VSFTPD.CONF(5)                    File Formats Manual                    VSFTPD.CONF(5)

NAME
       vsftpd.conf - config file for vsftpd

DESCRIPTION
       vsftpd.conf may be used to control various aspects of vsftpd's behaviour. By default, vsftpd looks for this file at the location /etc/vsftpd/vsftpd.conf. However, you may override this by specifying a command line argument to vsftpd. The command line argument is the pathname of the configuration file for vsftpd. This behaviour is useful because you may wish to use an advanced inetd such as xinetd to launch vsftpd with different configuration files on a per virtual host basis.

       Systemd changes the vsftpd daemon start-up. The vsftpd package contains a vsftpd-generator script which generates symbolic links in the /var/run/systemd/generator/vsftpd.target.wants directory. The generator is called during e.g. 'systemctl --system daemon-reload'. All these symbolic links point to the /usr/lib/systemd/system/vsftpd@.service file. The vsftpd daemon(s) are controlled in one of the following ways:

       1. Single daemon using the default /etc/vsftpd/vsftpd.conf configuration file
          # systemctl {start,stop,...} vsftpd[.service]

       2. Single daemon using /etc/vsftpd/<config-filename>.conf
          # systemctl {start,stop,...} vsftpd@<config-filename-without-extension>[.service]

       3. All instances together
          # systemctl {restart,stop} vsftpd.target

       See systemd.unit(5), systemd.target(5) for further details.

FORMAT
       The format of vsftpd.conf is very simple. Each line is either a comment or a directive. Comment lines start with a # and are ignored. A directive line has the format:

       option=value

       It is important to note that it is an error to put any space between the option, = and value.

       Each setting has a compiled in default which may be modified in the configuration file.

BOOLEAN OPTIONS
       Below is a list of boolean options. The value for a boolean option may be set to YES or NO.

       allow_anon_ssl
              Only applies if ssl_enable is active. If set to YES, anonymous users will be allowed to use secured SSL connections.

              Default: NO

       allow_writeable_chroot
              Allow chroot()'ing a user to a directory writable by that user. Note that setting this to YES is potentially dangerous. For example, if the user creates an 'etc' directory in the new root directory, they could potentially trick the C library into loading a user-created configuration file from the /etc/ directory.

              Default: NO

       better_stou
              Use a better file name generation algorithm for the STOU command. The default original algorithm simply adds an increasing number suffix to the file name, which is prone to race conditions if multiple uploaders use the STOU command with the same file name simultaneously, which can result in failure of the command. The new algorithm adds a unique random six character suffix to the file name, which works much better in the face of concurrent uploads.

              Default: NO

       anon_mkdir_write_enable
              If set to YES, anonymous users will be permitted to create new directories under certain conditions. For this to work, the option write_enable must be activated, and the anonymous ftp user must have write permission on the parent directory.

              Default: NO

       anon_other_write_enable
              If set to YES, anonymous users will be permitted to perform write operations other than upload and create directory, such as deletion and renaming. This is generally not recommended but included for completeness.

              Default: NO

       anon_upload_enable
              If set to YES, anonymous users will be permitted to upload files under certain conditions. For this to work, the option write_enable must be activated, and the anonymous ftp user must have write permission on desired upload locations. This setting is also required for virtual users to upload; by default, virtual users are treated with anonymous (i.e. maximally restricted) privilege.

              Default: NO

       anon_world_readable_only
              When enabled, anonymous users will only be allowed to download files which are world readable. This is recognising that the ftp user may own files, especially in the presence of uploads.

              Default: YES

       anonymous_enable
              Controls whether anonymous logins are permitted or not. If enabled, both the usernames ftp and anonymous are recognised as anonymous logins.

              Default: YES

       ascii_download_enable
              When enabled, ASCII mode data transfers will be honoured on downloads. When disabled, the server will pretend to allow ASCII mode but in fact ignore requests to activate it. So the client will think the ASCII mode is active and therefore may still translate any <CRLF> character sequences in the received file. See the following article for a detailed explanation of the behaviour: https://access.redhat.com/articles/3250241.

              Turn this option on to have the server actually do ASCII mangling on files when in ASCII mode.

              Default: NO

       ascii_upload_enable
              When enabled, ASCII mode data transfers will be honoured on uploads. When disabled, the server will pretend to allow ASCII mode but in fact ignore requests to activate it. So the client will think the ASCII mode is active and will translate native line terminators to the standard <CRLF> line terminators for transmission, but the server will not do any translation. See the following article for a detailed explanation of the behaviour: https://access.redhat.com/articles/3250241.

              Turn this option on to have the server actually do ASCII mangling on files when in ASCII mode.

              Default: NO

       async_abor_enable
              When enabled, a special FTP command known as "async ABOR" will be enabled. Only ill advised FTP clients will use this feature. Additionally, this feature is awkward to handle, so it is disabled by default. Unfortunately, some FTP clients will hang when cancelling a transfer unless this feature is available, so you may wish to enable it.

              Default: NO

       background
              When enabled, and vsftpd is started in "listen" mode, vsftpd will background the listener process, i.e. control will immediately be returned to the shell which launched vsftpd.

              Default: YES

       check_shell
              Note! This option only has an effect for non-PAM builds of vsftpd. If disabled, vsftpd will not check /etc/shells for a valid user shell for local logins.

              Default: YES

       chmod_enable
              When enabled, allows use of the SITE CHMOD command. NOTE! This only applies to local users. Anonymous users never get to use SITE CHMOD.

              Default: YES

       chown_uploads
              If enabled, all anonymously uploaded files will have the ownership changed to the user specified in the setting chown_username. This is useful from an administrative, and perhaps security, standpoint.

              Default: NO

       chroot_list_enable
              If activated, you may provide a list of local users who are placed in a chroot() jail in their home directory upon login. The meaning is slightly different if chroot_local_user is set to YES. In this case, the list becomes a list of users which are NOT to be placed in a chroot() jail. By default, the file containing this list is /etc/vsftpd/chroot_list, but you may override this with the chroot_list_file setting.

              Default: NO

       chroot_local_user
              If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login. Warning: This option has security implications, especially if the users have upload permission, or shell access. Only enable if you know what you are doing. Note that these security implications are not vsftpd specific. They apply to all FTP daemons which offer to put local users in chroot() jails.

              Default: NO

       connect_from_port_20
              This controls whether PORT style data connections use port 20 (ftp-data) on the server machine. For security reasons, some clients may insist that this is the case. Conversely, disabling this option enables vsftpd to run with slightly less privilege.

              Default: NO (but the sample config file enables it)

       debug_ssl
              If true, OpenSSL connection diagnostics are dumped to the vsftpd log file. (Added in v2.0.6).

              Default: NO

       delete_failed_uploads
              If true, any failed upload files are deleted. (Added in v2.0.7).

              Default: NO

       deny_email_enable
              If activated, you may provide a list of anonymous password e-mail responses which cause login to be denied. By default, the file containing this list is /etc/vsftpd/banned_emails, but you may override this with the banned_email_file setting.

              Default: NO

       dirlist_enable
              If set to NO, all directory list commands will give permission denied.

              Default: YES

       dirmessage_enable
              If enabled, users of the FTP server can be shown messages when they first enter a new directory. By default, a directory is scanned for the file .message, but that may be overridden with the configuration setting message_file.

              Default: NO (but the sample config file enables it)

       download_enable
              If set to NO, all download requests will give permission denied.

              Default: YES

       dual_log_enable
              If enabled, two log files are generated in parallel, going by default to /var/log/xferlog and /var/log/vsftpd.log. The former is a wu-ftpd style transfer log, parseable by standard tools. The latter is vsftpd's own style log.

              Default: NO

       force_dot_files
              If activated, files and directories starting with . will be shown in directory listings even if the "a" flag was not used by the client. This override excludes the "." and ".." entries.

              Default: NO

       force_anon_data_ssl
              Only applies if ssl_enable is activated. If activated, all anonymous logins are forced to use a secure SSL connection in order to send and receive data on data connections.

              Default: NO

       force_anon_logins_ssl
              Only applies if ssl_enable is activated. If activated, all anonymous logins are forced to use a secure SSL connection in order to send the password.

              Default: NO

       force_local_data_ssl
              Only applies if ssl_enable is activated. If activated, all non-anonymous logins are forced to use a secure SSL connection in order to send and receive data on data connections.

              Default: YES

       force_local_logins_ssl
              Only applies if ssl_enable is activated. If activated, all non-anonymous logins are forced to use a secure SSL connection in order to send the password.

              Default: YES

       guest_enable
              If enabled, all non-anonymous logins are classed as "guest" logins. A guest login is remapped to the user specified in the guest_username setting.

              Default: NO

       hide_ids
              If enabled, all user and group information in directory listings will be displayed as "ftp".

              Default: NO

       implicit_ssl
              If enabled, an SSL handshake is the first thing expected on all connections (the FTPS protocol). To support explicit SSL and/or plain text too, a separate vsftpd listener process should be run.

              Default: NO

       listen
              If enabled, vsftpd will run in standalone mode. This means that vsftpd must not be run from an inetd of some kind. Instead, the vsftpd executable is run once directly. vsftpd itself will then take care of listening for and handling incoming connections.

              Default: NO

       listen_ipv6
              Like the listen parameter, except vsftpd will listen on an IPv6 socket instead of an IPv4 one. Note that a socket listening on the IPv6 "any" address (::) will accept both IPv6 and IPv4 connections by default. This parameter and the listen parameter are mutually exclusive.

              Default: NO

       local_enable
              Controls whether local logins are permitted or not. If enabled, normal user accounts in /etc/passwd (or wherever your PAM config references) may be used to log in. This must be enabled for any non-anonymous login to work, including virtual users.

              Default: NO

       lock_upload_files
              When enabled, all uploads proceed with a write lock on the upload file. All downloads proceed with a shared read lock on the download file. WARNING! Before enabling this, be aware that malicious readers could starve a writer wanting to e.g. append a file.

              Default: YES

       log_die
              Log an error to syslog when some error condition occurs and vsftpd decides to quit. Internally, the error messages given to the functions die(), die2() and bug() are passed to syslog. Currently this functionality requires waiting for a short amount of time (1 second is used) after logging the message and before exiting. This is a workaround for the following systemd bug: https://github.com/systemd/systemd/issues/2913

              Default: NO

       log_ftp_protocol
              When enabled, all FTP requests and responses are logged, providing the option xferlog_std_format is not enabled. Useful for debugging.

              Default: NO

       ls_recurse_enable
              When enabled, this setting will allow the use of "ls -R". This is a minor security risk, because a ls -R at the top level of a large site may consume a lot of resources.

              Default: NO

       mdtm_write
              When enabled, this setting will allow MDTM to set file modification times (subject to the usual access checks).

              Default: YES

       no_anon_password
              When enabled, this prevents vsftpd from asking for an anonymous password - the anonymous user will log straight in.

              Default: NO

       no_log_lock
              When enabled, this prevents vsftpd from taking a file lock when writing to log files. This option should generally not be enabled. It exists to work around operating system bugs such as the Solaris / Veritas filesystem combination which has been observed to sometimes exhibit hangs trying to lock log files.

              Default: NO

       one_process_model
              If you have a Linux 2.4 kernel, it is possible to use a different security model which only uses one process per connection. It is a less pure security model, but gains you performance. You really don't want to enable this unless you know what you are doing, and your site supports huge numbers of simultaneously connected users.

              Default: NO

       passwd_chroot_enable
              If enabled, along with chroot_local_user, then a chroot() jail location may be specified on a per-user basis. Each user's jail is derived from their home directory string in /etc/passwd. The occurrence of /./ in the home directory string denotes that the jail is at that particular location in the path.

              Default: NO

       pasv_addr_resolve
              Set to YES if you want to use a hostname (as opposed to IP address) in the pasv_address option.

              Default: NO

       pasv_enable
              Set to NO if you want to disallow the PASV method of obtaining a data connection.

              Default: YES

       pasv_promiscuous
              Set to YES if you want to disable the PASV security check that ensures the data connection originates from the same IP address as the control connection. Only enable if you know what you are doing! The only legitimate use for this is in some form of secure tunnelling scheme, or perhaps to facilitate FXP support.

              Default: NO

       port_enable
              Set to NO if you want to disallow the PORT method of obtaining a data connection.

              Default: YES

       port_promiscuous
              Set to YES if you want to disable the PORT security check that ensures that outgoing data connections can only connect to the client. Only enable if you know what you are doing!

              Default: NO

       require_cert
              If set to YES, all SSL client connections are required to present a client certificate. The degree of validation applied to this certificate is controlled by validate_cert. (Added in v2.0.6).

              Default: NO

       require_ssl_reuse
              If set to YES, all SSL data connections are required to exhibit SSL session reuse (which proves that they know the same master secret as the control channel). Although this is a secure default, it may break many FTP clients, so you may want to disable it. For a discussion of the consequences, see http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html (Added in v2.1.0).

              Default: YES

       reverse_lookup_enable
              Set to YES if you want vsftpd to transform the IP address into the hostname before PAM authentication. This is useful if you use pam_access including the hostname. If vsftpd runs in an environment where the reverse lookup for some addresses is unavailable and the name server doesn't respond for a while, you should set this to NO to avoid a performance issue.

              Default: YES

       run_as_launching_user
              Set to YES if you want vsftpd to run as the user which launched vsftpd. This is useful where root access is not available. MASSIVE WARNING! Do NOT enable this option unless you totally know what you are doing, as naive use of this option can create massive security problems. Specifically, vsftpd does not / cannot use chroot technology to restrict file access when this option is set (even if launched by root). A poor substitute could be to use a deny_file setting such as {/*,*..*}, but the reliability of this cannot compare to chroot, and should not be relied on. If using this option, many restrictions on other options apply. For example, options requiring privilege such as non-anonymous logins, upload ownership changing, connecting from port 20 and listen ports less than 1024 are not expected to work. Other options may be impacted.

              Default: NO

       secure_email_list_enable
              Set to YES if you want only a specified list of e-mail passwords for anonymous logins to be accepted. This is useful as a low-hassle way of restricting access to low-security content without needing virtual users. When enabled, anonymous logins are prevented unless the password provided is listed in the file specified by the email_password_file setting. The file format is one password per line, no extra whitespace. The default filename is /etc/vsftpd/email_passwords.

              Default: NO

       session_support
              This controls whether vsftpd attempts to maintain sessions for logins. If vsftpd is maintaining sessions, it will try and update utmp and wtmp. It will also open a pam_session if using PAM to authenticate, and only close this upon logout. You may wish to disable this if you do not need session logging, and you wish to give vsftpd more opportunity to run with fewer processes and / or less privilege. NOTE - utmp and wtmp support is only provided with PAM enabled builds.

              Default: NO

       setproctitle_enable
              If enabled, vsftpd will try and show session status information in the system process listing. In other words, the reported name of the process will change to reflect what a vsftpd session is doing (idle, downloading etc). You probably want to leave this off for security purposes.

              Default: NO

       ssl_enable
              If enabled, and vsftpd was compiled against OpenSSL, vsftpd will support secure connections via SSL. This applies to the control connection (including login) and also data connections. You'll need a client with SSL support too. NOTE!! Beware enabling this option. Only enable it if you need it. vsftpd can make no guarantees about the security of the OpenSSL libraries. By enabling this option, you are declaring that you trust the security of your installed OpenSSL library.

              Default: NO

       ssl_request_cert
              If enabled, vsftpd will request (but not necessarily require; see require_cert) a certificate on incoming SSL connections. Normally this should not cause any trouble at all, but IBM zOS seems to have issues. (New in v2.0.7).

              Default: YES

       ssl_sslv2
              Only applies if ssl_enable is activated. If enabled, this option will permit SSL v2 protocol connections. TLS v1.2 connections are preferred.

              Default: NO

       ssl_sslv3
              Only applies if ssl_enable is activated. If enabled, this option will permit SSL v3 protocol connections. TLS v1.2 connections are preferred.

              Default: NO

       ssl_tlsv1
              Only applies if ssl_enable is activated. If enabled, this option will permit TLS v1 protocol connections. TLS v1.2 connections are preferred.

              Default: NO

       ssl_tlsv1_1
              Only applies if ssl_enable is activated. If enabled, this option will permit TLS v1.1 protocol connections. TLS v1.2 connections are preferred.

              Default: NO

       ssl_tlsv1_2
              Only applies if ssl_enable is activated. If enabled, this option will permit TLS v1.2 protocol connections. TLS v1.2 connections are preferred.

              Default: YES

       strict_ssl_read_eof
              If enabled, SSL data uploads are required to terminate via SSL, not an EOF on the socket. This option is required to be sure that an attacker did not terminate an upload prematurely with a faked TCP FIN. (New in v2.0.7).

              Default: YES

       strict_ssl_write_shutdown
              If enabled, SSL data downloads are required to terminate via SSL, not an EOF on the socket. This is off by default as I was unable to find a single FTP client that does this. It is minor. All it affects is our ability to tell whether the client confirmed full receipt of the file. Even without this option, the client is able to check the integrity of the download. (New in v2.0.7).

              Default: NO

       syslog_enable
              If enabled, then any log output which would have gone to /var/log/vsftpd.log goes to the system log instead. Logging is done under the FTPD facility.

              Default: NO

       tcp_wrappers
              If enabled, and vsftpd was compiled with tcp_wrappers support, incoming connections will be fed through tcp_wrappers access control. Furthermore, there is a mechanism for per-IP based configuration. If tcp_wrappers sets the VSFTPD_LOAD_CONF environment variable, then the vsftpd session will try and load the vsftpd configuration file specified in this variable.

              Default: NO

       text_userdb_names
              By default, numeric IDs are shown in the user and group fields of directory listings. You can get textual names by enabling this parameter. It is off by default for performance reasons. Note that textual names are not guaranteed when chroot_local_user is set to YES.

              Default: NO

       tilde_user_enable
              If enabled, vsftpd will try and resolve pathnames such as ~chris/pics, i.e. a tilde followed by a username. Note that vsftpd will always resolve the pathnames ~ and ~/something (in this case the ~ resolves to the initial login directory). Note that ~user paths will only resolve if the file /etc/passwd may be found within the _current_ chroot() jail.

              Default: NO

       use_localtime
              If enabled, vsftpd will display directory listings with the time in your local time zone. The default is to display GMT. The times returned by the MDTM FTP command are also affected by this option.

              Default: NO

       use_sendfile
              An internal setting used for testing the relative benefit of using the sendfile() system call on your platform.

              Default: YES

       userlist_deny
              This option is examined if userlist_enable is activated. If you set this setting to NO, then users will be denied login unless they are explicitly listed in the file specified by userlist_file. When login is denied, the denial is issued before the user is asked for a password.

              Default: YES

       userlist_enable
              If enabled, vsftpd will load a list of usernames, from the filename given by userlist_file. If a user tries to log in using a name in this file, they will be denied before they are asked for a password. This may be useful in preventing cleartext passwords being transmitted. See also userlist_deny.

              Default: NO

       validate_cert
              If set to YES, all SSL client certificates received must validate OK. Self-signed certs do not constitute OK validation. (New in v2.0.6).

              Default: NO

       userlist_log
              This option is examined if userlist_enable is activated. If enabled, every login denial based on the user list will be logged.

              Default: NO

       virtual_use_local_privs
              If enabled, virtual users will use the same privileges as local users. By default, virtual users will use the same privileges as anonymous users, which tends to be more restrictive (especially in terms of write access).

              Default: NO

       write_enable
              This controls whether any FTP commands which change the filesystem are allowed or not. These commands are: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE.

              Default: NO

       xferlog_enable
              If enabled, a log file will be maintained detailing uploads and downloads. By default, this file will be placed at /var/log/vsftpd.log, but this location may be overridden using the configuration setting vsftpd_log_file.

              Default: NO (but the sample config file enables it)

       xferlog_std_format
              If enabled, the transfer log file will be written in standard xferlog format, as used by wu-ftpd. This is useful because you can reuse existing transfer statistics generators. The default format is more readable, however. The default location for this style of log file is /var/log/xferlog, but you may change it with the setting xferlog_file.

              Default: NO

       isolate_network
              If enabled, use CLONE_NEWNET to isolate the untrusted processes so that they can't do arbitrary connect() and instead have to ask the privileged process for sockets (port_promiscuous has to be disabled).

              Default: YES

       isolate
              If enabled, use CLONE_NEWPID and CLONE_NEWIPC to isolate processes into their own PID and IPC namespaces, so that separated processes cannot interact with each other.

              Default: YES

       wc_logs_enable
              If enabled, logs will be treated as wide-character strings and not just ASCII strings when filtering out non-printable characters.

              Default: NO

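       As an added example (not part of this man page or of vsftpd itself), the check below audits a parsed vsftpd.conf against the risks the boolean options above describe. It takes a dict of option name to raw value; options that are absent fall back to the "Default:" values quoted above, which is where misconfigurations hide, since anonymous_enable defaults to YES. The option subset and the sample configuration are constructed for illustration.

```python
"""Audit a vsftpd.conf against the risks described in the boolean options."""

# Constructed subset of the "Default:" lines from the man page; extend as needed.
DEFAULTS = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "chroot_local_user": "NO",
    "allow_writeable_chroot": "NO", "pasv_promiscuous": "NO",
    "port_promiscuous": "NO", "run_as_launching_user": "NO",
    "ssl_enable": "NO", "ssl_sslv2": "NO", "ssl_sslv3": "NO",
    "ssl_tlsv1": "NO", "ssl_tlsv1_1": "NO", "force_local_logins_ssl": "YES",
    "require_ssl_reuse": "YES", "listen": "NO", "listen_ipv6": "NO",
    "one_process_model": "NO", "setproctitle_enable": "NO",
    "isolate": "YES", "isolate_network": "YES", "xferlog_enable": "NO",
}


def enabled(settings, option):
    """YES/NO lookup that uses the man page default when the option is not set."""
    value = settings.get(option, DEFAULTS[option])
    if value not in ("YES", "NO"):
        raise ValueError(f"{option}: boolean options take YES or NO, got {value!r}")
    return value == "YES"


def audit(settings):
    """Return (severity, option, message) findings; an empty list means nothing flagged."""
    findings = []

    def on(option):
        return enabled(settings, option)

    def add(severity, option, message):
        findings.append((severity, option, message))

    if on("listen") and on("listen_ipv6"):
        add("error", "listen_ipv6", "listen and listen_ipv6 are mutually exclusive")
    if on("anonymous_enable"):
        add("warn", "anonymous_enable", "anonymous logins allowed (the default when omitted)")
        if on("write_enable") and (on("anon_upload_enable") or on("anon_mkdir_write_enable")):
            add("warn", "write_enable", "anonymous users can upload or create directories")
        if on("write_enable") and on("anon_other_write_enable"):
            add("high", "anon_other_write_enable", "anonymous users can delete and rename")
    if on("chroot_local_user"):
        if on("allow_writeable_chroot"):
            add("high", "allow_writeable_chroot",
                "writable chroot root: a user-created etc/ can feed the C library a user config")
        if on("write_enable"):
            add("info", "chroot_local_user",
                "jailed local users with upload permission; the man page flags this combination")
    if on("pasv_promiscuous"):
        add("high", "pasv_promiscuous", "PASV data connections not tied to the control connection IP")
    if on("port_promiscuous"):
        add("high", "port_promiscuous", "PORT data connections may go to hosts other than the client")
    if on("run_as_launching_user"):
        add("high", "run_as_launching_user", "no chroot() in this mode; deny_file is not a substitute")
    if on("ssl_enable"):
        for legacy in ("ssl_sslv2", "ssl_sslv3", "ssl_tlsv1", "ssl_tlsv1_1"):
            if on(legacy):
                add("warn", legacy, "legacy protocol version enabled; TLS v1.2 is preferred")
        if not on("force_local_logins_ssl"):
            add("warn", "force_local_logins_ssl", "local users may send passwords without SSL")
        if not on("require_ssl_reuse"):
            add("info", "require_ssl_reuse", "data connections need not prove the control channel's SSL session")
    elif on("local_enable"):
        add("warn", "ssl_enable", "local logins without ssl_enable: passwords travel in cleartext")
    if on("one_process_model"):
        add("warn", "one_process_model", "less pure security model traded for performance")
    if on("setproctitle_enable"):
        add("info", "setproctitle_enable", "session state exposed in the process list")
    for namespace_option in ("isolate", "isolate_network"):
        if not on(namespace_option):
            add("info", namespace_option, "namespace isolation of untrusted processes turned off")
    if not on("xferlog_enable"):
        add("info", "xferlog_enable", "no transfer log: uploads and downloads leave no record")
    return findings


def flagged(settings):
    """Set of option names that audit() reported, for quick checks."""
    return {option for _, option, _ in audit(settings)}


# Constructed example of a typical "works for me" config; anonymous_enable was forgotten.
EXAMPLE = {
    "local_enable": "YES", "write_enable": "YES", "chroot_local_user": "YES",
    "allow_writeable_chroot": "YES", "listen": "YES", "xferlog_enable": "YES",
}

if __name__ == "__main__":
    for severity, option, message in audit(EXAMPLE):
        print(f"[{severity}] {option}: {message}")
```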

NUMERIC OPTIONS
       Below is a list of numeric options. A numeric option must be set to a non-negative integer. Octal numbers are supported, for the convenience of the umask options. To specify an octal number, use 0 as the first digit of the number.

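       An added example (not from vsftpd) that implements the directive format described under FORMAT together with the numeric rule above: option=value with no whitespace around the =, # comment lines, YES/NO booleans, non-negative integers where a leading 0 selects octal, and the compiled-in defaults layered underneath. The option tables and defaults are a constructed subset copied from this page, and the sample file is constructed.

```python
"""Parser for the vsftpd.conf directive format, with type checking of values."""
import re

# Constructed subset of the option tables in this man page. Not exhaustive.
BOOLEAN_OPTIONS = {
    "anonymous_enable", "local_enable", "write_enable", "chroot_local_user",
    "allow_writeable_chroot", "ssl_enable", "listen", "listen_ipv6",
    "xferlog_enable", "pasv_promiscuous", "port_promiscuous",
}
NUMERIC_OPTIONS = {
    "anon_umask", "local_umask", "file_open_mode", "chown_upload_mode",
    "listen_port", "pasv_min_port", "pasv_max_port", "max_clients",
    "max_per_ip", "idle_session_timeout", "data_connection_timeout",
}
STRING_OPTIONS = {
    "anon_root", "chroot_list_file", "cmds_allowed", "cmds_denied",
    "deny_file", "banner_file", "ca_certs_file", "chown_username",
}
# Compiled-in defaults quoted from the man page for the options used below.
DEFAULTS = {
    "anonymous_enable": True, "local_enable": False, "write_enable": False,
    "anon_umask": 0o077, "local_umask": 0o077, "file_open_mode": 0o666,
    "listen_port": 21, "max_clients": 2000, "max_per_ip": 50,
    "pasv_min_port": 0, "pasv_max_port": 0, "idle_session_timeout": 300,
}

# Split at the first '='; surrounding whitespace is checked separately so the
# error message can say exactly what the man page forbids.
DIRECTIVE_RE = re.compile(r"^([^=]*)=(.*)$")
DIGITS_RE = re.compile(r"[0-9]+")


class ConfigError(ValueError):
    """A line that vsftpd would refuse to load."""


def parse_numeric(option, value, lineno):
    """Non-negative integer; a leading 0 selects octal, as the umask options need."""
    if not DIGITS_RE.fullmatch(value):
        raise ConfigError(f"line {lineno}: {option} needs a non-negative integer, got {value!r}")
    if len(value) > 1 and value[0] == "0":
        try:
            return int(value, 8)
        except ValueError:
            raise ConfigError(f"line {lineno}: {option}={value} has a leading 0 but is not octal") from None
    return int(value, 10)


def parse_vsftpd_conf(text):
    """Return {option: typed value} for the directives in text."""
    settings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#") or not line.strip():
            continue  # comment; blank lines are skipped too (assumption)
        match = DIRECTIVE_RE.match(line)
        if match is None:
            raise ConfigError(f"line {lineno}: neither a comment nor option=value: {line!r}")
        option, value = match.group(1), match.group(2)
        # "it is an error to put any space between the option, = and value"
        if option != option.strip() or value != value.strip():
            raise ConfigError(f"line {lineno}: whitespace around '=' is not allowed: {line!r}")
        if option in BOOLEAN_OPTIONS:
            if value not in ("YES", "NO"):
                raise ConfigError(f"line {lineno}: {option} must be YES or NO, got {value!r}")
            settings[option] = value == "YES"
        elif option in NUMERIC_OPTIONS:
            settings[option] = parse_numeric(option, value, lineno)
        elif option in STRING_OPTIONS:
            settings[option] = value
        else:
            raise ConfigError(f"line {lineno}: unknown option {option!r}")
    return settings


def effective_config(text):
    """Parsed directives layered over the compiled-in defaults."""
    merged = dict(DEFAULTS)
    merged.update(parse_vsftpd_conf(text))
    return merged


def rejects(text):
    """True if parse_vsftpd_conf() raises ConfigError for text."""
    try:
        parse_vsftpd_conf(text)
    except ConfigError:
        return True
    return False


# Constructed sample file, not a real deployment.
SAMPLE = """\
# constructed vsftpd.conf fragment
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
file_open_mode=0644
listen_port=2121
anon_root=/srv/ftp
cmds_denied=SITE,DELE
"""

if __name__ == "__main__":
    for key, val in sorted(effective_config(SAMPLE).items()):
        print(f"{key}={val!r}")
```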
754
755 accept_timeout
756 The timeout, in seconds, for a remote client to establish con‐
757 nection with a PASV style data connection.
758
759 Default: 60
760
761 anon_max_rate
762 The maximum data transfer rate permitted, in bytes per second,
763 for anonymous clients.
764
765 Default: 0 (unlimited)
766
767 anon_umask
768 The value that the umask for file creation is set to for anony‐
769 mous users. NOTE! If you want to specify octal values, remember
770 the "0" prefix otherwise the value will be treated as a base 10
771 integer!
772
773 Default: 077
774
775 bind_retries
776 Maximum number of attempts to find a free listening port in pas‐
777 sive mode.
778
779 Default: 9
780
781 chown_upload_mode
782 The file mode to force for chown()ed anonymous uploads. (Added
783 in v2.0.6).
784
785 Default: 0600
786
787 connect_timeout
788 The timeout, in seconds, for a remote client to respond to our
789 PORT style data connection.
790
791 Default: 60
792
793 data_connection_timeout
794 The timeout, in seconds, which is roughly the maximum time we
795 permit data transfers to stall for with no progress. If the
796 timeout triggers, the remote client is kicked off.
797
798 Default: 300
799
800 delay_failed_login
801 The number of seconds to pause prior to reporting a failed lo‐
802 gin.
803
804 Default: 1
805
806 delay_successful_login
807 The number of seconds to pause prior to allowing a successful
808 login.
809
810 Default: 0
811
812 file_open_mode
813 The permissions with which uploaded files are created. Umasks
814 are applied on top of this value. You may wish to change to 0777
815 if you want uploaded files to be executable.
816
817 Default: 0666
818
819 ftp_data_port
820 The port from which PORT style connections originate (as long as
821 the poorly named connect_from_port_20 is enabled).
822
823 Default: 20
824
825 idle_session_timeout
826 The timeout, in seconds, which is the maximum time a remote
827 client may spend between FTP commands. If the timeout triggers,
828 the remote client is kicked off.
829
830 Default: 300
831
832 listen_port
833 If vsftpd is in standalone mode, this is the port it will listen
834 on for incoming FTP connections.
835
836 Default: 21
837
838 local_max_rate
839 The maximum data transfer rate permitted, in bytes per second,
840 for local authenticated users.
841
842 Default: 0 (unlimited)
843
844 local_umask
845 The value that the umask for file creation is set to for local
846 users. NOTE! If you want to specify octal values, remember the
847 "0" prefix otherwise the value will be treated as a base 10 in‐
848 teger!
849
850 Default: 077
851
852 max_clients
853 If vsftpd is in standalone mode, this is the maximum number of
854 clients which may be connected. Any additional clients connect‐
855 ing will get an error message. The value 0 switches off the
856 limit.
857
858 Default: 2000
859
860 max_login_fails
861 After this many login failures, the session is killed.
862
863 Default: 3
864
865 max_per_ip
866 If vsftpd is in standalone mode, this is the maximum number of
867 clients which may be connected from the same source internet ad‐
868 dress. A client will get an error message if they go over this
869 limit. The value 0 switches off the limit.
870
871 Default: 50
872
873 pasv_max_port
874 The maximum port to allocate for PASV style data connections.
875 Can be used to specify a narrow port range to assist fire‐
876 walling.
877
878 Default: 0 (use any port)
879
880 pasv_min_port
881 The minimum port to allocate for PASV style data connections.
882 Can be used to specify a narrow port range to assist fire‐
883 walling.
884
885 Default: 0 (use any port)
886
887 trans_chunk_size
888 You probably don't want to change this, but try setting it to
889 something like 8192 for a much smoother bandwidth limiter.
890
891 Default: 0 (let vsftpd pick a sensible setting)
892
893
895 Below is a list of string options.
896
897
       anon_root
              This option represents a directory which vsftpd will try to
              change into after an anonymous login. Failure is silently
              ignored.

              Default: (none)

       banned_email_file
              This option is the name of a file containing a list of
              anonymous e-mail passwords which are not permitted. This
              file is consulted if the option deny_email_enable is
              enabled.

              Default: /etc/vsftpd/banned_emails

       banner_file
              This option is the name of a file containing text to display
              when someone connects to the server. If set, it overrides
              the banner string provided by the ftpd_banner option.

              Default: (none)

       ca_certs_file
              This option is the name of a file to load Certificate
              Authority certs from, for the purpose of validating client
              certs. The loaded certs are also advertised to the client,
              to cater for TLSv1.0 clients such as the z/OS FTP client.
              Regrettably, the default SSL CA cert paths are not used,
              because of vsftpd's use of restricted filesystem spaces
              (chroot). (Added in v2.0.6).

              Default: (none)

       chown_username
              This is the name of the user who is given ownership of
              anonymously uploaded files. This option is only relevant if
              another option, chown_uploads, is set.

              Default: root

       chroot_list_file
              The option is the name of a file containing a list of local
              users which will be placed in a chroot() jail in their home
              directory. This option is only relevant if the option
              chroot_list_enable is enabled. If the option
              chroot_local_user is enabled, then the list file becomes a
              list of users to NOT place in a chroot() jail.

              Default: /etc/vsftpd.chroot_list
945
       cmds_allowed
              This option specifies a comma separated list of allowed FTP
              commands (post login. USER, PASS, QUIT and others are always
              allowed pre-login). Other commands are rejected. This is a
              powerful method of really locking down an FTP server.
              Example: cmds_allowed=PASV,RETR,QUIT

              Default: (none)

       cmds_denied
              This option specifies a comma separated list of denied FTP
              commands (post login. USER, PASS, QUIT and others are always
              allowed pre-login). If a command appears on both this and
              cmds_allowed then the denial takes precedence. (Added in
              v2.1.0).

              Default: (none)

       deny_file
              This option can be used to set a pattern for filenames (and
              directory names etc.) which should not be accessible in any
              way. The affected items are not hidden, but any attempt to
              do anything to them (download, change into directory, affect
              something within directory etc.) will be denied. This option
              is very simple, and should not be used for serious access
              control - the filesystem's permissions should be used in
              preference. However, this option may be useful in certain
              virtual user setups. In particular, be aware that if a
              filename is accessible by a variety of names (perhaps due to
              symbolic links or hard links), then care must be taken to
              deny access to all the names. Access will be denied to items
              if their name contains the string given by deny_file, or if
              they match the regular expression specified by deny_file.
              Note that vsftpd's regular expression matching code is a
              simple implementation which is a subset of full regular
              expression functionality. Because of this, you will need to
              carefully and exhaustively test any application of this
              option. And you are recommended to use filesystem
              permissions for any important security policies due to
              their greater reliability. Supported regex syntax is any
              number of *, ? and unnested {,} operators. Regex matching is
              only supported on the last component of a path, e.g. a/b/?
              is supported but a/?/c is not. Example:
              deny_file={*.mp3,*.mov,.private}

              Default: (none)
       dsa_cert_file
              This option specifies the location of the DSA certificate to
              use for SSL encrypted connections.

              Default: (none - an RSA certificate suffices)

       dsa_private_key_file
              This option specifies the location of the DSA private key to
              use for SSL encrypted connections. If this option is not
              set, the private key is expected to be in the same file as
              the certificate.

              Default: (none)

       dh_param_file
              This option specifies the location of the custom parameters
              used for ephemeral Diffie-Hellman key exchange in SSL.

              Default: (none - use built in parameters appropriate for
              certificate key size)

       ecdh_param_file
              This option specifies the location of custom parameters for
              ephemeral Elliptic Curve Diffie-Hellman (ECDH) key exchange.

              Default: (none - use built in parameters, NIST P-256 with
              OpenSSL 1.0.1 and automatically selected curve based on
              client preferences with OpenSSL 1.0.2 and later)

       email_password_file
              This option can be used to provide an alternate file for
              usage by the secure_email_list_enable setting.

              Default: /etc/vsftpd/email_passwords

       ftp_username
              This is the name of the user we use for handling anonymous
              FTP. The home directory of this user is the root of the
              anonymous FTP area.

              Default: ftp

       ftpd_banner
              This string option allows you to override the greeting
              banner displayed by vsftpd when a connection first comes in.

              Default: (none - default vsftpd banner is displayed)

       guest_username
              See the boolean setting guest_enable for a description of
              what constitutes a guest login. This setting is the real
              username which guest users are mapped to.

              Default: ftp

       hide_file
              This option can be used to set a pattern for filenames (and
              directory names etc.) which should be hidden from directory
              listings. Despite being hidden, the files / directories etc.
              are fully accessible to clients who know what names to
              actually use. Items will be hidden if their names contain
              the string given by hide_file, or if they match the regular
              expression specified by hide_file. Note that vsftpd's
              regular expression matching code is a simple implementation
              which is a subset of full regular expression functionality.
              See deny_file for details of exactly what regex syntax is
              supported. Example: hide_file={*.mp3,.hidden,hide*,h?}

              Default: (none)

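       The matching rules shared by deny_file and hide_file above (any
       number of * and ?, one unnested {,} group, wildcards only in the
       last path component, the "contains the string" case, and the
       symbolic/hard link caveat) are easy to get wrong when writing a
       pattern. The following is an added example written for this page;
       it is a model of the documented behaviour, not vsftpd's own matcher
       and not its source code. Names such as filter_matches, glob_match
       and expand_braces are the example's own. One assumption the page
       does not spell out: a pattern with no wildcard character is treated
       as the "plain string" case and tested by substring containment,
       while a wildcard pattern must match the whole last component.

```python
"""Model of the filename filter described for deny_file and hide_file.

Example code written for this page; it is not vsftpd's own matcher and does
not reproduce its source. Documented rules modelled: patterns may use any
number of '*' and '?' plus one unnested {a,b} group; an item is caught if
its name contains the pattern as a plain string or matches it as a wildcard
expression; wildcards are honoured only in the last path component (a/b/?
works, a/?/c does not). Assumption not stated on the page: a pattern
without '*' or '?' is the plain-string case and is tested by substring
containment, while a wildcard pattern must match the whole name.
"""
from __future__ import annotations

WILDCARDS = ("*", "?")


def expand_braces(pattern: str) -> list[str]:
    """Expand one unnested {a,b,c} group; reject nested or unbalanced braces."""
    start = pattern.find("{")
    if start == -1:
        if "}" in pattern:
            raise ValueError(f"unbalanced '}}' in {pattern!r}")
        return [pattern]
    end = pattern.find("}", start)
    if end == -1:
        raise ValueError(f"unbalanced '{{' in {pattern!r}")
    inner = pattern[start + 1:end]
    if "{" in inner or "{" in pattern[end:] or "}" in pattern[end + 1:]:
        raise ValueError(f"nested or repeated braces unsupported: {pattern!r}")
    return [pattern[:start] + alt + pattern[end + 1:] for alt in inner.split(",")]


def glob_match(name: str, pattern: str) -> bool:
    """Match all of `name` against a pattern of literals, '*' and '?'.

    A small two-pointer loop rather than fnmatch or re, in the spirit of the
    page's note that vsftpd uses a deliberately simple matcher.
    """
    n = p = 0
    star = -1       # index in pattern of the most recent '*', or -1
    star_n = 0      # index in name where that '*' began matching
    while n < len(name):
        if p < len(pattern) and pattern[p] == "*":
            star, star_n = p, n
            p += 1
        elif p < len(pattern) and pattern[p] in ("?", name[n]):
            n += 1
            p += 1
        elif star != -1:          # backtrack: let the last '*' absorb one more char
            star_n += 1
            n, p = star_n, star + 1
        else:
            return False
    while p < len(pattern) and pattern[p] == "*":
        p += 1
    return p == len(pattern)


def filter_matches(path: str, pattern: str) -> bool:
    """True if `path` is caught by a deny_file/hide_file style pattern."""
    path_dir, _, name = path.rpartition("/")
    for alt in expand_braces(pattern):
        alt_dir, _, alt_last = alt.rpartition("/")
        if "/" in alt:
            # Directory components must be literal and must match exactly.
            if any(c in alt_dir for c in WILDCARDS):
                raise ValueError(f"wildcards before the last component are "
                                 f"unsupported: {alt!r}")
            if alt_dir != path_dir:
                continue
        if any(c in alt_last for c in WILDCARDS):
            if glob_match(name, alt_last):
                return True
        elif alt_last in name:    # plain-string case: substring containment
            return True
    return False


def unsupported(path: str, pattern: str) -> bool:
    """True if the pattern uses syntax the documented subset rejects."""
    try:
        filter_matches(path, pattern)
    except ValueError:
        return True
    return False
```

       Two behaviours worth noticing when testing a pattern this way:
       "*.mp3" does not catch song.mp3.bak because a wildcard pattern must
       match the whole name, whereas the plain ".private" alternative
       catches notes.private.txt by containment; and the matcher only ever
       sees the name the client presents, so a second link to the same
       file under a different name passes untouched, which is exactly why
       the page says to deny every name and to rely on filesystem
       permissions for anything that matters.
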
       listen_address
              If vsftpd is in standalone mode, the default listen address
              (of all local interfaces) may be overridden by this setting.
              Provide a numeric IP address.

              Default: (none)

       listen_address6
              Like listen_address, but specifies a default listen address
              for the IPv6 listener (which is used if listen_ipv6 is set).
              Format is standard IPv6 address format.

              Default: (none)

       local_root
              This option represents a directory which vsftpd will try to
              change into after a local (i.e. non-anonymous) login.
              Failure is silently ignored.

              Default: (none)

       message_file
              This option is the name of the file we look for when a new
              directory is entered. The contents are displayed to the
              remote user. This option is only relevant if the option
              dirmessage_enable is enabled.

              Default: .message

       nopriv_user
              This is the name of the user that is used by vsftpd when it
              wants to be totally unprivileged. Note that this should be a
              dedicated user, rather than nobody. The user nobody tends to
              be used for rather a lot of important things on most
              machines.

              Default: nobody

       pam_service_name
              This string is the name of the PAM service vsftpd will use.

              Default: ftp

       pasv_address
              Use this option to override the IP address that vsftpd will
              advertise in response to the PASV command. Provide a numeric
              IP address, unless pasv_addr_resolve is enabled, in which
              case you can provide a hostname which will be DNS resolved
              for you at startup.

              Default: (none - the address is taken from the incoming
              connected socket)

       rsa_cert_file
              This option specifies the location of the RSA certificate to
              use for SSL encrypted connections.

              Default: /usr/share/ssl/certs/vsftpd.pem

       rsa_private_key_file
              This option specifies the location of the RSA private key to
              use for SSL encrypted connections. If this option is not
              set, the private key is expected to be in the same file as
              the certificate.

              Default: (none)

       secure_chroot_dir
              This option should be the name of a directory which is
              empty. Also, the directory should not be writable by the ftp
              user. This directory is used as a secure chroot() jail at
              times vsftpd does not require filesystem access.

              Default: /usr/share/empty

       ssl_ciphers
              This option can be used to select which SSL ciphers vsftpd
              will allow for encrypted SSL connections. See the ciphers
              man page for further details. Note that restricting ciphers
              can be a useful security precaution as it prevents malicious
              remote parties forcing a cipher which they have found
              problems with.

              By default, the system-wide crypto policy is used. See
              update-crypto-policies(8) for further details.

              Default: PROFILE=SYSTEM

       ssl_sni_hostname
              If set, SSL connections will be rejected unless the SNI
              hostname in the incoming handshakes matches this value.

              Default: (none)

       user_config_dir
              This powerful option allows the override of any config
              option specified in the manual page, on a per-user basis.
              Usage is simple, and is best illustrated with an example. If
              you set user_config_dir to be /etc/vsftpd/user_conf and then
              log on as the user "chris", then vsftpd will apply the
              settings in the file /etc/vsftpd/user_conf/chris for the
              duration of the session. The format of this file is as
              detailed in this manual page! PLEASE NOTE that not all
              settings are effective on a per-user basis. For example,
              many settings only take effect prior to the user's session
              being started. Examples of settings which will not affect
              any behaviour on a per-user basis include listen_address,
              banner_file, max_per_ip, max_clients, xferlog_file, etc.

              Default: (none)

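       The per-user override mechanism described above, together with
       the option=value file format, the umask "0" prefix rule and the
       pasv_min_port/pasv_max_port range documented earlier, lend
       themselves to a small pre-deployment check. The following is an
       added example written for this page and is not part of vsftpd. It
       models only what the manual states; the option names local_umask
       and anon_umask are assumed (the umask entry above is cut off on
       this page), the set of settings that cannot change per-user is
       taken from the page's non-exhaustive list, and the two sample
       files are constructed, not real configuration.

```python
"""Checker for a vsftpd.conf and a user_config_dir override file.

Example code written for this page, not part of vsftpd. It models what the
manual documents: option=value lines with '#' comments and no whitespace
around '=', umask values read as octal only with a leading "0", a PASV
port range given by pasv_min_port/pasv_max_port, and per-user files that
cannot change process-wide settings such as listen_address, banner_file,
max_per_ip, max_clients or xferlog_file. The option names local_umask and
anon_umask are assumed; file contents and paths below are constructed.
"""
from __future__ import annotations
import re

DIRECTIVE = re.compile(r"^([A-Za-z0-9_]+)=(.*)$")

# Settings the page lists as ineffective per-user; it says "etc.", so this
# set is assumed not to be exhaustive.
NOT_PER_USER = {"listen_address", "banner_file", "max_per_ip",
                "max_clients", "xferlog_file"}
UMASK_OPTIONS = {"local_umask", "anon_umask"}   # assumed option names


def parse_conf(text: str) -> dict[str, str]:
    """Parse vsftpd.conf syntax; later lines override earlier ones.

    Raises ValueError for what the page calls an error: whitespace between
    the option, '=' and value, or a line that is neither blank, a comment
    nor option=value.
    """
    conf: dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m is None or m.group(2)[:1].isspace():
            raise ValueError(f"line {lineno}: expected option=value with no "
                             f"spaces around '=': {line!r}")
        conf[m.group(1)] = m.group(2)
    return conf


def rejects(text: str) -> bool:
    """True if parse_conf refuses the text."""
    try:
        parse_conf(text)
    except ValueError:
        return True
    return False


def umask_as_read(value: str) -> int:
    """Read a umask the way the page describes: octal only with a "0" prefix."""
    return int(value, 8) if value.startswith("0") else int(value, 10)


def lint(conf: dict[str, str]) -> list[str]:
    """Return human-readable problems found in a parsed configuration."""
    problems: list[str] = []
    for opt in sorted(UMASK_OPTIONS & conf.keys()):
        value = conf[opt]
        if not value.startswith("0"):
            problems.append(
                f"{opt}={value}: read as base-10 {umask_as_read(value)} "
                f"(octal {umask_as_read(value):03o}); write {opt}=0{value} "
                f"if octal {value} was intended")
    lo = int(conf.get("pasv_min_port", "0"))
    hi = int(conf.get("pasv_max_port", "0"))
    if (lo or hi) and not 0 < lo <= hi <= 65535:
        # Assumption: a one-sided or inverted range is a mistake.
        problems.append(f"pasv_min_port={lo} pasv_max_port={hi}: set both, "
                        "with min <= max <= 65535")
    if conf.get("nopriv_user", "nobody") == "nobody":
        problems.append("nopriv_user is nobody; the page recommends a "
                        "dedicated unprivileged user")
    return problems


def effective_settings(base: dict[str, str], per_user: dict[str, str]
                       ) -> tuple[dict[str, str], list[str]]:
    """Merge a user_config_dir file over the base config.

    Keys the page says have no per-user effect are left unchanged and
    reported, so an administrator sees that the override is silently dead.
    """
    merged = dict(base)
    warnings: list[str] = []
    for key, value in per_user.items():
        if key in NOT_PER_USER:
            warnings.append(f"{key}={value}: no effect in a per-user file")
        else:
            merged[key] = value
    return merged, warnings


# Constructed sample files (not real configuration from the page).
BASE_CONF = """\
# constructed /etc/vsftpd/vsftpd.conf
local_umask=22
pasv_min_port=50000
pasv_max_port=50100
max_clients=200
user_config_dir=/etc/vsftpd/user_conf
"""
USER_CONF = """\
# constructed /etc/vsftpd/user_conf/chris
local_root=/srv/ftp/chris
max_clients=5
"""

if __name__ == "__main__":
    base = parse_conf(BASE_CONF)
    merged, warnings = effective_settings(base, parse_conf(USER_CONF))
    for line in lint(base) + warnings:
        print("WARNING:", line)
    print("effective local_root for chris:", merged.get("local_root"))
```

       Run as-is, the sample reports three things: local_umask=22 is read
       as decimal 22 (octal 026) rather than the 022 the author probably
       meant, nopriv_user is still the shared nobody account, and the
       max_clients=5 line in chris's per-user file does nothing because
       the limit is applied before the session starts.
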
       user_sub_token
              This option is useful in conjunction with virtual users. It
              is used to automatically generate a home directory for each
              virtual user, based on a template. For example, if the home
              directory of the real user specified via guest_username is
              /home/virtual/$USER, and user_sub_token is set to $USER,
              then when virtual user fred logs in, he will end up (usually
              chroot()'ed) in the directory /home/virtual/fred. This
              option also takes effect if local_root contains
              user_sub_token.

              Default: (none)

       userlist_file
              This option is the name of the file loaded when the
              userlist_enable option is active.

              Default: /etc/vsftpd/user_list

       vsftpd_log_file
              This option is the name of the file to which we write the
              vsftpd style log file. This log is only written if the
              option xferlog_enable is set, and xferlog_std_format is NOT
              set. Alternatively, it is written if you have set the option
              dual_log_enable. One further complication - if you have set
              syslog_enable, then this file is not written and output is
              sent to the system log instead.

              Default: /var/log/vsftpd.log

       xferlog_file
              This option is the name of the file to which we write the
              wu-ftpd style transfer log. The transfer log is only written
              if the option xferlog_enable is set, along with
              xferlog_std_format. Alternatively, it is written if you have
              set the option dual_log_enable.

              Default: /var/log/xferlog


AUTHOR
       scarybeasts@gmail.com



                                                                VSFTPD.CONF(5)