--- /dev/null
+.TH VSFTPD.CONF 5
+.SH NAME
+vsftpd.conf, the config file for vsftpd
+.SH DESCRIPTION
+vsftpd.conf may be used to control various aspects of vsftpd's behaviour. By
+default, vsftpd looks for this file at the location
+.BR /etc/vsftpd.conf .
+However, you may override this by specifying a command line argument to
+vsftpd. The command line argument is the pathname of the configuration file
+for vsftpd. This behaviour is useful because you may wish to use an advanced
+inetd such as
+.BR xinetd
+to launch vsftpd with different configuration files on a per virtual host
+basis.
+
+.SH FORMAT
+The format of vsftpd.conf is very simple. Each line is either a comment or
+a directive. Comment lines start with a # and are ignored. A directive line
+has the format:
+
+option=value
+
+It is important to note that it is an error to put any space between the
+option, = and value.
+
+Each setting has a compiled in default which may be modified in the
+configuration file.
+
+.SH BOOLEAN OPTIONS
+Below is a list of boolean options. The value for a boolean option may be set
+to
+.BR YES
+or
+.BR NO .
+
+.TP
+.B anon_mkdir_write_enable
+If set to YES, anonymous users will be permitted to create new directories
+under certain conditions. For this to work, the option
+.BR write_enable
+must be activated, and the anonymous ftp user must have write permission on
+the parent directory.
+
+Default: NO
+.TP
+.B anon_other_write_enable
+If set to YES, anonymous users will be permitted to perform write operations
+other than upload and create directory, such as deletion and renaming. This
+is generally not recommended but included for completeness.
+
+Default: NO
+.TP
+.B anon_upload_enable
+If set to YES, anonymous users will be permitted to upload files under certain
+conditions. For this to work, the option
+.BR write_enable
+must be activated, and the anonymous ftp user must have write permission on
+desired upload locations.
+
+Default: NO
+.TP
+.B anon_world_readable_only
+When enabled, anonymous users will only be allowed to download files which
+are world readable. This is recognising that the ftp user may own files,
+especially in the presence of uploads.
+
+Default: YES
+.TP
+.B anonymous_enable
+Controls whether anonymous logins are permitted or not. If enabled,
+both the usernames
+.BR ftp
+and
+.BR anonymous
+are recognised as anonymous logins.
+
+Default: YES
+.TP
+.B ascii_download_enable
+When enabled, ASCII mode data transfers will be honoured on downloads.
+
+Default: NO
+.TP
+.B ascii_upload_enable
+When enabled, ASCII mode data transfers will be honoured on uploads.
+
+Default: NO
+.TP
+.B async_abor_enable
+When enabled, a special FTP command known as "async ABOR" will be enabled.
+Only ill advised FTP clients will use this feature. Additionally, this feature
+is awkward to handle, so it is disabled by default. Unfortunately, some FTP
+clients will hang when cancelling a transfer unless this feature is available,
+so you may wish to enable it.
+
+Default: NO
+.TP
+.B background
+When enabled, and vsftpd is started in "listen" mode, vsftpd will background
+the listener process. i.e. control will immediately be returned to the shell
+which launched vsftpd.
+
+Default: NO
+.TP
+.B check_shell
+Note! This option only has an effect for non-PAM builds of vsftpd. If disabled,
+vsftpd will not check /etc/shells for a valid user shell for local logins.
+
+Default: YES
+.TP
+.B chmod_enable
+When enables, allows use of the SITE CHMOD command. NOTE! This only applies
+to local users. Anonymous users never get to use SITE CHMOD.
+
+Default: YES
+.TP
+.B chown_uploads
+If enabled, all anonymously uploaded files will have the ownership changed
+to the user specified in the setting
+.BR chown_username .
+This is useful from an administrative, and perhaps security, standpoint.
+
+Default: NO
+.TP
+.B chroot_list_enable
+If activated, you may provide a list of local users who are placed in a
+chroot() jail in their home directory upon login. The meaning is slightly
+different if chroot_local_user is set to YES. In this case, the list becomes
+a list of users which are NOT to be placed in a chroot() jail.
+By default, the file containing this list is
+/etc/vsftpd.chroot_list, but you may override this with the
+.BR chroot_list_file
+setting.
+
+Default: NO
+.TP
+.B chroot_local_user
+If set to YES, local users will be (by default) placed in a chroot() jail in
+their home directory after login.
+.BR Warning:
+This option has security implications, especially if the users have upload
+permission, or shell access. Only enable if you know what you are doing.
+Note that these security implications are not vsftpd specific. They apply to
+all FTP daemons which offer to put local users in chroot() jails.
+
+Default: NO
+.TP
+.B connect_from_port_20
+This controls whether PORT style data connections use port 20 (ftp-data) on
+the server machine. For security reasons, some clients may insist that this
+is the case. Conversely, disabling this option enables vsftpd to run with
+slightly less privilege.
+
+Default: NO (but the sample config file enables it)
+.TP
+.B deny_email_enable
+If activated, you may provide a list of anonymous password e-mail responses
+which cause login to be denied. By default, the file containing this list is
+/etc/vsftpd.banned_emails, but you may override this with the
+.BR banned_email_file
+setting.
+
+Default: NO
+.TP
+.B dirlist_enable
+If set to NO, all directory list commands will give permission denied.
+
+Default: YES
+.TP
+.B dirmessage_enable
+If enabled, users of the FTP server can be shown messages when they first
+enter a new directory. By default, a directory is scanned for the
+file .message, but that may be overridden with the configuration setting
+.BR message_file .
+
+Default: NO (but the sample config file enables it)
+.TP
+.B download_enable
+If set to NO, all download requests will give permission denied.
+
+Default: YES
+.TP
+.B dual_log_enable
+If enabled, two log files are generated in parallel, going by default to
+.BR /var/log/xferlog
+and
+.BR /var/log/vsftpd.log .
+The former is a wu-ftpd style transfer log, parseable by standard tools. The
+latter is vsftpd's own style log.
+
+Default: NO
+.TP
+.B force_dot_files
+If activated, files and directories starting with . will be shown in directory
+listings even if the "a" flag was not used by the client. This override
+excludes the "." and ".." entries.
+
+Default: NO
+.TP
+.B guest_enable
+If enabled, all non-anonymous logins are classed as "guest" logins. A guest
+login is remapped to the user specified in the
+.BR guest_username
+setting.
+
+Default: NO
+.TP
+.B hide_ids
+If enabled, all user and group information in directory listings will be
+displayed as "ftp".
+
+Default: NO
+.TP
+.B listen
+If enabled, vsftpd will run in standalone mode. This means that vsftpd must
+not be run from an inetd of some kind. Instead, the vsftpd executable is
+run once directly. vsftpd itself will then take care of listening for and
+handling incoming connections.
+
+Default: NO
+.TP
+.B listen_ipv6
+Like the listen parameter, except vsftpd will listen on an IPv6 socket instead
+of an IPv4 one. This parameter and the listen parameter are mutually
+exclusive.
+
+Default: NO
+.TP
+.B local_enable
+Controls whether local logins are permitted or not. If enabled, normal
+user accounts in /etc/passwd may be used to log in.
+
+Default: NO
+.TP
+.B log_ftp_protocol
+When enabled, all FTP requests and responses are logged, providing the option
+xferlog_std_format is not enabled. Useful for debugging.
+
+Default: NO
+.TP
+.B ls_recurse_enable
+When enabled, this setting will allow the use of "ls -R". This is a minor
+security risk, because a ls -R at the top level of a large site may consume
+a lot of resources.
+
+Default: NO
+.TP
+.B no_anon_password
+When enabled, this prevents vsftpd from asking for an anonymous password -
+the anonymous user will log straight in.
+
+Default: NO
+.TP
+.B one_process_model
+If you have a Linux 2.4 kernel, it is possible to use a different security
+model which only uses one process per connection. It is a less pure security
+model, but gains you performance. You really don't want to enable this unless
+you know what you are doing, and your site supports huge numbers of
+simultaneously connected users.
+
+Default: NO
+.TP
+.B passwd_chroot_enable
+If enabled, along with
+.BR chroot_local_user
+, then a chroot() jail location may be specified on a per-user basis. Each
+user's jail is derived from their home directory string in /etc/passwd. The
+occurrence of /./ in the home directory string denotes that the jail is at that
+particular location in the path.
+
+Default: NO
+.TP
+.B pasv_enable
+Set to NO if you want to disallow the PASV method of obtaining a data
+connection.
+
+Default: YES
+.TP
+.B pasv_promiscuous
+Set to YES if you want to disable the PASV security check that ensures the
+data connection originates from the same IP address as the control connection.
+Only enable if you know what you are doing! The only legitimate use for this
+is in some form of secure tunnelling scheme, or perhaps to facilitate FXP
+support.
+
+Default: NO
+.TP
+.B port_enable
+Set to NO if you want to disallow the PORT method of obtaining a data
+connection.
+
+Default: YES
+.TP
+.B port_promiscuous
+Set to YES if you want to disable the PORT security check that ensures that
+outgoing data connections can only connect to the client. Only enable if
+you know what you are doing!
+
+Default: NO
+.TP
+.B secure_email_list_enable
+Set to YES if you want only a specified list of e-mail passwords for anonymous
+logins to be accepted. This is useful as a low-hassle way of restricting
+access to low-security content without needing virtual users. When enabled,
+anonymous logins are prevented unless the password provided is listed in the
+file specified by the
+.BR email_password_file
+setting. The file format is one password per line, no extra whitespace. The
+default filename is /etc/vsftpd.email_passwords.
+
+Default: NO
+.TP
+.B session_support
+This controls whether vsftpd attempts to maintain sessions for logins. If
+vsftpd is maintaining sessions, it will try and update utmp and wtmp. It
+will also open a pam_session if using PAM to authenticate, and only close
+this upon logout. You may wish to disable this if you do not need session
+logging, and you wish to give vsftpd more opportunity to run with less
+processes and / or less privilege. NOTE - utmp and wtmp support is only
+provided with PAM enabled builds.
+
+Default: YES
+.TP
+.B setproctitle_enable
+If enabled, vsftpd will try and show session status information in the system
+process listing. In other words, the reported name of the process will change
+to reflect what a vsftpd session is doing (idle, downloading etc). You
+probably want to leave this off for security purposes.
+
+Default: NO
+.TP
+.B syslog_enable
+If enabled, then any log output which would have gone to /var/log/vsftpd.log
+goes to the system log instead. Logging is done under the FTPD facility.
+
+Default: NO
+.TP
+.B tcp_wrappers
+If enabled, and vsftpd was compiled with tcp_wrappers support, incoming
+connections will be fed through tcp_wrappers access control. Furthermore,
+there is a mechanism for per-IP based configuration. If tcp_wrappers sets
+the VSFTPD_LOAD_CONF environment variable, then the vsftpd session will try
+and load the vsftpd configuration file specified in this variable.
+
+Default: NO
+.TP
+.B text_userdb_names
+By default, numeric IDs are shown in the user and group fields of directory
+listings. You can get textual names by enabling this parameter. It is off
+by default for performance reasons.
+
+Default: NO
+.TP
+.B use_localtime
+If enabled, vsftpd will display directory listings with the the time in your
+local time zone. The default is to display GMT. The times returned by the
+MDTM FTP command are also affected by this option.
+
+Default: NO
+.TP
+.B use_sendfile
+An internal setting used for testing the relative benefit of using the
+sendfile() system call on your platform.
+
+Default: YES
+.TP
+.B userlist_deny
+This option is examined if
+.B userlist_enable
+is activated. If you set this setting to NO, then users will be denied login
+unless they are explicitly listed in the file specified by
+.BR userlist_file .
+When login is denied, the denial is issued before the user is asked for a
+password.
+
+Default: YES
+.TP
+.B userlist_enable
+If enabled, vsftpd will load a list of usernames, from the filename given by
+.BR userlist_file .
+If a user tries to log in using a name in this file, they will be denied
+before they are asked for a password. This may be useful in preventing
+cleartext passwords being transmitted. See also
+.BR userlist_deny .
+
+Default: NO
+.TP
+.B virtual_use_local_privs
+If enabled, virtual users will use the same privileges as local users. By
+default, virtual users will use the same privileges as anonymous users, which
+tends to be more restrictive (especially in terms of write access).
+
+Default: NO
+.TP
+.B write_enable
+This controls whether any FTP commands which change the filesystem are allowed
+or not. These commands are: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE.
+
+Default: NO
+.TP
+.B xferlog_enable
+If enabled, a log file will be maintained detailling uploads and downloads.
+By default, this file will be placed at /var/log/vsftpd.log, but this location
+may be overridden using the configuration setting
+.BR vsftpd_log_file .
+
+Default: NO (but the sample config file enables it)
+.TP
+.B xferlog_std_format
+If enabled, the transfer log file will be written in standard xferlog format,
+as used by wu-ftpd. This is useful because you can reuse existing transfer
+statistics generators. The default format is more readable, however. The
+default location for this style of log file is /var/log/xferlog, but you may
+change it with the setting
+.BR xferlog_file .
+
+Default: NO
+
+.SH NUMERIC OPTIONS
+Below is a list of numeric options. A numeric option must be set to a non
+negative integer. Octal numbers are supported, for convenience of the umask
+options. To specify an octal number, use 0 as the first digit of the number.
+
+.TP
+.B accept_timeout
+The timeout, in seconds, for a remote client to establish connection with
+a PASV style data connection.
+
+Default: 60
+.TP
+.B anon_max_rate
+The maximum data transfer rate permitted, in bytes per second, for anonymous
+clients.
+
+Default: 0 (unlimited)
+.TP
+.B anon_umask
+The value that the umask for file creation is set to for anonymous users. NOTE! If you want to specify octal values, remember the "0" prefix otherwise the
+value will be treated as a base 10 integer!
+
+Default: 077
+.TP
+.B connect_timeout
+The timeout, in seconds, for a remote client to respond to our PORT style
+data connection.
+
+Default: 60
+.TP
+.B data_connection_timeout
+The timeout, in seconds, which is roughly the maximum time we permit data
+transfers to stall for with no progress. If the timeout triggers, the remote
+client is kicked off.
+
+Default: 300
+.TP
+.B file_open_mode
+The permissions with which uploaded files are created. Umasks are applied
+on top of this value. You may wish to change to 0777 if you want uploaded
+files to be executable.
+
+Default: 0666
+.TP
+.B ftp_data_port
+The port from which PORT style connections originate (as long as the poorly
+named
+.BR connect_from_port_20
+is enabled).
+
+Default: 20
+.TP
+.B idle_session_timeout
+The timeout, in seconds, which is the maximum time a remote client may spend
+between FTP commands. If the timeout triggers, the remote client is kicked
+off.
+
+Default: 300
+.TP
+.B listen_port
+If vsftpd is in standalone mode, this is the port it will listen on for
+incoming FTP connections.
+
+Default: 21
+.TP
+.B local_max_rate
+The maximum data transfer rate permitted, in bytes per second, for local
+authenticated users.
+
+Default: 0 (unlimited)
+.TP
+.B local_umask
+The value that the umask for file creation is set to for local users. NOTE! If
+you want to specify octal values, remember the "0" prefix otherwise the value
+will be treated as a base 10 integer!
+
+Default: 077
+.TP
+.B max_clients
+If vsftpd is in standalone mode, this is the maximum number of clients which
+may be connected. Any additional clients connecting will get an error message.
+
+Default: 0 (unlimited)
+.TP
+.B max_per_ip
+If vsftpd is in standalone mode, this is the maximum number of clients which
+may be connected from the same source internet address. A client will get an
+error message if they go over this limit.
+
+Default: 0 (unlimited)
+.TP
+.B pasv_max_port
+The maximum port to allocate for PASV style data connections. Can be used to
+specify a narrow port range to assist firewalling.
+
+Default: 0 (use any port)
+.TP
+.B pasv_min_port
+The minimum port to allocate for PASV style data connections. Can be used to
+specify a narrow port range to assist firewalling.
+
+Default: 0 (use any port)
+.TP
+.B trans_chunk_size
+You probably don't want to change this, but try setting it to something like
+8192 for a much smoother bandwidth limiter.
+
+Default: 0 (let vsftpd pick a sensible setting)
+
+.SH STRING OPTIONS
+Below is a list of string options.
+
+.TP
+.B anon_root
+This option represents a directory which vsftpd will try to change into
+after an anonymous login. Failure is silently ignored.
+
+Default: (none)
+.TP
+.B banned_email_file
+This option is the name of a file containing a list of anonymous e-mail
+passwords which are not permitted. This file is consulted if the option
+.BR deny_email_enable
+is enabled.
+
+Default: /etc/vsftpd.banned_emails
+.TP
+.B banner_file
+This option is the name of a file containing text to display when someone
+connects to the server. If set, it overrides the banner string provided by
+the
+.BR ftpd_banner
+option.
+
+Default: (none)
+.TP
+.B chown_username
+This is the name of the user who is given ownership of anonymously uploaded
+files. This option is only relevant if another option,
+.BR chown_uploads ,
+is set.
+
+Default: root
+.TP
+.B chroot_list_file
+The option is the name of a file containing a list of local users which
+will be placed in a chroot() jail in their home directory. This option is
+only relevant if the option
+.BR chroot_list_enable
+is enabled. If the option
+.BR chroot_local_user
+is enabled, then the list file becomes a list of users to NOT place in a
+chroot() jail.
+
+Default: /etc/vsftpd.chroot_list
+.TP
+.B cmds_allowed
+This options specifies a comma separated list of allowed FTP commands (post
+login. USER, PASS and QUIT are always allowed pre-login). Other
+commands are rejected. This is a powerful method of really locking down an
+FTP server. Example: cmds_allowed=PASV,RETR,QUIT
+
+Default: (none)
+.TP
+.B deny_file
+This option can be used to set a pattern for filenames (and directory names
+etc.) which should not be accessible in any way. The affected items are not
+hidden, but any attempt to do anything to them (download, change into
+directory, affect something within directory etc.) will be denied. This option
+is very simple, and should not be used for serious access control - the
+filesystem's permissions should be used in preference. However, this option
+may be useful in certain virtual user setups. In particular aware that if
+a filename is accessible by a variety of names (perhaps due to symbolic
+links or hard links), then care must be taken to deny access to all the names.
+Access will be denied to items if their name contains the string given by
+hide_file, or if they match the regular expression specified by hide_file.
+Note that vsftpd's regular expression matching code is a simple implementation
+which is a subset of full regular expression functionality. Because of this,
+you will need to carefully and exhaustively test any application of this
+option. And you are recommended to use filesystem permissions for any
+important security policies due to their greater reliability. Example:
+deny_file={*.mp3,*.mov,.private}
+
+Default: (none)
+.TP
+.B email_password_file
+This option can be used to provide an alternate file for usage by the
+.BR secure_email_list_enable
+setting.
+
+Default: /etc/vsftpd.email_passwords
+.TP
+.B ftp_username
+This is the name of the user we use for handling anonymous FTP. The home
+directory of this user is the root of the anonymous FTP area.
+
+Default: ftp
+.TP
+.B ftpd_banner
+This string option allows you to override the greeting banner displayed
+by vsftpd when a connection first comes in.
+
+Default: (none - default vsftpd banner is displayed)
+.TP
+.B guest_username
+See the boolean setting
+.BR guest_enable
+for a description of what constitutes a guest login. This setting is the
+real username which guest users are mapped to.
+
+Default: ftp
+.TP
+.B hide_file
+This option can be used to set a pattern for filenames (and directory names
+etc.) which should be hidden from directory listings. Despite being hidden,
+the files / directories etc. are fully accessible to clients who know what
+names to actually use. Items will be hidden if their names contain the string
+given by hide_file, or if they match the regular expression specified by
+hide_file. Note that vsftpd's regular expression matching code is a simple
+implementation which is a subset of full regular expression functionality.
+Example: hide_file={*.mp3,.hidden,hide*,h?}
+
+Default: (none)
+.TP
+.B listen_address
+If vsftpd is in standalone mode, the default listen address (of all local
+interfaces) may be overridden by this setting. Provide a numeric IP address.
+
+Default: (none)
+.TP
+.B listen_address6
+Like listen_address, but specifies a default listen address for the IPv6
+listener (which is used if listen_ipv6 is set). Format is standard IPv6
+address format.
+
+Default: (none)
+.TP
+.B local_root
+This option represents a directory which vsftpd will try to change into
+after a local (i.e. non-anonymous) login. Failure is silently ignored.
+
+Default: (none)
+.TP
+.B message_file
+This option is the name of the file we look for when a new directory is
+entered. The contents are displayed to the remote user. This option is
+only relevant if the option
+.BR dirmessage_enable
+is enabled.
+
+Default: .message
+.TP
+.B nopriv_user
+This is the name of the user that is used by vsftpd when it want to be
+totally unprivileged. Note that this should be a dedicated user, rather
+than nobody. The user nobody tends to be used for rather a lot of important
+things on most machines.
+
+Default: nobody
+.TP
+.B pam_service_name
+This string is the name of the PAM service vsftpd will use.
+
+Default: ftp
+.TP
+.B pasv_address
+Use this option to override the IP address that vsftpd will advertise in
+response to the PASV command. Provide a numeric IP address.
+
+Default: (none - the address is taken from the incoming connected socket)
+.TP
+.B secure_chroot_dir
+This option should be the name of a directory which is empty. Also, the
+directory should not be writable by the ftp user. This directory is used
+as a secure chroot() jail at times vsftpd does not require filesystem access.
+
+Default: /usr/share/empty
+.TP
+.B user_config_dir
+This powerful option allows the override of any config option specified in
+the manual page, on a per-user basis. Usage is simple, and is best illustrated
+with an example. If you set
+.BR user_config_dir
+to be
+.BR /etc/vsftpd_user_conf
+and then log on as the user "chris", then vsftpd will apply the settings in
+the file
+.BR /etc/vsftpd_user_conf/chris
+for the duration of the session. The format of this file is as detailed in
+this manual page! PLEASE NOTE that not all settings are effective on a
+per-user basis. For example, many settings only prior to the user's session
+being started. Examples of settings which will not affect any behviour on
+a per-user basis include listen_address, banner_file, max_per_ip, max_clients,
+xferlog_file, etc.
+
+Default: (none)
+.TP
+.B user_sub_token
+This option is useful is conjunction with virtual users. It is used to
+automatically generate a home directory for each virtual user, based on a
+template. For example, if the home directory of the real user specified via
+.BR guest_username
+is
+.BR /home/virtual/$USER ,
+and
+.BR user_sub_token
+is set to
+.BR $USER ,
+then when virtual user fred logs in, he will end up (usually chroot()'ed) in
+the directory
+.BR /home/virtual/fred .
+This option also takes affect if
+.BR local_root
+contains
+.BR user_sub_token .
+
+Default: (none)
+.TP
+.B userlist_file
+This option is the name of the file loaded when the
+.BR userlist_enable
+option is active.
+
+Default: /etc/vsftpd.user_list
+.TP
+.B vsftpd_log_file
+This option is the name of the file to which we write the vsftpd style
+log file. This log is only written if the option
+.BR xferlog_enable
+is set, and
+.BR xferlog_std_format
+is NOT set. Alternatively, it is written if you have set the option
+.BR dual_log_enable .
+One further complication - if you have set
+.BR syslog_enable ,
+then this file is not written and output is sent to the system log instead.
+
+Default: /var/log/vsftpd.log
+.TP
+.B xferlog_file
+This option is the name of the file to which we write the wu-ftpd style
+transfer log. The transfer log is only written if the option
+.BR xferlog_enable
+is set, along with
+.BR xferlog_std_format .
+Alternatively, it is written if you have set the option
+.BR dual_log_enable .
+
+Default: /var/log/xferlog
+
+.SH AUTHOR
+chris@scary.beasts.org
+
OSDN Git Service
