2011-09-14 19:50:03

Original source: vsftpd configuration options explained; author: iamlyg98

vsftpd.conf in detail

BOOLEAN OPTIONS
       anon_mkdir_write_enable
       If set to YES, anonymous users will be permitted to create new
       directories under certain conditions. For this to work, the option
       write_enable must be activated, and the anonymous ftp user must have
       write permission on the parent directory.
       Default: NO
       anon_other_write_enable
       If set to YES, anonymous users will be permitted to perform write
       operations other than upload and create directory, such as deletion
       and renaming. This is generally not recommended but included for
       completeness.
       Default: NO
       anon_upload_enable
       If set to YES, anonymous users will be permitted to upload files
       under certain conditions. For this to work, the option write_enable
       must be activated, and the anonymous ftp user must have write
       permission on desired upload locations.
       Default: NO
       anon_world_readable_only
       When enabled, anonymous users will only be allowed to download files
       which are world readable. This is recognising that the ftp user may
       own files, especially in the presence of uploads.
       Default: YES
       anonymous_enable
       Controls whether anonymous logins are permitted or not. If enabled,
       both the usernames ftp and anonymous are recognised as anonymous
       logins.
       Default: YES
       ascii_download_enable
       When enabled, ASCII mode data transfers will be honoured on
       downloads.
       Default: NO
       ascii_upload_enable
       When enabled, ASCII mode data transfers will be honoured on uploads.
       Default: NO
       async_abor_enable
       When enabled, a special FTP command known as "async ABOR" will be
       enabled. Only ill advised FTP clients will use this feature.
       Additionally, this feature is awkward to handle, so it is disabled
       by default. Unfortunately, some FTP clients will hang when
       cancelling a transfer unless this feature is available, so you may
       wish to enable it.
       Default: NO
       background
       When enabled, and vsftpd is started in "listen" mode, vsftpd will
       background the listener process, i.e. control will immediately be
       returned to the shell which launched vsftpd.
       Default: NO
       check_shell
       Note! This option only has an effect for non-PAM builds of vsftpd.
       If disabled, vsftpd will not check /etc/shells for a valid user
       shell for local logins.
       Default: YES
       chmod_enable
       When enabled, allows use of the SITE CHMOD command. NOTE! This only
       applies to local users. Anonymous users never get to use SITE CHMOD.
       Default: YES
       chown_uploads
       If enabled, all anonymously uploaded files will have the ownership
       changed to the user specified in the setting chown_username. This
       is useful from an administrative, and perhaps security, standpoint.
       Default: NO
       chroot_list_enable
       If activated, you may provide a list of local users who are placed
       in a chroot() jail in their home directory upon login. The meaning
       is slightly different if chroot_local_user is set to YES. In this
       case, the list becomes a list of users which are NOT to be placed
       in a chroot() jail. By default, the file containing this list is
       /etc/vsftpd.chroot_list, but you may override this with the
       chroot_list_file setting.
       Default: NO
       chroot_local_user
       If set to YES, local users will be (by default) placed in a
       chroot() jail in their home directory after login. Warning: This
       option has security implications, especially if the users have
       upload permission, or shell access. Only enable if you know what
       you are doing. Note that these security implications are not vsftpd
       specific. They apply to all FTP daemons which offer to put local
       users in chroot() jails.
       Default: NO
       connect_from_port_20
       This controls whether PORT style data connections use port 20
       (ftp-data) on the server machine. For security reasons, some
       clients may insist that this is the case. Conversely, disabling
       this option enables vsftpd to run with slightly less privilege.
       Default: NO (but the sample config file enables it)
       deny_email_enable
       If activated, you may provide a list of anonymous password e-mail
       responses which cause login to be denied. By default, the file
       containing this list is /etc/vsftpd.banned_emails, but you may
       override this with the banned_email_file setting.
       Default: NO
       dirlist_enable
       If set to NO, all directory list commands will give permission
       denied.
       Default: YES
       dirmessage_enable
       If enabled, users of the FTP server can be shown messages when they
       first enter a new directory. By default, a directory is scanned for
       the file .message, but that may be overridden with the
       configuration setting message_file.
       Default: NO (but the sample config file enables it)
       download_enable
       If set to NO, all download requests will give permission denied.
       Default: YES
       dual_log_enable
       If enabled, two log files are generated in parallel, going by
       default to /var/log/xferlog and /var/log/vsftpd.log. The former is
       a wu-ftpd style transfer log, parseable by standard tools. The
       latter is vsftpd's own style log.
       Default: NO
       force_dot_files
       If activated, files and directories starting with . will be shown
       in directory listings even if the "a" flag was not used by the
       client. This override excludes the "." and ".." entries.
       Default: NO
       guest_enable
       If enabled, all non-anonymous logins are classed as "guest" logins.
       A guest login is remapped to the user specified in the
       guest_username setting.
       Default: NO
       hide_ids
       If enabled, all user and group information in directory listings
       will be displayed as "ftp".
       Default: NO
       listen
       If enabled, vsftpd will run in standalone mode. This means that
       vsftpd must not be run from an inetd of some kind. Instead, the
       vsftpd executable is run once directly. vsftpd itself will then
       take care of listening for and handling incoming connections.
       Default: NO
       listen_ipv6
       Like the listen parameter, except vsftpd will listen on an IPv6
       socket instead of an IPv4 one. This parameter and the listen
       parameter are mutually exclusive.
       Default: NO
       local_enable
       Controls whether local logins are permitted or not. If enabled,
       normal user accounts in /etc/passwd may be used to log in.
       Default: NO
       log_ftp_protocol
       When enabled, all FTP requests and responses are logged, providing
       the option xferlog_std_format is not enabled. Useful for debugging.
       Default: NO
       ls_recurse_enable
       When enabled, this setting will allow the use of "ls -R". This is a
       minor security risk, because a ls -R at the top level of a large
       site may consume a lot of resources.
       Default: NO
       no_anon_password
       When enabled, this prevents vsftpd from asking for an anonymous
       password - the anonymous user will log straight in.
       Default: NO
       one_process_model
       If you have a Linux 2.4 kernel, it is possible to use a different
       security model which only uses one process per connection. It is a
       less pure security model, but gains you performance. You really
       don't want to enable this unless you know what you are doing, and
       your site supports huge numbers of simultaneously connected users.
       Default: NO
       passwd_chroot_enable
       If enabled, along with chroot_local_user, then a chroot() jail
       location may be specified on a per-user basis. Each user's jail is
       derived from their home directory string in /etc/passwd. The
       occurrence of /./ in the home directory string denotes that the
       jail is at that particular location in the path.
       Default: NO
       pasv_enable
       Set to NO if you want to disallow the PASV method of obtaining a
       data connection.
       Default: YES
       pasv_promiscuous
       Set to YES if you want to disable the PASV security check that
       ensures the data connection originates from the same IP address as
       the control connection. Only enable if you know what you are doing!
       The only legitimate use for this is in some form of secure
       tunnelling scheme, or perhaps to facilitate FXP support.
       Default: NO
       port_enable
       Set to NO if you want to disallow the PORT method of obtaining a
       data connection.
       Default: YES
       port_promiscuous
       Set to YES if you want to disable the PORT security check that
       ensures that outgoing data connections can only connect to the
       client. Only enable if you know what you are doing!
       Default: NO
       secure_email_list_enable
       Set to YES if you want only a specified list of e-mail passwords
       for anonymous logins to be accepted. This is useful as a low-hassle
       way of restricting access to low-security content without needing
       virtual users. When enabled, anonymous logins are prevented unless
       the password provided is listed in the file specified by the
       email_password_file setting. The file format is one password per
       line, no extra whitespace. The default filename is
       /etc/vsftpd.email_passwords.
       Default: NO
       session_support
       This controls whether vsftpd attempts to maintain sessions for
       logins. If vsftpd is maintaining sessions, it will try and update
       utmp and wtmp. It will also open a pam_session if using PAM to
       authenticate, and only close this upon logout. You may wish to
       disable this if you do not need session logging, and you wish to
       give vsftpd more opportunity to run with less processes and / or
       less privilege. NOTE - utmp and wtmp support is only provided with
       PAM enabled builds.
       Default: YES
       setproctitle_enable
       If enabled, vsftpd will try and show session status information in
       the system process listing. In other words, the reported name of
       the process will change to reflect what a vsftpd session is doing
       (idle, downloading etc). You probably want to leave this off for
       security purposes.
       Default: NO
       syslog_enable
       If enabled, then any log output which would have gone to
       /var/log/vsftpd.log goes to the system log instead. Logging is done
       under the FTPD facility.
       Default: NO
       tcp_wrappers
       If enabled, and vsftpd was compiled with tcp_wrappers support,
       incoming connections will be fed through tcp_wrappers access
       control. Furthermore, there is a mechanism for per-IP based
       configuration. If tcp_wrappers sets the VSFTPD_LOAD_CONF
       environment variable, then the vsftpd session will try and load
       the vsftpd configuration file specified in this variable.
       Default: NO
       text_userdb_names
       By default, numeric IDs are shown in the user and group fields of
       directory listings. You can get textual names by enabling this
       parameter. It is off by default for performance reasons.
       Default: NO
       use_localtime
       If enabled, vsftpd will display directory listings with the time in
       your local time zone. The default is to display GMT. The times
       returned by the MDTM FTP command are also affected by this option.
       Default: NO
       use_sendfile
       An internal setting used for testing the relative benefit of using
       the sendfile() system call on your platform.
       Default: YES
       userlist_deny
       This option is examined if userlist_enable is activated. If you set
       this setting to NO, then users will be denied login unless they are
       explicitly listed in the file specified by userlist_file. When
       login is denied, the denial is issued before the user is asked for
       a password.
       Default: YES
       userlist_enable
       If enabled, vsftpd will load a list of usernames, from the filename
       given by userlist_file. If a user tries to log in using a name in
       this file, they will be denied before they are asked for a
       password. This may be useful in preventing cleartext passwords
       being transmitted. See also userlist_deny.
       Default: NO
       virtual_use_local_privs
       If enabled, virtual users will use the same privileges as local
       users. By default, virtual users will use the same privileges as
       anonymous users, which tends to be more restrictive (especially in
       terms of write access).
       Default: NO
       write_enable
       This controls whether any FTP commands which change the filesystem
       are allowed or not. These commands are: STOR, DELE, RNFR, RNTO,
       MKD, RMD, APPE and SITE.
       Default: NO
       xferlog_enable
       If enabled, a log file will be maintained detailing uploads and
       downloads. By default, this file will be placed at
       /var/log/vsftpd.log, but this location may be overridden using the
       configuration setting vsftpd_log_file.
       Default: NO (but the sample config file enables it)
       xferlog_std_format
       If enabled, the transfer log file will be written in standard
       xferlog format, as used by wu-ftpd. This is useful because you can
       reuse existing transfer statistics generators. The default format
       is more readable, however. The default location for this style of
       log file is /var/log/xferlog, but you may change it with the
       setting xferlog_file.
       Default: NO

NUMERIC OPTIONS
       Below is a list of numeric options. A numeric option must be set to a
       non-negative integer. Octal numbers are supported, for convenience of
       the umask options. To specify an octal number, use 0 as the first
       digit of the number.

       accept_timeout
       The timeout, in seconds, for a remote client to establish connection
       with a PASV style data connection.
       Default: 60
       anon_max_rate
       The maximum data transfer rate permitted, in bytes per second, for
       anonymous clients.
       Default: 0 (unlimited)
       anon_umask
       The value that the umask for file creation is set to for anonymous
       users. NOTE! If you want to specify octal values, remember the "0"
       prefix otherwise the value will be treated as a base 10 integer!
       Default: 077
       connect_timeout
       The timeout, in seconds, for a remote client to respond to our PORT
       style data connection.
       Default: 60
       data_connection_timeout
       The timeout, in seconds, which is roughly the maximum time we permit
       data transfers to stall for with no progress. If the timeout
       triggers, the remote client is kicked off.
       Default: 300
       file_open_mode
       The permissions with which uploaded files are created. Umasks are
       applied on top of this value. You may wish to change to 0777 if you
       want uploaded files to be executable.
       Default: 0666
       ftp_data_port
       The port from which PORT style connections originate (as long as the
       poorly named connect_from_port_20 is enabled).
       Default: 20
       idle_session_timeout
       The timeout, in seconds, which is the maximum time a remote client
       may spend between FTP commands. If the timeout triggers, the remote
       client is kicked off.
       Default: 300
       listen_port
       If vsftpd is in standalone mode, this is the port it will listen on
       for incoming FTP connections.
       Default: 21
       local_max_rate
       The maximum data transfer rate permitted, in bytes per second, for
       local authenticated users.
       Default: 0 (unlimited)
       local_umask
       The value that the umask for file creation is set to for local
       users. NOTE! If you want to specify octal values, remember the "0"
       prefix otherwise the value will be treated as a base 10 integer!
       Default: 077
       max_clients
       If vsftpd is in standalone mode, this is the maximum number of
       clients which may be connected. Any additional clients connecting
       will get an error message.
       Default: 0 (unlimited)
       max_per_ip
       If vsftpd is in standalone mode, this is the maximum number of
       clients which may be connected from the same source internet
       address. A client will get an error message if they go over this
       limit.
       Default: 0 (unlimited)
       pasv_max_port
       The maximum port to allocate for PASV style data connections. Can be
       used to specify a narrow port range to assist firewalling.
       Default: 0 (use any port)
       pasv_min_port
       The minimum port to allocate for PASV style data connections. Can be
       used to specify a narrow port range to assist firewalling.
       Default: 0 (use any port)
       trans_chunk_size
       You probably don't want to change this, but try setting it to
       something like 8192 for a much smoother bandwidth limiter.
       Default: 0 (let vsftpd pick a sensible setting)

STRING OPTIONS
       Below is a list of string options.

       anon_root
       This option represents a directory which vsftpd will try to change
       into after an anonymous login. Failure is silently ignored.
       Default: (none)
       banned_email_file
       This option is the name of a file containing a list of anonymous
       e-mail passwords which are not permitted. This file is consulted if
       the option deny_email_enable is enabled.
       Default: /etc/vsftpd.banned_emails
       banner_file
       This option is the name of a file containing text to display when
       someone connects to the server. If set, it overrides the banner
       string provided by the ftpd_banner option.
       Default: (none)
       chown_username
       This is the name of the user who is given ownership of anonymously
       uploaded files. This option is only relevant if another option,
       chown_uploads, is set.
       Default: root
       chroot_list_file
       The option is the name of a file containing a list of local users
       which will be placed in a chroot() jail in their home directory.
       This option is only relevant if the option chroot_list_enable is
       enabled. If the option chroot_local_user is enabled, then the list
       file becomes a list of users to NOT place in a chroot() jail.
       Default: /etc/vsftpd.chroot_list
       cmds_allowed
       This option specifies a comma separated list of allowed FTP
       commands (post login. USER, PASS and QUIT are always allowed
       pre-login). Other commands are rejected. This is a powerful method
       of really locking down an FTP server. Example:
       cmds_allowed=PASV,RETR,QUIT
       Default: (none)
       deny_file
       This option can be used to set a pattern for filenames (and
       directory names etc.) which should not be accessible in any way.
       The affected items are not hidden, but any attempt to do anything
       to them (download, change into directory, affect something within
       directory etc.) will be denied. This option is very simple, and
       should not be used for serious access control - the filesystem's
       permissions should be used in preference. However, this option may
       be useful in certain virtual user setups. In particular, be aware
       that if a filename is accessible by a variety of names (perhaps due
       to symbolic links or hard links), then care must be taken to deny
       access to all the names. Access will be denied to items if their
       name contains the string given by deny_file, or if they match the
       regular expression specified by deny_file. Note that vsftpd's
       regular expression matching code is a simple implementation which
       is a subset of full regular expression functionality. Because of
       this, you will need to carefully and exhaustively test any
       application of this option. And you are recommended to use
       filesystem permissions for any important security policies due to
       their greater reliability.
       Example: deny_file={*.mp3,*.mov,.private}
       Default: (none)
       email_password_file
       This option can be used to provide an alternate file for usage by
       the secure_email_list_enable setting.
       Default: /etc/vsftpd.email_passwords
       ftp_username
       This is the name of the user we use for handling anonymous FTP. The
       home directory of this user is the root of the anonymous FTP area.
       Default: ftp
       ftpd_banner
       This string option allows you to override the greeting banner
       displayed by vsftpd when a connection first comes in.
       Default: (none - default vsftpd banner is displayed)
       guest_username
       See the boolean setting guest_enable for a description of what
       constitutes a guest login. This setting is the real username which
       guest users are mapped to.
       Default: ftp
       hide_file
       This option can be used to set a pattern for filenames (and
       directory names etc.) which should be hidden from directory
       listings. Despite being hidden, the files / directories etc. are
       fully accessible to clients who know what names to actually use.
       Items will be hidden if their names contain the string given by
       hide_file, or if they match the regular expression specified by
       hide_file. Note that vsftpd's regular expression matching code is a
       simple implementation which is a subset of full regular expression
       functionality. Example: hide_file={*.mp3,.hidden,hide*,h?}
       Default: (none)
       listen_address
       If vsftpd is in standalone mode, the default listen address (of all
       local interfaces) may be overridden by this setting. Provide a
       numeric IP address.
       Default: (none)
       listen_address6
       Like listen_address, but specifies a default listen address for the
       IPv6 listener (which is used if listen_ipv6 is set). Format is
       standard IPv6 address format.
       Default: (none)
       local_root
       This option represents a directory which vsftpd will try to change
       into after a local (i.e. non-anonymous) login. Failure is silently
       ignored.
       Default: (none)
       message_file
       This option is the name of the file we look for when a new
       directory is entered. The contents are displayed to the remote
       user. This option is only relevant if the option dirmessage_enable
       is enabled.
       Default: .message
       nopriv_user
       This is the name of the user that is used by vsftpd when it wants
       to be totally unprivileged. Note that this should be a dedicated
       user, rather than nobody. The user nobody tends to be used for
       rather a lot of important things on most machines.
       Default: nobody
       pam_service_name
       This string is the name of the PAM service vsftpd will use.
       Default: ftp
       pasv_address
       Use this option to override the IP address that vsftpd will
       advertise in response to the PASV command. Provide a numeric IP
       address.
       Default: (none - the address is taken from the incoming connected
       socket)
       secure_chroot_dir
       This option should be the name of a directory which is empty. Also,
       the directory should not be writable by the ftp user. This
       directory is used as a secure chroot() jail at times vsftpd does
       not require filesystem access.
       Default: /usr/share/empty
       user_config_dir
       This powerful option allows the override of any config option
       specified in the manual page, on a per-user basis. Usage is simple,
       and is best illustrated with an example. If you set user_config_dir
       to be /etc/vsftpd_user_conf and then log on as the user "chris",
       then vsftpd will apply the settings in the file
       /etc/vsftpd_user_conf/chris for the duration of the session. The
       format of this file is as detailed in this manual page! PLEASE NOTE
       that not all settings are effective on a per-user basis. For
       example, many settings only take effect prior to the user's session
       being started. Examples of settings which will not affect any
       behaviour on a per-user basis include listen_address, banner_file,
       max_per_ip, max_clients, xferlog_file, etc.
       Default: (none)
       user_sub_token
       This option is useful in conjunction with virtual users. It is used
       to automatically generate a home directory for each virtual user,
       based on a template. For example, if the home directory of the real
       user specified via guest_username is /home/virtual/$USER, and
       user_sub_token is set to $USER, then when virtual user fred logs
       in, he will end up (usually chroot()'ed) in the directory
       /home/virtual/fred. This option also takes effect if local_root
       contains user_sub_token.
       Default: (none)
       userlist_file
       This option is the name of the file loaded when the userlist_enable
       option is active.
       Default: /etc/vsftpd.user_list
       vsftpd_log_file
       This option is the name of the file to which we write the vsftpd
       style log file. This log is only written if the option
       xferlog_enable is set, and xferlog_std_format is NOT set.
       Alternatively, it is written if you have set the option
       dual_log_enable. One further complication - if you have set
       syslog_enable, then this file is not written and output is sent to
       the system log instead.
       Default: /var/log/vsftpd.log
       xferlog_file
       This option is the name of the file to which we write the wu-ftpd
       style transfer log. The transfer log is only written if the option
       xferlog_enable is set, along with xferlog_std_format.
       Alternatively, it is written if you have set the option
       dual_log_enable.
       Default: /var/log/xferlog
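As an added example (not vsftpd's own code and not part of the original post), the following Python script parses a vsftpd.conf, applies the numeric-option rule from the reference above (a leading 0 means octal, otherwise base 10), evaluates the pre-password userlist_enable/userlist_deny decision, and flags the combinations the boolean and string sections warn about; the sample configuration it audits is constructed.

```python
"""Audit a vsftpd.conf against the risks the option reference above describes.
Added example, not vsftpd's own code; option names and defaults are taken from
the reference and the sample configuration is constructed for illustration."""
import re

# Defaults as stated in the reference, for the options the audit looks at.
DEFAULTS = {
    "anonymous_enable": "YES", "write_enable": "NO", "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO", "anon_other_write_enable": "NO",
    "chroot_local_user": "NO", "pasv_promiscuous": "NO", "port_promiscuous": "NO",
    "userlist_enable": "NO", "userlist_deny": "YES", "nopriv_user": "nobody",
    "anon_umask": "077", "local_umask": "077",
}

def parse_conf(text):
    """Apply option=value lines on top of the defaults; '#' lines are comments."""
    cfg = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                cfg[key.strip()] = value.strip()
    return cfg

def is_yes(cfg, key):
    return cfg.get(key, "NO").upper() == "YES"

def numeric_value(raw):
    """Numeric option rule from the reference: leading 0 means octal, else base 10."""
    if not re.fullmatch(r"[0-9]+", raw):
        raise ValueError(f"not a non-negative integer: {raw!r}")
    return int(raw, 8) if raw.startswith("0") else int(raw, 10)

def umask_findings(cfg, key):
    """Flag a umask written without the 0 prefix, and one that leaves go+w open."""
    raw, findings = cfg[key], []
    value = numeric_value(raw)
    if not raw.startswith("0"):
        findings.append(f"{key}={raw} lacks the 0 prefix: read as decimal {value} "
                        f"(octal 0{value:o}), not 0{raw}")
    if value & 0o022 != 0o022:
        findings.append(f"{key} effective value 0{value:o} leaves group/other write unmasked")
    return findings

def userlist_allows(cfg, user, listed_users):
    """Pre-password decision from userlist_enable/userlist_deny as the reference defines it."""
    if not is_yes(cfg, "userlist_enable"):
        return True
    listed = user in listed_users
    # userlist_deny=YES denies listed names; userlist_deny=NO admits only listed names.
    return (not listed) if is_yes(cfg, "userlist_deny") else listed

def audit(cfg):
    """Return findings for the risky combinations the reference warns about."""
    findings = []
    if is_yes(cfg, "anonymous_enable") and is_yes(cfg, "write_enable"):
        for key in ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable"):
            if is_yes(cfg, key):
                findings.append(f"anonymous users can write: {key}=YES with write_enable=YES")
    for key in ("pasv_promiscuous", "port_promiscuous"):
        if is_yes(cfg, key):
            findings.append(f"{key}=YES disables the data-connection address check")
    if is_yes(cfg, "chroot_local_user") and is_yes(cfg, "write_enable"):
        findings.append("chroot_local_user=YES with write_enable=YES: jailed users can upload")
    if cfg["nopriv_user"] == "nobody":
        findings.append("nopriv_user is nobody; the reference asks for a dedicated user")
    for key in ("anon_umask", "local_umask"):
        findings.extend(umask_findings(cfg, key))
    return findings

# Constructed sample: the admin meant anon_umask=077 but dropped the leading 0.
SAMPLE_CONF = """\
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_umask=77
local_umask=022
chroot_local_user=YES
pasv_promiscuous=YES
userlist_enable=YES
userlist_deny=NO
"""

if __name__ == "__main__":
    for finding in audit(parse_conf(SAMPLE_CONF)):
        print("-", finding)
```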