Unix/Linux Go Back    


RedHat 9 (Linux i386) - man page for vsftpd.conf (redhat section 5)

Linux & Unix Commands - Search Man Pages
Man Page or Keyword Search:   man
Select Man Page Set:       apropos Keyword Search (sections above)


VSFTPD.CONF(5)									   VSFTPD.CONF(5)

NAME
       vsftpd.conf, the config file for vsftpd

DESCRIPTION
       vsftpd.conf  may  be  used  to  control various aspects of vsftpd's behaviour. By default,
       vsftpd looks for this file at the location /etc/vsftpd.conf.  However,  you  may  override
       this  by  specifying  a	command line argument to vsftpd. The command line argument is the
       pathname of the configuration file for vsftpd. This behaviour is useful	because  you  may
       wish to use an advanced inetd such as xinetd to launch vsftpd with different configuration
       files on a per virtual host basis.

FORMAT
       The format of vsftpd.conf is very simple. Each line is either a comment	or  a  directive.
       Comment lines start with a # and are ignored. A directive line has the format:

       option=value

       It  is  important  to  note that it is an error to put any space between the option, = and
       value.

       Each setting has a compiled in default which may be modified in the configuration file.

BOOLEAN OPTIONS
       Below is a list of boolean options. The value for a boolean option may be set  to  YES  or
       NO.

       anon_mkdir_write_enable
	      If  set  to  YES, anonymous users will be permitted to create new directories under
	      certain conditions. For this to work, the option write_enable  must  be  activated,
	      and the anonymous ftp user must have write permission on the parent directory.

	      Default: NO

       anon_other_write_enable
	      If  set to YES, anonymous users will be permitted to perform write operations other
	      than upload and create directory, such as deletion and renaming. This is	generally
	      not recommended but included for completeness.

	      Default: NO

       anon_upload_enable
	      If set to YES, anonymous users will be permitted to upload files under certain con-
	      ditions. For this to work, the option  write_enable  must  be  activated,  and  the
	      anonymous ftp user must have write permission on desired upload locations.

	      Default: NO

       anon_world_readable_only
	      When  enabled,  anonymous  users	will  only be allowed to download files which are
	      world readable. This is recognising that the ftp user may own files, especially  in
	      the presence of uploads.

	      Default: YES

       anonymous_enable
	      Controls	whether anonymous logins are permitted or not. If enabled, both the user-
	      names ftp and anonymous are recognised as anonymous logins.

	      Default: YES

       ascii_download_enable
	      When enabled, ASCII mode data transfers will be honoured on downloads.

	      Default: NO

       ascii_upload_enable
	      When enabled, ASCII mode data transfers will be honoured on uploads.

	      Default: NO

       async_abor_enable
	      When enabled, a special FTP command known as "async ABOR" will  be  enabled.   Only
	      ill advised FTP clients will use this feature. Addtionally, this feature is awkward
	      to handle, so it is disabled by default. Unfortunately, some FTP clients will  hang
	      when  cancelling	a  transfer  unless this feature is available, so you may wish to
	      enable it.

	      Default: NO

       check_shell
	      Note! This option only has an effect for non-PAM builds  of  vsftpd.  If	disabled,
	      vsftpd will not check /etc/shells for a valid user shell for local logins.

	      Default: YES

       chown_uploads
	      If  enabled,  all anonymously uploaded files will have the ownership changed to the
	      user specified in the setting chown_username.  This is useful from  an  administra-
	      tive, and perhaps security, standpoint.

	      Default: NO

       chroot_list_enable
	      If  activated,  you  may provide a list of local users who are placed in a chroot()
	      jail in their home directory upon login.	The  meaning  is  slightly  different  if
	      chroot_local_user  is  set  to  YES. In this case, the list becomes a list of users
	      which are NOT to be placed in a chroot() jail.  By  default,  the  file  containing
	      this   list  is  /etc/vsftpd.chroot_list,  but  you  may	override  this	with  the
	      chroot_list_file setting.

	      Default: NO

       chroot_local_user
	      If set to YES, local users will be placed in a chroot() jail in their  home  direc-
	      tory  after  login.   Warning: This option has security implications, especially if
	      the users have upload permission, or shell access. Only enable if you know what you
	      are  doing.   Note  that	these security implications are not vsftpd specific. They
	      apply to all FTP daemons which offer to put local users in chroot() jails.

	      Default: NO

       connect_from_port_20
	      This controls whether PORT style data connections use port  20  (ftp-data)  on  the
	      server  machine.	For  security  reasons,  some clients may insist that this is the
	      case. Conversely, disabling this option enables vsftpd to run  with  slightly  less
	      privilege.

	      Default: NO (but the sample config file enables it)

       deny_email_enable
	      If  activated,  you may provide a list of anonymous password e-mail responses which
	      cause  login  to	be  denied.  By  default,  the	file  containing  this	list   is
	      /etc/vsftpd.banned_emails,  but  you  may  override this with the banned_email_file
	      setting.

	      Default: NO

       dirmessage_enable
	      If enabled, users of the FTP server can be shown messages when they first  enter	a
	      new  directory.  By default, a directory is scanned for the file .message, but that
	      may be overridden with the configuration setting message_file.

	      Default: NO (but the sample config file enables it)

       guest_enable
	      If enabled, all non-anonymous logins are classed as "guest" logins. A  guest  login
	      is remapped to the user specified in the guest_username setting.

	      Default: NO

       hide_ids
	      If  enabled, all user and group information in directory listings will be displayed
	      as "ftp".

	      Default: NO

       listen If enabled, vsftpd will run in standalone mode. This means that vsftpd must not  be
	      run  from  an  inetd  of	some  kind.  Instead,  the  vsftpd executable is run once
	      directly. vsftpd itself will then take care of listening for and handling  incoming
	      connections.

	      Default: NO

       local_enable
	      Controls	whether  local	logins	are  permitted	or  not.  If enabled, normal user
	      accounts in /etc/passwd may be used to log in.

	      Default: NO

       log_ftp_protocol
	      When enabled, all FTP requests and responses are logged, providing the option xfer-
	      log_std_format is not enabled. Useful for debugging.

	      Default: NO

       ls_recurse_enable
	      When  enabled, this setting will allow the use of "ls -R". This is a minor security
	      risk, because a ls -R at the top level of  a  large  site  may  consume  a  lot  of
	      resources.

	      Default: NO

       no_anon_password
	      When  enabled,  this  prevents  vsftpd  from asking for an anonymous password - the
	      anonymous user will log straight in.

	      Default: NO

       one_process_model
	      If you have a Linux 2.4 kernel, it is possible to use a  different  security  model
	      which  only  uses one process per connection. It is a less pure security model, but
	      gains you performance. You really don't want to enable this unless  you  know  what
	      you  are	doing,	and  your  site supports huge numbers of simultaneously connected
	      users.

	      Default: NO

       passwd_chroot_enable
	      If enabled, along with chroot_local_user , then a chroot()  jail	location  may  be
	      specified  on  a per-user basis. Each user's jail is derived from their home direc-
	      tory string in /etc/passwd. The occurence of  /./  in  the  home	directory  string
	      denotes that the jail is at that particular location in the path.

	      Default: NO

       pasv_enable
	      Set to NO if you want to disallow the PASV method of obtaining a data connection.

	      Default: YES

       pasv_promiscuous
	      Set  to  YES  if	you want to disable the PASV security check that ensures the data
	      connection originates from the same IP address as  the  control  connection.   Only
	      enable  if you know what you are doing! The only legitimate use for this is in some
	      form of secure tunnelling scheme.

	      Default: NO

       port_enable
	      Set to NO if you want to disallow the PORT method of obtaining a data connection.

	      Default: YES

       port_promiscuous
	      Set to YES if you want to disable the PORT security check that ensures that  outgo-
	      ing  data  connections can only connect to the client. Only enable if you know what
	      you are doing!

	      Default: NO

       setproctitle_enable
	      If enabled, vsftpd will try and show  session  status  information  in  the  system
	      process  listing.  In  other words, the reported name of the process will change to
	      reflect what a vsftpd session is doing (idle, downloading etc). You  probably  want
	      to leave this off for security purposes.

	      Default: NO

       tcp_wrappers
	      If enabled, and vsftpd was compiled with tcp_wrappers support, incoming connections
	      will be fed through tcp_wrappers access control. Furthermore, there is a	mechanism
	      for  per-IP based configuration. If tcp_wrappers sets the VSFTPD_LOAD_CONF environ-
	      ment variable, then the vsftpd session will try and load the  vsftpd  configuration
	      file specified in this variable.

	      Default: NO

       text_userdb_names
	      By  default,  numeric IDs are shown in the user and group fields of directory list-
	      ings. You can get textual names by enabling this parameter. It is  off  by  default
	      for performance reasons.

	      Default: NO

       use_localtime
	      If  enabled, vsftpd will display directory listings with the the time in your local
	      time zone. The default is to display GMT. The times returned by the MDTM	FTP  com-
	      mand are also affected by this option.

	      Default: NO

       use_sendfile
	      An  internal  setting used for testing the relative benefit of using the sendfile()
	      system call on your platform.

	      Default: YES

       userlist_deny
	      This option is examined if userlist_enable is activated. If you set this setting to
	      NO,  then  users will be denied login unless they are explicitly listed in the file
	      specified by userlist_file.  When login is denied, the denial is issued before  the
	      user is asked for a password.

	      Default: YES

       userlist_enable
	      If  enabled,  vsftpd  will  load	a  list  of usernames, from the filename given by
	      userlist_file.  If a user tries to log in using a name in this file, they  will  be
	      denied  before  they  are  asked	for  a password. This may be useful in preventing
	      cleartext passwords being transmitted. See also userlist_deny.

	      Default: NO

       write_enable
	      This controls whether any FTP commands which change the filesystem are  allowed  or
	      not. These commands are: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE.

	      Default: NO

       xferlog_enable
	      If  enabled,  a  log  file will be maintained detailling uploads and downloads.  By
	      default, this file will be placed at /var/log/vsftpd.log, but this location may  be
	      overridden using the configuration setting xferlog_file.

	      Default: NO (but the sample config file enables it)

       xferlog_std_format
	      If  enabled,  the  transfer log file will be written in standard xferlog format, as
	      used by wu-ftpd. This is useful because you can reuse existing transfer  statistics
	      generators. The default format is more readable, however.

	      Default: NO

NUMERIC OPTIONS
       Below  is  a list of numeric options. A numeric option must be set to a non negative inte-
       ger. Octal numbers are supported, for convenience of the  umask	options.  To  specify  an
       octal number, use 0 as the first digit of the number.

       accept_timeout
	      The  timeout,  in  seconds, for a remote client to establish connection with a PASV
	      style data connection.

	      Default: 60

       anon_max_rate
	      The maximum data transfer rate  permitted,  in  bytes  per  second,  for	anonymous
	      clients.

	      Default: 0 (unlimited)

       anon_umask
	      The  value that the umask for file creation is set to for anonymous users. NOTE! If
	      you want to specify octal values, remember the "0" prefix otherwise the value  will
	      be treated as a base 10 integer!

	      Default: 077

       connect_timeout
	      The timeout, in seconds, for a remote client to respond to our PORT style data con-
	      nection.

	      Default: 60

       data_connection_timeout
	      The timeout, in seconds, which is roughly the maximum time we permit data transfers
	      to stall for with no progress. If the timeout triggers, the remote client is kicked
	      off.

	      Default: 300

       file_open_mode
	      The permissions with which uploaded files are created. Umasks are applied on top of
	      this  value.  You  may wish to change to 0777 if you want uploaded files to be exe-
	      cutable.

	      Default: 0666

       ftp_data_port
	      The port from which PORT style connections originate (as long as the  poorly  named
	      connect_from_port_20 is enabled).

	      Default: 20

       idle_session_timeout
	      The  timeout,  in  seconds,  which  is  the  maximum time a remote client may spend
	      between FTP commands. If the timeout triggers, the remote client is kicked off.

	      Default: 300

       listen_port
	      If vsftpd is in standalone mode, this is the port it will listen	on  for  incoming
	      FTP connections.

	      Default: 21

       local_max_rate
	      The  maximum data transfer rate permitted, in bytes per second, for local authenti-
	      cated users.

	      Default: 0 (unlimited)

       local_umask
	      The value that the umask for file creation is set to for local users. NOTE! If  you
	      want  to	specify octal values, remember the "0" prefix otherwise the value will be
	      treated as a base 10 integer!

	      Default: 077

       max_clients
	      If vsftpd is in standalone mode, this is the maximum number of clients which may be
	      connected. Any additional clients connecting will get an error message.

	      Default: 0 (unlimited)

       max_per_ip
	      If vsftpd is in standalone mode, this is the maximum number of clients which may be
	      connected from the same source internet address. A client will get an error message
	      if they go over this limit.

	      Default: 0 (unlimited)

       pasv_max_port
	      The  maximum port to allocate for PASV style data connections. Can be used to spec-
	      ify a narrow port range to assist firewalling.

	      Default: 0 (use any port)

       pasv_min_port
	      The minimum port to allocate for PASV style data connections. Can be used to  spec-
	      ify a narrow port range to assist firewalling.

	      Default: 0 (use any port)

STRING OPTIONS
       Below is a list of string options.

       anon_root
	      This  option  represents	a directory which vsftpd will try to change into after an
	      anonymous login. Failure is silently ignored.

	      Default: (none)

       banned_email_file
	      This option is the name of a file containing a list of anonymous	e-mail	passwords
	      which  are not permitted. This file is consulted if the option deny_email_enable is
	      enabled.

	      Default: /etc/vsftpd.banned_emails

       banner_file
	      This option is the name of a file containing text to display when someone  connects
	      to  the  server. If set, it overrides the banner string provided by the ftpd_banner
	      option.

	      Default: (none)

       chown_username
	      This is the name of the user who is given ownership of anonymously uploaded  files.
	      This option is only relevant if another option, chown_uploads, is set.

	      Default: root

       chroot_list_file
	      The  option  is  the  name of a file containing a list of local users which will be
	      placed in a chroot() jail in their home directory. This option is only relevant  if
	      the  option chroot_list_enable is enabled, and the option chroot_local_user is dis-
	      abled.

	      Default: /etc/vsftpd.chroot_list

       guest_username
	      See the boolean setting guest_enable for a description of what constitutes a  guest
	      login. This setting is the real username which guest users are mapped to.

	      Default: ftp

       ftp_username
	      This  is the name of the user we use for handling anonymous FTP. The home directory
	      of this user is the root of the anonymous FTP area.

	      Default: ftp

       ftpd_banner
	      This string option allows you to override the greeting banner displayed  by  vsftpd
	      when a connection first comes in.

	      Default: (none - default vsftpd banner is displayed)

       listen_address
	      If  vsftpd  is  in standalone mode, the default listen address (of all local inter-
	      faces) may be overridden by this setting. Provide a numeric IP address.

	      Default: (none)

       local_root
	      This option represents a directory which vsftpd will try to  change  into  after	a
	      local (i.e. non-anonymous) login. Failure is silently ignored.

	      Default: (none)

       message_file
	      This  option  is	the name of the file we look for when a new directory is entered.
	      The contents are displayed to the remote user. This option is only relevant if  the
	      option dirmessage_enable is enabled.

	      Default: .message

       nopriv_user
	      This  is	the  name  of  the user that is used by vsftpd when it want to be totally
	      unprivileged. Note that this should be a dedicated user, rather  than  nobody.  The
	      user nobody tends to be used for rather a lot of important things on most machines.

	      Default: nobody

       pam_service_name
	      This string is the name of the PAM service vsftpd will use.

	      Default: ftp

       pasv_address
	      Use  this  option to override the IP address that vsftpd will advertise in response
	      to the PASV command. Provide a numeric IP address.

	      Default: (none - the address is taken from the incoming connected socket)

       secure_chroot_dir
	      This option should be the name of a directory which is empty. Also,  the	directory
	      should not be writable by the ftp user. This directory is used as a secure chroot()
	      jail at times vsftpd does not require filesystem access.

	      Default: /usr/share/empty

       user_config_dir
	      This powerful option allows the override of any config option specified in the man-
	      ual  page,  on  a  per-user basis. Usage is simple, and is best illustrated with an
	      example. If you set user_config_dir to be /etc/vsftpd_user_conf and then log on  as
	      the   user   "chris",   then   vsftpd   will   apply   the  settings  in	the  file
	      /etc/vsftpd_user_conf/chris for the duration of the session.  The  format  of  this
	      file is as detailed in this manual page!

	      Default: (none)

       userlist_file
	      This  option  is	the  name  of  the file loaded when the userlist_enable option is
	      active.

	      Default: /etc/vsftpd.user_list

       xferlog_file
	      This option is the name of the file to which we write the transfer log. The  trans-
	      fer log is only written if the option xferlog_enable is set.

	      Default: /var/log/vsftpd.log

AUTHOR
       chris@scary.beasts.org

										   VSFTPD.CONF(5)
Unix & Linux Commands & Man Pages : ©2000 - 2018 Unix and Linux Forums


All times are GMT -4. The time now is 08:58 PM.