VSFTPD.CONF(5)                File Formats Manual               VSFTPD.CONF(5)

NAME

       vsftpd.conf - config file for vsftpd

DESCRIPTION

       vsftpd.conf may be used to control various aspects of vsftpd's
       behaviour. By default, vsftpd looks for this file at the location
       /etc/vsftpd/vsftpd.conf. However, you may override this by
       specifying a command line argument to vsftpd. The command line
       argument is the pathname of the configuration file for vsftpd.
       This behaviour is useful because you may wish to use an advanced
       inetd such as xinetd to launch vsftpd with different
       configuration files on a per virtual host basis.

       Systemd changes the vsftpd daemon start-up. The vsftpd package
       contains a vsftpd-generator script which generates symbolic links
       in the /var/run/systemd/generator/vsftpd.target.wants directory.
       The generator is called during e.g. 'systemctl --system
       daemon-reload'. All these symbolic links point to the
       /usr/lib/systemd/system/vsftpd@.service file. The vsftpd
       daemon(s) is/are controlled in one of the following ways:

       1. Single daemon using the default /etc/vsftpd/vsftpd.conf
       configuration file
       # systemctl {start,stop,...} vsftpd[.service]

       2. Single daemon using /etc/vsftpd/<config-filename>.conf
       # systemctl {start,stop,...} vsftpd@<config-filename-without-extension>[.service]

       3. All instances together
       # systemctl {restart,stop} vsftpd.target

       See systemd.unit(5), systemd.target(5) for further details.

FORMAT

       The format of vsftpd.conf is very simple. Each line is either a
       comment or a directive. Comment lines start with a # and are
       ignored. A directive line has the format:

       option=value

       It is important to note that it is an error to put any space
       between the option, = and value.

       Each setting has a compiled in default which may be modified in
       the configuration file.


BOOLEAN OPTIONS

       Below is a list of boolean options. The value for a boolean option
       may be set to YES or NO.

       allow_anon_ssl
              Only applies if ssl_enable is active. If set to YES,
              anonymous users will be allowed to use secured SSL
              connections.

              Default: NO

       allow_writeable_chroot
              Allow chroot()'ing a user to a directory writable by that
              user. Note that setting this to YES is potentially
              dangerous. For example, if the user creates an 'etc'
              directory in the new root directory, they could
              potentially trick the C library into loading a
              user-created configuration file from the /etc/ directory.

              Default: NO

       better_stou
              Use a better file name generation algorithm for the STOU
              command. The default original algorithm simply adds an
              increasing number suffix to the file name, which is prone
              to race conditions if multiple uploaders use the STOU
              command with the same file name simultaneously, which can
              result in failure of the command. The new algorithm adds
              a unique random six character suffix to the file name,
              which works much better in the face of concurrent uploads.

              Default: NO

       anon_mkdir_write_enable
              If set to YES, anonymous users will be permitted to create
              new directories under certain conditions. For this to
              work, the option write_enable must be activated, and the
              anonymous ftp user must have write permission on the
              parent directory.

              Default: NO

       anon_other_write_enable
              If set to YES, anonymous users will be permitted to
              perform write operations other than upload and create
              directory, such as deletion and renaming. This is
              generally not recommended but included for completeness.

              Default: NO

       anon_upload_enable
              If set to YES, anonymous users will be permitted to upload
              files under certain conditions. For this to work, the
              option write_enable must be activated, and the anonymous
              ftp user must have write permission on desired upload
              locations. This setting is also required for virtual
              users to upload; by default, virtual users are treated
              with anonymous (i.e. maximally restricted) privilege.

              Default: NO

       anon_world_readable_only
              When enabled, anonymous users will only be allowed to
              download files which are world readable. This is
              recognising that the ftp user may own files, especially
              in the presence of uploads.

              Default: YES

       anonymous_enable
              Controls whether anonymous logins are permitted or not. If
              enabled, both the usernames ftp and anonymous are
              recognised as anonymous logins.

              Default: YES

       ascii_download_enable
              When enabled, ASCII mode data transfers will be honoured
              on downloads. When disabled, the server will pretend to
              allow ASCII mode but in fact ignore requests to activate
              it. So the client will think the ASCII mode is active and
              therefore may still translate any <CRLF> character
              sequences in the received file. See the following article
              for a detailed explanation of the behaviour:
              https://access.redhat.com/articles/3250241.

              Turn this option on to have the server actually do ASCII
              mangling on files when in ASCII mode.

              Default: NO

       ascii_upload_enable
              When enabled, ASCII mode data transfers will be honoured
              on uploads. When disabled, the server will pretend to
              allow ASCII mode but in fact ignore requests to activate
              it. So the client will think the ASCII mode is active and
              will translate native line terminators to the standard
              <CRLF> line terminators for transmission, but the server
              will not do any translation. See the following article
              for a detailed explanation of the behaviour:
              https://access.redhat.com/articles/3250241.

              Turn this option on to have the server actually do ASCII
              mangling on files when in ASCII mode.

              Default: NO

       async_abor_enable
              When enabled, a special FTP command known as "async ABOR"
              will be enabled. Only ill advised FTP clients will use
              this feature. Additionally, this feature is awkward to
              handle, so it is disabled by default. Unfortunately, some
              FTP clients will hang when cancelling a transfer unless
              this feature is available, so you may wish to enable it.

              Default: NO

       background
              When enabled, and vsftpd is started in "listen" mode,
              vsftpd will background the listener process, i.e. control
              will immediately be returned to the shell which launched
              vsftpd.

              Default: YES

       check_shell
              Note! This option only has an effect for non-PAM builds of
              vsftpd. If disabled, vsftpd will not check /etc/shells
              for a valid user shell for local logins.

              Default: YES

       chmod_enable
              When enabled, allows use of the SITE CHMOD command. NOTE!
              This only applies to local users. Anonymous users never
              get to use SITE CHMOD.

              Default: YES

       chown_uploads
              If enabled, all anonymously uploaded files will have the
              ownership changed to the user specified in the setting
              chown_username. This is useful from an administrative,
              and perhaps security, standpoint.

              Default: NO

       chroot_list_enable
              If activated, you may provide a list of local users who
              are placed in a chroot() jail in their home directory upon
              login. The meaning is slightly different if
              chroot_local_user is set to YES. In this case, the list
              becomes a list of users which are NOT to be placed in a
              chroot() jail. By default, the file containing this list
              is /etc/vsftpd/chroot_list, but you may override this
              with the chroot_list_file setting.

              Default: NO

       chroot_local_user
              If set to YES, local users will be (by default) placed in
              a chroot() jail in their home directory after login.
              Warning: This option has security implications,
              especially if the users have upload permission, or shell
              access. Only enable if you know what you are doing. Note
              that these security implications are not vsftpd specific.
              They apply to all FTP daemons which offer to put local
              users in chroot() jails.

              Default: NO

       connect_from_port_20
              This controls whether PORT style data connections use port
              20 (ftp-data) on the server machine. For security
              reasons, some clients may insist that this is the case.
              Conversely, disabling this option enables vsftpd to run
              with slightly less privilege.

              Default: NO (but the sample config file enables it)

       debug_ssl
              If true, OpenSSL connection diagnostics are dumped to the
              vsftpd log file. (Added in v2.0.6).

              Default: NO

       delete_failed_uploads
              If true, any failed upload files are deleted. (Added in
              v2.0.7).

              Default: NO

       deny_email_enable
              If activated, you may provide a list of anonymous password
              e-mail responses which cause login to be denied. By
              default, the file containing this list is
              /etc/vsftpd/banned_emails, but you may override this with
              the banned_email_file setting.

              Default: NO

       dirlist_enable
              If set to NO, all directory list commands will give
              permission denied.

              Default: YES

       dirmessage_enable
              If enabled, users of the FTP server can be shown messages
              when they first enter a new directory. By default, a
              directory is scanned for the file .message, but that may
              be overridden with the configuration setting message_file.

              Default: NO (but the sample config file enables it)

       download_enable
              If set to NO, all download requests will give permission
              denied.

              Default: YES

       dual_log_enable
              If enabled, two log files are generated in parallel, going
              by default to /var/log/xferlog and /var/log/vsftpd.log.
              The former is a wu-ftpd style transfer log, parseable by
              standard tools. The latter is vsftpd's own style log.

              Default: NO

       force_dot_files
              If activated, files and directories starting with . will
              be shown in directory listings even if the "a" flag was
              not used by the client. This override excludes the "." and
              ".." entries.

              Default: NO

       force_anon_data_ssl
              Only applies if ssl_enable is activated. If activated, all
              anonymous logins are forced to use a secure SSL connection
              in order to send and receive data on data connections.

              Default: NO

       force_anon_logins_ssl
              Only applies if ssl_enable is activated. If activated, all
              anonymous logins are forced to use a secure SSL connection
              in order to send the password.

              Default: NO

       force_local_data_ssl
              Only applies if ssl_enable is activated. If activated, all
              non-anonymous logins are forced to use a secure SSL
              connection in order to send and receive data on data
              connections.

              Default: YES

       force_local_logins_ssl
              Only applies if ssl_enable is activated. If activated, all
              non-anonymous logins are forced to use a secure SSL
              connection in order to send the password.

              Default: YES

       guest_enable
              If enabled, all non-anonymous logins are classed as
              "guest" logins. A guest login is remapped to the user
              specified in the guest_username setting.

              Default: NO

       hide_ids
              If enabled, all user and group information in directory
              listings will be displayed as "ftp".

              Default: NO

       implicit_ssl
              If enabled, an SSL handshake is the first thing expected
              on all connections (the FTPS protocol). To support
              explicit SSL and/or plain text too, a separate vsftpd
              listener process should be run.

              Default: NO

       listen If enabled, vsftpd will run in standalone mode. This means
              that vsftpd must not be run from an inetd of some kind.
              Instead, the vsftpd executable is run once directly.
              vsftpd itself will then take care of listening for and
              handling incoming connections.

              Default: NO

       listen_ipv6
              Like the listen parameter, except vsftpd will listen on an
              IPv6 socket instead of an IPv4 one. Note that a socket
              listening on the IPv6 "any" address (::) will accept both
              IPv6 and IPv4 connections by default. This parameter and
              the listen parameter are mutually exclusive.

              Default: NO

       local_enable
              Controls whether local logins are permitted or not. If
              enabled, normal user accounts in /etc/passwd (or wherever
              your PAM config references) may be used to log in. This
              must be enabled for any non-anonymous login to work,
              including virtual users.

              Default: NO

       lock_upload_files
              When enabled, all uploads proceed with a write lock on the
              upload file. All downloads proceed with a shared read lock
              on the download file. WARNING! Before enabling this, be
              aware that malicious readers could starve a writer
              wanting to e.g. append a file.

              Default: YES

       log_die
              Log an error to syslog when some error condition occurs
              and vsftpd decides to quit. Internally, the error messages
              given to the functions die(), die2() and bug() are passed
              to syslog. Currently this functionality requires waiting
              for a short amount of time (1 second is used) after
              logging the message and before exiting. This is a
              workaround for the following systemd bug:
              https://github.com/systemd/systemd/issues/2913

              Default: NO

       log_ftp_protocol
              When enabled, all FTP requests and responses are logged,
              providing the option xferlog_std_format is not enabled.
              Useful for debugging.

              Default: NO

       ls_recurse_enable
              When enabled, this setting will allow the use of "ls -R".
              This is a minor security risk, because a ls -R at the top
              level of a large site may consume a lot of resources.

              Default: NO

       mdtm_write
              When enabled, this setting will allow MDTM to set file
              modification times (subject to the usual access checks).

              Default: YES

       no_anon_password
              When enabled, this prevents vsftpd from asking for an
              anonymous password - the anonymous user will log straight
              in.

              Default: NO

       no_log_lock
              When enabled, this prevents vsftpd from taking a file lock
              when writing to log files. This option should generally
              not be enabled. It exists to work around operating system
              bugs such as the Solaris / Veritas filesystem combination
              which has been observed to sometimes exhibit hangs trying
              to lock log files.

              Default: NO

       one_process_model
              If you have a Linux 2.4 kernel, it is possible to use a
              different security model which only uses one process per
              connection. It is a less pure security model, but gains
              you performance. You really don't want to enable this
              unless you know what you are doing, and your site supports
              huge numbers of simultaneously connected users.

              Default: NO

       passwd_chroot_enable
              If enabled, along with chroot_local_user, then a chroot()
              jail location may be specified on a per-user basis. Each
              user's jail is derived from their home directory string
              in /etc/passwd. The occurrence of /./ in the home
              directory string denotes that the jail is at that
              particular location in the path.

              Default: NO

       pasv_addr_resolve
              Set to YES if you want to use a hostname (as opposed to IP
              address) in the pasv_address option.

              Default: NO

       pasv_enable
              Set to NO if you want to disallow the PASV method of
              obtaining a data connection.

              Default: YES

       pasv_promiscuous
              Set to YES if you want to disable the PASV security check
              that ensures the data connection originates from the same
              IP address as the control connection. Only enable if you
              know what you are doing! The only legitimate use for this
              is in some form of secure tunnelling scheme, or perhaps to
              facilitate FXP support.

              Default: NO

       port_enable
              Set to NO if you want to disallow the PORT method of
              obtaining a data connection.

              Default: YES

       port_promiscuous
              Set to YES if you want to disable the PORT security check
              that ensures that outgoing data connections can only
              connect to the client. Only enable if you know what you
              are doing!

              Default: NO

       require_cert
              If set to yes, all SSL client connections are required to
              present a client certificate. The degree of validation
              applied to this certificate is controlled by
              validate_cert (Added in v2.0.6).

              Default: NO

       require_ssl_reuse
              If set to yes, all SSL data connections are required to
              exhibit SSL session reuse (which proves that they know the
              same master secret as the control channel). Although this
              is a secure default, it may break many FTP clients, so you
              may want to disable it. For a discussion of the
              consequences, see
              http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html
              (Added in v2.1.0).

              Default: YES

       reverse_lookup_enable
              Set to YES if you want vsftpd to transform the ip address
              into the hostname, before pam authentication. This is
              useful if you use pam_access including the hostname. If
              you want vsftpd to run in an environment where the reverse
              lookup for some hostname is available and the name server
              doesn't respond for a while, you should set this to NO to
              avoid a performance issue.

              Default: YES

       run_as_launching_user
              Set to YES if you want vsftpd to run as the user which
              launched vsftpd. This is useful where root access is not
              available. MASSIVE WARNING! Do NOT enable this option
              unless you totally know what you are doing, as naive use
              of this option can create massive security problems.
              Specifically, vsftpd does not / cannot use chroot
              technology to restrict file access when this option is set
              (even if launched by root). A poor substitute could be to
              use a deny_file setting such as {/*,*..*}, but the
              reliability of this cannot compare to chroot, and should
              not be relied on. If using this option, many restrictions
              on other options apply. For example, options requiring
              privilege such as non-anonymous logins, upload ownership
              changing, connecting from port 20 and listen ports less
              than 1024 are not expected to work. Other options may be
              impacted.

              Default: NO

       secure_email_list_enable
              Set to YES if you want only a specified list of e-mail
              passwords for anonymous logins to be accepted. This is
              useful as a low-hassle way of restricting access to
              low-security content without needing virtual users. When
              enabled, anonymous logins are prevented unless the
              password provided is listed in the file specified by the
              email_password_file setting. The file format is one
              password per line, no extra whitespace. The default
              filename is /etc/vsftpd/email_passwords.

              Default: NO

       session_support
              This controls whether vsftpd attempts to maintain sessions
              for logins. If vsftpd is maintaining sessions, it will try
              and update utmp and wtmp. It will also open a pam_session
              if using PAM to authenticate, and only close this upon
              logout. You may wish to disable this if you do not need
              session logging, and you wish to give vsftpd more
              opportunity to run with less processes and / or less
              privilege. NOTE - utmp and wtmp support is only provided
              with PAM enabled builds.

              Default: NO

       setproctitle_enable
              If enabled, vsftpd will try and show session status
              information in the system process listing. In other words,
              the reported name of the process will change to reflect
              what a vsftpd session is doing (idle, downloading etc).
              You probably want to leave this off for security purposes.

              Default: NO

       ssl_enable
              If enabled, and vsftpd was compiled against OpenSSL,
              vsftpd will support secure connections via SSL. This
              applies to the control connection (including login) and
              also data connections. You'll need a client with SSL
              support too. NOTE!! Beware enabling this option. Only
              enable it if you need it. vsftpd can make no guarantees
              about the security of the OpenSSL libraries. By enabling
              this option, you are declaring that you trust the security
              of your installed OpenSSL library.

              Default: NO

       ssl_request_cert
              If enabled, vsftpd will request (but not necessarily
              require; see require_cert) a certificate on incoming SSL
              connections. Normally this should not cause any trouble at
              all, but IBM zOS seems to have issues. (New in v2.0.7).

              Default: YES

       ssl_sslv2
              Only applies if ssl_enable is activated. If enabled, this
              option will permit SSL v2 protocol connections. TLS v1.2
              connections are preferred.

              Default: NO

       ssl_sslv3
              Only applies if ssl_enable is activated. If enabled, this
              option will permit SSL v3 protocol connections. TLS v1.2
              connections are preferred.

              Default: NO

       ssl_tlsv1
              Only applies if ssl_enable is activated. If enabled, this
              option will permit TLS v1 protocol connections. TLS v1.2
              connections are preferred.

              Default: NO

       ssl_tlsv1_1
              Only applies if ssl_enable is activated. If enabled, this
              option will permit TLS v1.1 protocol connections. TLS v1.2
              connections are preferred.

              Default: NO

       ssl_tlsv1_2
              Only applies if ssl_enable is activated. If enabled, this
              option will permit TLS v1.2 protocol connections. TLS v1.2
              and TLS v1.3 connections are preferred.

              Default: YES

       ssl_tlsv1_3
              Only applies if ssl_enable is activated. If enabled, this
              option will permit TLS v1.3 protocol connections. TLS v1.2
              and TLS v1.3 connections are preferred.

              Default: YES

       strict_ssl_read_eof
              If enabled, SSL data uploads are required to terminate via
              SSL, not an EOF on the socket. This option is required to
              be sure that an attacker did not terminate an upload
              prematurely with a faked TCP FIN. (New in v2.0.7).

              Default: YES

       strict_ssl_write_shutdown
              If enabled, SSL data downloads are required to terminate
              via SSL, not an EOF on the socket. This is off by default
              as I was unable to find a single FTP client that does
              this. It is minor. All it affects is our ability to tell
              whether the client confirmed full receipt of the file.
              Even without this option, the client is able to check the
              integrity of the download. (New in v2.0.7).

              Default: NO

       syslog_enable
              If enabled, then any log output which would have gone to
              /var/log/vsftpd.log goes to the system log instead.
              Logging is done under the FTPD facility.

              Default: NO

       tcp_wrappers
              If enabled, and vsftpd was compiled with tcp_wrappers
              support, incoming connections will be fed through
              tcp_wrappers access control. Furthermore, there is a
              mechanism for per-IP based configuration. If tcp_wrappers
              sets the VSFTPD_LOAD_CONF environment variable, then the
              vsftpd session will try and load the vsftpd configuration
              file specified in this variable.

              Default: NO

       text_userdb_names
              By default, numeric IDs are shown in the user and group
              fields of directory listings. You can get textual names by
              enabling this parameter. It is off by default for
              performance reasons. Note that textual names are not
              guaranteed when chroot_local_user is set to YES.

              Default: NO

       tilde_user_enable
              If enabled, vsftpd will try and resolve pathnames such as
              ~chris/pics, i.e. a tilde followed by a username. Note
              that vsftpd will always resolve the pathnames ~ and
              ~/something (in this case the ~ resolves to the initial
              login directory). Note that ~user paths will only resolve
              if the file /etc/passwd may be found within the _current_
              chroot() jail.

              Default: NO

654       use_localtime
655              If enabled, vsftpd will display directory listings with the time
656              in your local time zone. The default  is  to  display  GMT.  The
657              times returned by the MDTM FTP command are also affected by this
658              option.
659
660              Default: NO
661
662       use_sendfile
663              An internal setting used for testing the relative benefit of us‐
664              ing the sendfile() system call on your platform.
665
666              Default: YES
667
668       userlist_deny
669              This  option is examined if userlist_enable is activated. If you
670              set this setting to NO, then users will be denied  login  unless
671              they   are   explicitly   listed   in   the  file  specified  by
672              userlist_file.  When login is denied, the denial is  issued  be‐
673              fore the user is asked for a password.
674
675              Default: YES
676
677       userlist_enable
678              If enabled, vsftpd will load a list of usernames, from the file‐
679              name given by userlist_file.  If a user tries to log in using  a
680              name in this file, they will be denied before they are asked for
681              a password. This may be useful in preventing cleartext passwords
682              being transmitted. See also userlist_deny.
683
684              Default: NO
685
686       validate_cert
687              If  set  to yes, all SSL client certificates received must vali‐
688              date OK.  Self-signed certs do  not  constitute  OK  validation.
689              (New in v2.0.6).
690
691              Default: NO
692
693       userlist_log
694              This  option is examined if userlist_enable is activated. If en‐
695              abled, every login denial based on the user list will be logged.
696
697              Default: NO
698
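       The login gate described under userlist_enable, userlist_deny and
       userlist_log, as an added example (not vsftpd's own code): the decision
       is taken on the USER command, before any password is requested. The
       sample list file is constructed for the example, and the reply strings
       are this example's own wording around the standard FTP reply codes.

```python
# Added example, not vsftpd's own code. Models the pre-password decision that
# vsftpd.conf documents for userlist_enable, userlist_deny, userlist_file and
# userlist_log. Reply texts below are illustrative (assumption), built on the
# standard FTP codes 530 (refused) and 331 (password required).
from typing import Dict, Set, Tuple

# Constructed userlist_file body: one username per line, as in /etc/vsftpd/user_list.
SAMPLE_USER_LIST = """root
bin
daemon
ftpadmin
"""


def load_user_list(text: str) -> Set[str]:
    """Usernames named in a userlist_file; blank lines are ignored (assumption)."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def denied_before_password(username: str, listed: Set[str], options: Dict[str, str]) -> bool:
    """True when vsftpd would refuse this user before asking for a password.

    userlist_deny=YES (the default) makes the file a deny list: listed names are
    refused. userlist_deny=NO turns it into an allow list: anyone NOT explicitly
    listed is refused. With userlist_enable off the list is never consulted.
    """
    if options.get("userlist_enable", "NO").upper() != "YES":
        return False
    deny_mode = options.get("userlist_deny", "YES").upper() == "YES"
    on_list = username in listed
    return on_list if deny_mode else not on_list


def handle_user_command(username: str, listed: Set[str], options: Dict[str, str]) -> Tuple[str, str]:
    """Return (reply, log_line) for 'USER <username>'.

    log_line is empty unless the denial should be recorded, which the manual
    ties to userlist_log. The log text itself is constructed for the example.
    """
    if denied_before_password(username, listed, options):
        log = ""
        if options.get("userlist_log", "NO").upper() == "YES":
            log = f"userlist denial: USER {username}"
        return "530 Permission denied.", log
    return "331 Please specify the password.", ""


if __name__ == "__main__":
    users = load_user_list(SAMPLE_USER_LIST)
    deny_list_cfg = {"userlist_enable": "YES", "userlist_log": "YES"}
    allow_list_cfg = {"userlist_enable": "YES", "userlist_deny": "NO"}
    for name in ("root", "alice", "ftpadmin"):
        print(name, "deny-list mode:", handle_user_command(name, users, deny_list_cfg))
        print(name, "allow-list mode:", handle_user_command(name, users, allow_list_cfg))
```

       Because the refusal happens on USER, a client configured with
       userlist_enable never sends a password for a refused account, which is
       the cleartext-password benefit the userlist_enable text refers to.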
699       virtual_use_local_privs
700              If enabled, virtual users will use the same privileges as  local
701              users. By default, virtual users will use the same privileges as
702              anonymous users, which tends to be more restrictive  (especially
703              in terms of write access).
704
705              Default: NO
706
707       write_enable
708              This controls whether any FTP commands which change the filesys‐
709              tem are allowed or not. These commands are:  STOR,  DELE,  RNFR,
710              RNTO, MKD, RMD, APPE and SITE.
711
712              Default: NO
713
714       xferlog_enable
715              If enabled, a log file will be maintained detailing uploads  and
716              downloads.  By default, this file will be placed at /var/log/vs‐
717              ftpd.log, but this location may be overridden using the configu‐
718              ration setting vsftpd_log_file.
719
720              Default: NO (but the sample config file enables it)
721
722       xferlog_std_format
723              If enabled, the transfer log file will be  written  in  standard
724              xferlog  format,  as used by wu-ftpd. This is useful because you
725              can reuse existing transfer statistics generators.  The  default
726              format  is more readable, however. The default location for this
727              style of log file is /var/log/xferlog, but  you  may  change  it
728              with the setting xferlog_file.
729
730              Default: NO
731
732       isolate_network
733              If  enabled, use CLONE_NEWNET to isolate the untrusted processes
734              so that they can't do arbitrary connect() and  instead  have  to
735              ask the privileged process for sockets (port_promiscuous has  to
736              be disabled).
737
738              Default: YES
739
740       isolate
741              If enabled, use CLONE_NEWPID and CLONE_NEWIPC  to  isolate  pro‐
742              cesses into their own ipc and pid namespaces, so that  separated
743              processes cannot interact with each other.
744
745              Default: YES
746
747       wc_logs_enable
748              If enabled, logs will be treated as wide-character  strings  and
749              not  just ASCII strings when filtering out non-printable charac‐
750              ters.
751
752              Default: NO
753
754

NUMERIC OPTIONS

756       Below is a list of numeric options. A numeric option must be set  to  a
757       non-negative integer. Octal numbers are supported, for convenience  of
758       the umask options. To specify an octal number, use 0 as the first digit
759       of the number.
760
761
762       accept_timeout
763              The  timeout,  in seconds, for a remote client to establish con‐
764              nection with a PASV style data connection.
765
766              Default: 60
767
768       anon_max_rate
769              The maximum data transfer rate permitted, in bytes  per  second,
770              for anonymous clients.
771
772              Default: 0 (unlimited)
773
774       anon_umask
775              The  value that the umask for file creation is set to for anony‐
776              mous users. NOTE! If you want to specify octal values,  remember
777              the  "0" prefix otherwise the value will be treated as a base 10
778              integer!
779
780              Default: 077
781
782       bind_retries
783              Maximum number of attempts to find a free listening port in pas‐
784              sive mode.
785
786              Default: 9
787
788       chown_upload_mode
789              The  file  mode to force for chown()ed anonymous uploads. (Added
790              in v2.0.6).
791
792              Default: 0600
793
794       connect_timeout
795              The timeout, in seconds, for a remote client to respond  to  our
796              PORT style data connection.
797
798              Default: 60
799
800       data_connection_timeout
801              The  timeout,  in  seconds, which is roughly the maximum time we
802              permit data transfers to stall for  with  no  progress.  If  the
803              timeout triggers, the remote client is kicked off.
804
805              Default: 300
806
807       delay_failed_login
808              The  number  of seconds to pause prior to reporting a failed lo‐
809              gin.
810
811              Default: 1
812
813       delay_successful_login
814              The number of seconds to pause prior to  allowing  a  successful
815              login.
816
817              Default: 0
818
819       file_open_mode
820              The  permissions  with  which uploaded files are created. Umasks
821              are applied on top of this value. You may wish to change to 0777
822              if you want uploaded files to be executable.
823
824              Default: 0666
825
826       ftp_data_port
827              The port from which PORT style connections originate (as long as
828              the poorly named connect_from_port_20 is enabled).
829
830              Default: 20
831
832       idle_session_timeout
833              The timeout, in seconds, which is  the  maximum  time  a  remote
834              client  may spend between FTP commands. If the timeout triggers,
835              the remote client is kicked off.
836
837              Default: 300
838
839       listen_port
840              If vsftpd is in standalone mode, this is the port it will listen
841              on for incoming FTP connections.
842
843              Default: 21
844
845       local_max_rate
846              The  maximum  data transfer rate permitted, in bytes per second,
847              for local authenticated users.
848
849              Default: 0 (unlimited)
850
851       local_umask
852              The value that the umask for file creation is set to  for  local
853              users.  NOTE!  If you want to specify octal values, remember the
854              "0" prefix otherwise the value will be treated as a base 10  in‐
855              teger!
856
857              Default: 077
858
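       The octal rule stated for anon_umask and local_umask, together with the
       FORMAT rules (option=value, # comments, no whitespace around =) and
       file_open_mode, as an added example (not vsftpd's own code). It parses
       a constructed vsftpd.conf fragment, interprets numeric values the way
       the manual describes (a leading 0 means octal, otherwise base 10), and
       works out the permission bits an uploaded file ends up with. The
       anon_umask=77 line is deliberately the mistake the NOTE warns about.

```python
# Added example, not vsftpd's own code. Parses a vsftpd.conf fragment using the
# FORMAT rules from this manual page, applies the leading-0 octal rule from the
# NUMERIC OPTIONS section, and computes the effective mode of uploaded files:
# file_open_mode with the applicable umask bits removed.
from typing import Dict, List

# Constructed configuration for the example. anon_umask=77 lacks the 0 prefix,
# so it is decimal 77 (octal 0115) rather than the intended 077.
SAMPLE_CONF = """# Constructed sample vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
file_open_mode=0666
local_umask=022
anon_umask=77
"""


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Return {option: value}. Comment and blank lines are skipped; a line without
    '=' or with whitespace around the option or value is rejected, since the
    manual says any space between option, = and value is an error."""
    options: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: missing '=' in directive {line!r}")
        option, value = line.split("=", 1)
        if not option or option != option.strip() or value != value.strip():
            raise ValueError(f"line {lineno}: whitespace around '=' is not allowed")
        options[option] = value
    return options


def numeric_value(value: str) -> int:
    """Numeric options are non-negative integers; a leading 0 selects octal."""
    if not value.isdigit():
        raise ValueError(f"not a non-negative integer: {value!r}")
    return int(value, 8) if value.startswith("0") else int(value, 10)


def effective_upload_mode(options: Dict[str, str], umask_option: str) -> int:
    """Permission bits of a newly uploaded file: file_open_mode (manual default
    0666) masked by the named umask option (manual default 077)."""
    open_mode = numeric_value(options.get("file_open_mode", "0666"))
    umask = numeric_value(options.get(umask_option, "077"))
    return open_mode & ~umask & 0o777


def umask_warnings(options: Dict[str, str]) -> List[str]:
    """Flag umask values written without the 0 prefix: they are parsed as
    decimal, which is almost never what the administrator meant."""
    findings: List[str] = []
    for name in ("anon_umask", "local_umask"):
        value = options.get(name)
        if value is not None and not value.startswith("0"):
            decimal = int(value)
            findings.append(
                f"{name}={value} is decimal {decimal} (octal {decimal:04o}); "
                f"did you mean 0{value}?"
            )
    return findings


if __name__ == "__main__":
    opts = parse_vsftpd_conf(SAMPLE_CONF)
    print("local uploads:", oct(effective_upload_mode(opts, "local_umask")))
    print("anonymous uploads:", oct(effective_upload_mode(opts, "anon_umask")))
    for finding in umask_warnings(opts):
        print("WARNING:", finding)
```

       With the sample above, local uploads get 0644 as intended, but the
       decimal 77 umask (octal 0115) leaves anonymous uploads at 0662, i.e.
       group- and world-writable, instead of the 0600 that 077 would give.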
859       max_clients
860              If  vsftpd  is in standalone mode, this is the maximum number of
861              clients which may be connected. Any additional clients  connect‐
862              ing  will  get  an  error message.  The value 0 switches off the
863              limit.
864
865              Default: 2000
866
867       max_login_fails
868              After this many login failures, the session is killed.
869
870              Default: 3
871
872       max_per_ip
873              If vsftpd is in standalone mode, this is the maximum  number  of
874              clients which may be connected from the same source internet ad‐
875              dress. A client will get an error message if they go  over  this
876              limit. The value 0 switches off the limit.
877
878              Default: 50
879
880       pasv_max_port
881              The  maximum  port  to allocate for PASV style data connections.
882              Can be used to specify a  narrow  port  range  to  assist  fire‐
883              walling.
884
885              Default: 0 (use any port)
886
887       pasv_min_port
888              The  minimum  port  to allocate for PASV style data connections.
889              Can be used to specify a  narrow  port  range  to  assist  fire‐
890              walling.
891
892              Default: 0 (use any port)
893
894       trans_chunk_size
895              You  probably  don't  want to change this, but try setting it to
896              something like 8192 for a much smoother bandwidth limiter.
897
898              Default: 0 (let vsftpd pick a sensible setting)
899
900

STRING OPTIONS

902       Below is a list of string options.
903
904
905       anon_root
906              This option represents a directory  which  vsftpd  will  try  to
907              change  into  after  an anonymous login. Failure is silently ig‐
908              nored.
909
910              Default: (none)
911
912       banned_email_file
913              This option is the name of a file containing a list of anonymous
914              e-mail passwords which are not permitted. This file is consulted
915              if the option deny_email_enable is enabled.
916
917              Default: /etc/vsftpd/banned_emails
918
919       banner_file
920              This option is the name of a file  containing  text  to  display
921              when  someone  connects  to the server. If set, it overrides the
922              banner string provided by the ftpd_banner option.
923
924              Default: (none)
925
926       ca_certs_file
927              This option is the name of a file to load Certificate  Authority
928              certs  from,  for  the  purpose  of validating client certs. The
929              loaded certs are also advertised to the  client,  to  cater  for
930              TLSv1.0  clients  such as the z/OS FTP client.  Regrettably, the
931              default SSL CA cert paths are not used, because of vsftpd's  use
932              of restricted filesystem spaces (chroot). (Added in v2.0.6).
933
934              Default: (none)
935
936       chown_username
937              This  is  the  name of the user who is given ownership of anony‐
938              mously uploaded files. This option is only relevant  if  another
939              option, chown_uploads, is set.
940
941              Default: root
942
943       chroot_list_file
944              The  option  is  the  name  of a file containing a list of local
945              users which will be placed in a chroot() jail in their home  di‐
946              rectory.  This  option  is  only  relevant  if  the  option  ch‐
947              root_list_enable is enabled. If the option chroot_local_user  is
948              enabled, then the list file becomes a list of users to NOT place
949              in a chroot() jail.
950
951              Default: /etc/vsftpd.chroot_list
952
953       cmds_allowed
954              This option specifies a comma-separated  list  of  allowed  FTP
955              commands (post-login; USER, PASS, QUIT and others are always al‐
956              lowed pre-login). Other commands are rejected. This is a  power‐
957              ful method of really locking down an FTP server. Example:
958              cmds_allowed=PASV,RETR,QUIT
959
960              Default: (none)
961
962       cmds_denied
963              This option specifies a comma-separated list of denied FTP  com‐
964              mands (post-login; USER, PASS, QUIT and others are always al‐
965              lowed pre-login). If a command appears on both this and cmds_al‐
966              lowed then the denial takes precedence. (Added in v2.1.0).
967
968              Default: (none)
969
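       The command rules given for cmds_allowed, cmds_denied and write_enable,
       as an added example (not vsftpd's own code): denial wins when a command
       is on both lists, an allow list rejects everything not on it, and
       write_enable=NO blocks the filesystem-changing commands the page lists.
       Only the pre-login commands the page names are modelled.

```python
# Added example, not vsftpd's own code. Evaluates a command against the rules
# this page gives for cmds_allowed, cmds_denied and write_enable. The set of
# pre-login commands is limited to the ones the page names (assumption).
from typing import Dict, Optional, Set

# Filesystem-changing commands, as listed under write_enable.
WRITE_COMMANDS = {"STOR", "DELE", "RNFR", "RNTO", "MKD", "RMD", "APPE", "SITE"}
# The page says USER, PASS, QUIT "and others" are always allowed pre-login;
# only the named ones are modelled here.
PRE_LOGIN_COMMANDS = {"USER", "PASS", "QUIT"}


def _command_set(value: Optional[str]) -> Set[str]:
    """Split a comma-separated option value such as PASV,RETR,QUIT."""
    if not value:
        return set()
    return {item.strip().upper() for item in value.split(",") if item.strip()}


def command_permitted(command: str, options: Dict[str, str], logged_in: bool = True) -> bool:
    """Apply the documented rules in order: pre-login set, cmds_denied,
    cmds_allowed, then write_enable for filesystem-changing commands.
    Defaults follow the page: both lists empty, write_enable=NO."""
    cmd = command.strip().upper()
    if not logged_in:
        return cmd in PRE_LOGIN_COMMANDS
    if cmd in _command_set(options.get("cmds_denied")):
        return False  # denial takes precedence over cmds_allowed
    allowed = _command_set(options.get("cmds_allowed"))
    if allowed and cmd not in allowed:
        return False  # an allow list rejects everything it does not name
    if cmd in WRITE_COMMANDS and options.get("write_enable", "NO").upper() != "YES":
        return False
    return True


def audit_write_exposure(options: Dict[str, str]) -> Set[str]:
    """Filesystem-changing commands a logged-in client could still issue under
    this configuration; an empty set means the server is effectively read-only."""
    return {c for c in WRITE_COMMANDS if command_permitted(c, options)}


if __name__ == "__main__":
    locked_down = {"cmds_allowed": "PASV,RETR,QUIT,STOR", "cmds_denied": "STOR", "write_enable": "YES"}
    for cmd in ("RETR", "STOR", "LIST", "QUIT"):
        print(cmd, "->", "allowed" if command_permitted(cmd, locked_down) else "rejected")
    print("write exposure:", sorted(audit_write_exposure(locked_down)) or "none")
```

       audit_write_exposure is the check to run before enabling write_enable
       on a server that also carries an allow or deny list: it shows which of
       the eight commands remain reachable after all three options are applied.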
970       deny_file
971              This  option can be used to set a pattern for filenames (and di‐
972              rectory names etc.) which should not be accessible in  any  way.
973              The  affected  items  are not hidden, but any attempt to do any‐
974              thing to them (download, change into directory, affect something
975              within  directory etc.) will be denied. This option is very sim‐
976              ple, and should not be used for serious  access  control  -  the
977              filesystem's  permissions should be used in preference. However,
978              this option may be useful in certain  virtual  user  setups.  In
979              particular, be aware that if a file is accessible by  a  variety
980              of names (perhaps due to symbolic links  or  hard  links),  then
981              care must be taken to deny access to all the names.  Access will
982              be denied to items if their name contains the  string  given  by
983              deny_file,  or if they match the regular expression specified by
984              deny_file.  Note that vsftpd's regular expression matching  code
985              is a simple implementation which is a subset of full regular ex‐
986              pression functionality. Because of this, you will need to  care‐
987              fully  and exhaustively test any application of this option. And
988              you are recommended to use filesystem permissions for any impor‐
989              tant  security  policies  due to their greater reliability. Sup‐
990              ported regex syntax is any number of *, ? and unnested {,} oper‐
991              ators. Regex matching is only supported on the last component of
992              a path, e.g. a/b/? is supported  but  a/?/c  is  not.   Example:
993              deny_file={*.mp3,*.mov,.private}
994
995              Default: (none)
996
997       dsa_cert_file
998              This option specifies the location of the DSA certificate to use
999              for SSL encrypted connections.
1000
1001              Default: (none - an RSA certificate suffices)
1002
1003       dsa_private_key_file
1004              This option specifies the location of the DSA private key to use
1005              for  SSL  encrypted  connections. If this option is not set, the
1006              private key is expected to be in the same file as  the  certifi‐
1007              cate.
1008
1009              Default: (none)
1010
1011       dh_param_file
1012              This option specifies the location of the custom parameters used
1013              for ephemeral Diffie-Hellman key exchange in SSL.
1014
1015              Default: (none - use built in parameters  appropriate  for  cer‐
1016              tificate key size)
1017
1018       ecdh_param_file
1019              This  option  specifies  the  location  of custom parameters for
1020              ephemeral Elliptic Curve Diffie-Hellman (ECDH) key exchange.
1021
1022              Default: (none -  use  built  in  parameters,  NIST  P-256  with
1023              OpenSSL  1.0.1  and automatically selected curve based on client
1024              preferences with OpenSSL 1.0.2 and later)
1025
1026       email_password_file
1027              This option can be used to provide an alternate file  for  usage
1028              by the secure_email_list_enable setting.
1029
1030              Default: /etc/vsftpd/email_passwords
1031
1032       ftp_username
1033              This  is the name of the user we use for handling anonymous FTP.
1034              The home directory of this user is the root of the anonymous FTP
1035              area.
1036
1037              Default: ftp
1038
1039       ftpd_banner
1040              This  string  option  allows you to override the greeting banner
1041              displayed by vsftpd when a connection first comes in.
1042
1043              Default: (none - default vsftpd banner is displayed)
1044
1045       guest_username
1046              See the boolean setting guest_enable for a description  of  what
1047              constitutes  a  guest  login.  This setting is the real username
1048              which guest users are mapped to.
1049
1050              Default: ftp
1051
1052       hide_file
1053              This option can be used to set a pattern for filenames (and  di‐
1054              rectory  names etc.) which should be hidden from directory list‐
1055              ings. Despite being hidden, the files  /  directories  etc.  are
1056              fully accessible to clients who know what names to actually use.
1057              Items will be hidden if their names contain the string given  by
1058              hide_file,  or if they match the regular expression specified by
1059              hide_file. Note that vsftpd's regular expression  matching  code
1060              is a simple implementation which is a subset of full regular ex‐
1061              pression functionality.  See deny_file for  details  of  exactly
1062              what regex syntax is supported.  Example: hide_file={*.mp3,.hid‐
1063              den,hide*,h?}
1064
1065              Default: (none)
1066
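       The pattern syntax documented for deny_file and hide_file (any number
       of * and ?, one level of {,} alternatives, wildcards only in the last
       path component, and the rule that a name is also caught when it merely
       contains the option's string), as an added example that is not
       vsftpd's own matcher. Translating the pattern to a Python regular
       expression is this example's approach; the sample names are constructed.

```python
# Added example, not vsftpd's own code. Implements the subset syntax this page
# documents for deny_file and hide_file by translating it to an anchored Python
# regular expression, and applies the additional substring rule the page states.
import re
from typing import Iterable, List


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the documented syntax: * -> any run of characters, ? -> one
    character, {a,b} -> alternatives (not nested), everything else literal.
    Raises ValueError for nested or unbalanced braces and for wildcards outside
    the last path component (a/b/? is supported, a/?/c is not)."""
    directory_part = pattern.rpartition("/")[0]
    if any(c in directory_part for c in "*?{}"):
        raise ValueError(f"wildcards only supported in last path component: {pattern!r}")
    out: List[str] = []
    in_brace = False
    for c in pattern:
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "{" and not in_brace:
            out.append("(?:")
            in_brace = True
        elif c == "}" and in_brace:
            out.append(")")
            in_brace = False
        elif c in "{}":
            raise ValueError(f"nested or unbalanced braces: {pattern!r}")
        elif c == "," and in_brace:
            out.append("|")
        else:
            out.append(re.escape(c))
    if in_brace:
        raise ValueError(f"unbalanced braces: {pattern!r}")
    return re.compile("".join(out))


def matches_filter(pattern: str, path: str) -> bool:
    """True if path would be hidden (hide_file) or denied (deny_file): either the
    pattern matches the whole name, or the name contains the pattern's text."""
    return pattern_to_regex(pattern).fullmatch(path) is not None or pattern in path


def filter_listing(pattern: str, names: Iterable[str]) -> List[str]:
    """Directory listing as a client would see it with hide_file=pattern."""
    return [name for name in names if not matches_filter(pattern, name)]


if __name__ == "__main__":
    # Constructed sample directory contents.
    sample = ["a.mp3", ".hidden", "hide_me", "hi", "hello", "hidden", "readme"]
    print(filter_listing("{*.mp3,.hidden,hide*,h?}", sample))
    # The substring rule: a bare .private pattern also catches .private_backup.
    print(matches_filter(".private", "keys/.private_backup"))
```

       The substring rule is why the page asks for exhaustive testing: a plain
       deny_file=.private also denies any path containing that text, whereas
       the braced form {*.mp3,*.mov,.private} only denies exact .private
       matches, since the whole braced string is what would have to appear as
       a substring.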
1067       listen_address
1068              If vsftpd is in standalone mode, the default listen address  (of
1069              all local interfaces) may be overridden by this setting. Provide
1070              a numeric IP address.
1071
1072              Default: (none)
1073
1074       listen_address6
1075              Like listen_address, but specifies a default listen address  for
1076              the  IPv6 listener (which is used if listen_ipv6 is set). Format
1077              is standard IPv6 address format.
1078
1079              Default: (none)
1080
1081       local_root
1082              This option represents a directory  which  vsftpd  will  try  to
1083              change into after a local (i.e. non-anonymous) login. Failure is
1084              silently ignored.
1085
1086              Default: (none)
1087
1088       message_file
1089              This option is the name of the file we look for when a  new  di‐
1090              rectory  is  entered.  The  contents are displayed to the remote
1091              user. This option is only relevant if the option  dirmessage_en‐
1092              able is enabled.
1093
1094              Default: .message
1095
1096       nopriv_user
1097              This  is  the  name  of  the user that is used by vsftpd when it
1098              wants to be totally unprivileged. Note that  this  should  be  a
1099              dedicated  user, rather than nobody. The user nobody tends to be
1100              used for rather a lot of important things on most machines.
1101
1102              Default: nobody
1103
1104       pam_service_name
1105              This string is the name of the PAM service vsftpd will use.
1106
1107              Default: ftp
1108
1109       pasv_address
1110              Use this option to override the IP address that vsftpd will  ad‐
1111              vertise  in  response  to the PASV command. Provide a numeric IP
1112              address, unless pasv_addr_resolve is enabled, in which case  you
1113              can  provide  a  hostname  which will be DNS resolved for you at
1114              startup.
1115
1116              Default: (none - the address is taken  from  the  incoming  con‐
1117              nected socket)
1118
1119       rsa_cert_file
1120              This option specifies the location of the RSA certificate to use
1121              for SSL encrypted connections.
1122
1123              Default: /usr/share/ssl/certs/vsftpd.pem
1124
1125       rsa_private_key_file
1126              This option specifies the location of the RSA private key to use
1127              for  SSL  encrypted  connections. If this option is not set, the
1128              private key is expected to be in the same file as  the  certifi‐
1129              cate.
1130
1131              Default: (none)
1132
1133       secure_chroot_dir
1134              This  option  should  be the name of a directory which is empty.
1135              Also, the directory should not be writable by the ftp user. This
1136              directory is used as a secure chroot() jail at times vsftpd does
1137              not require filesystem access.
1138
1139              Default: /usr/share/empty
1140
1141       ssl_ciphers
1142              This option can be used to select which SSL ciphers vsftpd  will
1143              allow  for  encrypted  SSL connections. See the ciphers man page
1144              for further details. Note that restricting ciphers can be a use‐
1145              ful  security precaution as it prevents malicious remote parties
1146              forcing a cipher which they have found problems with.
1147
1148              By default, the system-wide crypto policy is used.  See  update-
1149              crypto-policies(8) for further details.
1150
1151              Default: PROFILE=SYSTEM
1152
1153       ssl_sni_hostname
1154              If set, SSL connections will be rejected unless the SNI hostname
1155              in the incoming handshakes matches this value.
1156
1157              Default: (none)
1158
1159       user_config_dir
1160              This powerful option allows the override of  any  config  option
1161              specified in the manual page, on a per-user basis. Usage is sim‐
1162              ple, and is  best  illustrated  with  an  example.  If  you  set
1163              user_config_dir  to  be /etc/vsftpd/user_conf and then log on as
1164              the user "chris", then vsftpd will apply  the  settings  in  the
1165              file  /etc/vsftpd/user_conf/chris  for  the duration of the ses‐
1166              sion. The format of this file is  as  detailed  in  this  manual
1167              page!  PLEASE NOTE that not all settings are effective on a per-
1168              user basis. For example, many settings only take  effect  prior
1169              to the user's session being started.  Examples of settings which
1170              will not affect any behaviour on a per-user basis include
1171              listen_address, banner_file, max_per_ip, max_clients, xferlog_file, etc.
1172
1173              Default: (none)
1174
1175       user_sub_token
1176              This  option  is useful in conjunction with virtual users. It is
1177              used to automatically generate a home directory for each virtual
1178              user, based on a template. For example, if the home directory of
1179              the  real  user  specified  via  guest_username  is   /home/vir‐
1180              tual/$USER,  and  user_sub_token is set to $USER, then when vir‐
1181              tual user fred logs in, he will end up (usually chroot()'ed)  in
1182              the directory /home/virtual/fred.  This option also takes effect
1183              if local_root contains user_sub_token.
1184
1185              Default: (none)
1186
1187       userlist_file
1188              This option is the name of the file loaded when the userlist_en‐
1189              able option is active.
1190
1191              Default: /etc/vsftpd/user_list
1192
1193       vsftpd_log_file
1194              This option is the name of the file to which we write the vsftpd
1195              style log file. This log is only written  if  the  option  xfer‐
1196              log_enable  is  set, and xferlog_std_format is NOT set. Alterna‐
1197              tively, it is written if you have set  the  option  dual_log_en‐
1198              able.  One further complication - if you have set syslog_enable,
1199              then this file is not written and output is sent to  the  system
1200              log instead.
1201
1202              Default: /var/log/vsftpd.log
1203
1204       xferlog_file
1205              This  option  is  the name of the file to which we write the wu-
1206              ftpd style transfer log. The transfer log is only written if the
1207              option  xferlog_enable  is  set,  along with xferlog_std_format.
1208              Alternatively,  it  is  written  if  you  have  set  the  option
1209              dual_log_enable.
1210
1211              Default: /var/log/xferlog
1212
1213

AUTHOR

1215       scarybeasts@gmail.com
1216
1217
1218
1219
1220                                                                VSFTPD.CONF(5)