vsftpd.conf.5

文件传输协议linux 下vsftpd2.1.0.tar.gz

.TH VSFTPD.CONF 5
.SH NAME
vsftpd.conf \- config file for vsftpd
.SH DESCRIPTION
vsftpd.conf may be used to control various aspects of vsftpd's behaviour. By
default, vsftpd looks for this file at the location
.BR /etc/vsftpd.conf .
However, you may override this by specifying a command line argument to
vsftpd. The command line argument is the pathname of the configuration file
for vsftpd. This behaviour is useful because you may wish to use an advanced
inetd such as
.BR xinetd
to launch vsftpd with different configuration files on a per virtual host
basis.

.SH FORMAT
The format of vsftpd.conf is very simple. Each line is either a comment or
a directive. Comment lines start with a # and are ignored. A directive line
has the format:

option=value

It is important to note that it is an error to put any space between the
option, = and value.

Each setting has a compiled in default which may be modified in the
configuration file.

.SH BOOLEAN OPTIONS
Below is a list of boolean options. The value for a boolean option may be set
to
.BR YES
or
.BR NO .

.TP
.B allow_anon_ssl
Only applies if
.BR ssl_enable
is active. If set to YES, anonymous users will be allowed to use secured SSL
connections.

Default: NO
.TP
.B anon_mkdir_write_enable
If set to YES, anonymous users will be permitted to create new directories
under certain conditions. For this to work, the option
.BR write_enable
must be activated, and the anonymous ftp user must have write permission on
the parent directory.

Default: NO
.TP
.B anon_other_write_enable
If set to YES, anonymous users will be permitted to perform write operations
other than upload and create directory, such as deletion and renaming. This
is generally not recommended but included for completeness.

Default: NO
.TP
.B anon_upload_enable
If set to YES, anonymous users will be permitted to upload files under certain
conditions. For this to work, the option
.BR write_enable
must be activated, and the anonymous ftp user must have write permission on
desired upload locations. This setting is also required for virtual users to
upload; by default, virtual users are treated with anonymous (i.e. maximally
restricted) privilege.

Default: NO
.TP
.B anon_world_readable_only
When enabled, anonymous users will only be allowed to download files which
are world readable. This is recognising that the ftp user may own files,
especially in the presence of uploads.

Default: YES
.TP
.B anonymous_enable
Controls whether anonymous logins are permitted or not. If enabled,
both the usernames
.BR ftp
and
.BR anonymous
are recognised as anonymous logins.

Default: YES
.TP
.B ascii_download_enable
When enabled, ASCII mode data transfers will be honoured on downloads.

Default: NO
.TP
.B ascii_upload_enable
When enabled, ASCII mode data transfers will be honoured on uploads.

Default: NO
.TP
.B async_abor_enable
When enabled, a special FTP command known as "async ABOR" will be enabled.
Only ill advised FTP clients will use this feature. Additionally, this feature
is awkward to handle, so it is disabled by default. Unfortunately, some FTP
clients will hang when cancelling a transfer unless this feature is available,
so you may wish to enable it.

Default: NO
.TP
.B background
When enabled, and vsftpd is started in "listen" mode, vsftpd will background
the listener process. i.e. control will immediately be returned to the shell
which launched vsftpd.

Default: NO
.TP
.B check_shell
Note! This option only has an effect for non-PAM builds of vsftpd. If disabled,
vsftpd will not check /etc/shells for a valid user shell for local logins.

Default: YES
.TP
.B chmod_enable
When enables, allows use of the SITE CHMOD command. NOTE! This only applies
to local users. Anonymous users never get to use SITE CHMOD.

Default: YES
.TP
.B chown_uploads
If enabled, all anonymously uploaded files will have the ownership changed
to the user specified in the setting
.BR chown_username .
This is useful from an administrative, and perhaps security, standpoint.

Default: NO
.TP
.B chroot_list_enable
If activated, you may provide a list of local users who are placed in a
chroot() jail in their home directory upon login. The meaning is slightly
different if chroot_local_user is set to YES. In this case, the list becomes
a list of users which are NOT to be placed in a chroot() jail.
By default, the file containing this list is
/etc/vsftpd.chroot_list, but you may override this with the
.BR chroot_list_file
setting.

Default: NO
.TP
.B chroot_local_user
If set to YES, local users will be (by default) placed in a chroot() jail in
their home directory after login.
.BR Warning:
This option has security implications, especially if the users have upload
permission, or shell access. Only enable if you know what you are doing.
Note that these security implications are not vsftpd specific. They apply to
all FTP daemons which offer to put local users in chroot() jails.

Default: NO
.TP
.B connect_from_port_20
This controls whether PORT style data connections use port 20 (ftp-data) on
the server machine. For security reasons, some clients may insist that this
is the case. Conversely, disabling this option enables vsftpd to run with
slightly less privilege.

Default: NO (but the sample config file enables it)
.TP
.B debug_ssl
If true, OpenSSL connection diagnostics are dumped to the vsftpd log file.
(Added in v2.0.6).

Default: NO
.TP
.B delete_failed_uploads
If true, any failed upload files are deleted.  (Added in v2.0.7).

Default: NO
.TP
.B deny_email_enable
If activated, you may provide a list of anonymous password e-mail responses
which cause login to be denied. By default, the file containing this list is
/etc/vsftpd.banned_emails, but you may override this with the
.BR banned_email_file
setting.

Default: NO
.TP
.B dirlist_enable
If set to NO, all directory list commands will give permission denied.

Default: YES
.TP
.B dirmessage_enable
If enabled, users of the FTP server can be shown messages when they first
enter a new directory. By default, a directory is scanned for the
file .message, but that may be overridden with the configuration setting
.BR message_file .

Default: NO (but the sample config file enables it)
.TP
.B download_enable
If set to NO, all download requests will give permission denied.

Default: YES
.TP
.B dual_log_enable
If enabled, two log files are generated in parallel, going by default to
.BR /var/log/xferlog
and
.BR /var/log/vsftpd.log .
The former is a wu-ftpd style transfer log, parseable by standard tools. The
latter is vsftpd's own style log.

Default: NO
.TP
.B force_dot_files
If activated, files and directories starting with . will be shown in directory
listings even if the "a" flag was not used by the client. This override
excludes the "." and ".." entries.

Default: NO
.TP
.B force_anon_data_ssl
Only applies if
.BR ssl_enable
is activated. If activated, all anonymous logins are forced to use a secure
SSL connection in order to send and receive data on data connections.

Default: NO
.TP
.B force_anon_logins_ssl
Only applies if
.BR ssl_enable
is activated. If activated, all anonymous logins are forced to use a secure
SSL connection in order to send the password.

Default: NO
.TP
.B force_local_data_ssl
Only applies if
.BR ssl_enable
is activated. If activated, all non-anonymous logins are forced to use a secure
SSL connection in order to send and receive data on data connections.

Default: YES
.TP
.B force_local_logins_ssl
Only applies if
.BR ssl_enable
is activated. If activated, all non-anonymous logins are forced to use a secure
SSL connection in order to send the password.

Default: YES
.TP
.B guest_enable
If enabled, all non-anonymous logins are classed as "guest" logins. A guest
login is remapped to the user specified in the
.BR guest_username
setting.

Default: NO
.TP
.B hide_ids
If enabled, all user and group information in directory listings will be
displayed as "ftp".

Default: NO
.TP
.B implicit_ssl
If enabled, an SSL handshake is the first thing expect on all connections
(the FTPS protocol). To support explicit SSL and/or plain text too, a
separate vsftpd listener process should be run.

Default: NO
.TP
.B listen
If enabled, vsftpd will run in standalone mode. This means that vsftpd must
not be run from an inetd of some kind. Instead, the vsftpd executable is
run once directly. vsftpd itself will then take care of listening for and
handling incoming connections.

Default: YES
.TP
.B listen_ipv6
Like the listen parameter, except vsftpd will listen on an IPv6 socket instead
of an IPv4 one. This parameter and the listen parameter are mutually
exclusive.

Default: NO
.TP
.B local_enable
Controls whether local logins are permitted or not. If enabled, normal
user accounts in /etc/passwd (or wherever your PAM config references) may be
used to log in. This must be enable for any non-anonymous login to work,
including virtual users.

Default: NO
.TP
.B lock_upload_files
When enabled, all uploads proceed with a write lock on the upload file. All
downloads proceed with a shared read lock on the download file. WARNING!
Before enabling this, be aware that malicious readers could starve a writer
wanting to e.g. append a file.

Default: YES
.TP
.B log_ftp_protocol
When enabled, all FTP requests and responses are logged, providing the option
xferlog_std_format is not enabled. Useful for debugging.

Default: NO
.TP
.B ls_recurse_enable
When enabled, this setting will allow the use of "ls -R". This is a minor
security risk, because a ls -R at the top level of a large site may consume
a lot of resources.

Default: NO
.TP
.B mdtm_write
When enabled, this setting will allow MDTM to set file modification times
(subject to the usual access checks).

Default: YES
.TP
.B no_anon_password
When enabled, this prevents vsftpd from asking for an anonymous password -
the anonymous user will log straight in.

Default: NO
.TP
.B no_log_lock
When enabled, this prevents vsftpd from taking a file lock when writing to log
files. This option should generally not be enabled. It exists to workaround
operating system bugs such as the Solaris / Veritas filesystem combination
which has been observed to sometimes exhibit hangs trying to lock log files.

Default: NO
.TP
.B one_process_model
If you have a Linux 2.4 kernel, it is possible to use a different security
model which only uses one process per connection. It is a less pure security
model, but gains you performance. You really don't want to enable this unless
you know what you are doing, and your site supports huge numbers of
simultaneously connected users.

Default: NO
.TP
.B passwd_chroot_enable
If enabled, along with
.BR chroot_local_user
, then a chroot() jail location may be specified on a per-user basis. Each
user's jail is derived from their home directory string in /etc/passwd. The
occurrence of /./ in the home directory string denotes that the jail is at that