Documentation for a newer release is available. View Latest

Servidores de Arquivo e Impressão

Este capítulo o orienta através da instalação e configuração do Samba, uma implementação de código aberto do Server Message Block (SMB) e protocolo common Internet File System (CIFS), e vsftpd , o servidor FTP primário fornecido com Fedora. Além disso, explica como usar a ferramenta Impressora para configurar impressoras.

Samba

A documentação para configurar e usar o Samba foi removida por estar desatualizada. Utilize o Red Hat Enterprise Linux 9 Samba documentation em seu lugar.

FTP

O File Transfer Protocol (FTP) é um dos protocolos mais antigos e comumente usados encontrados na Internet hoje. Seu propósito é transferir arquivos de forma confiável entre computadores em uma rede sem exigir que o usuário faça login diretamente no host remoto ou tenha conhecimento de como usar o sistema remoto. Ele permite que os usuários acessem arquivos em sistemas remotos usando um conjunto padrão de comandos simples.

Essa seção estrutura o básico sobre o protocolo 'FTP', assim como as opções de configuração para o servidor 'FTP' primário entregue com Fedora, vsftpd.

O Protoclo de Transferência de Arquivos

No entanto, por causa do 'FTP' ser tão presente na Internet, normalmente é necessário para compartilhar arquivos com o público. Administradores de sistema, devem estar ciente das características únicas do protocolo 'FTP'.

Multiple Ports, Multiple Modes

Unlike most protocols used on the Internet, FTP requires multiple network ports to work properly. When an FTP client application initiates a connection to an FTP server, it opens port 21 on the server — known as the command port. This port is used to issue all commands to the server. Any data requested from the server is returned to the client via a data port. The port number for data connections, and the way in which data connections are initialized, vary depending upon whether the client requests the data in active or passive mode.

Os seguintes definem esses modos:

modo ativo

Modo ativo é o método original usado pelo protocolo 'FTP' para transferência de dados para a aplicação cliente. Quando um modo de transferência de dados é inicializado pelo cliente 'FTP, o servidor começa uma conexão a partir da porta 20 no servidor para o endereço 'IP' e a uma porta não privilegiada (maior que 1024) especificada pelo cliente. Esse acordo significa que a máquina cliente permite a conexão sobre a porta 1024. Com esse crescimento na insegurança nas redes, assim como na Internet, o uso de uma firewall para proteger as máquinas cliente se tornou algo primordial. Por causa dos firewall cliente frequentemente nega conexões provindas do modo ativo do servidor 'FTP', o modo passivo foi inventado.

modo passivo

Modo passivo, assim como o modo ativo, é inicializado pela aplicação cliente 'FTP'. Quando se esta solicitando dados a partir do servidor, o cliente 'FTP' indica que precisa acessar os dados em modo passivo e o servidor prover o endereço 'IP' e uma porta não privilegiada randômica (maior que 1024) no servidor. O cliente então conecta com a porta no servidor para baixar a informação solicitada.

Enquanto o modo passivo resolve problemas de interferência com conexão de dados com o firewall cliente, isso pode complicar a administração do firewall servidor. Você pode reduzir o numero de portas abertas em um servidor limitando a quantidade de portas não privilegiadas no servidor 'FTP'. Isso também pode simplificar a configuração de regras do firewall para o servidor. Veja Network Options para mais informações sobre limitação de portas passivas.

Servidores FTP

Fedora enviados com dois diferentes servidores 'FTP':

  • proftpd - É um servidor FTP altamente configurável, rápido e estável.

  • vsftpd — Uma daemon 'FTP' rápida, seguro que é preferível em servidor 'FTP' para Fedora. O restante dessa seção é focada no vsftpd.

vsftpd

The Very Secure FTP Daemon (vsftpd) is designed from the ground up to be fast, stable, and, most importantly, secure. vsftpd is the only stand-alone FTP server distributed with Fedora, due to its ability to handle large numbers of connections efficiently and securely.

O modelo de segurança utilizado pelo vsftpd possui três aspectos primários:

  • Grande separação de processos privilegiados e não privilegiados — Processos separados lidam com diferentes tarefas, e cada um desses processos executam com os privilégios mínimos requeridos para a tarefa.

  • Tarefas que requerem privilégios elevados são lidados por processos com os privilégios mínimos necessários — Pelo aproveitamento da compatibilidade encontrada na biblioteca 'libcap', tarefas que normalmente requerem privilégio 'root' podem ser executadas mais seguramente do que processos menos privilegiados.

  • Muitos processos executa no chroot jail — Sempre que possível, processos são alterados na raiz do diretório que está sendo compartilhado; esse diretório é então considerado um chroot jail. Por exemplo, se o diretório /var/ftp/ é o diretório primário sendo compartilhado, vsftpd reatribui /var/ftp/ para um novo diretório raiz, conhecido como /. Isso anula qualquer atividade hacker potencialmente malicioso em qualquer diretório não estando contido abaixo do novo diretório raiz.

Use essas práticas de segura que possuem os seguintes efeitos de como vsftpd lida com as requisições:

  • O processo pai executa com os privilégios mínimos requeridos — O processo pai dinamicamente calcula o nível de privilégios requeridos para minimizar o nível de risco. Processos filhos lidam diretamente interagindo com os clientes 'FTP' e executa o mais próximo possível com não privilegiados.

  • Todas as operações que requerem privilégio elevado são lidados por uma processo pai pequeno — Assim como Servidor Apache 'HTTP', vsftpd introduzindo processos filhos não privilegiados para lidar com conexões recebidas. Isso permite que processos pais privilegiados, o menos possível lide com tarefas relativamente pequenas.

  • Todos os requisitos dos processos filhos não privilegiados são não confiáveis pelo processos pai* — Comunicações com os processos filhos são recebidos sobre um soquete, e a validade de qualquer informação dos processos filhos é checado antes de agir.

  • Maioria das interações com clientes 'FTP' é lidado por processos filhos não privilegiados em chroot jail — Porque esses processos filhos não são privilegiados e somente possui acesso para o diretório que está sendo compartilhado, qualquer processo que falha somente permite que o invasor acesse os dados compartilhados.

Arquivos Instalados com vsftpd

O RPM vsftpd instala a daemon (/usr/sbin/vsftpd), sua configuração e arquivos relacionados, assim como diretórios FTP dentro do sistema. As listas seguintes de arquivos e diretórios relacionados a configuração vsftpd:

  • /etc/rc.d/init.d/vsftpd — The initialization script (initscript) used by the systemctl command to start, stop, or reload vsftpd. See Starting and Stopping vsftpd for more information about using this script.

  • /etc/pam.d/vsftpd — The Pluggable Authentication Modules (PAM) configuration file for vsftpd. This file specifies the requirements a user must meet to login to the FTP server. For more information on PAM, refer to the Using Pluggable Authentication Modules (PAM) chapter of the Fedora 37 Managing Single Sign-On and Smart Cards guide.

  • /etc/vsftpd/vsftpd.conf — O arquivo de configuração para o vsftpd. Veja vsftpd Configuration Options para uma lista de opções importantes contido nesse arquivo.

  • /etc/vsftpd/ftpusers — Uma lista de usuários não permitidos para acesso ao vsftpd Por padrão, essa lista inclui o usuários root, bin, e daemon, dentre outros.

  • /etc/vsftpd/user_list — Esse arquivo pode ser configurado para negar ou permitir o acesso a usuários listados, dependendo de qual userlist_deny diretório é definido YES (default) ou NO em /etc/vsftpd/vsftpd.conf. Se /etc/vsftpd/user_list é usado para garantir o acesso a usuários, o nome de usuário listado deve não aparecer em /etc/vsftpd/ftpusers.

  • /var/ftp/ — O diretório contém arquivos servidos pelo vsftpd. Também contém o diretório /var/ftp/pub/ para usuários anônimos. Ambos diretórios são legíveis a todos, mas escrita somente para o usuário root.

Iniciando e Finalizando vsftpd

O RPM vsftpd instala o script /etc/rc.d/init.d/vsftpd, que pode ser acessado usando o comando systemctl.

Para iniciar o servidor como 'root', digite:

systemctl start vsftpd.service

Para finalizar o servidor como 'root', digite:

systemctl stop vsftpd.service

A opção [option]`restart`é uma maneira rápida de parar e então iniciar o vsftpd. Essa é uma maneira mais eficiente de fazer com que as alterações na configuração tenha efeito após editar o arquivo de configuração vsftpd.

Para reiniciar o servidor como 'root', digite:

systemctl restart vsftpd.service

A opção condrestart (conditional restart) somente começa vsftpd se está atualmente em execução. Essa opção é útil para scripts, porque não inicia a daemon se não está em execução.

Para reiniciar condicionalmente o servidor como 'root', digite:

systemctl condrestart vsftpd.service

By default, the vsftpd service does not start automatically at boot time. To configure the vsftpd service to start at boot time, use a service manager such as systemctl. See Services and Daemons for more information on how to configure services in Fedora.

Configuring the Firewall for FTP

By default, firewalld blocks incoming FTP connections. To allow FTP connections, as root type:

firewall-cmd --add-service=ftp

The change will be applied immediately, but will be lost next time firewalld is reloaded or the system restarted. To make it permanent, type:

firewall-cmd --permanent --add-service=ftp

For more information on configuring firewalld, see the Red Hat Enterprise Linux 7 Security Guide.

Starting Multiple Copies of vsftpd

Sometimes one computer is used to serve multiple FTP domains. This is a technique called multihoming. One way to multihome using vsftpd is by running multiple copies of the daemon, each with its own configuration file.

Para isso, primeiro atribua todos os 'IP' relevantes para os dispositivos de rede ou todos os dispositivos de rede apelidados no sistema. Para mais informações sobre configurar dispositivos de rede, dispositivos apelidados, e informações adicionais sobre scripts de configuração de rede, referência Fedora Networking Guide.

Próximo, o servidor DNS para os domínios 'FTP' precisam ser configurados para enxergar a máquina correta. Para mais informações sobre BIND e seus arquivos de configuração, referência Fedora Networking Guide.

Se há mais configurações presente nos arquivos no diretório /etc/vsftpd, chame systemctl start vsftpd.service resultados em /etc/rc.d/init.d/vsftpd o script init inicializa o mesmo número de processos assim como número de arquivos de configuração. Cada arquivo de configuração deve haver um nome único no diretório /etc/vsftpd/ e deve ser de leitura e escrita somente para 'root'.

vsftpd Opções de Configuração

Although vsftpd may not offer the level of customization other widely available FTP servers have, it offers enough options to fill most administrator’s needs. The fact that it is not overly feature-laden limits configuration and programmatic errors.

Todas as configurações vsftpd são lidados pelo arquivo de configuração, /etc/vsftpd/vsftpd.conf. Cada diretriz esta em cada linha dentro do arquivo e segue o seguinte formato:

directive=value

Para cada diretiva, substitua directive com uma diretiva válida e value com um valor valido.

Não use espaços

Não deve haver nenhum espaço entre directive, símbolo igual, e value na diretriz.

Linhas comentadas podem ser precedidas por uma assinatura hash (#) e são ignorada pela daemon.

Para uma lista completa de todas as diretivas disponíveis, referido na página principal vsftpd.conf.

Protegendo o serviço vsftpd

Para uma visão geral dos modos de proteção do vsftpd, veja o Red Hat Enterprise Linux 7 Security Guide.

Os seguidores são uma lista de alguns das mais importantes diretivas dentro do /etc/vsftpd/vsftpd.conf. Todas as diretivas não explicitamente encontrada or comentada dentro do arquivo de configuração vsftpd's e são definidas como valor padrão.

Daemon Options

The following is a list of directives which control the overall behavior of the vsftpd daemon.

  • listen — Quando ativado, vsftpd executa o modo autônomo. Fedora definindo esse valor para YES. Esse diretivo não pode ser usado em conjunto com a diretiva listen_ipv6.

    O valor padrão é NO.

  • listen_ipv6 — Quando ativado vsftpd executa em modo autônomo, mas escuta somente soquetes IPv6. Para diretivas que não estão sendo usadas em conjunção com a diretiva listen.

    O valor padrão é NO.

  • session_support — When enabled, vsftpd attempts to maintain login sessions for each user through Pluggable Authentication Modules (PAM). For more information, refer to the Using Pluggable Authentication Modules (PAM) chapter of the Red Hat Enterprise Linux 6 Managing Single Sign-On and Smart Cards and the PAM man pages. . If session logging is not necessary, disabling this option allows vsftpd to run with less processes and lower privileges.

    O valor padrão é YES.

Log In Options and Access Controls

The following is a list of directives which control the login behavior and access control mechanisms.

  • anonymous_enable — Quando ativado, usuários anônimos são permitidos de fazer o acesso. Os nomes de usuários anonymous e`ftp` são aceitos.

    O valor padrão é YES.

    Veja Anonymous User Options para uma lista das diretivas que afetam os usuários anônimos.

  • banned_email_file — Se a diretiva deny_email_enable está definida com YES, essa diretiva especifica o arquivo que contém a lista de senhas de email anônimos que não são permitidos acesso ao servidor.

    O valor padrão é /etc/vsftpd/banned_emails.

  • banner_file — Especifica o arquivo que contém o texto exibido quando uma conexão é estabelecida ao servidor. Essa opção substitui qualquer texto especificado na diretiva ftpd_banner.

    Não há um valor padrão para essa diretiva.

  • cmds_allowed — Especifica uma lista delimitada por vírgula de comandos FTP permitidas pelo servidor. Todos os outros comandos são rejeitados.

    Não há um valor padrão para essa diretiva.

  • deny_email_enable — Quando ativado, qualquer usuário anônimo utilizando senhas de e-mail especifica no /etc/vsftpd/banned_emails são negados o acesso ao servidor. O nome do arquivo referenciado por essa diretiva pode ser especificada usando a diretiva banned_email_file.

    O valor padrão é NO.

  • ftpd_banner — Quando ativado, o trecho especificado dentro dessa diretiva é exibida quando uma conexão é estabelecida com o servidor. Essa opção pode ser substituída pela diretiva banner_file.

    Por padrão vsftpd exibe essa faixa padrão.

  • local_enable — Quando ativado, os usuários locais são permitidos de acessar o sistema.

    O valor padrão é YES.

    Veja Local User Options para uma lista de diretivas que afetam os usuários local.

  • pam_service_name — Especifica os nomes de serviço PAM pelo vsftpd.

    O valor padrão é ftp. Nota, em Fedora, o valor é definido pelo vsftpd.

  • O valor padrão é NO. Note, em Fedora, o valor é definido por YES.

  • userlist_deny — Quando usado em conjunção com a diretiva userlist_enable e definida como NO, todos os usuários são negados o acesso a menos que o nome de acesso esteja listado no arquivo especificado pela diretiva userlist_file. Porque o acesso está negado antes que o cliente solicite por uma senha, configuração dessa diretiva para NO evita usuários locais de submeter uma senha não criptografada pela Internet.

    O valor padrão é YES.

  • userlist_enable — Quando ativado, os usuários listados no arquivo especificado pela diretiva userlist_file são negado o acesso. Porque o acesso é negado antes que o cliente seja solicitado por uma senha, evitando que os usuários de submeter uma senha não criptografada pela Internet.

    O valor padrão é NO, no entanto sob Fedora é o valor definido por YES.

  • userlist_file — Especifica o arquivo referenciado pelo vsftpd quando a diretiva userlist_enable está ativada.

    O valor padrão é /etc/vsftpd/user_list e foi criada durante a instalação.

Anonymous User Options

The following lists directives which control anonymous user access to the server. To use these options, the anonymous_enable directive must be set to YES.

  • anon_mkdir_write_enable — Quando ativado em conjunção com a diretiva write_enable, usuários anônimos são permitidos de criar novos diretórios dentro de um diretório pai com permissões de escrita.

    O valor padrão é NO.

  • anon_root — Specifies the directory vsftpd changes to after an anonymous user logs in.

    Não há um valor padrão para essa diretiva.

  • anon_upload_enable — Quando ativado em conjunção com a diretiva write_enable, usuários anônimos são permitidos de carregar arquivos dentro de um diretório pai com permissões de escrita.

    O valor padrão é NO.

  • anon_world_readable_only — Quando ativado, usuários anônimos são permitidos somente de baixar arquivos de leitura.

    O valor padrão é YES.

  • ftp_username — Specifies the local user account (listed in /etc/passwd) used for the anonymous FTP user. The home directory specified in /etc/passwd for the user is the root directory of the anonymous FTP user.

    O valor padrão é ftp.

  • no_anon_password — Quando ativado, usuários anônimos não são solicitado por uma senha.

    O valor padrão é NO.

  • secure_email_list_enable — When enabled, only a specified list of email passwords for anonymous logins are accepted. This is a convenient way to offer limited security to public content without the need for virtual users.

    Anonymous logins are prevented unless the password provided is listed in /etc/vsftpd/email_passwords. The file format is one password per line, with no trailing white spaces.

    O valor padrão é NO.

Local User Options

The following lists directives which characterize the way local users access the server. To use these options, the local_enable directive must be set to YES.

  • chmod_enable — When enabled, the FTP command SITE CHMOD is allowed for local users. This command allows the users to change the permissions on files.

    O valor padrão é YES.

  • chroot_list_enable — When enabled, the local users listed in the file specified in the chroot_list_file directive are placed in a chroot jail upon log in.

    If enabled in conjunction with the chroot_local_user directive, the local users listed in the file specified in the chroot_list_file directive are not placed in a chroot jail upon log in.

    O valor padrão é NO.

  • chroot_list_file — Specifies the file containing a list of local users referenced when the chroot_list_enable directive is set to YES.

    The default value is /etc/vsftpd/chroot_list.

  • chroot_local_user — When enabled, local users are change-rooted to their home directories after logging in.

    O valor padrão é NO.

    Avoid enabling the chroot_local_user option

    Enabling chroot_local_user opens up a number of security issues, especially for users with upload privileges. For this reason, it is not recommended.

  • guest_enable — When enabled, all non-anonymous users are logged in as the user guest, which is the local user specified in the guest_username directive.

    O valor padrão é NO.

  • guest_username — Specifies the username the guest user is mapped to.

    O valor padrão é ftp.

  • local_root — Specifies the directory vsftpd changes to after a local user logs in.

    Não há um valor padrão para essa diretiva.

  • local_umask — Specifies the umask value for file creation. Note that the default value is in octal form (a numerical system with a base of eight), which includes a “0” prefix. Otherwise the value is treated as a base-10 integer.

    The default value is 022.

  • passwd_chroot_enable — When enabled in conjunction with the chroot_local_user directive, vsftpd change-roots local users based on the occurrence of the /./ in the home directory field within /etc/passwd.

    O valor padrão é NO.

  • user_config_dir — Specifies the path to a directory containing configuration files bearing the name of local system users that contain specific setting for that user. Any directive in the user’s configuration file overrides those found in /etc/vsftpd/vsftpd.conf.

    Não há um valor padrão para essa diretiva.

Directory Options

The following lists directives which affect directories.

  • dirlist_enable — When enabled, users are allowed to view directory lists.

    O valor padrão é YES.

  • dirmessage_enable — When enabled, a message is displayed whenever a user enters a directory with a message file. This message resides within the current directory. The name of this file is specified in the message_file directive and is .message by default.

    O valor padrão é NO. Note, em Fedora, o valor é definido por YES.

  • force_dot_files — When enabled, files beginning with a dot (.) are listed in directory listings, with the exception of the . and .. files.

    O valor padrão é NO.

  • hide_ids — When enabled, all directory listings show ftp as the user and group for each file.

    O valor padrão é NO.

  • message_file — Specifies the name of the message file when using the dirmessage_enable directive.

    The default value is .message.

  • text_userdb_names — When enabled, text usernames and group names are used in place of UID and GID entries. Enabling this option may slow performance of the server.

    O valor padrão é NO.

  • use_localtime — When enabled, directory listings reveal the local time for the computer instead of GMT.

    O valor padrão é NO.

File Transfer Options

The following lists directives which affect directories.

  • download_enable — When enabled, file downloads are permitted.

    O valor padrão é YES.

  • chown_uploads — When enabled, all files uploaded by anonymous users are owned by the user specified in the chown_username directive.

    O valor padrão é NO.

  • chown_username — Specifies the ownership of anonymously uploaded files if the chown_uploads directive is enabled.

    The default value is root.

  • write_enable — When enabled, FTP commands which can change the file system are allowed, such as DELE, RNFR, and STOR.

    O valor padrão é YES.

Logging Options

The following lists directives which affect vsftpd's logging behavior.

  • dual_log_enable — When enabled in conjunction with xferlog_enable, vsftpd writes two files simultaneously: a wu-ftpd-compatible log to the file specified in the xferlog_file directive (/var/log/xferlog by default) and a standard vsftpd log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log by default).

    O valor padrão é NO.

  • log_ftp_protocol — When enabled in conjunction with xferlog_enable and with xferlog_std_format set to NO, all FTP commands and responses are logged. This directive is useful for debugging.

    O valor padrão é NO.

  • syslog_enable — When enabled in conjunction with xferlog_enable, all logging normally written to the standard vsftpd log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log by default) is sent to the system logger instead under the FTPD facility.

    O valor padrão é NO.

  • vsftpd_log_file — Specifies the vsftpd log file. For this file to be used, xferlog_enable must be enabled and xferlog_std_format must either be set to NO or, if xferlog_std_format is set to YES, dual_log_enable must be enabled. It is important to note that if syslog_enable is set to YES, the system log is used instead of the file specified in this directive.

    The default value is /var/log/vsftpd.log.

  • xferlog_enable — When enabled, vsftpd logs connections (vsftpd format only) and file transfer information to the log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log by default). If xferlog_std_format is set to YES, file transfer information is logged but connections are not, and the log file specified in xferlog_file (/var/log/xferlog by default) is used instead. It is important to note that both log files and log formats are used if dual_log_enable is set to YES.

    O valor padrão é NO. Note, em Fedora, o valor é definido por YES.

  • xferlog_file — Specifies the wu-ftpd-compatible log file. For this file to be used, xferlog_enable must be enabled and xferlog_std_format must be set to YES. It is also used if dual_log_enable is set to YES.

    The default value is /var/log/xferlog.

  • xferlog_std_format — When enabled in conjunction with xferlog_enable, only a wu-ftpd-compatible file transfer log is written to the file specified in the xferlog_file directive (/var/log/xferlog by default). It is important to note that this file only logs file transfers and does not log connections to the server.

    O valor padrão é NO. Note, em Fedora, o valor é definido por YES.

Maintaining compatibility with older log file formats

To maintain compatibility with log files written by the older wu-ftpd FTP server, the xferlog_std_format directive is set to YES under Fedora. However, this setting means that connections to the server are not logged.

To both log connections in vsftpd format and maintain a wu-ftpd-compatible file transfer log, set dual_log_enable to YES.

If maintaining a wu-ftpd-compatible file transfer log is not important, either set xferlog_std_format to NO, comment the line with a hash sign (#), or delete the line entirely.

Network Options

The following lists directives which affect how vsftpd interacts with the network.

  • accept_timeout — Specifies the amount of time for a client using passive mode to establish a connection.

    The default value is 60.

  • anon_max_rate — Specifies the maximum data transfer rate for anonymous users in bytes per second.

    The default value is 0, which does not limit the transfer rate.

  • connect_from_port_20 When enabled, vsftpd runs with enough privileges to open port 20 on the server during active mode data transfers. Disabling this option allows vsftpd to run with less privileges, but may be incompatible with some FTP clients.

    O valor padrão é NO. Note, em Fedora, o valor é definido por YES.

  • connect_timeout — Specifies the maximum amount of time a client using active mode has to respond to a data connection, in seconds.

    The default value is 60.

  • data_connection_timeout — Specifies maximum amount of time data transfers are allowed to stall, in seconds. Once triggered, the connection to the remote client is closed.

    The default value is 300.

  • ftp_data_port — Specifies the port used for active data connections when connect_from_port_20 is set to YES.

    The default value is 20.

  • idle_session_timeout — Specifies the maximum amount of time between commands from a remote client. Once triggered, the connection to the remote client is closed.

    The default value is 300.

  • listen_address — Specifies the IP address on which vsftpd listens for network connections.

    Não há um valor padrão para essa diretiva.

    Running multiple copies of vsftpd

    If running multiple copies of vsftpd serving different IP addresses, the configuration file for each copy of the vsftpd daemon must have a different value for this directive. See Starting Multiple Copies of vsftpd for more information about multihomed FTP servers.

  • listen_address6 — Specifies the IPv6 address on which vsftpd listens for network connections when listen_ipv6 is set to YES.

    Não há um valor padrão para essa diretiva.

    Running multiple copies of vsftpd

    If running multiple copies of vsftpd serving different IP addresses, the configuration file for each copy of the vsftpd daemon must have a different value for this directive. See Starting Multiple Copies of vsftpd for more information about multihomed FTP servers.

  • listen_port — Specifies the port on which vsftpd listens for network connections.

    The default value is 21.

  • local_max_rate — Specifies the maximum rate data is transferred for local users logged into the server in bytes per second.

    The default value is 0, which does not limit the transfer rate.

  • max_clients — Specifies the maximum number of simultaneous clients allowed to connect to the server when it is running in standalone mode. Any additional client connections would result in an error message.

    The default value is 0, which does not limit connections.

  • max_per_ip — Specifies the maximum of clients allowed to connected from the same source IP address.

    The default value is 0, which does not limit connections.

  • pasv_address — Specifies the IP address for the public facing IP address of the server for servers behind Network Address Translation (NAT) firewalls. This enables vsftpd to hand out the correct return address for passive mode connections.

    Não há um valor padrão para essa diretiva.

  • pasv_enable — When enabled, passive mode connects are allowed.

    O valor padrão é YES.

  • pasv_max_port — Specifies the highest possible port sent to the FTP clients for passive mode connections. This setting is used to limit the port range so that firewall rules are easier to create.

    The default value is 0, which does not limit the highest passive port range. The value must not exceed 65535.

  • pasv_min_port — Specifies the lowest possible port sent to the FTP clients for passive mode connections. This setting is used to limit the port range so that firewall rules are easier to create.

    The default value is 0, which does not limit the lowest passive port range. The value must not be lower 1024.

  • pasv_promiscuous — When enabled, data connections are not checked to make sure they are originating from the same IP address. This setting is only useful for certain types of tunneling.

    Avoid enabling the pasv_promiscuous option

    Do not enable this option unless absolutely necessary as it disables an important security feature which verifies that passive mode connections originate from the same IP address as the control connection that initiates the data transfer.

    O valor padrão é NO.

  • port_enable — When enabled, active mode connects are allowed.

    O valor padrão é YES.

Recursos adicionais

For more information about vsftpd, refer to the following resources.

Documentação Instalada

  • The /usr/share/doc/vsftpd/ directory — This directory contains a README with basic information about the software. The TUNING file contains basic performance tuning tips and the SECURITY/ directory contains information about the security model employed by vsftpd.

  • vsftpd related man pages — There are a number of man pages for the daemon and configuration files. The following lists some of the more important man pages.

    Server Applications

    • man vsftpd — Describes available command line options for vsftpd.

    Arquivos de Configuração

    • man vsftpd.conf — Contains a detailed list of options available within the configuration file for vsftpd.

    • man 5 hosts_access — Describes the format and options available within the TCP wrappers configuration files: hosts.allow and hosts.deny.

Useful Websites

Configuração de Impressora

The Printers configuration tool serves for printer configuring, maintenance of printer configuration files, print spool directories and print filters, and printer classes management.

A ferramenta é baseada no Sistema Comum de Impressão Unix (CUPS). Se você atualizou o sistema de uma versão anterior do Fedora que usava o CUPS, o processo de atualização preservou as impressoras configuradas.

Using the CUPS web application or command-line tools

You can perform the same and additional operations on printers directly from the CUPS web application or command line. To access the application, in a web browser, go to http://localhost:631/. For CUPS manuals refer to the links on the Home tab of the web site.

Starting the Printers Configuration Tool

With the Printers configuration tool you can perform various operations on existing printers and set up new printers. You can also use CUPS directly (go to http://localhost:631/ to access the CUPS web application).

To start the Printers configuration tool if using the GNOME desktop, press the Super key to enter the Activities Overview, type Printers, and then press Enter. The Printers configuration tool appears. The Super key appears in a variety of guises, depending on the keyboard and other hardware, but often as either the Windows or Command key, and typically to the left of the Spacebar.

The Printers window depicted in Printers Configuration window appears.

Printers Configuration window
Figura 1. Printers Configuration window

Starting Printer Setup

Printer setup process varies depending on the printer queue type.

If you are setting up a local printer connected with USB, the printer is discovered and added automatically. You will be prompted to confirm the packages to be installed and provide an administrator or the root user password. Local printers connected with other port types and network printers need to be set up manually.

Follow this procedure to start a manual printer setup:

  1. Start the Printers configuration tool (refer to Starting the Printers Configuration Tool).

  2. Select Unlock to enable changes to be made. In the Authentication Required box, type an administrator or the root user password and confirm.

  3. Select the plus sign to open the Add a New Printer dialog. Select the printer from the list or enter its address below.

Adding a Local Printer

Follow this procedure to add a local printer connected with other than a serial port:

  1. Open the Add a New Printer dialog (refer to Starting Printer Setup).

  2. If the device does not appear automatically, select the port to which the printer is connected in the list on the left (such as Serial Port #1 or LPT #1).

  3. On the right, enter the connection properties:

    for Enter URI

    URI (for example file:/dev/lp0)

    for Serial Port

    Baud Rate

Parity

Data Bits

Flow Control

Adding a local printer
Figura 2. Adding a local printer

  1. Click Forward.

  2. Select the printer model. See Selecting the Printer Model and Finishing for details.

Adding an AppSocket/HP JetDirect printer

Follow this procedure to add an AppSocket/HP JetDirect printer:

  1. Open the Add a New Printer dialog (refer to Starting the Printers Configuration Tool).

  2. In the list on the left, select Network Printer  AppSocket/HP JetDirect.

  3. On the right, enter the connection settings:

    Hostname

    Printer host name or IP address.

    Port Number

    Printer port listening for print jobs (9100 by default).

Adding a JetDirect Printer
Figura 3. Adding a JetDirect printer

  1. Click Forward.

  2. Select the printer model. See Selecting the Printer Model and Finishing for details.

Adding an IPP Printer

An IPP printer is a printer attached to a different system on the same TCP/IP network. The system this printer is attached to may either be running CUPS or simply configured to use IPP.

If a firewall is enabled on the printer server, then the firewall must be configured to allow incoming TCP connections on port 631. Note that the CUPS browsing protocol allows client machines to discover shared CUPS queues automatically. To enable this, the firewall on the client machine must be configured to allow incoming UDP packets on port 631.

Follow this procedure to add an IPP printer:

  1. Open the Printers dialog (refer to Starting Printer Setup).

  2. In the list of devices on the left, select Network Printer and Internet Printing Protocol (ipp) or Internet Printing Protocol (https).

  3. On the right, enter the connection settings:

    Host

    The host name of the IPP printer.

    Queue

    The queue name to be given to the new queue (if the box is left empty, a name based on the device node will be used).

Networked IPP Printer
Figura 4. Adding an IPP printer

  1. Optionally, click Verify to detect the printer.

  2. Click Forward to continue.

  3. Select the printer model. See Selecting the Printer Model and Finishing for details.

Adding an LPD/LPR Host or Printer

Follow this procedure to add an LPD/LPR host or printer:

  1. Open the New Printer dialog (refer to Starting Printer Setup).

  2. In the list of devices on the left, select Network Printer  LPD/LPR Host or Printer.

  3. On the right, enter the connection settings:

    Host

    The host name of the LPD/LPR printer or host.

Optionally, click Probe to find queues on the LPD host.

Queue

The queue name to be given to the new queue (if the box is left empty, a name based on the device node will be used).

Adding an LPD/LPR Printer
Figura 5. Adding an LPD/LPR printer

  1. Click Forward to continue.

  2. Select the printer model. See Selecting the Printer Model and Finishing for details.

Adding a Samba (SMB) printer

Follow this procedure to add a Samba printer:

Installing the samba-client package

Note that in order to add a Samba printer, you need to have the samba-client package installed. You can do so by running, as root:

dnf install samba-client

For more information on installing packages with DNF, refer to Installing Packages.

  1. Open the New Printer dialog (refer to Starting Printer Setup).

  2. In the list on the left, select Network Printer  Windows Printer via SAMBA.

  3. Enter the SMB address in the smb:// field. Use the format computer name/printer share. In Adding a SMB printer, the computer name is dellbox and the printer share is r2.

SMB Printer
Figura 6. Adding a SMB printer

  1. Click Browse to see the available workgroups/domains. To display only queues of a particular host, type in the host name (NetBios name) and click Browse.

  2. Select either of the options:

    1. Prompt user if authentication is required: user name and password are collected from the user when printing a document.

    2. Set authentication details now: provide authentication information now so it is not required later. In the Username field, enter the user name to access the printer. This user must exist on the SMB system, and the user must have permission to access the printer. The default user name is typically guest for Windows servers, or nobody for Samba servers.

  3. Enter the Password (if required) for the user specified in the Username field.

Be careful when choosing a password

Samba printer user names and passwords are stored in the printer server as unencrypted files readable by root and the Linux Printing Daemon, lpd. Thus, other users that have root access to the printer server can view the user name and password you use to access the Samba printer.

Therefore, when you choose a user name and password to access a Samba printer, it is advisable that you choose a password that is different from what you use to access your local Fedora system.

If there are files shared on the Samba print server, it is recommended that they also use a password different from what is used by the print queue.

  1. Click Verify to test the connection. Upon successful verification, a dialog box appears confirming printer share accessibility.

  2. Click Forward.

  3. Select the printer model. See Selecting the Printer Model and Finishing for details.

Selecting the Printer Model and Finishing

Once you have properly selected a printer connection type, the system attempts to acquire a driver. If the process fails, you can locate or search for the driver resources manually.

Follow this procedure to provide the printer driver and finish the installation:

  1. In the window displayed after the automatic driver detection has failed, select one of the following options:

    1. Select printer from database — the system chooses a driver based on the selected make of your printer from the list of Makes. If your printer model is not listed, choose Generic.

    2. Provide PPD file — the system uses the provided PostScript Printer Description (PPD) file for installation. A PPD file may also be delivered with your printer as being normally provided by the manufacturer. If the PPD file is available, you can choose this option and use the browser bar below the option description to select the PPD file.

    3. Search for a printer driver to download — enter the make and model of your printer into the Make and model field to search on OpenPrinting.org for the appropriate packages.

Selecting a printer brand from the printer database brands.
Figura 7. Selecting a printer brand

  1. Depending on your previous choice provide details in the area displayed below:

    • Printer brand for the Select printer from database option.

    • PPD file location for the Provide PPD file option.

    • Printer make and model for the Search for a printer driver to download option.

  2. Click Forward to continue.

  3. If applicable for your option, window shown in Selecting a printer model appears. Choose the corresponding model in the Models column on the left.

Selecting a printer driver

On the right, the recommended printer driver is automatically selected; however, you can select another available driver. The print driver processes the data that you want to print into a format the printer can understand. Since a local printer is attached directly to your computer, you need a printer driver to process the data that is sent to the printer.
Selecting a Printer Model with a Driver Menu
Figura 8. Selecting a printer model

  1. Click Forward.

  2. Under the Describe Printer enter a unique name for the printer in the Printer Name field. The printer name can contain letters, numbers, dashes (-), and underscores (_); it must not contain any spaces. You can also use the Description and Location fields to add further printer information. Both fields are optional, and may contain spaces.

Printer Setup
Figura 9. Printer setup

  1. Click Apply to confirm your printer configuration and add the print queue if the settings are correct. Click Back to modify the printer configuration.

  2. After the changes are applied, a dialog box appears allowing you to print a test page. Click Print Test Page to print a test page now. Alternatively, you can print a test page later as described in Printing a Test Page.

Printing a Test Page

After you have set up a printer or changed a printer configuration, print a test page to make sure the printer is functioning properly:

  1. Right-click the printer in the Printing window and click Properties.

  2. In the Properties window, click Settings on the left.

  3. On the displayed Settings tab, click the Print Test Page button.

Modifying Existing Printers

To delete an existing printer, in the Printer configuration window, select the printer and go to Printer  Delete. Confirm the printer deletion. Alternatively, press the Delete key.

To set the default printer, right-click the printer in the printer list and click the Set As Default button in the context menu.

The Settings Page

To change printer driver configuration, double-click the corresponding name in the Printer list and click the Settings label on the left to display the Settings page.

You can modify printer settings such as make and model, print a test page, change the device location (URI), and more.

Settings Page
Figura 10. Settings page

The Policies Page

Click the Policies button on the left to change settings in printer state and print output.

You can select the printer states, configure the Error Policy of the printer (you can decide to abort the print job, retry, or stop it if an error occurs).

You can also create a banner page (a page that describes aspects of the print job such as the originating printer, the user name from the which the job originated, and the security status of the document being printed): click the Starting Banner or Ending Banner drop-down menu and choose the option that best describes the nature of the print jobs (for example, confidential).

Sharing Printers

On the Policies page, you can mark a printer as shared: if a printer is shared, users published on the network can use it. To allow the sharing function for printers, go to Server  Settings and select Publish shared printers connected to this system.

Policies Page
Figura 11. Policies page

Make sure that the firewall allows incoming TCP connections to port 631, the port for the Network Printing Server (IPP) protocol. To allow IPP traffic through the firewall on Fedora 37, make use of firewalld's IPP service. To do so, proceed as follows:

Enabling IPP Service in firewalld

  1. To start the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall and then press Enter. The Firewall Configuration window opens. You will be prompted for an administrator or root password.

Alternatively, to start the graphical firewall configuration tool using the command line, enter the following command as root user:

~]# firewall-config

The Firewall Configuration window opens.

Look for the word “Connected” in the lower left corner. This indicates that the firewall-config tool is connected to the user space daemon, firewalld.

To immediately change the current firewall settings, ensure the drop-down selection menu labeled Configuration is set to Runtime. Alternatively, to edit the settings to be applied at the next system start, or firewall reload, select Permanent from the drop-down list.

  1. Select the Zones tab and then select the firewall zone to correspond with the network interface to be used. The default is the public zone. The Interfaces tab shows what interfaces have been assigned to a zone.

  2. Select the Services tab and then select the ipp service to enable sharing. The ipp-client service is required for accessing network printers.

  3. Close the firewall-config tool.

The Access Control Page

You can change user-level access to the configured printer on the Access Control page. Click the Access Control label on the left to display the page. Select either Allow printing for everyone except these users or Deny printing for everyone except these users and define the user set below: enter the user name in the text box and click the Add button to add the user to the user set.

Access Control Page
Figura 12. Access Control page
The Printer Options Page

The Printer Options page contains various configuration options for the printer media and output, and its content may vary from printer to printer. It contains general printing, paper, quality, and printing size settings.

Printer Options Page
Figura 13. Printer Options page
Job Options Page

On the Job Options page, you can detail the printer job options. Click the Job Options label on the left to display the page. Edit the default settings to apply custom job options, such as number of copies, orientation, pages per side, scaling (increase or decrease the size of the printable area, which can be used to fit an oversize print area onto a smaller physical sheet of print medium), detailed text options, and custom job options.

Job Options Page
Figura 14. Job Options page
Ink/Toner Levels Page

The Ink/Toner Levels page contains details on toner status if available and printer status messages. Click the Ink/Toner Levels label on the left to display the page.

Ink/Toner Levels Page
Figura 15. Ink/Toner Levels page

Managing Print Jobs

When you send a print job to the printer daemon, such as printing a text file from Emacs or printing an image from GIMP, the print job is added to the print spool queue. The print spool queue is a list of print jobs that have been sent to the printer and information about each print request, such as the status of the request, the job number, and more.

During the printing process, messages informing about the process appear in the notification area.

GNOME Print Status
Figura 16. GNOME Print Status

To cancel, hold, release, reprint or authenticate a print job, select the job in the GNOME Print Status and on the Job menu, click the respective command.

To view the list of print jobs in the print spool from a shell prompt, type the command lpstat -o. The last few lines look similar to the following:

Exemplo 1. Example of lpstat -o output
$ lpstat -o
Charlie-60              twaugh            1024   Tue 08 Feb 2011 16:42:11 GMT
Aaron-61                twaugh            1024   Tue 08 Feb 2011 16:42:44 GMT
Ben-62                  root              1024   Tue 08 Feb 2011 16:45:42 GMT

If you want to cancel a print job, find the job number of the request with the command lpstat -o and then use the command cancel job number. For example, cancel 60 would cancel the print job in Example of lpstat -o output. You cannot cancel print jobs that were started by other users with the cancel command. However, you can enforce deletion of such job by issuing the cancel -U root job_number command. To prevent such canceling, change the printer operation policy to Authenticated to force root authentication.

You can also print a file directly from a shell prompt. For example, the command lp sample.txt prints the text file sample.txt. The print filter determines what type of file it is and converts it into a format the printer can understand.

Recursos adicionais

To learn more about printing on Fedora, see the following resources.

Documentação Instalada

man lp

The manual page for the lpr command that allows you to print files from the command line.

man cancel

The manual page for the command-line utility to remove print jobs from the print queue.

man mpage

The manual page for the command-line utility to print multiple pages on one sheet of paper.

man cupsd

The manual page for the CUPS printer daemon.

man cupsd.conf

The manual page for the CUPS printer daemon configuration file.

man classes.conf

The manual page for the class configuration file for CUPS.

man lpstat

The manual page for the lpstat command, which displays status information about classes, jobs, and printers.

Useful Websites

https://wiki.linuxfoundation.org/openprinting/start

Open Printing contains a large amount of information about printing in Linux.

https://www.cups.org/

Documentation, FAQs, and newsgroups about CUPS.

Want to help? Learn how to contribute to Fedora Docs