vsftpd.conf.5

文件传输协议linux 下vsftpd2.1.0.tar.gz

.B local_umask
The value that the umask for file creation is set to for local users. NOTE! If
you want to specify octal values, remember the "0" prefix otherwise the value
will be treated as a base 10 integer!

Default: 077
.TP
.B max_clients
If vsftpd is in standalone mode, this is the maximum number of clients which
may be connected. Any additional clients connecting will get an error message.

Default: 0 (unlimited)
.TP
.B max_login_fails
After this many login failures, the session is killed.

Default: 3
.TP
.B max_per_ip
If vsftpd is in standalone mode, this is the maximum number of clients which
may be connected from the same source internet address. A client will get an
error message if they go over this limit.

Default: 0 (unlimited)
.TP
.B pasv_max_port
The maximum port to allocate for PASV style data connections. Can be used to
specify a narrow port range to assist firewalling.

Default: 0 (use any port)
.TP
.B pasv_min_port
The minimum port to allocate for PASV style data connections. Can be used to
specify a narrow port range to assist firewalling.

Default: 0 (use any port)
.TP
.B trans_chunk_size
You probably don't want to change this, but try setting it to something like
8192 for a much smoother bandwidth limiter.

Default: 0 (let vsftpd pick a sensible setting)

.SH STRING OPTIONS
Below is a list of string options.

.TP
.B anon_root
This option represents a directory which vsftpd will try to change into
after an anonymous login. Failure is silently ignored.

Default: (none)
.TP
.B banned_email_file
This option is the name of a file containing a list of anonymous e-mail
passwords which are not permitted. This file is consulted if the option
.BR deny_email_enable
is enabled.

Default: /etc/vsftpd.banned_emails
.TP
.B banner_file
This option is the name of a file containing text to display when someone
connects to the server. If set, it overrides the banner string provided by
the
.BR ftpd_banner
option.

Default: (none)
.TP
.B ca_certs_file
This option is the name of a file to load Certificate Authority certs from, for
the purpose of validating client certs. Regrettably, the default SSL CA cert
paths are not used, because of vsftpd's use of restricted filesystem spaces
(chroot). (Added in v2.0.6).

Default: (none)
.TP
.B chown_username
This is the name of the user who is given ownership of anonymously uploaded
files. This option is only relevant if another option,
.BR chown_uploads ,
is set.

Default: root
.TP
.B chroot_list_file
The option is the name of a file containing a list of local users which
will be placed in a chroot() jail in their home directory. This option is
only relevant if the option
.BR chroot_list_enable
is enabled. If the option
.BR chroot_local_user
is enabled, then the list file becomes a list of users to NOT place in a
chroot() jail.

Default: /etc/vsftpd.chroot_list
.TP
.B cmds_allowed
This options specifies a comma separated list of allowed FTP commands (post
login. USER, PASS and QUIT and others are always allowed pre-login). Other
commands are rejected. This is a powerful method of really locking down an
FTP server. Example: cmds_allowed=PASV,RETR,QUIT

Default: (none)
.TP
.B cmds_denied
This options specifies a comma separated list of denied FTP commands (post
login. USER, PASS, QUIT and others are always allowed pre-login). If a command
appears on both this and
.BR cmds_allowed
then the denial takes precedence. (Added in v2.1.0).

Default: (none)
.TP
.B deny_file
This option can be used to set a pattern for filenames (and directory names
etc.) which should not be accessible in any way. The affected items are not
hidden, but any attempt to do anything to them (download, change into
directory, affect something within directory etc.) will be denied. This option
is very simple, and should not be used for serious access control - the
filesystem's permissions should be used in preference. However, this option
may be useful in certain virtual user setups. In particular aware that if
a filename is accessible by a variety of names (perhaps due to symbolic
links or hard links), then care must be taken to deny access to all the names.
Access will be denied to items if their name contains the string given by
hide_file, or if they match the regular expression specified by hide_file.
Note that vsftpd's regular expression matching code is a simple implementation
which is a subset of full regular expression functionality. Because of this,
you will need to carefully and exhaustively test any application of this
option. And you are recommended to use filesystem permissions for any
important security policies due to their greater reliability. Supported
regex syntax is any number of *, ? and unnested {,} operators. Regex
matching is only supported on the last component of a path, e.g. a/b/? is
supported but a/?/c is not.
Example: deny_file={*.mp3,*.mov,.private}

Default: (none)
.TP
.B dsa_cert_file
This option specifies the location of the DSA certificate to use for SSL
encrypted connections.

Default: (none - an RSA certificate suffices)
.TP
.B dsa_private_key_file
This option specifies the location of the DSA private key to use for SSL
encrypted connections. If this option is not set, the private key is expected
to be in the same file as the certificate.

Default: (none)
.TP
.B email_password_file
This option can be used to provide an alternate file for usage by the
.BR secure_email_list_enable
setting.

Default: /etc/vsftpd.email_passwords
.TP
.B ftp_username
This is the name of the user we use for handling anonymous FTP. The home
directory of this user is the root of the anonymous FTP area.

Default: ftp
.TP
.B ftpd_banner
This string option allows you to override the greeting banner displayed
by vsftpd when a connection first comes in.

Default: (none - default vsftpd banner is displayed)
.TP
.B guest_username
See the boolean setting
.BR guest_enable
for a description of what constitutes a guest login. This setting is the
real username which guest users are mapped to.

Default: ftp
.TP
.B hide_file
This option can be used to set a pattern for filenames (and directory names
etc.) which should be hidden from directory listings. Despite being hidden,
the files / directories etc. are fully accessible to clients who know what
names to actually use. Items will be hidden if their names contain the string
given by hide_file, or if they match the regular expression specified by
hide_file. Note that vsftpd's regular expression matching code is a simple
implementation which is a subset of full regular expression functionality.
See
.BR deny_file
for details of exactly what regex syntax is supported.
Example: hide_file={*.mp3,.hidden,hide*,h?}

Default: (none)
.TP
.B listen_address
If vsftpd is in standalone mode, the default listen address (of all local
interfaces) may be overridden by this setting. Provide a numeric IP address.

Default: (none)
.TP
.B listen_address6
Like listen_address, but specifies a default listen address for the IPv6
listener (which is used if listen_ipv6 is set). Format is standard IPv6
address format.

Default: (none)
.TP
.B local_root
This option represents a directory which vsftpd will try to change into
after a local (i.e. non-anonymous) login. Failure is silently ignored.

Default: (none)
.TP
.B message_file
This option is the name of the file we look for when a new directory is
entered. The contents are displayed to the remote user. This option is
only relevant if the option
.BR dirmessage_enable
is enabled.

Default: .message
.TP
.B nopriv_user
This is the name of the user that is used by vsftpd when it wants to be
totally unprivileged. Note that this should be a dedicated user, rather
than nobody. The user nobody tends to be used for rather a lot of important
things on most machines.

Default: nobody
.TP
.B pam_service_name
This string is the name of the PAM service vsftpd will use.

Default: ftp
.TP
.B pasv_address
Use this option to override the IP address that vsftpd will advertise in
response to the PASV command. Provide a numeric IP address, unless
.BR pasv_addr_resolve
is enabled, in which case you can provide a hostname which will be DNS
resolved for you at startup.

Default: (none - the address is taken from the incoming connected socket)
.TP
.B rsa_cert_file
This option specifies the location of the RSA certificate to use for SSL
encrypted connections.

Default: /usr/share/ssl/certs/vsftpd.pem
.TP
.B rsa_private_key_file
This option specifies the location of the RSA private key to use for SSL
encrypted connections. If this option is not set, the private key is expected
to be in the same file as the certificate.

Default: (none)
.TP
.B secure_chroot_dir
This option should be the name of a directory which is empty. Also, the
directory should not be writable by the ftp user. This directory is used
as a secure chroot() jail at times vsftpd does not require filesystem access.

Default: /usr/share/empty
.TP
.B ssl_ciphers
This option can be used to select which SSL ciphers vsftpd will allow for
encrypted SSL connections. See the
.BR ciphers
man page for further details. Note that restricting ciphers can be a useful
security precaution as it prevents malicious remote parties forcing a cipher
which they have found problems with.

Default: DES-CBC3-SHA
.TP
.B user_config_dir
This powerful option allows the override of any config option specified in
the manual page, on a per-user basis. Usage is simple, and is best illustrated
with an example. If you set
.BR user_config_dir
to be
.BR /etc/vsftpd_user_conf
and then log on as the user "chris", then vsftpd will apply the settings in
the file
.BR /etc/vsftpd_user_conf/chris
for the duration of the session. The format of this file is as detailed in
this manual page! PLEASE NOTE that not all settings are effective on a
per-user basis. For example, many settings only prior to the user's session
being started. Examples of settings which will not affect any behviour on
a per-user basis include listen_address, banner_file, max_per_ip, max_clients,
xferlog_file, etc.

Default: (none)
.TP
.B user_sub_token
This option is useful is conjunction with virtual users. It is used to
automatically generate a home directory for each virtual user, based on a
template. For example, if the home directory of the real user specified via
.BR guest_username
is
.BR /home/virtual/$USER ,
and
.BR user_sub_token
is set to
.BR $USER ,
then when virtual user fred logs in, he will end up (usually chroot()'ed) in
the directory
.BR /home/virtual/fred .
This option also takes affect if
.BR local_root
contains
.BR user_sub_token .

Default: (none)
.TP
.B userlist_file
This option is the name of the file loaded when the
.BR userlist_enable
option is active.

Default: /etc/vsftpd.user_list
.TP
.B vsftpd_log_file
This option is the name of the file to which we write the vsftpd style
log file. This log is only written if the option
.BR xferlog_enable
is set, and
.BR xferlog_std_format
is NOT set. Alternatively, it is written if you have set the option
.BR dual_log_enable .
One further complication - if you have set
.BR syslog_enable ,
then this file is not written and output is sent to the system log instead.

Default: /var/log/vsftpd.log
.TP
.B xferlog_file
This option is the name of the file to which we write the wu-ftpd style
transfer log. The transfer log is only written if the option
.BR xferlog_enable
is set, along with
.BR xferlog_std_format .
Alternatively, it is written if you have set the option
.BR dual_log_enable .

Default: /var/log/xferlog

.SH AUTHOR
scarybeasts@gmail.com