环境server版本22.04
客户要求为,搭建sftp协议,实现用户可以远程ssh登陆,可以文件上传,但禁止文件下载和删除。
用户配置
useradd -m -s /bin/bash nodule
目录配置
sudo mkdir -p /data/upload # 目录归属 sudo chown nodule:nodule /data/upload# 只给:写 + 进入,不给读 sudo chmod 733 /data/upload
ssh配置如下
sudo vi /etc/ssh/sshd_config加入如下代码: Match User noduleChrootDirectory /dataForceCommand internal-sftpAllowTcpForwarding noX11Forwarding no
重启ssh服务
sudo systemctl restart ssh
增加监控脚本,用户处理上传后的文件,修改文件权限或文件夹权限,配置不可下载不可删除
#!/bin/bash set -uWATCH_ROOT="/data/sftp/upload/incoming" LOG="/var/log/sftp_recursive_watch.log"# ====================== # 基础检查 # ====================== if ! command -v inotifywait >/dev/null 2>&1; thenecho "inotifywait not found" >&2exit 1 fiif [ ! -d "$WATCH_ROOT" ]; thenecho "WATCH_ROOT not exist: $WATCH_ROOT" >&2exit 1 fi# ====================== # 文件保护逻辑 # ====================== protect_file() {local FILE="$1"[ -f "$FILE" ] || return 0chmod 200 "$FILE" 2>/dev/nullchattr +a "$FILE" 2>/dev/nullecho "$(date '+%F %T') protected file $FILE" >> "$LOG" }# 扫描目录内已有文件 scan_dir_files() {local DIR="$1"find "$DIR" -type f -print0 | while IFS= read -r -d '' f; doprotect_file "$f"done }# ====================== # 监听函数(关键) # ====================== watch_dir() {local DIR="$1"echo "$(date '+%F %T') watching $DIR" >> "$LOG"inotifywait -m \-e create \-e moved_to \-e close_write \--format '%e %f' \"$DIR" 2>>"$LOG" | \while read -r EVENT FILE; dolocal FULL="$DIR/$FILE"# 新目录if [[ "$EVENT" =~ CREATE|MOVED_TO ]] && [ -d "$FULL" ]; thenecho "$(date '+%F %T') new dir $FULL" >> "$LOG"# 先扫一遍已有文件scan_dir_files "$FULL"# 再监听该目录(后台)watch_dir "$FULL" &continuefi# 普通文件if [ -f "$FULL" ]; thensleep 0.2protect_file "$FULL"fidone }# ====================== # 启动流程 # ======================echo "========== watcher start $(date '+%F %T') ==========" >> "$LOG"# 启动前兜底扫描 scan_dir_files "$WATCH_ROOT"# ⚠️ 关键修复点: # 不再使用 find | while(22.04 会产生子 shell) # 使用 process substitution,保证 watcher 不被回收 while IFS= read -r d; dowatch_dir "$d" & done < <(find "$WATCH_ROOT" -type d)echo "$(date '+%F %T') all watchers started" >> "$LOG"# 阻塞主进程(必须) wait
后台执行脚本如下:
sudo nohup bash run01.sh > run01.log 2>&1 &
查找run01进程
wx@wx:~$ ls run01.sh wx@wx:~$ sudo nohup bash run01.sh > run01.log 2>&1 & [1] 2951 wx@wx:~$ ps aux | grep run01 root 2951 0.0 0.1 11496 5656 pts/0 S 10:07 0:00 sudo nohup bash run01.sh root 2952 0.0 0.0 11496 880 pts/3 Ss+ 10:07 0:00 sudo nohup bash run01.sh root 2953 0.0 0.0 7628 3896 pts/3 S 10:07 0:00 bash run01.sh root 2959 0.0 0.0 7368 1892 pts/3 S 10:07 0:00 bash run01.sh root 2963 0.0 0.0 7368 304 pts/3 S 10:07 0:00 bash run01.sh wx 2966 0.0 0.0 6476 2352 pts/0 S+ 10:08 0:00 grep --color=auto run01 wx@wx:~$
sftp 客户端连接测试
wx@wx-VivoBook-ASUSLaptop-X415EA-V4200EA:~/桌面$ ls 001.txt test3 test4 wx@wx-VivoBook-ASUSLaptop-X415EA-V4200EA:~/桌面$ sftp nodule@192.168.166.129 nodule@192.168.166.129's password: Connected to 192.168.166.129. sftp> pwd Remote working directory: / sftp> ls upload sftp> cd upload/ sftp> put 001.txt Uploading 001.txt to /upload/001.txt 001.txt 100% 4 1.3KB/s 00:00 sftp> put -r test* Uploading test3/ to /upload/test3 Entering test3/ 001.txt 100% 4 4.8KB/s 00:00 002.txt 100% 4 5.6KB/s 00:00 003.txt 100% 4 6.6KB/s 00:00 Uploading test4/ to /upload/test4 Entering test4/ 001.txt 100% 4 7.3KB/s 00:00 002.txt 100% 4 7.8KB/s 00:00 003.txt 100% 4 27.3KB/s 00:00 sftp> ls -l --w------- 1 1001 1001 4 Jan 28 10:08 001.txt drwxrwxr-x 2 1001 1001 4096 Jan 28 10:08 test3 drwxrwxr-x 2 1001 1001 4096 Jan 28 10:08 test4 sftp> get 001.txt Fetching /upload/001.txt to 001.txt remote open "/upload/001.txt": Permission denied sftp> get -r test3 Fetching /upload/test3/ to test3 Retrieving /upload/test3 remote open "/upload/test3/003.txt": Permission denied Download of file /upload/test3/003.txt to test3/003.txt failed remote open "/upload/test3/002.txt": Permission denied Download of file /upload/test3/002.txt to test3/002.txt failed remote open "/upload/test3/001.txt": Permission denied Download of file /upload/test3/001.txt to test3/001.txt failed sftp> get -r test4 Fetching /upload/test4/ to test4 Retrieving /upload/test4 remote open "/upload/test4/003.txt": Permission denied Download of file /upload/test4/003.txt to test4/003.txt failed remote open "/upload/test4/002.txt": Permission denied Download of file /upload/test4/002.txt to test4/002.txt failed remote open "/upload/test4/001.txt": Permission denied Download of file /upload/test4/001.txt to test4/001.txt failed sftp> rm 001.txt Removing /upload/001.txt remote delete /upload/001.txt: Permission denied sftp> rm test3 Removing /upload/test3 remote delete /upload/test3: Failure sftp> rm test3/ 001.txt 002.txt 003.txt sftp> rm test3/001.txt Removing /upload/test3/001.txt remote delete /upload/test3/001.txt: Permission denied sftp> rm test4/00 001.txt 002.txt 003.txt sftp> rm test4/001.txt Removing /upload/test4/001.txt remote delete /upload/test4/001.txt: Permission denied sftp>
结果
put上传文件,上传文件夹均成功,get 下载文件和文件夹均失败,rm删除文件夹文件,均失败。
上传后的文件权限检查如下:
wx@wx:~$ sudo ls -l /data/upload/ total 12 --w------- 1 nodule nodule 4 Jan 28 10:08 001.txt drwxrwxr-x 2 nodule nodule 4096 Jan 28 10:08 test3 drwxrwxr-x 2 nodule nodule 4096 Jan 28 10:08 test4 wx@wx:~$ sudo ls -l /data/upload/test3 total 12 --w------- 1 nodule nodule 4 Jan 28 10:08 001.txt --w------- 1 nodule nodule 4 Jan 28 10:08 002.txt --w------- 1 nodule nodule 4 Jan 28 10:08 003.txt wx@wx:~$ sudo ls -l /data/upload/test4 total 12 --w------- 1 nodule nodule 4 Jan 28 10:08 001.txt --w------- 1 nodule nodule 4 Jan 28 10:08 002.txt --w------- 1 nodule nodule 4 Jan 28 10:08 003.txt wx@wx:~$ sudo lsattr /data/upload/ --------------e------- /data/upload/test3 --------------e------- /data/upload/test4 -----a--------e------- /data/upload/001.txt wx@wx:~$ sudo lsattr /data/upload/test3 -----a--------e------- /data/upload/test3/003.txt -----a--------e------- /data/upload/test3/002.txt -----a--------e------- /data/upload/test3/001.txt wx@wx:~$ sudo lsattr /data/upload/test4 -----a--------e------- /data/upload/test4/003.txt -----a--------e------- /data/upload/test4/002.txt -----a--------e------- /data/upload/test4/001.txt wx@wx:~$