vsftpd.conf.5 34 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058
  1. .TH VSFTPD.CONF 5
  2. .SH NAME
  3. vsftpd.conf \- config file for vsftpd
  4. .SH DESCRIPTION
  5. vsftpd.conf may be used to control various aspects of vsftpd's behaviour. By
  6. default, vsftpd looks for this file at the location
  7. .BR /etc/vsftpd.conf .
  8. However, you may override this by specifying a command line argument to
  9. vsftpd. The command line argument is the pathname of the configuration file
  10. for vsftpd. This behaviour is useful because you may wish to use an advanced
  11. inetd such as
  12. .BR xinetd
  13. to launch vsftpd with different configuration files on a per virtual host
  14. basis.
  15. .SH FORMAT
  16. The format of vsftpd.conf is very simple. Each line is either a comment or
  17. a directive. Comment lines start with a # and are ignored. A directive line
  18. has the format:
  19. option=value
  20. It is important to note that it is an error to put any space between the
  21. option, = and value.
  22. Each setting has a compiled in default which may be modified in the
  23. configuration file.
  24. .SH BOOLEAN OPTIONS
  25. Below is a list of boolean options. The value for a boolean option may be set
  26. to
  27. .BR YES
  28. or
  29. .BR NO .
  30. .TP
  31. .B allow_anon_ssl
  32. Only applies if
  33. .BR ssl_enable
  34. is active. If set to YES, anonymous users will be allowed to use secured SSL
  35. connections.
  36. Default: NO
  37. .TP
  38. .B anon_mkdir_write_enable
  39. If set to YES, anonymous users will be permitted to create new directories
  40. under certain conditions. For this to work, the option
  41. .BR write_enable
  42. must be activated, and the anonymous ftp user must have write permission on
  43. the parent directory.
  44. Default: NO
  45. .TP
  46. .B anon_other_write_enable
  47. If set to YES, anonymous users will be permitted to perform write operations
  48. other than upload and create directory, such as deletion and renaming. This
  49. is generally not recommended but included for completeness.
  50. Default: NO
  51. .TP
  52. .B anon_upload_enable
  53. If set to YES, anonymous users will be permitted to upload files under certain
  54. conditions. For this to work, the option
  55. .BR write_enable
  56. must be activated, and the anonymous ftp user must have write permission on
  57. desired upload locations. This setting is also required for virtual users to
  58. upload; by default, virtual users are treated with anonymous (i.e. maximally
  59. restricted) privilege.
  60. Default: NO
  61. .TP
  62. .B anon_world_readable_only
  63. When enabled, anonymous users will only be allowed to download files which
  64. are world readable. This is recognising that the ftp user may own files,
  65. especially in the presence of uploads.
  66. Default: YES
  67. .TP
  68. .B anonymous_enable
  69. Controls whether anonymous logins are permitted or not. If enabled,
  70. both the usernames
  71. .BR ftp
  72. and
  73. .BR anonymous
  74. are recognised as anonymous logins.
  75. Default: YES
  76. .TP
  77. .B ascii_download_enable
  78. When enabled, ASCII mode data transfers will be honoured on downloads.
  79. Default: NO
  80. .TP
  81. .B ascii_upload_enable
  82. When enabled, ASCII mode data transfers will be honoured on uploads.
  83. Default: NO
  84. .TP
  85. .B async_abor_enable
  86. When enabled, a special FTP command known as "async ABOR" will be enabled.
  87. Only ill advised FTP clients will use this feature. Additionally, this feature
  88. is awkward to handle, so it is disabled by default. Unfortunately, some FTP
  89. clients will hang when cancelling a transfer unless this feature is available,
  90. so you may wish to enable it.
  91. Default: NO
  92. .TP
  93. .B background
  94. When enabled, and vsftpd is started in "listen" mode, vsftpd will background
  95. the listener process. i.e. control will immediately be returned to the shell
  96. which launched vsftpd.
  97. Default: NO
  98. .TP
  99. .B check_shell
  100. Note! This option only has an effect for non-PAM builds of vsftpd. If disabled,
  101. vsftpd will not check /etc/shells for a valid user shell for local logins.
  102. Default: YES
  103. .TP
  104. .B chmod_enable
  105. When enabled, allows use of the SITE CHMOD command. NOTE! This only applies
  106. to local users. Anonymous users never get to use SITE CHMOD.
  107. Default: YES
  108. .TP
  109. .B chown_uploads
  110. If enabled, all anonymously uploaded files will have the ownership changed
  111. to the user specified in the setting
  112. .BR chown_username .
  113. This is useful from an administrative, and perhaps security, standpoint.
  114. Default: NO
  115. .TP
  116. .B chroot_list_enable
  117. If activated, you may provide a list of local users who are placed in a
  118. chroot() jail in their home directory upon login. The meaning is slightly
  119. different if chroot_local_user is set to YES. In this case, the list becomes
  120. a list of users which are NOT to be placed in a chroot() jail.
  121. By default, the file containing this list is
  122. /etc/vsftpd.chroot_list, but you may override this with the
  123. .BR chroot_list_file
  124. setting.
  125. Default: NO
  126. .TP
  127. .B chroot_local_user
  128. If set to YES, local users will be (by default) placed in a chroot() jail in
  129. their home directory after login.
  130. .BR Warning:
  131. This option has security implications, especially if the users have upload
  132. permission, or shell access. Only enable if you know what you are doing.
  133. Note that these security implications are not vsftpd specific. They apply to
  134. all FTP daemons which offer to put local users in chroot() jails.
  135. Default: NO
  136. .TP
  137. .B connect_from_port_20
  138. This controls whether PORT style data connections use port 20 (ftp-data) on
  139. the server machine. For security reasons, some clients may insist that this
  140. is the case. Conversely, disabling this option enables vsftpd to run with
  141. slightly less privilege.
  142. Default: NO (but the sample config file enables it)
  143. .TP
  144. .B debug_ssl
  145. If true, OpenSSL connection diagnostics are dumped to the vsftpd log file.
  146. (Added in v2.0.6).
  147. Default: NO
  148. .TP
  149. .B delete_failed_uploads
  150. If true, any failed upload files are deleted. (Added in v2.0.7).
  151. Default: NO
  152. .TP
  153. .B deny_email_enable
  154. If activated, you may provide a list of anonymous password e-mail responses
  155. which cause login to be denied. By default, the file containing this list is
  156. /etc/vsftpd.banned_emails, but you may override this with the
  157. .BR banned_email_file
  158. setting.
  159. Default: NO
  160. .TP
  161. .B dirlist_enable
  162. If set to NO, all directory list commands will give permission denied.
  163. Default: YES
  164. .TP
  165. .B dirmessage_enable
  166. If enabled, users of the FTP server can be shown messages when they first
  167. enter a new directory. By default, a directory is scanned for the
  168. file .message, but that may be overridden with the configuration setting
  169. .BR message_file .
  170. Default: NO (but the sample config file enables it)
  171. .TP
  172. .B download_enable
  173. If set to NO, all download requests will give permission denied.
  174. Default: YES
  175. .TP
  176. .B dual_log_enable
  177. If enabled, two log files are generated in parallel, going by default to
  178. .BR /var/log/xferlog
  179. and
  180. .BR /var/log/vsftpd.log .
  181. The former is a wu-ftpd style transfer log, parseable by standard tools. The
  182. latter is vsftpd's own style log.
  183. Default: NO
  184. .TP
  185. .B force_dot_files
  186. If activated, files and directories starting with . will be shown in directory
  187. listings even if the "a" flag was not used by the client. This override
  188. excludes the "." and ".." entries.
  189. Default: NO
  190. .TP
  191. .B force_anon_data_ssl
  192. Only applies if
  193. .BR ssl_enable
  194. is activated. If activated, all anonymous logins are forced to use a secure
  195. SSL connection in order to send and receive data on data connections.
  196. Default: NO
  197. .TP
  198. .B force_anon_logins_ssl
  199. Only applies if
  200. .BR ssl_enable
  201. is activated. If activated, all anonymous logins are forced to use a secure
  202. SSL connection in order to send the password.
  203. Default: NO
  204. .TP
  205. .B force_local_data_ssl
  206. Only applies if
  207. .BR ssl_enable
  208. is activated. If activated, all non-anonymous logins are forced to use a secure
  209. SSL connection in order to send and receive data on data connections.
  210. Default: YES
  211. .TP
  212. .B force_local_logins_ssl
  213. Only applies if
  214. .BR ssl_enable
  215. is activated. If activated, all non-anonymous logins are forced to use a secure
  216. SSL connection in order to send the password.
  217. Default: YES
  218. .TP
  219. .B guest_enable
  220. If enabled, all non-anonymous logins are classed as "guest" logins. A guest
  221. login is remapped to the user specified in the
  222. .BR guest_username
  223. setting.
  224. Default: NO
  225. .TP
  226. .B hide_ids
  227. If enabled, all user and group information in directory listings will be
  228. displayed as "ftp".
  229. Default: NO
  230. .TP
  231. .B implicit_ssl
  232. If enabled, an SSL handshake is the first thing expect on all connections
  233. (the FTPS protocol). To support explicit SSL and/or plain text too, a
  234. separate vsftpd listener process should be run.
  235. Default: NO
  236. .TP
  237. .B listen
  238. If enabled, vsftpd will run in standalone mode. This means that vsftpd must
  239. not be run from an inetd of some kind. Instead, the vsftpd executable is
  240. run once directly. vsftpd itself will then take care of listening for and
  241. handling incoming connections.
  242. Default: NO
  243. .TP
  244. .B listen_ipv6
  245. Like the listen parameter, except vsftpd will listen on an IPv6 socket instead
  246. of an IPv4 one. This parameter and the listen parameter are mutually
  247. exclusive.
  248. Default: NO
  249. .TP
  250. .B local_enable
  251. Controls whether local logins are permitted or not. If enabled, normal
  252. user accounts in /etc/passwd (or wherever your PAM config references) may be
  253. used to log in. This must be enable for any non-anonymous login to work,
  254. including virtual users.
  255. Default: NO
  256. .TP
  257. .B lock_upload_files
  258. When enabled, all uploads proceed with a write lock on the upload file. All
  259. downloads proceed with a shared read lock on the download file. WARNING!
  260. Before enabling this, be aware that malicious readers could starve a writer
  261. wanting to e.g. append a file.
  262. Default: YES
  263. .TP
  264. .B log_ftp_protocol
  265. When enabled, all FTP requests and responses are logged, providing the option
  266. xferlog_std_format is not enabled. Useful for debugging.
  267. Default: NO
  268. .TP
  269. .B ls_recurse_enable
  270. When enabled, this setting will allow the use of "ls -R". This is a minor
  271. security risk, because a ls -R at the top level of a large site may consume
  272. a lot of resources.
  273. Default: NO
  274. .TP
  275. .B mdtm_write
  276. When enabled, this setting will allow MDTM to set file modification times
  277. (subject to the usual access checks).
  278. Default: YES
  279. .TP
  280. .B no_anon_password
  281. When enabled, this prevents vsftpd from asking for an anonymous password -
  282. the anonymous user will log straight in.
  283. Default: NO
  284. .TP
  285. .B no_log_lock
  286. When enabled, this prevents vsftpd from taking a file lock when writing to log
  287. files. This option should generally not be enabled. It exists to workaround
  288. operating system bugs such as the Solaris / Veritas filesystem combination
  289. which has been observed to sometimes exhibit hangs trying to lock log files.
  290. Default: NO
  291. .TP
  292. .B one_process_model
  293. If you have a Linux 2.4 kernel, it is possible to use a different security
  294. model which only uses one process per connection. It is a less pure security
  295. model, but gains you performance. You really don't want to enable this unless
  296. you know what you are doing, and your site supports huge numbers of
  297. simultaneously connected users.
  298. Default: NO
  299. .TP
  300. .B passwd_chroot_enable
  301. If enabled, along with
  302. .BR chroot_local_user
  303. , then a chroot() jail location may be specified on a per-user basis. Each
  304. user's jail is derived from their home directory string in /etc/passwd. The
  305. occurrence of /./ in the home directory string denotes that the jail is at that
  306. particular location in the path.
  307. Default: NO
  308. .TP
  309. .B pasv_addr_resolve
  310. Set to YES if you want to use a hostname (as opposed to IP address) in the
  311. .BR pasv_address
  312. option.
  313. Default: NO
  314. .TP
  315. .B pasv_enable
  316. Set to NO if you want to disallow the PASV method of obtaining a data
  317. connection.
  318. Default: YES
  319. .TP
  320. .B pasv_promiscuous
  321. Set to YES if you want to disable the PASV security check that ensures the
  322. data connection originates from the same IP address as the control connection.
  323. Only enable if you know what you are doing! The only legitimate use for this
  324. is in some form of secure tunnelling scheme, or perhaps to facilitate FXP
  325. support.
  326. Default: NO
  327. .TP
  328. .B port_enable
  329. Set to NO if you want to disallow the PORT method of obtaining a data
  330. connection.
  331. Default: YES
  332. .TP
  333. .B port_promiscuous
  334. Set to YES if you want to disable the PORT security check that ensures that
  335. outgoing data connections can only connect to the client. Only enable if
  336. you know what you are doing!
  337. Default: NO
  338. .TP
  339. .B require_cert
  340. If set to yes, all SSL client connections are required to present a client
  341. certificate. The degree of validation applied to this certificate is
  342. controlled by
  343. .BR validate_cert
  344. (Added in v2.0.6).
  345. Default: NO
  346. .TP
  347. .B require_ssl_reuse
  348. If set to yes, all SSL data connections are required to exhibit SSL session
  349. reuse (which proves that they know the same master secret as the control
  350. channel). Although this is a secure default, it may break many FTP clients,
  351. so you may want to disable it. For a discussion of the consequences, see
  352. http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html
  353. (Added in v2.1.0).
  354. Default: YES
  355. .TP
  356. .B run_as_launching_user
  357. Set to YES if you want vsftpd to run as the user which launched vsftpd. This is
  358. useful where root access is not available. MASSIVE WARNING! Do NOT enable this
  359. option unless you totally know what you are doing, as naive use of this option
  360. can create massive security problems. Specifically, vsftpd does not / cannot
  361. use chroot technology to restrict file access when this option is set (even if
  362. launched by root). A poor substitute could be to use a
  363. .BR deny_file
  364. setting such as {/*,*..*}, but the reliability of this cannot compare to
  365. chroot, and should not be relied on.
  366. If using this option, many restrictions on other options
  367. apply. For example, options requiring privilege such as non-anonymous logins,
  368. upload ownership changing, connecting from port 20 and listen ports less than
  369. 1024 are not expected to work. Other options may be impacted.
  370. Default: NO
  371. .TP
  372. .B secure_email_list_enable
  373. Set to YES if you want only a specified list of e-mail passwords for anonymous
  374. logins to be accepted. This is useful as a low-hassle way of restricting
  375. access to low-security content without needing virtual users. When enabled,
  376. anonymous logins are prevented unless the password provided is listed in the
  377. file specified by the
  378. .BR email_password_file
  379. setting. The file format is one password per line, no extra whitespace. The
  380. default filename is /etc/vsftpd.email_passwords.
  381. Default: NO
  382. .TP
  383. .B session_support
  384. This controls whether vsftpd attempts to maintain sessions for logins. If
  385. vsftpd is maintaining sessions, it will try and update utmp and wtmp. It
  386. will also open a pam_session if using PAM to authenticate, and only close
  387. this upon logout. You may wish to disable this if you do not need session
  388. logging, and you wish to give vsftpd more opportunity to run with less
  389. processes and / or less privilege. NOTE - utmp and wtmp support is only
  390. provided with PAM enabled builds.
  391. Default: NO
  392. .TP
  393. .B setproctitle_enable
  394. If enabled, vsftpd will try and show session status information in the system
  395. process listing. In other words, the reported name of the process will change
  396. to reflect what a vsftpd session is doing (idle, downloading etc). You
  397. probably want to leave this off for security purposes.
  398. Default: NO
  399. .TP
  400. .B ssl_enable
  401. If enabled, and vsftpd was compiled against OpenSSL, vsftpd will support secure
  402. connections via SSL. This applies to the control connection (including login)
  403. and also data connections. You'll need a client with SSL support too. NOTE!!
  404. Beware enabling this option. Only enable it if you need it. vsftpd can make no
  405. guarantees about the security of the OpenSSL libraries. By enabling this
  406. option, you are declaring that you trust the security of your installed
  407. OpenSSL library.
  408. Default: NO
  409. .TP
  410. .B ssl_request_cert
  411. If enabled, vsftpd will request (but not necessarily require; see
  412. .BR require_cert) a certificate on incoming SSL connections. Normally this
  413. should not cause any trouble at all, but IBM zOS seems to have issues.
  414. (New in v2.0.7).
  415. Default: YES
  416. .TP
  417. .B ssl_sslv2
  418. Only applies if
  419. .BR ssl_enable
  420. is activated. If enabled, this option will permit SSL v2 protocol connections.
  421. TLS v1 connections are preferred.
  422. Default: NO
  423. .TP
  424. .B ssl_sslv3
  425. Only applies if
  426. .BR ssl_enable
  427. is activated. If enabled, this option will permit SSL v3 protocol connections.
  428. TLS v1 connections are preferred.
  429. Default: NO
  430. .TP
  431. .B ssl_tlsv1
  432. Only applies if
  433. .BR ssl_enable
  434. is activated. If enabled, this option will permit TLS v1 protocol connections.
  435. TLS v1 connections are preferred.
  436. Default: YES
  437. .TP
  438. .B strict_ssl_read_eof
  439. If enabled, SSL data uploads are required to terminate via SSL, not an
  440. EOF on the socket. This option is required to be sure that an attacker did
  441. not terminate an upload prematurely with a faked TCP FIN. Unfortunately, it
  442. is not enabled by default because so few clients get it right. (New in v2.0.7).
  443. Default: NO
  444. .TP
  445. .B strict_ssl_write_shutdown
  446. If enabled, SSL data downloads are required to terminate via SSL, not an
  447. EOF on the socket. This is off by default as I was unable to find a single
  448. FTP client that does this. It is minor. All it affects is our ability to tell
  449. whether the client confirmed full receipt of the file. Even without this option,
  450. the client is able to check the integrity of the download. (New in v2.0.7).
  451. Default: NO
  452. .TP
  453. .B syslog_enable
  454. If enabled, then any log output which would have gone to /var/log/vsftpd.log
  455. goes to the system log instead. Logging is done under the FTPD facility.
  456. Default: NO
  457. .TP
  458. .B tcp_wrappers
  459. If enabled, and vsftpd was compiled with tcp_wrappers support, incoming
  460. connections will be fed through tcp_wrappers access control. Furthermore,
  461. there is a mechanism for per-IP based configuration. If tcp_wrappers sets
  462. the VSFTPD_LOAD_CONF environment variable, then the vsftpd session will try
  463. and load the vsftpd configuration file specified in this variable.
  464. Default: NO
  465. .TP
  466. .B text_userdb_names
  467. By default, numeric IDs are shown in the user and group fields of directory
  468. listings. You can get textual names by enabling this parameter. It is off
  469. by default for performance reasons.
  470. Default: NO
  471. .TP
  472. .B tilde_user_enable
  473. If enabled, vsftpd will try and resolve pathnames such as ~chris/pics, i.e. a
  474. tilde followed by a username. Note that vsftpd will always resolve the
  475. pathnames ~ and ~/something (in this case the ~ resolves to the initial
  476. login directory). Note that ~user paths will only resolve if the file
  477. .BR /etc/passwd
  478. may be found within the _current_ chroot() jail.
  479. Default: NO
  480. .TP
  481. .B use_localtime
  482. If enabled, vsftpd will display directory listings with the time in your
  483. local time zone. The default is to display GMT. The times returned by the
  484. MDTM FTP command are also affected by this option.
  485. Default: NO
  486. .TP
  487. .B use_sendfile
  488. An internal setting used for testing the relative benefit of using the
  489. sendfile() system call on your platform.
  490. Default: YES
  491. .TP
  492. .B userlist_deny
  493. This option is examined if
  494. .B userlist_enable
  495. is activated. If you set this setting to NO, then users will be denied login
  496. unless they are explicitly listed in the file specified by
  497. .BR userlist_file .
  498. When login is denied, the denial is issued before the user is asked for a
  499. password.
  500. Default: YES
  501. .TP
  502. .B userlist_enable
  503. If enabled, vsftpd will load a list of usernames, from the filename given by
  504. .BR userlist_file .
  505. If a user tries to log in using a name in this file, they will be denied
  506. before they are asked for a password. This may be useful in preventing
  507. cleartext passwords being transmitted. See also
  508. .BR userlist_deny .
  509. Default: NO
  510. .TP
  511. .B validate_cert
  512. If set to yes, all SSL client certificates received must validate OK.
  513. Self-signed certs do not constitute OK validation. (New in v2.0.6).
  514. Default: NO
  515. .TP
  516. .B virtual_use_local_privs
  517. If enabled, virtual users will use the same privileges as local users. By
  518. default, virtual users will use the same privileges as anonymous users, which
  519. tends to be more restrictive (especially in terms of write access).
  520. Default: NO
  521. .TP
  522. .B write_enable
  523. This controls whether any FTP commands which change the filesystem are allowed
  524. or not. These commands are: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE.
  525. Default: NO
  526. .TP
  527. .B xferlog_enable
  528. If enabled, a log file will be maintained detailling uploads and downloads.
  529. By default, this file will be placed at /var/log/vsftpd.log, but this location
  530. may be overridden using the configuration setting
  531. .BR vsftpd_log_file .
  532. Default: NO (but the sample config file enables it)
  533. .TP
  534. .B xferlog_std_format
  535. If enabled, the transfer log file will be written in standard xferlog format,
  536. as used by wu-ftpd. This is useful because you can reuse existing transfer
  537. statistics generators. The default format is more readable, however. The
  538. default location for this style of log file is /var/log/xferlog, but you may
  539. change it with the setting
  540. .BR xferlog_file .
  541. Default: NO
  542. .SH NUMERIC OPTIONS
  543. Below is a list of numeric options. A numeric option must be set to a non
  544. negative integer. Octal numbers are supported, for convenience of the umask
  545. options. To specify an octal number, use 0 as the first digit of the number.
  546. .TP
  547. .B accept_timeout
  548. The timeout, in seconds, for a remote client to establish connection with
  549. a PASV style data connection.
  550. Default: 60
  551. .TP
  552. .B anon_max_rate
  553. The maximum data transfer rate permitted, in bytes per second, for anonymous
  554. clients.
  555. Default: 0 (unlimited)
  556. .TP
  557. .B anon_umask
  558. The value that the umask for file creation is set to for anonymous users. NOTE! If you want to specify octal values, remember the "0" prefix otherwise the
  559. value will be treated as a base 10 integer!
  560. Default: 077
  561. .TP
  562. .B chown_upload_mode
  563. The file mode to force for chown()ed anonymous uploads. (Added in v2.0.6).
  564. Default: 0600
  565. .TP
  566. .B connect_timeout
  567. The timeout, in seconds, for a remote client to respond to our PORT style
  568. data connection.
  569. Default: 60
  570. .TP
  571. .B data_connection_timeout
  572. The timeout, in seconds, which is roughly the maximum time we permit data
  573. transfers to stall for with no progress. If the timeout triggers, the remote
  574. client is kicked off.
  575. Default: 300
  576. .TP
  577. .B delay_failed_login
  578. The number of seconds to pause prior to reporting a failed login.
  579. Default: 1
  580. .TP
  581. .B delay_successful_login
  582. The number of seconds to pause prior to allowing a successful login.
  583. Default: 0
  584. .TP
  585. .B file_open_mode
  586. The permissions with which uploaded files are created. Umasks are applied
  587. on top of this value. You may wish to change to 0777 if you want uploaded
  588. files to be executable.
  589. Default: 0666
  590. .TP
  591. .B ftp_data_port
  592. The port from which PORT style connections originate (as long as the poorly
  593. named
  594. .BR connect_from_port_20
  595. is enabled).
  596. Default: 20
  597. .TP
  598. .B idle_session_timeout
  599. The timeout, in seconds, which is the maximum time a remote client may spend
  600. between FTP commands. If the timeout triggers, the remote client is kicked
  601. off.
  602. Default: 300
  603. .TP
  604. .B listen_port
  605. If vsftpd is in standalone mode, this is the port it will listen on for
  606. incoming FTP connections.
  607. Default: 21
  608. .TP
  609. .B local_max_rate
  610. The maximum data transfer rate permitted, in bytes per second, for local
  611. authenticated users.
  612. Default: 0 (unlimited)
  613. .TP
  614. .B local_umask
  615. The value that the umask for file creation is set to for local users. NOTE! If
  616. you want to specify octal values, remember the "0" prefix otherwise the value
  617. will be treated as a base 10 integer!
  618. Default: 077
  619. .TP
  620. .B max_clients
  621. If vsftpd is in standalone mode, this is the maximum number of clients which
  622. may be connected. Any additional clients connecting will get an error message.
  623. Default: 0 (unlimited)
  624. .TP
  625. .B max_login_fails
  626. After this many login failures, the session is killed.
  627. Default: 3
  628. .TP
  629. .B max_per_ip
  630. If vsftpd is in standalone mode, this is the maximum number of clients which
  631. may be connected from the same source internet address. A client will get an
  632. error message if they go over this limit.
  633. Default: 0 (unlimited)
  634. .TP
  635. .B pasv_max_port
  636. The maximum port to allocate for PASV style data connections. Can be used to
  637. specify a narrow port range to assist firewalling.
  638. Default: 0 (use any port)
  639. .TP
  640. .B pasv_min_port
  641. The minimum port to allocate for PASV style data connections. Can be used to
  642. specify a narrow port range to assist firewalling.
  643. Default: 0 (use any port)
  644. .TP
  645. .B trans_chunk_size
  646. You probably don't want to change this, but try setting it to something like
  647. 8192 for a much smoother bandwidth limiter.
  648. Default: 0 (let vsftpd pick a sensible setting)
  649. .SH STRING OPTIONS
  650. Below is a list of string options.
  651. .TP
  652. .B anon_root
  653. This option represents a directory which vsftpd will try to change into
  654. after an anonymous login. Failure is silently ignored.
  655. Default: (none)
  656. .TP
  657. .B banned_email_file
  658. This option is the name of a file containing a list of anonymous e-mail
  659. passwords which are not permitted. This file is consulted if the option
  660. .BR deny_email_enable
  661. is enabled.
  662. Default: /etc/vsftpd.banned_emails
  663. .TP
  664. .B banner_file
  665. This option is the name of a file containing text to display when someone
  666. connects to the server. If set, it overrides the banner string provided by
  667. the
  668. .BR ftpd_banner
  669. option.
  670. Default: (none)
  671. .TP
  672. .B ca_certs_file
  673. This option is the name of a file to load Certificate Authority certs from, for
  674. the purpose of validating client certs. The loaded certs are also advertised
  675. to the client, to cater for TLSv1.0 clients such as the z/OS FTP client.
  676. Regrettably, the default SSL CA cert
  677. paths are not used, because of vsftpd's use of restricted filesystem spaces
  678. (chroot). (Added in v2.0.6).
  679. Default: (none)
  680. .TP
  681. .B chown_username
  682. This is the name of the user who is given ownership of anonymously uploaded
  683. files. This option is only relevant if another option,
  684. .BR chown_uploads ,
  685. is set.
  686. Default: root
  687. .TP
  688. .B chroot_list_file
  689. The option is the name of a file containing a list of local users which
  690. will be placed in a chroot() jail in their home directory. This option is
  691. only relevant if the option
  692. .BR chroot_list_enable
  693. is enabled. If the option
  694. .BR chroot_local_user
  695. is enabled, then the list file becomes a list of users to NOT place in a
  696. chroot() jail.
  697. Default: /etc/vsftpd.chroot_list
  698. .TP
  699. .B cmds_allowed
  700. This options specifies a comma separated list of allowed FTP commands (post
  701. login. USER, PASS and QUIT and others are always allowed pre-login). Other
  702. commands are rejected. This is a powerful method of really locking down an
  703. FTP server. Example: cmds_allowed=PASV,RETR,QUIT
  704. Default: (none)
  705. .TP
  706. .B cmds_denied
  707. This options specifies a comma separated list of denied FTP commands (post
  708. login. USER, PASS, QUIT and others are always allowed pre-login). If a command
  709. appears on both this and
  710. .BR cmds_allowed
  711. then the denial takes precedence. (Added in v2.1.0).
  712. Default: (none)
  713. .TP
  714. .B deny_file
  715. This option can be used to set a pattern for filenames (and directory names
  716. etc.) which should not be accessible in any way. The affected items are not
  717. hidden, but any attempt to do anything to them (download, change into
  718. directory, affect something within directory etc.) will be denied. This option
  719. is very simple, and should not be used for serious access control - the
  720. filesystem's permissions should be used in preference. However, this option
  721. may be useful in certain virtual user setups. In particular aware that if
  722. a filename is accessible by a variety of names (perhaps due to symbolic
  723. links or hard links), then care must be taken to deny access to all the names.
  724. Access will be denied to items if their name contains the string given by
  725. hide_file, or if they match the regular expression specified by hide_file.
  726. Note that vsftpd's regular expression matching code is a simple implementation
  727. which is a subset of full regular expression functionality. Because of this,
  728. you will need to carefully and exhaustively test any application of this
  729. option. And you are recommended to use filesystem permissions for any
  730. important security policies due to their greater reliability. Supported
  731. regex syntax is any number of *, ? and unnested {,} operators. Regex
  732. matching is only supported on the last component of a path, e.g. a/b/? is
  733. supported but a/?/c is not.
  734. Example: deny_file={*.mp3,*.mov,.private}
  735. Default: (none)
  736. .TP
  737. .B dsa_cert_file
  738. This option specifies the location of the DSA certificate to use for SSL
  739. encrypted connections.
  740. Default: (none - an RSA certificate suffices)
  741. .TP
  742. .B dsa_private_key_file
  743. This option specifies the location of the DSA private key to use for SSL
  744. encrypted connections. If this option is not set, the private key is expected
  745. to be in the same file as the certificate.
  746. Default: (none)
  747. .TP
  748. .B email_password_file
  749. This option can be used to provide an alternate file for usage by the
  750. .BR secure_email_list_enable
  751. setting.
  752. Default: /etc/vsftpd.email_passwords
  753. .TP
  754. .B ftp_username
  755. This is the name of the user we use for handling anonymous FTP. The home
  756. directory of this user is the root of the anonymous FTP area.
  757. Default: ftp
  758. .TP
  759. .B ftpd_banner
  760. This string option allows you to override the greeting banner displayed
  761. by vsftpd when a connection first comes in.
  762. Default: (none - default vsftpd banner is displayed)
  763. .TP
  764. .B guest_username
  765. See the boolean setting
  766. .BR guest_enable
  767. for a description of what constitutes a guest login. This setting is the
  768. real username which guest users are mapped to.
  769. Default: ftp
  770. .TP
  771. .B hide_file
  772. This option can be used to set a pattern for filenames (and directory names
  773. etc.) which should be hidden from directory listings. Despite being hidden,
  774. the files / directories etc. are fully accessible to clients who know what
  775. names to actually use. Items will be hidden if their names contain the string
  776. given by hide_file, or if they match the regular expression specified by
  777. hide_file. Note that vsftpd's regular expression matching code is a simple
  778. implementation which is a subset of full regular expression functionality.
  779. See
  780. .BR deny_file
  781. for details of exactly what regex syntax is supported.
  782. Example: hide_file={*.mp3,.hidden,hide*,h?}
  783. Default: (none)
  784. .TP
  785. .B listen_address
  786. If vsftpd is in standalone mode, the default listen address (of all local
  787. interfaces) may be overridden by this setting. Provide a numeric IP address.
  788. Default: (none)
  789. .TP
  790. .B listen_address6
  791. Like listen_address, but specifies a default listen address for the IPv6
  792. listener (which is used if listen_ipv6 is set). Format is standard IPv6
  793. address format.
  794. Default: (none)
  795. .TP
  796. .B local_root
  797. This option represents a directory which vsftpd will try to change into
  798. after a local (i.e. non-anonymous) login. Failure is silently ignored.
  799. Default: (none)
  800. .TP
  801. .B message_file
  802. This option is the name of the file we look for when a new directory is
  803. entered. The contents are displayed to the remote user. This option is
  804. only relevant if the option
  805. .BR dirmessage_enable
  806. is enabled.
  807. Default: .message
  808. .TP
  809. .B nopriv_user
  810. This is the name of the user that is used by vsftpd when it wants to be
  811. totally unprivileged. Note that this should be a dedicated user, rather
  812. than nobody. The user nobody tends to be used for rather a lot of important
  813. things on most machines.
  814. Default: nobody
  815. .TP
  816. .B pam_service_name
  817. This string is the name of the PAM service vsftpd will use.
  818. Default: ftp
  819. .TP
  820. .B pasv_address
  821. Use this option to override the IP address that vsftpd will advertise in
  822. response to the PASV command. Provide a numeric IP address, unless
  823. .BR pasv_addr_resolve
  824. is enabled, in which case you can provide a hostname which will be DNS
  825. resolved for you at startup.
  826. Default: (none - the address is taken from the incoming connected socket)
  827. .TP
  828. .B rsa_cert_file
  829. This option specifies the location of the RSA certificate to use for SSL
  830. encrypted connections.
  831. Default: /usr/share/ssl/certs/vsftpd.pem
  832. .TP
  833. .B rsa_private_key_file
  834. This option specifies the location of the RSA private key to use for SSL
  835. encrypted connections. If this option is not set, the private key is expected
  836. to be in the same file as the certificate.
  837. Default: (none)
  838. .TP
  839. .B secure_chroot_dir
  840. This option should be the name of a directory which is empty. Also, the
  841. directory should not be writable by the ftp user. This directory is used
  842. as a secure chroot() jail at times vsftpd does not require filesystem access.
  843. Default: /usr/share/empty
  844. .TP
  845. .B ssl_ciphers
  846. This option can be used to select which SSL ciphers vsftpd will allow for
  847. encrypted SSL connections. See the
  848. .BR ciphers
  849. man page for further details. Note that restricting ciphers can be a useful
  850. security precaution as it prevents malicious remote parties forcing a cipher
  851. which they have found problems with.
  852. Default: DES-CBC3-SHA
  853. .TP
  854. .B user_config_dir
  855. This powerful option allows the override of any config option specified in
  856. the manual page, on a per-user basis. Usage is simple, and is best illustrated
  857. with an example. If you set
  858. .BR user_config_dir
  859. to be
  860. .BR /etc/vsftpd_user_conf
  861. and then log on as the user "chris", then vsftpd will apply the settings in
  862. the file
  863. .BR /etc/vsftpd_user_conf/chris
  864. for the duration of the session. The format of this file is as detailed in
  865. this manual page! PLEASE NOTE that not all settings are effective on a
  866. per-user basis. For example, many settings only prior to the user's session
  867. being started. Examples of settings which will not affect any behviour on
  868. a per-user basis include listen_address, banner_file, max_per_ip, max_clients,
  869. xferlog_file, etc.
  870. Default: (none)
  871. .TP
  872. .B user_sub_token
  873. This option is useful is conjunction with virtual users. It is used to
  874. automatically generate a home directory for each virtual user, based on a
  875. template. For example, if the home directory of the real user specified via
  876. .BR guest_username
  877. is
  878. .BR /home/virtual/$USER ,
  879. and
  880. .BR user_sub_token
  881. is set to
  882. .BR $USER ,
  883. then when virtual user fred logs in, he will end up (usually chroot()'ed) in
  884. the directory
  885. .BR /home/virtual/fred .
  886. This option also takes affect if
  887. .BR local_root
  888. contains
  889. .BR user_sub_token .
  890. Default: (none)
  891. .TP
  892. .B userlist_file
  893. This option is the name of the file loaded when the
  894. .BR userlist_enable
  895. option is active.
  896. Default: /etc/vsftpd.user_list
  897. .TP
  898. .B vsftpd_log_file
  899. This option is the name of the file to which we write the vsftpd style
  900. log file. This log is only written if the option
  901. .BR xferlog_enable
  902. is set, and
  903. .BR xferlog_std_format
  904. is NOT set. Alternatively, it is written if you have set the option
  905. .BR dual_log_enable .
  906. One further complication - if you have set
  907. .BR syslog_enable ,
  908. then this file is not written and output is sent to the system log instead.
  909. Default: /var/log/vsftpd.log
  910. .TP
  911. .B xferlog_file
  912. This option is the name of the file to which we write the wu-ftpd style
  913. transfer log. The transfer log is only written if the option
  914. .BR xferlog_enable
  915. is set, along with
  916. .BR xferlog_std_format .
  917. Alternatively, it is written if you have set the option
  918. .BR dual_log_enable .
  919. Default: /var/log/xferlog
  920. .SH AUTHOR
  921. scarybeasts@gmail.com