VSFTPD.CONF(5)                File Formats Manual               VSFTPD.CONF(5)



NAME

       vsftpd.conf - config file for vsftpd


DESCRIPTION

       vsftpd.conf may be used to control various aspects of vsftpd's
       behaviour. By default, vsftpd looks for this file at the location
       /etc/vsftpd/vsftpd.conf. However, you may override this by specifying
       a command line argument to vsftpd. The command line argument is the
       pathname of the configuration file for vsftpd. This behaviour is
       useful because you may wish to use an advanced inetd such as xinetd to
       launch vsftpd with different configuration files on a per virtual host
       basis.

       Systemd changes the vsftpd daemon start-up. The vsftpd package
       contains the vsftpd-generator script, which generates symbolic links
       in the /var/run/systemd/generator/vsftpd.target.wants directory. The
       generator is called during e.g. 'systemctl --system daemon-reload'.
       All of these symbolic links point to the
       /usr/lib/systemd/system/vsftpd@.service file. The vsftpd daemon(s)
       can be controlled in one of the following ways:

       1. Single daemon using the default /etc/vsftpd/vsftpd.conf
       configuration file
       # systemctl {start,stop,...} vsftpd[.service]

       2. Single daemon using /etc/vsftpd/<config-filename>.conf
       # systemctl {start,stop,...} vsftpd@<config-filename-without-extension>[.service]

       3. All instances together
       # systemctl {restart,stop} vsftpd.target

       See systemd.unit(5), systemd.target(5) for further details.

FORMAT

       The format of vsftpd.conf is very simple. Each line is either a
       comment or a directive. Comment lines start with a # and are ignored.
       A directive line has the format:

       option=value

       It is important to note that it is an error to put any space between
       the option, = and value.

       Each setting has a compiled in default which may be modified in the
       configuration file.


BOOLEAN OPTIONS

       Below is a list of boolean options. The value for a boolean option
       may be set to YES or NO.


       allow_anon_ssl
              Only applies if ssl_enable is active. If set to YES, anonymous
              users will be allowed to use secured SSL connections.

              Default: NO

       allow_writeable_chroot
              Allow chroot()'ing a user to a directory writable by that
              user. Note that setting this to YES is potentially dangerous.
              For example, if the user creates an 'etc' directory in the new
              root directory, they could potentially trick the C library into
              loading a user-created configuration file from the /etc/
              directory.

              Default: NO

       better_stou
              Use a better file name generation algorithm for the STOU
              command. The default original algorithm simply adds an
              increasing number suffix to the file name, which is prone to
              race conditions if multiple uploaders use the STOU command with
              the same file name simultaneously, which can result in failure
              of the command. The new algorithm adds a unique random six
              character suffix to the file name, which works much better in
              the face of concurrent uploads.

              Default: NO

       anon_mkdir_write_enable
              If set to YES, anonymous users will be permitted to create new
              directories under certain conditions. For this to work, the
              option write_enable must be activated, and the anonymous ftp
              user must have write permission on the parent directory.

              Default: NO

       anon_other_write_enable
              If set to YES, anonymous users will be permitted to perform
              write operations other than upload and create directory, such
              as deletion and renaming. This is generally not recommended but
              included for completeness.

              Default: NO

       anon_upload_enable
              If set to YES, anonymous users will be permitted to upload
              files under certain conditions. For this to work, the option
              write_enable must be activated, and the anonymous ftp user must
              have write permission on the desired upload locations. This
              setting is also required for virtual users to upload; by
              default, virtual users are treated with anonymous (i.e.
              maximally restricted) privilege.

              Default: NO

       anon_world_readable_only
              When enabled, anonymous users will only be allowed to download
              files which are world readable. This recognises that the ftp
              user may own files, especially in the presence of uploads.

              Default: YES

       anonymous_enable
              Controls whether anonymous logins are permitted or not. If
              enabled, both the usernames ftp and anonymous are recognised as
              anonymous logins.

              Default: YES

       ascii_download_enable
              When enabled, ASCII mode data transfers will be honoured on
              downloads. When disabled, the server will pretend to allow
              ASCII mode but in fact ignore requests to activate it. So the
              client will think the ASCII mode is active and therefore may
              still translate any <CRLF> character sequences in the received
              file. See the following article for a detailed explanation of
              the behaviour: https://access.redhat.com/articles/3250241.

              Turn this option on to have the server actually do ASCII
              mangling on files when in ASCII mode.

              Default: NO

       ascii_upload_enable
              When enabled, ASCII mode data transfers will be honoured on
              uploads. When disabled, the server will pretend to allow ASCII
              mode but in fact ignore requests to activate it. So the client
              will think the ASCII mode is active and will translate native
              line terminators to the standard <CRLF> line terminators for
              transmission, but the server will not do any translation. See
              the following article for a detailed explanation of the
              behaviour: https://access.redhat.com/articles/3250241.

              Turn this option on to have the server actually do ASCII
              mangling on files when in ASCII mode.

              Default: NO

       async_abor_enable
              When enabled, a special FTP command known as "async ABOR" will
              be enabled. Only ill advised FTP clients will use this feature.
              Additionally, this feature is awkward to handle, so it is
              disabled by default. Unfortunately, some FTP clients will hang
              when cancelling a transfer unless this feature is available, so
              you may wish to enable it.

              Default: NO

       background
              When enabled, and vsftpd is started in "listen" mode, vsftpd
              will background the listener process, i.e. control will
              immediately be returned to the shell which launched vsftpd.

              Default: YES

       check_shell
              Note! This option only has an effect for non-PAM builds of
              vsftpd. If disabled, vsftpd will not check /etc/shells for a
              valid user shell for local logins.

              Default: YES

       chmod_enable
              When enabled, allows use of the SITE CHMOD command. NOTE! This
              only applies to local users. Anonymous users never get to use
              SITE CHMOD.

              Default: YES

       chown_uploads
              If enabled, all anonymously uploaded files will have the
              ownership changed to the user specified in the setting
              chown_username. This is useful from an administrative, and
              perhaps security, standpoint.

              Default: NO

       chroot_list_enable
              If activated, you may provide a list of local users who are
              placed in a chroot() jail in their home directory upon login.
              The meaning is slightly different if chroot_local_user is set
              to YES. In this case, the list becomes a list of users which
              are NOT to be placed in a chroot() jail. By default, the file
              containing this list is /etc/vsftpd/chroot_list, but you may
              override this with the chroot_list_file setting.

              Default: NO

       chroot_local_user
              If set to YES, local users will be (by default) placed in a
              chroot() jail in their home directory after login. Warning:
              This option has security implications, especially if the users
              have upload permission, or shell access. Only enable if you
              know what you are doing. Note that these security implications
              are not vsftpd specific. They apply to all FTP daemons which
              offer to put local users in chroot() jails.

              Default: NO

       connect_from_port_20
              This controls whether PORT style data connections use port 20
              (ftp-data) on the server machine. For security reasons, some
              clients may insist that this is the case. Conversely, disabling
              this option enables vsftpd to run with slightly less privilege.

              Default: NO (but the sample config file enables it)

       debug_ssl
              If true, OpenSSL connection diagnostics are dumped to the
              vsftpd log file. (Added in v2.0.6).

              Default: NO

       delete_failed_uploads
              If true, any failed upload files are deleted. (Added in
              v2.0.7).

              Default: NO

       deny_email_enable
              If activated, you may provide a list of anonymous password
              e-mail responses which cause login to be denied. By default,
              the file containing this list is /etc/vsftpd/banned_emails, but
              you may override this with the banned_email_file setting.

              Default: NO

       dirlist_enable
              If set to NO, all directory list commands will give permission
              denied.

              Default: YES

       dirmessage_enable
              If enabled, users of the FTP server can be shown messages when
              they first enter a new directory. By default, a directory is
              scanned for the file .message, but that may be overridden with
              the configuration setting message_file.

              Default: NO (but the sample config file enables it)

       download_enable
              If set to NO, all download requests will give permission
              denied.

              Default: YES

       dual_log_enable
              If enabled, two log files are generated in parallel, going by
              default to /var/log/xferlog and /var/log/vsftpd.log. The former
              is a wu-ftpd style transfer log, parseable by standard tools.
              The latter is vsftpd's own style log.

              Default: NO

       force_dot_files
              If activated, files and directories starting with . will be
              shown in directory listings even if the "a" flag was not used
              by the client. This override excludes the "." and ".." entries.

              Default: NO

       force_anon_data_ssl
              Only applies if ssl_enable is activated. If activated, all
              anonymous logins are forced to use a secure SSL connection in
              order to send and receive data on data connections.

              Default: NO

       force_anon_logins_ssl
              Only applies if ssl_enable is activated. If activated, all
              anonymous logins are forced to use a secure SSL connection in
              order to send the password.

              Default: NO

       force_local_data_ssl
              Only applies if ssl_enable is activated. If activated, all
              non-anonymous logins are forced to use a secure SSL connection
              in order to send and receive data on data connections.

              Default: YES

       force_local_logins_ssl
              Only applies if ssl_enable is activated. If activated, all
              non-anonymous logins are forced to use a secure SSL connection
              in order to send the password.

              Default: YES

       guest_enable
              If enabled, all non-anonymous logins are classed as "guest"
              logins. A guest login is remapped to the user specified in the
              guest_username setting.

              Default: NO

       hide_ids
              If enabled, all user and group information in directory
              listings will be displayed as "ftp".

              Default: NO

       implicit_ssl
              If enabled, an SSL handshake is the first thing expected on all
              connections (the FTPS protocol). To support explicit SSL and/or
              plain text too, a separate vsftpd listener process should be
              run.

              Default: NO

       listen If enabled, vsftpd will run in standalone mode. This means
              that vsftpd must not be run from an inetd of some kind.
              Instead, the vsftpd executable is run once directly. vsftpd
              itself will then take care of listening for and handling
              incoming connections.

              Default: NO

       listen_ipv6
              Like the listen parameter, except vsftpd will listen on an
              IPv6 socket instead of an IPv4 one. Note that a socket
              listening on the IPv6 "any" address (::) will accept both IPv6
              and IPv4 connections by default. This parameter and the listen
              parameter are mutually exclusive.

              Default: NO

       local_enable
              Controls whether local logins are permitted or not. If
              enabled, normal user accounts in /etc/passwd (or wherever your
              PAM config references) may be used to log in. This must be
              enabled for any non-anonymous login to work, including virtual
              users.

              Default: NO

       lock_upload_files
              When enabled, all uploads proceed with a write lock on the
              upload file. All downloads proceed with a shared read lock on
              the download file. WARNING! Before enabling this, be aware that
              malicious readers could starve a writer wanting to e.g. append
              to a file.

              Default: YES

       log_die
              Log an error to syslog when some error condition occurs and
              vsftpd decides to quit. Internally, the error messages given
              to the functions die(), die2() and bug() are passed to syslog.
              Currently this functionality requires waiting for a short
              amount of time (1 second is used) after logging the message and
              before exiting. This is a workaround for the following systemd
              bug: https://github.com/systemd/systemd/issues/2913

              Default: NO

       log_ftp_protocol
              When enabled, all FTP requests and responses are logged,
              providing the option xferlog_std_format is not enabled. Useful
              for debugging.

              Default: NO

       ls_recurse_enable
              When enabled, this setting will allow the use of "ls -R". This
              is a minor security risk, because a ls -R at the top level of
              a large site may consume a lot of resources.

              Default: NO

       mdtm_write
              When enabled, this setting will allow MDTM to set file
              modification times (subject to the usual access checks).

              Default: YES

       no_anon_password
              When enabled, this prevents vsftpd from asking for an
              anonymous password - the anonymous user will log straight in.

              Default: NO

       no_log_lock
              When enabled, this prevents vsftpd from taking a file lock
              when writing to log files. This option should generally not be
              enabled. It exists to work around operating system bugs such as
              the Solaris / Veritas filesystem combination which has been
              observed to sometimes exhibit hangs trying to lock log files.

              Default: NO

       one_process_model
              If you have a Linux 2.4 kernel, it is possible to use a
              different security model which only uses one process per
              connection. It is a less pure security model, but gains you
              performance. You really don't want to enable this unless you
              know what you are doing, and your site supports huge numbers
              of simultaneously connected users.

              Default: NO

       passwd_chroot_enable
              If enabled, along with chroot_local_user, then a chroot() jail
              location may be specified on a per-user basis. Each user's
              jail is derived from their home directory string in
              /etc/passwd. The occurrence of /./ in the home directory
              string denotes that the jail is at that particular location in
              the path.

              Default: NO

       pasv_addr_resolve
              Set to YES if you want to use a hostname (as opposed to IP
              address) in the pasv_address option.

              Default: NO

       pasv_enable
              Set to NO if you want to disallow the PASV method of obtaining
              a data connection.

              Default: YES

       pasv_promiscuous
              Set to YES if you want to disable the PASV security check that
              ensures the data connection originates from the same IP
              address as the control connection. Only enable if you know
              what you are doing! The only legitimate use for this is in
              some form of secure tunnelling scheme, or perhaps to facilitate
              FXP support.

              Default: NO

       port_enable
              Set to NO if you want to disallow the PORT method of obtaining
              a data connection.

              Default: YES

       port_promiscuous
              Set to YES if you want to disable the PORT security check that
              ensures that outgoing data connections can only connect to the
              client. Only enable if you know what you are doing!

              Default: NO

       require_cert
              If set to yes, all SSL client connections are required to
              present a client certificate. The degree of validation applied
              to this certificate is controlled by validate_cert (Added in
              v2.0.6).

              Default: NO

       require_ssl_reuse
              If set to yes, all SSL data connections are required to
              exhibit SSL session reuse (which proves that they know the
              same master secret as the control channel). Although this is a
              secure default, it may break many FTP clients, so you may want
              to disable it. For a discussion of the consequences, see
              http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html
              (Added in v2.1.0).

              Default: YES

       reverse_lookup_enable
              Set to YES if you want vsftpd to transform the IP address into
              the hostname before PAM authentication. This is useful if you
              use pam_access including the hostname. If vsftpd runs in an
              environment where reverse lookup of some addresses is not
              available, or the name server is slow to respond, you should
              set this to NO to avoid the resulting delay at login.

              Default: YES

       run_as_launching_user
              Set to YES if you want vsftpd to run as the user which
              launched vsftpd. This is useful where root access is not
              available. MASSIVE WARNING! Do NOT enable this option unless
              you totally know what you are doing, as naive use of this
              option can create massive security problems. Specifically,
              vsftpd does not / cannot use chroot technology to restrict
              file access when this option is set (even if launched by
              root). A poor substitute could be to use a deny_file setting
              such as {/*,*..*}, but the reliability of this cannot compare
              to chroot, and should not be relied on. If using this option,
              many restrictions on other options apply. For example, options
              requiring privilege such as non-anonymous logins, upload
              ownership changing, connecting from port 20 and listen ports
              less than 1024 are not expected to work. Other options may be
              impacted.

              Default: NO

       secure_email_list_enable
              Set to YES if you want only a specified list of e-mail
              passwords for anonymous logins to be accepted. This is useful
              as a low-hassle way of restricting access to low-security
              content without needing virtual users. When enabled, anonymous
              logins are prevented unless the password provided is listed in
              the file specified by the email_password_file setting. The
              file format is one password per line, no extra whitespace. The
              default filename is /etc/vsftpd/email_passwords.

              Default: NO

       session_support
              This controls whether vsftpd attempts to maintain sessions for
              logins. If vsftpd is maintaining sessions, it will try and
              update utmp and wtmp. It will also open a pam_session if using
              PAM to authenticate, and only close this upon logout. You may
              wish to disable this if you do not need session logging, and
              you wish to give vsftpd more opportunity to run with fewer
              processes and / or less privilege. NOTE - utmp and wtmp
              support is only provided with PAM enabled builds.

              Default: NO

       setproctitle_enable
              If enabled, vsftpd will try and show session status
              information in the system process listing. In other words, the
              reported name of the process will change to reflect what a
              vsftpd session is doing (idle, downloading etc). You probably
              want to leave this off for security purposes.

              Default: NO

       ssl_enable
              If enabled, and vsftpd was compiled against OpenSSL, vsftpd
              will support secure connections via SSL. This applies to the
              control connection (including login) and also data
              connections. You'll need a client with SSL support too.
              NOTE!! Beware enabling this option. Only enable it if you need
              it. vsftpd can make no guarantees about the security of the
              OpenSSL libraries. By enabling this option, you are declaring
              that you trust the security of your installed OpenSSL library.

              Default: NO

       ssl_request_cert
              If enabled, vsftpd will request (but not necessarily require;
              see require_cert) a certificate on incoming SSL connections.
              Normally this should not cause any trouble at all, but IBM zOS
              seems to have issues. (New in v2.0.7).

              Default: YES

       ssl_sslv2
              Only applies if ssl_enable is activated. If enabled, this
              option will permit SSL v2 protocol connections. TLS v1.2
              connections are preferred.

              Default: NO

       ssl_sslv3
              Only applies if ssl_enable is activated. If enabled, this
              option will permit SSL v3 protocol connections. TLS v1.2
              connections are preferred.

              Default: NO

       ssl_tlsv1
              Only applies if ssl_enable is activated. If enabled, this
              option will permit TLS v1 protocol connections. TLS v1.2
              connections are preferred.

              Default: NO

       ssl_tlsv1_1
              Only applies if ssl_enable is activated. If enabled, this
              option will permit TLS v1.1 protocol connections. TLS v1.2
              connections are preferred.

              Default: NO

       ssl_tlsv1_2
              Only applies if ssl_enable is activated. If enabled, this
              option will permit TLS v1.2 protocol connections. TLS v1.2
              connections are preferred.

              Default: YES

       strict_ssl_read_eof
              If enabled, SSL data uploads are required to terminate via
              SSL, not an EOF on the socket. This option is required to be
              sure that an attacker did not terminate an upload prematurely
              with a faked TCP FIN. (New in v2.0.7).

              Default: YES

       strict_ssl_write_shutdown
              If enabled, SSL data downloads are required to terminate via
              SSL, not an EOF on the socket. This is off by default as I was
              unable to find a single FTP client that does this. It is minor.
              All it affects is our ability to tell whether the client
              confirmed full receipt of the file. Even without this option,
              the client is able to check the integrity of the download.
              (New in v2.0.7).

              Default: NO

       syslog_enable
              If enabled, then any log output which would have gone to
              /var/log/vsftpd.log goes to the system log instead. Logging is
              done under the FTPD facility.

              Default: NO

       tcp_wrappers
              If enabled, and vsftpd was compiled with tcp_wrappers support,
              incoming connections will be fed through tcp_wrappers access
              control. Furthermore, there is a mechanism for per-IP based
              configuration. If tcp_wrappers sets the VSFTPD_LOAD_CONF
              environment variable, then the vsftpd session will try and
              load the vsftpd configuration file specified in this variable.

              Default: NO

       text_userdb_names
              By default, numeric IDs are shown in the user and group fields
              of directory listings. You can get textual names by enabling
              this parameter. It is off by default for performance reasons.
              Note that textual names are not guaranteed when
              chroot_local_user is set to YES.

              Default: NO

       tilde_user_enable
              If enabled, vsftpd will try and resolve pathnames such as
              ~chris/pics, i.e. a tilde followed by a username. Note that
              vsftpd will always resolve the pathnames ~ and ~/something (in
              this case the ~ resolves to the initial login directory). Note
              that ~user paths will only resolve if the file /etc/passwd may
              be found within the _current_ chroot() jail.

              Default: NO

       use_localtime
              If enabled, vsftpd will display directory listings with the
              time in your local time zone. The default is to display GMT.
              The times returned by the MDTM FTP command are also affected
              by this option.

              Default: NO

       use_sendfile
              An internal setting used for testing the relative benefit of
              using the sendfile() system call on your platform.

              Default: YES

       userlist_deny
              This option is examined if userlist_enable is activated. If
              you set this setting to NO, then users will be denied login
              unless they are explicitly listed in the file specified by
              userlist_file. When login is denied, the denial is issued
              before the user is asked for a password.

              Default: YES

       userlist_enable
              If enabled, vsftpd will load a list of usernames, from the
              filename given by userlist_file. If a user tries to log in
              using a name in this file, they will be denied before they are
              asked for a password. This may be useful in preventing
              cleartext passwords being transmitted. See also userlist_deny.

              Default: NO

       validate_cert
              If set to yes, all SSL client certificates received must
              validate OK. Self-signed certs do not constitute OK validation.
              (New in v2.0.6).

              Default: NO

       userlist_log
              This option is examined if userlist_enable is activated. If
              enabled, every login denial based on the user list will be
              logged.

              Default: NO

       virtual_use_local_privs
              If enabled, virtual users will use the same privileges as
              local users. By default, virtual users will use the same
              privileges as anonymous users, which tends to be more
              restrictive (especially in terms of write access).

              Default: NO

700       write_enable
701              This controls whether any FTP commands which change the filesys‐
702              tem are allowed or not. These commands are:  STOR,  DELE,  RNFR,
703              RNTO, MKD, RMD, APPE and SITE.
704
705              Default: NO
706
707       xferlog_enable
708              If enabled, a log file will be maintained detailing uploads and
709              downloads.  By default, this file will be placed at
710              /var/log/vsftpd.log, but this location may be overridden using
711              the configuration setting vsftpd_log_file.
712
713              Default: NO (but the sample config file enables it)
714
715       xferlog_std_format
716              If enabled, the transfer log file will be  written  in  standard
717              xferlog  format,  as used by wu-ftpd. This is useful because you
718              can reuse existing transfer statistics generators.  The  default
719              format  is more readable, however. The default location for this
720              style of log file is /var/log/xferlog, but  you  may  change  it
721              with the setting xferlog_file.
722
723              Default: NO
724
725       isolate_network
726              If enabled, use CLONE_NEWNET to isolate the untrusted processes
727              so that they cannot make arbitrary connect() calls and instead
728              have to ask the privileged process for sockets (port_promiscuous
729              must be disabled).
730
731              Default: YES
732
733       isolate
734              If enabled, use CLONE_NEWPID and CLONE_NEWIPC to isolate
735              processes into their own PID and IPC namespaces, so that the
736              separated processes cannot interact with each other.
737
738              Default: YES
739
740       wc_logs_enable
741              If enabled, logs will be treated as wide-character  strings  and
742              not  just ASCII strings when filtering out non-printable charac‐
743              ters.
744
745              Default: NO
746
747

NUMERIC OPTIONS

749       Below is a list of numeric options. A numeric option must be set to a
750       non-negative integer. Octal numbers are supported, for convenience of
751       the umask options. To specify an octal number, use 0 as the first digit
752       of the number.
753
754
755       accept_timeout
756              The  timeout,  in seconds, for a remote client to establish con‐
757              nection with a PASV style data connection.
758
759              Default: 60
760
761       anon_max_rate
762              The maximum data transfer rate permitted, in bytes  per  second,
763              for anonymous clients.
764
765              Default: 0 (unlimited)
766
767       anon_umask
768              The  value that the umask for file creation is set to for anony‐
769              mous users. NOTE! If you want to specify octal values,  remember
770              the  "0" prefix otherwise the value will be treated as a base 10
771              integer!
772
773              Default: 077
774
775       bind_retries
776              Maximum number of attempts to find a free listening port in pas‐
777              sive mode.
778
779              Default: 9
780
781       chown_upload_mode
782              The  file  mode to force for chown()ed anonymous uploads. (Added
783              in v2.0.6).
784
785              Default: 0600
786
787       connect_timeout
788              The timeout, in seconds, for a remote client to respond  to  our
789              PORT style data connection.
790
791              Default: 60
792
793       data_connection_timeout
794              The  timeout,  in  seconds, which is roughly the maximum time we
795              permit data transfers to stall for  with  no  progress.  If  the
796              timeout triggers, the remote client is kicked off.
797
798              Default: 300
799
800       delay_failed_login
801              The  number  of seconds to pause prior to reporting a failed lo‐
802              gin.
803
804              Default: 1
805
806       delay_successful_login
807              The number of seconds to pause prior to  allowing  a  successful
808              login.
809
810              Default: 0
811
812       file_open_mode
813              The  permissions  with  which uploaded files are created. Umasks
814              are applied on top of this value. You may wish to change to 0777
815              if you want uploaded files to be executable.
816
817              Default: 0666
818
819       ftp_data_port
820              The port from which PORT style connections originate (as long as
821              the poorly named connect_from_port_20 is enabled).
822
823              Default: 20
824
825       idle_session_timeout
826              The timeout, in seconds, which is  the  maximum  time  a  remote
827              client  may spend between FTP commands. If the timeout triggers,
828              the remote client is kicked off.
829
830              Default: 300
831
832       listen_port
833              If vsftpd is in standalone mode, this is the port it will listen
834              on for incoming FTP connections.
835
836              Default: 21
837
838       local_max_rate
839              The  maximum  data transfer rate permitted, in bytes per second,
840              for local authenticated users.
841
842              Default: 0 (unlimited)
843
844       local_umask
845              The value that the umask for file creation is set to  for  local
846              users.  NOTE!  If you want to specify octal values, remember the
847              "0" prefix otherwise the value will be treated as a base 10  in‐
848              teger!
849
850              Default: 077
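
              The numeric-option rule above (a leading 0 selects octal) and the
              two umask options together decide the permission bits a fresh
              upload ends up with. The following Python is an added example and
              is not part of vsftpd or of this manual page: it parses
              option=value lines as the FORMAT section describes, applies the
              octal rule, computes the resulting upload mode, and reports what
              happens when the 0 prefix is forgotten. SAMPLE_CONF is a
              constructed fragment, and parse_conf, parse_numeric,
              effective_mode and lint_umask are the example's own names.

```python
import stat

# Constructed vsftpd.conf fragment for this example (not from the manual).
# anon_umask=77 is the mistake the NOTE warns about: no leading 0.
SAMPLE_CONF = """\
# upload permissions
write_enable=YES
file_open_mode=0666
local_umask=077
anon_umask=77
"""


def parse_conf(text):
    """Read option=value lines as the FORMAT section describes: lines
    starting with # are comments, and spaces around '=' are an error."""
    opts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("not an option=value line: %r" % line)
        key, value = line.split("=", 1)
        if key != key.strip() or value != value.strip():
            raise ValueError("no spaces allowed around '=': %r" % line)
        opts[key] = value
    return opts


def parse_numeric(value):
    """Numeric options are non-negative integers; a leading 0 selects
    octal, anything else is read as base 10."""
    if not value.isdigit():
        raise ValueError("numeric option must be a non-negative integer: %r" % value)
    return int(value, 8) if value.startswith("0") else int(value, 10)


def effective_mode(opts, user_kind):
    """Permission bits of a new upload: file_open_mode with the umask for
    the user class (local_umask or anon_umask) masked out."""
    open_mode = parse_numeric(opts.get("file_open_mode", "0666"))
    umask_key = "local_umask" if user_kind == "local" else "anon_umask"
    umask = parse_numeric(opts.get(umask_key, "077"))
    return open_mode & ~umask & 0o777


def lint_umask(opts):
    """Flag umask values written without the 0 prefix: they are parsed as
    decimal and the resulting bits are rarely what was intended."""
    findings = []
    for key in ("local_umask", "anon_umask"):
        value = opts.get(key)
        if value is not None and value.isdigit() and not value.startswith("0"):
            as_dec = int(value, 10)
            findings.append("%s=%s is decimal %d, i.e. octal 0%o, not 0%s"
                            % (key, value, as_dec, as_dec, value))
    return findings


if __name__ == "__main__":
    opts = parse_conf(SAMPLE_CONF)
    for kind in ("local", "anon"):
        mode = effective_mode(opts, kind)
        print("%-5s upload mode: %04o %s"
              % (kind, mode, stat.filemode(stat.S_IFREG | mode)))
    for finding in lint_umask(opts):
        print("WARNING:", finding)
```

              With the sample fragment, local uploads are created 0600 as
              intended, while anonymous uploads come out 0662 (rw-rw--w-),
              because 77 is read as decimal and equals octal 0115; the lint
              function catches exactly that class of mistake before the
              server is started.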
851
852       max_clients
853              If  vsftpd  is in standalone mode, this is the maximum number of
854              clients which may be connected. Any additional clients  connect‐
855              ing  will  get  an  error message.  The value 0 switches off the
856              limit.
857
858              Default: 2000
859
860       max_login_fails
861              After this many login failures, the session is killed.
862
863              Default: 3
864
865       max_per_ip
866              If vsftpd is in standalone mode, this is the maximum  number  of
867              clients which may be connected from the same source internet ad‐
868              dress. A client will get an error message if they go  over  this
869              limit. The value 0 switches off the limit.
870
871              Default: 50
872
873       pasv_max_port
874              The  maximum  port  to allocate for PASV style data connections.
875              Can be used to specify a  narrow  port  range  to  assist  fire‐
876              walling.
877
878              Default: 0 (use any port)
879
880       pasv_min_port
881              The  minimum  port  to allocate for PASV style data connections.
882              Can be used to specify a  narrow  port  range  to  assist  fire‐
883              walling.
884
885              Default: 0 (use any port)
886
887       trans_chunk_size
888              You  probably  don't  want to change this, but try setting it to
889              something like 8192 for a much smoother bandwidth limiter.
890
891              Default: 0 (let vsftpd pick a sensible setting)
892
893

STRING OPTIONS

895       Below is a list of string options.
896
897
898       anon_root
899              This option represents a directory  which  vsftpd  will  try  to
900              change  into  after  an anonymous login. Failure is silently ig‐
901              nored.
902
903              Default: (none)
904
905       banned_email_file
906              This option is the name of a file containing a list of anonymous
907              e-mail passwords which are not permitted. This file is consulted
908              if the option deny_email_enable is enabled.
909
910              Default: /etc/vsftpd/banned_emails
911
912       banner_file
913              This option is the name of a file  containing  text  to  display
914              when  someone  connects  to the server. If set, it overrides the
915              banner string provided by the ftpd_banner option.
916
917              Default: (none)
918
919       ca_certs_file
920              This option is the name of a file to load Certificate  Authority
921              certs  from,  for  the  purpose  of validating client certs. The
922              loaded certs are also advertised to the  client,  to  cater  for
923              TLSv1.0  clients  such as the z/OS FTP client.  Regrettably, the
924              default SSL CA cert paths are not used, because of vsftpd's  use
925              of restricted filesystem spaces (chroot). (Added in v2.0.6).
926
927              Default: (none)
928
929       chown_username
930              This  is  the  name of the user who is given ownership of anony‐
931              mously uploaded files. This option is only relevant  if  another
932              option, chown_uploads, is set.
933
934              Default: root
935
936       chroot_list_file
937              The  option  is  the  name  of a file containing a list of local
938              users which will be placed in a chroot() jail in their home  di‐
939              rectory.  This  option  is  only  relevant  if  the  option  ch‐
940              root_list_enable is enabled. If the option chroot_local_user  is
941              enabled, then the list file becomes a list of users to NOT place
942              in a chroot() jail.
943
944              Default: /etc/vsftpd/vsftpd.chroot_list
945
946       cmds_allowed
947              This option specifies a comma-separated list of allowed FTP
948              commands (post-login; USER, PASS, QUIT and others are always
949              allowed pre-login). Other commands are rejected. This is a
950              powerful method of really locking down an FTP server. Example:
951              cmds_allowed=PASV,RETR,QUIT
952
953              Default: (none)
954
955       cmds_denied
956              This option specifies a comma-separated list of denied FTP
957              commands (post-login; USER, PASS, QUIT and others are always
958              allowed pre-login). If a command appears on both this and
959              cmds_allowed then the denial takes precedence. (Added in v2.1.0).
960
961              Default: (none)
962
963       deny_file
964              This option can be used to set a pattern for filenames (and
965              directory names etc.) which should not be accessible in any
966              way. The affected items are not hidden, but any attempt to do
967              anything to them (download, change into directory, affect
968              something within the directory etc.) will be denied. This
969              option is very simple, and should not be used for serious
970              access control; the filesystem's permissions should be used in
971              preference. However, this option may be useful in certain
972              virtual user setups. In particular, be aware that if a file is
973              accessible by a variety of names (perhaps due to symbolic links
974              or hard links), then care must be taken to deny access to all
975              of the names. Access will be denied to items if their name
976              contains the string given by deny_file, or if they match the
977              regular expression specified by deny_file. Note that vsftpd's
978              regular expression matching code is a simple implementation
979              which is a subset of full regular expression functionality.
980              Because of this, you will need to carefully and exhaustively
981              test any application of this option, and you are recommended to
982              use filesystem permissions for any important security policies
983              due to their greater reliability. Supported regex syntax is any
984              number of *, ? and unnested {,} operators. Regex matching is
985              only supported on the last component of a path, e.g. a/b/? is
986              supported but a/?/c is not. Example: deny_file={*.mp3,*.mov,.private}
987
988              Default: (none)
989
990       dsa_cert_file
991              This option specifies the location of the DSA certificate to use
992              for SSL encrypted connections.
993
994              Default: (none - an RSA certificate suffices)
995
996       dsa_private_key_file
997              This option specifies the location of the DSA private key to use
998              for  SSL  encrypted  connections. If this option is not set, the
999              private key is expected to be in the same file as  the  certifi‐
1000              cate.
1001
1002              Default: (none)
1003
1004       dh_param_file
1005              This option specifies the location of the custom parameters used
1006              for ephemeral Diffie-Hellman key exchange in SSL.
1007
1008              Default: (none - use built in parameters  appropriate  for  cer‐
1009              tificate key size)
1010
1011       ecdh_param_file
1012              This  option  specifies  the  location  of custom parameters for
1013              ephemeral Elliptic Curve Diffie-Hellman (ECDH) key exchange.
1014
1015              Default: (none -  use  built  in  parameters,  NIST  P-256  with
1016              OpenSSL  1.0.1  and automatically selected curve based on client
1017              preferences with OpenSSL 1.0.2 and later)
1018
1019       email_password_file
1020              This option can be used to provide an alternate file  for  usage
1021              by the secure_email_list_enable setting.
1022
1023              Default: /etc/vsftpd/email_passwords
1024
1025       ftp_username
1026              This  is the name of the user we use for handling anonymous FTP.
1027              The home directory of this user is the root of the anonymous FTP
1028              area.
1029
1030              Default: ftp
1031
1032       ftpd_banner
1033              This  string  option  allows you to override the greeting banner
1034              displayed by vsftpd when a connection first comes in.
1035
1036              Default: (none - default vsftpd banner is displayed)
1037
1038       guest_username
1039              See the boolean setting guest_enable for a description  of  what
1040              constitutes  a  guest  login.  This setting is the real username
1041              which guest users are mapped to.
1042
1043              Default: ftp
1044
1045       hide_file
1046              This option can be used to set a pattern for filenames (and  di‐
1047              rectory  names etc.) which should be hidden from directory list‐
1048              ings. Despite being hidden, the files  /  directories  etc.  are
1049              fully accessible to clients who know what names to actually use.
1050              Items will be hidden if their names contain the string given  by
1051              hide_file,  or if they match the regular expression specified by
1052              hide_file. Note that vsftpd's regular expression  matching  code
1053              is a simple implementation which is a subset of full regular ex‐
1054              pression functionality.  See deny_file for  details  of  exactly
1055              what regex syntax is supported.  Example: hide_file={*.mp3,.hid‐
1056              den,hide*,h?}
1057
1058              Default: (none)
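
              Because hide_file reuses the deny_file matching rules, a single
              matcher illustrates both entries. The Python below is an added
              example and not vsftpd's own code: it models the matcher as the
              two entries describe it (substring match, then * and ? and
              unnested {,} on the last path component only) and shows the
              alias gap the deny_file entry warns about. expand_braces,
              glob_match, name_matches and unguarded_aliases are the example's
              own names, and treating a brace group in the middle of a pattern
              as alternation of prefix+alternative+suffix is this example's
              reading of "unnested {,} operators", not a statement about
              vsftpd's implementation.

```python
def expand_braces(pattern):
    """Expand unnested {a,b,c} groups into a list of plain patterns.
    {*.mp3,.private} -> ['*.mp3', '.private']; nesting is rejected."""
    start = pattern.find("{")
    if start == -1:
        return [pattern]
    end = pattern.find("}", start)
    if end == -1 or "{" in pattern[start + 1:end]:
        raise ValueError("nested or unclosed brace group: %r" % pattern)
    prefix, body, suffix = pattern[:start], pattern[start + 1:end], pattern[end + 1:]
    return [prefix + alt + rest
            for alt in body.split(",")
            for rest in expand_braces(suffix)]


def glob_match(pattern, name):
    """Match '*' (any run of characters) and '?' (exactly one character)
    against the whole of name; everything else is literal."""
    p = n = 0
    star = -1          # index of the last '*' seen, for backtracking
    star_n = 0         # name index that '*' currently covers up to
    while n < len(name):
        if p < len(pattern) and (pattern[p] == "?" or pattern[p] == name[n]):
            p += 1
            n += 1
        elif p < len(pattern) and pattern[p] == "*":
            star, star_n, p = p, n, p + 1
        elif star != -1:
            star_n += 1
            n, p = star_n, star + 1
        else:
            return False
    while p < len(pattern) and pattern[p] == "*":
        p += 1
    return p == len(pattern)


def name_matches(pattern, path):
    """True if path is caught by a deny_file/hide_file value: the last
    component contains the literal pattern, or matches it as a glob.
    Wildcards are only honoured in the last component (a/b/? works,
    a/?/c is an error), mirroring the manual's restriction."""
    path_dir, _, path_last = path.rpartition("/")
    for alt in expand_braces(pattern):
        pat_dir, _, pat_last = alt.rpartition("/")
        if any(c in pat_dir for c in "*?"):
            raise ValueError("wildcards only work in the last path component: %r" % alt)
        if pat_dir and pat_dir != path_dir:
            continue
        has_wildcard = any(c in pat_last for c in "*?")
        if (not has_wildcard and pat_last in path_last) or glob_match(pat_last, path_last):
            return True
    return False


def unguarded_aliases(pattern, names):
    """Given every name a file is reachable by (symlinks, hard links),
    return the ones the pattern does not cover: these must be denied too."""
    return [n for n in names if not name_matches(pattern, n)]


if __name__ == "__main__":
    deny = "{*.mp3,*.mov,.private}"
    for candidate in ("music/song.mp3", ".private", "docs/.private.bak", "song.mp4"):
        verdict = "denied" if name_matches(deny, candidate) else "allowed"
        print("%-20s %s" % (candidate, verdict))
    # Constructed alias set: the same file also reachable through a symlink.
    print("still reachable via:",
          unguarded_aliases("secrets.txt", ["secrets.txt", "pub/latest-dump"]))
```

              The last call is the point of the caveat in the deny_file entry:
              a pattern written for one name says nothing about a symlink or
              hard link to the same data, so every alias has to be listed, or
              the filesystem permissions have to carry the policy instead.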
1059
1060       listen_address
1061              If vsftpd is in standalone mode, the default listen address  (of
1062              all local interfaces) may be overridden by this setting. Provide
1063              a numeric IP address.
1064
1065              Default: (none)
1066
1067       listen_address6
1068              Like listen_address, but specifies a default listen address  for
1069              the  IPv6 listener (which is used if listen_ipv6 is set). Format
1070              is standard IPv6 address format.
1071
1072              Default: (none)
1073
1074       local_root
1075              This option represents a directory  which  vsftpd  will  try  to
1076              change into after a local (i.e. non-anonymous) login. Failure is
1077              silently ignored.
1078
1079              Default: (none)
1080
1081       message_file
1082              This option is the name of the file we look for when a  new  di‐
1083              rectory  is  entered.  The  contents are displayed to the remote
1084              user. This option is only relevant if the option  dirmessage_en‐
1085              able is enabled.
1086
1087              Default: .message
1088
1089       nopriv_user
1090              This  is  the  name  of  the user that is used by vsftpd when it
1091              wants to be totally unprivileged. Note that  this  should  be  a
1092              dedicated  user, rather than nobody. The user nobody tends to be
1093              used for rather a lot of important things on most machines.
1094
1095              Default: nobody
1096
1097       pam_service_name
1098              This string is the name of the PAM service vsftpd will use.
1099
1100              Default: ftp
1101
1102       pasv_address
1103              Use this option to override the IP address that vsftpd will  ad‐
1104              vertise  in  response  to the PASV command. Provide a numeric IP
1105              address, unless pasv_addr_resolve is enabled, in which case  you
1106              can  provide  a  hostname  which will be DNS resolved for you at
1107              startup.
1108
1109              Default: (none - the address is taken  from  the  incoming  con‐
1110              nected socket)
1111
1112       rsa_cert_file
1113              This option specifies the location of the RSA certificate to use
1114              for SSL encrypted connections.
1115
1116              Default: /usr/share/ssl/certs/vsftpd.pem
1117
1118       rsa_private_key_file
1119              This option specifies the location of the RSA private key to use
1120              for  SSL  encrypted  connections. If this option is not set, the
1121              private key is expected to be in the same file as  the  certifi‐
1122              cate.
1123
1124              Default: (none)
1125
1126       secure_chroot_dir
1127              This  option  should  be the name of a directory which is empty.
1128              Also, the directory should not be writable by the ftp user. This
1129              directory is used as a secure chroot() jail at times vsftpd does
1130              not require filesystem access.
1131
1132              Default: /usr/share/empty
1133
1134       ssl_ciphers
1135              This option can be used to select which SSL ciphers vsftpd  will
1136              allow  for  encrypted  SSL connections. See the ciphers man page
1137              for further details. Note that restricting ciphers can be a use‐
1138              ful  security precaution as it prevents malicious remote parties
1139              forcing a cipher which they have found problems with.
1140
1141              By default, the system-wide crypto policy is used.  See  update-
1142              crypto-policies(8) for further details.
1143
1144              Default: PROFILE=SYSTEM
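
              To see which ciphers a candidate ssl_ciphers value actually
              enables before it goes into vsftpd.conf, the string can be fed to
              the OpenSSL cipher-list parser through Python's ssl module, which
              is built on the same OpenSSL library vsftpd links against. This
              is an added example, not vsftpd's code: cipher_names,
              is_valid_cipher_spec and flagged_ciphers are the example's own
              names, FLAGGED_MARKERS is the example's own list of cipher-name
              fragments an FTP server has no reason to offer, HARDENED_SPEC is
              a constructed value, and a PROFILE=SYSTEM value is only
              meaningful on systems whose OpenSSL honours crypto-policies, so
              the check passes it through untested.

```python
import ssl

# Cipher-name fragments this example flags (its own list; not a claim about
# what vsftpd or OpenSSL classify as weak).
FLAGGED_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH", "PSK", "SRP")

# Constructed hardened value for comparison with OpenSSL's DEFAULT list.
HARDENED_SPEC = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP"


def cipher_names(spec):
    """Ciphers (TLS 1.2 and earlier) an ssl_ciphers value selects, in
    OpenSSL's preference order, as the local OpenSSL build parses it.
    Raises ssl.SSLError when the string selects nothing at all.
    TLS 1.3 suites are configured separately and may be listed regardless."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


def is_valid_cipher_spec(spec):
    """False if OpenSSL rejects the string (typo, or nothing selected)."""
    if spec.startswith("PROFILE="):
        return True   # crypto-policies profile; only the system OpenSSL can judge it
    try:
        cipher_names(spec)
    except ssl.SSLError:
        return False
    return True


def flagged_ciphers(spec):
    """Ciphers selected by spec whose name carries a FLAGGED_MARKERS fragment."""
    return [n for n in cipher_names(spec) if any(m in n for m in FLAGGED_MARKERS)]


if __name__ == "__main__":
    for spec in ("DEFAULT", HARDENED_SPEC, "NOTACIPHER"):
        if not is_valid_cipher_spec(spec):
            print("%-45s rejected by OpenSSL (no cipher selected)" % spec)
            continue
        print("%-45s %d ciphers, %d flagged: %s"
              % (spec, len(cipher_names(spec)), len(flagged_ciphers(spec)),
                 ", ".join(flagged_ciphers(spec)) or "none"))
```

              The output depends on the OpenSSL build and its security level,
              which is exactly why the check is worth running on the host
              that will serve FTP rather than on a workstation.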
1145
1146       ssl_sni_hostname
1147              If set, SSL connections will be rejected unless the SNI hostname
1148              in the incoming handshakes matches this value.
1149
1150              Default: (none)
1151
1152       user_config_dir
1153              This powerful option allows the override of any config option
1154              specified in the manual page, on a per-user basis. Usage is
1155              simple, and is best illustrated with an example. If you set
1156              user_config_dir to be /etc/vsftpd/user_conf and then log on as
1157              the user "chris", then vsftpd will apply the settings in the
1158              file /etc/vsftpd/user_conf/chris for the duration of the
1159              session. The format of this file is as detailed in this manual
1160              page! PLEASE NOTE that not all settings are effective on a
1161              per-user basis. For example, many settings take effect only
1162              prior to the user's session being started. Examples of settings
1163              which will not affect any behaviour on a per-user basis include
1164              listen_address, banner_file, max_per_ip, max_clients,
                  xferlog_file, etc.
1165
1166              Default: (none)
1167
1168       user_sub_token
1169              This option is useful in conjunction with virtual users. It is
1170              used to automatically generate a home directory for each
1171              virtual user, based on a template. For example, if the home
1172              directory of the real user specified via guest_username is
1173              /home/virtual/$USER, and user_sub_token is set to $USER, then
1174              when virtual user fred logs in, he will end up (usually
1175              chroot()'ed) in the directory /home/virtual/fred. This option
1176              also takes effect if local_root contains user_sub_token.
1177
1178              Default: (none)
1179
1180       userlist_file
1181              This option is the name of the file loaded when the userlist_en‐
1182              able option is active.
1183
1184              Default: /etc/vsftpd/user_list
1185
1186       vsftpd_log_file
1187              This option is the name of the file to which we write the vsftpd
1188              style log file. This log is only written  if  the  option  xfer‐
1189              log_enable  is  set, and xferlog_std_format is NOT set. Alterna‐
1190              tively, it is written if you have set  the  option  dual_log_en‐
1191              able.  One further complication - if you have set syslog_enable,
1192              then this file is not written and output is sent to  the  system
1193              log instead.
1194
1195              Default: /var/log/vsftpd.log
1196
1197       xferlog_file
1198              This  option  is  the name of the file to which we write the wu-
1199              ftpd style transfer log. The transfer log is only written if the
1200              option  xferlog_enable  is  set,  along with xferlog_std_format.
1201              Alternatively,  it  is  written  if  you  have  set  the  option
1202              dual_log_enable.
1203
1204              Default: /var/log/xferlog
1205
1206

AUTHOR

1208       scarybeasts@gmail.com
1209
1210
1211
1212
1213                                                                VSFTPD.CONF(5)