{"id":4902,"date":"2025-10-09T22:40:21","date_gmt":"2025-10-09T14:40:21","guid":{"rendered":"https:\/\/dasmz.com\/?p=4902"},"modified":"2025-10-10T00:20:20","modified_gmt":"2025-10-09T16:20:20","slug":"debian-ubuntu%e7%b3%bb%e7%bb%9f%e4%b8%8b%ef%bc%8c%e9%85%8d%e7%bd%ae%e5%b9%b6%e4%bd%bf%e7%94%a8sftp%ef%bc%8c%e5%88%86%e7%94%a8%e6%88%b7%e5%88%86%e7%9b%ae%e5%bd%95","status":"publish","type":"post","link":"https:\/\/dasmz.com\/?p=4902","title":{"rendered":"Debian\/Ubuntu\u7cfb\u7edf\u4e0b\uff0c\u914d\u7f6e\u5e76\u4f7f\u7528SFTP\uff0c\u5206\u7528\u6237\u5206\u76ee\u5f55"},"content":{"rendered":"\n

\u524d\u7f00\u3001\u6587\u6863\u4fee\u6539\u8bb0\u5f55<\/strong><\/p>\n\n\n\n

20251009 \u521d\u59cb\u5316\u7f16\u8f91\u6b64\u6587\u7ae0\uff0c\u5b8c\u7a3f<\/pre>\n\n\n\n
\u7ae0\u82821\u3001\u9700\u6c42\u63cf\u8ff0<\/strong><\/p>\n\n\n\n
Debian\/Ubuntu\u7684Linux\u7cfb\u7edf\u5185\uff0cSFTP\u6743\u9650\u5206\u914d\u95ee\u9898\uff0c\u7528\u6237user1 \u53ef\u4ee5\u8bbf\u95ee \/data\/user1 \u8def\u5f84\u548c \/data\/share\u8def\u5f84\uff0c \u7528\u6237user2\u53ef\u4ee5\u8bbf\u95ee\/data\/user2\u548c\/data\/share\u8def\u5f84\uff0c\u8fd9\u6837\uff0c\u6bcf\u4e2a\u7528\u6237\u53ef\u4ee5\u62e5\u6709\u81ea\u5df1\u72ec\u7acb\u7684\u5b58\u50a8\u76ee\u5f55\uff0c\u4e5f\u53ef\u4ee5\u6709\u5171\u4eab\u7684\u76ee\u5f55\u8bbf\u95ee\u6743\u9650<\/p>\n\n\n\n
\u7ae0\u82822\u3001\u73af\u5883\u63cf\u8ff0<\/p>\n\n\n\n
\u4eca\u65e5\u7684\u6d4b\u8bd5\u73af\u5883 Debian 12\u76841\u53f0Linux\u670d\u52a1\u5668\uff0c\u4f5c\u4e3a\u6587\u4ef6\u670d\u52a1\u5668\uff0c\/data\u76ee\u5f55\u6709\u505a\u5b8c\u8f6fRAID\u540e\u7684500GB\u7a7a\u95f4\uff0c\u57fa\u672c\u4e0d\u6015\u4e22\u5931\u6587\u4ef6\u7684\u54e6\u3002<\/p>\n\n\n\n
\u5178\u578b\u7684 SFTP \u7528\u6237\u76ee\u5f55\u6743\u9650\u9694\u79bb + \u5171\u4eab\u76ee\u5f55\u6743\u9650\u8bbe\u8ba1<\/p>\n\n\n\n
user1 \u53ea\u80fd\u8bbf\u95ee \/data\/user1 \u548c \/data\/share\nuser2 \u53ea\u80fd\u8bbf\u95ee \/data\/user2 \u548c \/data\/share\n\u4e24\u4e2a\u7528\u6237\u4e92\u76f8\u4e0d\u80fd\u8bbf\u95ee\u5bf9\u65b9\u7684\u79c1\u6709\u76ee\u5f55\n\/data\/share \u4e3a\u516c\u5171\u5171\u4eab\u76ee\u5f55\uff08\u6743\u9650\uff1a\u53ef\u8bfb\u5199\uff09<\/pre>\n\n\n\n
\u6700\u5b89\u5168\u548c\u63a8\u8350\u7684\u65b9\u6cd5\u662f\u4f7f\u7528 sshd_config \u914d\u7f6e SFTP Chroot Jail\uff0c\u7136\u540e\u5229\u7528 Bind Mount \u6765\u6302\u8f7d\u5171\u4eab\u76ee\u5f55\u3002\n\n\u7528 Chroot \u9650\u5236 SFTP \u7528\u6237\u7684\u6839\u76ee\u5f55\uff1b\n\u7528\u7ec4\uff08group\uff09\u63a7\u5236\u5171\u4eab\u76ee\u5f55\u8bbf\u95ee\uff1b\n\u8c03\u6574\u76ee\u5f55\u6743\u9650\uff08chmod \/ chown\uff09\uff1b\n\u4fee\u6539 SSH \u914d\u7f6e\u6765\u9650\u5b9a SFTP \u884c\u4e3a\u3002<\/pre>\n\n\n\n
\u7ae0\u82823\u3001\u914d\u7f6e\u8fc7\u7a0b\uff0c\u72ec\u4eab\u76ee\u5f55+\u5171\u4eab\u76ee\u5f55\uff08\u53ef\u8bfb\u5199\uff09<\/p>\n\n\n\n
\/\/ \u521b\u5efa Chroot \u6839\u76ee\u5f55\uff0c\u521b\u5efa\u7528\u6237\u5b9e\u9645\u6570\u636e\u76ee\u5f55\uff0c\u8bbe\u7f6e chroot \u76ee\u5f55\u6743\u9650\uff08\u5fc5\u987b\u7531 root \u62e5\u6709\u4e14\u4e0d\u53ef\u5199\uff09<\/p>\n\n\n\n
mkdir -p \/sftp\/user1\nmkdir -p \/sftp\/user2\n\nmkdir -p \/data\/user1\nmkdir -p \/data\/user2\nmkdir -p \/data\/share\n\nchown root:root \/sftp\/user1 \/sftp\/user2\nchmod 755 \/sftp\/user1 \/sftp\/user2<\/pre>\n\n\n\n
\u914d\u7f6e sshd\uff0c\u5b9e\u73b0 chroot jail\uff0c\u7f16\u8f91 SSH \u914d\u7f6e\u6587\u4ef6 \/etc\/ssh\/sshd_config \uff0c \u6ce8\u91ca\u6389\u9ed8\u8ba4\u7684 Subsystem \u884c\uff0c\u4f7f\u8be5\u884c\u8bed\u6cd5\u5931\u6548\u3002<\/p>\n\n\n\n
# Subsystem sftp \/usr\/lib\/openssh\/sftp-server<\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u79fb\u52a8\u5230\u6587\u4ef6\u672b\u5c3e\uff0c\u589e\u52a0\u76f8\u5173\u914d\u7f6e\uff0c\u589e\u52a0sftp\u7528\u6237\u7ec4sftp_users\u7684\u914d\u7f6e\uff0c\u7981\u6b62\u767b\u5f55\u7cfb\u7edf\uff0c\u4ec5\u5141\u8bb8sftp<\/p>\n\n\n\n
# \u4f7f\u7528\u5185\u90e8 sftp-server \u5b9e\u73b0 Chroot \u529f\u80fd\nSubsystem sftp internal-sftp\n\n# \u4e3a SFTP \u7528\u6237\u5b9a\u4e49\u5339\u914d\u7ec4\nMatch Group sftp_users\n    # \u5f3a\u5236\u4f7f\u7528 internal-sftp\n    ForceCommand internal-sftp\n    # \u7981\u6b62 TTY \u548c X11 \u8f6c\u53d1\n    PermitTTY no\n    X11Forwarding no\n    # \u8bbe\u7f6e Chroot \u6839\u76ee\u5f55\uff0c%h \u4f1a\u88ab\u66ff\u6362\u4e3a\u7528\u6237\u7684\u4e3b\u76ee\u5f55\n    ChrootDirectory %h\n    # \u5141\u8bb8\u7528\u6237\u7684\u4e3b\u76ee\u5f55\u5185\u6709\u8bfb\u5199\u6743\u9650\n    AllowTcpForwarding no<\/pre>\n\n\n\n
\u6ce8\u91ca\uff1a\u8fd9\u91cc\u7684 %h \u662f\u4e00\u4e2a\u53d8\u91cf\uff0c\u5b83\u5c06\u4f7f\u7528 \/etc\/passwd \u4e2d\u5b9a\u4e49\u7684\u7528\u6237\u4e3b\u76ee\u5f55\uff08Home Directory\uff09<\/em><\/p>\n\n\n\n
\u7ee7\u7eed\u914d\u7f6e\uff0c\u5728\u7cfb\u7edf\u91cc\u589e\u52a0\u7528\u6237\u7684\u7ec4\uff0c\u521b\u5efa\u4e0d\u540c\u7528\u6237\u5e76\u8bbe\u7f6e\u4e3b\u76ee\u5f55\u548c\u7ec4<\/p>\n\n\n\n
groupadd sftp_users\n\nuseradd -m -d \/sftp\/user1 -s \/sbin\/nologin -g sftp_users user1\npasswd user1\n\nuseradd -m -d \/sftp\/user2 -s \/sbin\/nologin -g sftp_users user2\npasswd user2\n\nchown user1:sftp_users \/data\/user1\nchown user2:sftp_users \/data\/user2\nchmod 700 \/data\/user1\nchmod 700 \/data\/user2\n\nchown root:sftp_users \/data\/share\nchmod 770 \/data\/share\n\n<\/pre>\n\n\n\n
\u6ce8\u91ca\uff1a\u7528\u6237\u7684 Home \u76ee\u5f55\u5fc5\u987b\u8bbe\u7f6e\u4e3a Chroot Jail \u7684\u6839\u76ee\u5f55<\/em><\/p>\n\n\n\n
\u53c2\u6570 -m: \u521b\u5efa\u7528\u6237\u4e3b\u76ee\u5f55\uff08\u5373 \/sftp\/user1\uff09<\/em><\/p>\n\n\n\n
\u53c2\u6570 -d \/sftp\/user1: \u6307\u5b9a\u4e3b\u76ee\u5f55\u4e3a Chroot \u6839\u76ee\u5f55<\/em><\/p>\n\n\n\n
\u53c2\u6570 -s \/sbin\/nologin: \u7981\u6b62\u7528\u6237\u901a\u8fc7 SSH \u767b\u5f55 Shell\uff0c\u53ea\u80fd\u8fdb\u884c SFTP<\/em><\/p>\n\n\n\n
\u8bbe\u7f6e Bind Mount \u6302\u8f7d\u70b9\uff0c\u5728\u6bcf\u4e2a\u7528\u6237\u7684 Chroot \u6839\u76ee\u5f55\u4e0b\u521b\u5efa\u6302\u8f7d\u70b9\uff08\u76ee\u6807\u76ee\u5f55\uff09\uff0c\u5c06\u5b9e\u9645\u6570\u636e\u76ee\u5f55\u6302\u8f7d\u5230 Chroot \u5185\u90e8\u7684\u5165\u53e3<\/p>\n\n\n\n
mkdir \/sftp\/user1\/user1_files\nmkdir \/sftp\/user1\/share\n\nmount --bind \/data\/user1 \/sftp\/user1\/user1_files\nmount --bind \/data\/share \/sftp\/user1\/share\n\nmkdir \/sftp\/user2\/user2_files\nmkdir \/sftp\/user2\/share\n\nmount --bind \/data\/user2 \/sftp\/user2\/user2_files\nmount --bind \/data\/share \/sftp\/user2\/share<\/pre>\n\n\n\n
\u7f16\u8f91 \/etc\/fstab \u6587\u4ef6\uff0c\u4f7f\u6302\u8f7d\u5728\u7cfb\u7edf\u91cd\u542f\u540e\u4ecd\u7136\u751f\u6548\uff0c\u7f16\u8f91\/etc\/fstab \u4e2d\u6dfb\u52a0\u4ee5\u4e0b\u56db\u884c<\/p>\n\n\n\n
\/data\/user1      \/sftp\/user1\/user1_files  none bind 0 0\n\/data\/share      \/sftp\/user1\/share        none bind 0 0\n\n\/data\/user2      \/sftp\/user2\/user2_files  none bind 0 0\n\/data\/share      \/sftp\/user2\/share        none bind 0 0<\/pre>\n\n\n\n
\u8bbe\u7f6e\u76ee\u5f55\u6743\u9650\uff0c\u9700\u8981\u786e\u4fdd\u7528\u6237\u5bf9\u5b9e\u9645\u6570\u636e\u76ee\u5f55<\/strong>\u6709\u6b63\u786e\u7684\u8bfb\u5199\u6743\u9650\uff0c\u8bbe\u7f6e\u7528\u6237\u79c1\u6709\u76ee\u5f55\u7684\u6743\u9650<\/p>\n\n\n\n
chown user1:user1 \/data\/user1\nchmod 700 \/data\/user1\n\nchown user2:user2 \/data\/user2\nchmod 700 \/data\/user2<\/pre>\n\n\n\n
\u8bbe\u7f6e\u5171\u4eab\u76ee\u5f55\u7684\u6743\u9650<\/p>\n\n\n\n
groupadd sftp_users\nusermod -aG sftp_users user1\nusermod -aG sftp_users user2\n\n# \u8bbe\u7f6e \/data\/share \u76ee\u5f55\nchown root:sftp_users \/data\/share\nchmod 770 \/data\/share <\/pre>\n\n\n\n
\u91cd\u542f\u670d\u52a1\u5e76\u6d4b\u8bd5<\/p>\n\n\n\n
systemctl restart sshd<\/pre>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
\u6ce8\u91ca\uff1a\u7528\u6237\u767b\u5f55\u540e\uff0c\u5176 SFTP \u6839\u76ee\u5f55\u5c31\u662f \/sftp\/userN<\/code>\uff0c\u4ed6\u4eec\u5c06\u53ea\u80fd\u770b\u5230 userN_files<\/code> \u548c share<\/code> \u76ee\u5f55<\/em><\/p>\n\n\n\n
\u7ae0\u82824\u3001\u914d\u7f6e\u8fc7\u7a0b\uff0c\u589e\u52a0\u53ea\u8bfb\u7684\u5171\u4eab\u76ee\u5f55<\/p>\n\n\n\n
\u53ea\u8bfb\u5171\u4eab\u76ee\u5f55 \/data\/iso<\/code> \uff0c \u91cc\u9762\u653e\u7684\u4e00\u4e9biso\u6587\u4ef6\uff0c\u8fd9\u4e2a\u4e00\u822c\u7528\u6237\uff0c\u53ea\u8bfb\u5373\u53ef\u3002<\/p>\n\n\n\n
\u521b\u5efa\u76ee\u5f55\uff0c\u5e76\u8bbe\u7f6e\u6743\u9650\uff1a<\/strong> \u8bbe\u7f6e\u5b83\u4e3a root<\/code> \u62e5\u6709\u4e14\u4e0d\u53ef\u5199\u3002<\/p>\n\n\n\n
mkdir -p \/data\/iso\n\nchown root:sftp_users \/data\/iso\nchmod 750 \/data\/iso                  # \u786e\u4fdd\u6240\u6709\u7528\u6237\u53ef\u8bfb\u3001\u53ef\u6267\u884c\uff08\u8fdb\u5165\u76ee\u5f55\uff09<\/pre>\n\n\n\n
\u5728 Chroot \u5185\u90e8\u521b\u5efa\u6302\u8f7d\u70b9<\/p>\n\n\n\n
mkdir \/sftp\/user1\/iso_ro\nmkdir \/sftp\/user2\/iso_ro<\/pre>\n\n\n\n
\u6267\u884c\u53ea\u8bfb Bind Mount<\/p>\n\n\n\n
systemctl daemon-reload\nmount --bind \/data\/iso \/sftp\/user1\/iso_ro -o ro\nmount --bind \/data\/iso \/sftp\/user2\/iso_ro -o ro<\/pre>\n\n\n\n
\u6301\u4e45\u5316 Bind Mount\uff08\u7cfb\u7edf\u91cd\u542f\u540e\u4ecd\u7136\u751f\u6548\uff09\uff0c\u7f16\u8f91 \/etc\/fstab \u6587\u4ef6\uff0c\u6dfb\u52a0\u4ee5\u4e0b\u4e24\u884c<\/p>\n\n\n\n
\/data\/iso      \/sftp\/user1\/iso_ro       none bind,ro 0 0\n\/data\/iso      \/sftp\/user2\/iso_ro       none bind,ro 0 0<\/pre>\n\n\n\n
\u6ce8\u91ca\uff1abind,ro<\/code> \u786e\u4fdd\u4e86\u6302\u8f7d\u7684\u6301\u4e45\u6027\u548c\u53ea\u8bfb\u5c5e\u6027<\/em><\/p>\n\n\n\n
\u603b\u7ed3\uff1a<\/p>\n\n\n\n
\u79c1\u6709\u76ee\u5f55 (\/data\/user1, \/data\/user2)\uff1a\u901a\u8fc7 chown \u548c chmod 700 \u5b9e\u73b0\u72ec\u5360\u8bfb\u5199\u3002\n\n\u5171\u4eab\u76ee\u5f55 (\/data\/share)\uff1a\u901a\u8fc7 sftp_share \u7ec4\u548c chmod 2770 \u5b9e\u73b0\u7ec4\u5185\u8bfb\u5199\u3002\n\n\u53ea\u8bfb\u76ee\u5f55 (\/data\/iso)\uff1a\u901a\u8fc7 mount --bind -o ro \u5b9e\u73b0\u53ea\u8bfb\u8bbf\u95ee\u3002<\/pre>\n\n\n\n
\u9644\u5f551\u3001\u89c6\u9891\u64cd\u4f5c\u6f14\u793a<\/strong><\/p>\n\n\n\n
\u9644\u5f552\u3001@Dasmz<\/strong><\/p>\n\n\n\n
\u535a\u5ba2\u5185\uff0c\u6240\u6709\u6559\u7a0b\u4e3a\u624b\u6253\u539f\u521b\u6559\u7a0b\uff0c\u5982\u679c\u6280\u672f\u6559\u7a0b\u5bf9\u60a8\u6709\u6240\u5e2e\u52a9\uff0c\u6b22\u8fce\u6253\u8d4f\u4f5c\u8005\u3002\u6280\u672f\u5c42\u9762\uff0c\u95fb\u9053\u6709\u5148\u540e\uff0c\u5982\u6709\u758f\u6f0f\u3001\u9519\u8bef\uff0c\u6b22\u8fce\u6307\u6b63\u3002\u6280\u672f\u535a\u5ba2\u7684\u5185\u5bb9\uff0c\u4e00\u822c\u5177\u6709\u4e00\u5b9a\u7684\u73af\u5883\u4f9d\u8d56\uff0c\u5177\u6709\u4e00\u5b9a\u7684\u5e74\u4ee3\u4f9d\u8d56\uff0c\u914c\u60c5\u53c2\u8003\u5176\u4e2d\u7684\u5185\u5bb9\uff0c\u8bf7\u52ff\u5b8c\u5168\u7167\u642c\u7167\u6284\u3002<\/p>\n\n\n\n
\u5bf9\u4e8e\u535a\u5ba2\u5185\u5df2\u63d0\u53ca\u7684\u4e13\u4e1a\u77e5\u8bc6\uff0c\u5982\u679c\u9700\u8981\u6280\u672f\u6307\u5bfc\uff0c\u6b22\u8fce\u8054\u7cfb\u6211\uff0c\u4ec5\u9700\u652f\u4ed8\u5de5\u65f6\u8d39<\/p>\n\n\n\n
Twitter: Dasmz<\/a><\/p>\n\n\n\n
Youtube: @DasmzStudio<\/a><\/p>\n\n\n\n
Telegram: @Dasmz<\/a><\/p>\n\n\n
\n
\"Donate\"
\u4e91\u4e5e\u8ba8<\/figcaption><\/figure><\/div>","protected":false},"excerpt":{"rendered":"
\u524d\u7f00\u3001\u6587\u6863\u4fee\u6539\u8bb0\u5f55 20251009 \u521d\u59cb\u5316\u7f16\u8f91\u6b64\u6587\u7ae0\uff0c\u5b8c\u7a3f \u7ae0\u82821\u3001\u9700\u6c42\u63cf\u8ff0 Debian\/Ubuntu\u7684L […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/dasmz.com\/index.php?rest_route=\/wp\/v2\/posts\/4902"}],"collection":[{"href":"https:\/\/dasmz.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dasmz.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dasmz.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dasmz.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4902"}],"version-history":[{"count":32,"href":"https:\/\/dasmz.com\/index.php?rest_route=\/wp\/v2\/posts\/4902\/revisions"}],"predecessor-version":[{"id":4957,"href":"https:\/\/dasmz.com\/index.php?rest_route=\/wp\/v2\/posts\/4902\/revisions\/4957"}],"wp:attachment":[{"href":"https:\/\/dasmz.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4902"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dasmz.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4902"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dasmz.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4902"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}