#
rstatd/2-4 tli   rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
#
# The rexd server provides only minimal authentication and is often not run
#
#rexd/1          tli  rpc/tcp wait root /usr/sbin/rpc.rexd     rpc.rexd
#
# rpc.cmsd is a data base daemon which manages calendar data backed
# by files in /var/spool/calendar
#
#
# Sun ToolTalk Database Server
#
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
#
# UFS-aware service daemon
#
#ufsd/1 tli rpc/* wait root /usr/lib/fs/ufs/ufsd ufsd -p
#
# Sun KCMS Profile Server
#
100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server
#
# Sun Font Server
#
fs  stream tcp wait nobody /usr/openwin/lib/fs.auto fs
#
# CacheFS Daemon
#
100235/1 tli rpc/ticotsord wait root /usr/lib/fs/cachefs/cachefsd cachefsd
#
# Kerberos V5 Warning Message Daemon
#
100134/1 tli rpc/ticotsord wait root /usr/lib/krb5/ktkt_warnd ktkt_warnd
#
# Print Protocol Adaptor - BSD listener
#
printer  stream tcp6 nowait root /usr/lib/print/in.lpd in.lpd
#
# GSS Daemon
#
100234/1 tli rpc/ticotsord wait root /usr/lib/gss/gssd gssd
#
# AMI Daemon
#
100146/1 tli rpc/ticotsord wait root /usr/lib/security/amiserv amiserv
100147/1 tli rpc/ticotsord wait root /usr/lib/security/amiserv amiserv
#
# OCF (Smart card) Daemon
#
100150/1 tli rpc/ticotsord wait root /usr/sbin/ocfserv ocfserv
dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
sun-dr stream tcp wait root /usr/lib/dcs dcs
sun-dr stream tcp6 wait root /usr/lib/dcs dcs
300326/4 tli rpc/tcp wait root /platform/SUNW,Ultra-Enterprise-10000/lib/dr_daemon dr_daemon
    第二,root用户的ftp/telnet,默认情况下root用户是不允许ftp/telnet的,修改/etc/ftpusers配置文件,将root用户注释掉,则root用户才可以ftp,如果想让某个用户不能ftp,可以将其加到这个文件中来。
    ftpusers文件内容如下
#root
daemon
bin
sys
adm
lp
uucp
nuucp
listen
nobody
noaccess
nobody4

修改/etc/default/login配置文件,找到CONSOLE=/dev/console,将其注释掉,就可以用root用户telnet了。

    附:/etc/default/login配置文件

# ident "@(#)login.dfl  1.13    03/01/10 SMI"
#
# Copyright 1989-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# Set the TZ environment variable of the shell.
#
#TIMEZONE=EST5EDT
# ULIMIT sets the file size limit for the login.  Units are disk blocks.
# The default of zero means no limit.
#
#ULIMIT=0
# If CONSOLE is set, root can only login on that device.
# Comment this line out to allow remote login by root.
#
# CONSOLE=/dev/console
# PASSREQ determines if login requires a password.
#
PASSREQ=YES
# ALTSHELL determines if the SHELL environment variable should be set
#
ALTSHELL=YES
# PATH sets the initial shell PATH variable
#
#PATH=/usr/bin:
# SUPATH sets the initial shell PATH variable for root
#
#SUPATH=/usr/sbin:/usr/bin
# TIMEOUT sets the number of seconds (between 0 and 900) to wait before
# abandoning a login session.
#
#TIMEOUT=300
# UMASK sets the initial shell file creation mode mask.  See umask(1).
#
#UMASK=022
# SYSLOG determines whether the syslog(3) LOG_AUTH facility should be used
# to log all root logins at level LOG_NOTICE and multiple failed login
# attempts at LOG_CRIT.
#
SYSLOG=YES
# SLEEPTIME controls the number of seconds that the command should
# wait before printing the "login incorrect" message when a
# bad password is provided.  The range is limited from
# 0 to 5 seconds.
#
#SLEEPTIME=4
# DISABLETIME  If present, and greater than zero, the number of seconds
# login will wait after RETRIES failed attempts or the PAM framework returns
# PAM_ABORT. Default is 20. Minimum is 0. No maximum is imposed.
#
#DISABLETIME=20
# RETRIES determines the number of failed logins that will be
# allowed before login exits.
#
#RETRIES=5
#
# The SYSLOG_FAILED_LOGINS variable is used to determine how many failed
# login attempts will be allowed by the system before a failed login
# message is logged, using the syslog(3) LOG_NOTICE facility.  For example,
# if the variable is set to 0, login will log -all- failed login attempts.
#
#SYSLOG_FAILED_LOGINS=5
    第三,如果想让某个用户只能ftp,不能telnet。可以先把/etc/passwd文件中该用户的shell改成/usr/sbin/nologin,然后再在/etc目录下建一个shells文件,里面加入/usr/sbin/nologin。

    附:/etc/passwd文件

root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
ssmon:x:60000:60001:Sun StorEdge(tm) Configuration Service Monitor:/:/bin/false
ssadmin:x:59999:60001:Sun StorEdge(tm) Configuration Service Admin:/:/bin/false
ssconfig:x:59998:60001:Sun StorEdge(tm) Configuration Service Config:/:/bin/false
informix:x:1001:100::/usr/informix:/bin/csh
oracle:x:1002:102::/opt/oracle:/bin/csh
learn:x:1007:104::/export/home/learn:/bin/csh



转载请注明详细出处,谢谢合作^_^


本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u/20228/showart_213146.html
您需要登录后才可以回帖 登录 | 注册

本版积分规则 发表回复

  

北京盛拓优讯信息技术有限公司. 版权所有 京ICP备16024965号-6 北京市公安局海淀分局网监中心备案编号:11010802020122 niuxiaotong@pcpop.com 17352615567
未成年举报专区
中国互联网协会会员  联系我们:huangweiwei@itpub.net
感谢所有关心和支持过ChinaUnix的朋友们 转载本站内容请注明原作者名及出处

清除 Cookies - ChinaUnix - Archiver - WAP - TOP