Category: BSD
2008-03-20 17:46:02
NAME
vsftpd.conf - config file for vsftpd
DESCRIPTION
vsftpd.conf may be used to control various
aspects of vsftpd's behaviour. By default, vsftpd looks for this file at the
location /etc/vsftpd.conf. However, you may override this by specifying a
command line argument to vsftpd. The command line argument is the pathname of
the configuration file for vsftpd. This behaviour is useful because you may wish
to use an advanced inetd such as xinetd to launch vsftpd with different
configuration files on a per virtual host basis.
(Note: with xinetd, ftp can be started only when it is needed, though I have not used it myself.)
FORMAT
The format of vsftpd.conf is very simple.
Each line is either a comment or a directive. Comment lines start with a # and
are ignored. A directive line has the format:
option=value
It is important to note that it is an error
to put any space between the option, = and value.
Each setting has a compiled in default which
may be modified in the configuration file.
BOOLEAN OPTIONS
Below is a list of boolean options. The
value for a boolean option may be set to YES or NO.
allow_anon_ssl
Only applies if ssl_enable is active. If set
to YES, anonymous users will be allowed to use secured SSL connections.
Default: NO
anon_mkdir_write_enable
If set to YES, anonymous users will be
permitted to create new directories under certain conditions. For this to work,
the option write_enable must be activated, and the anonymous ftp user must have
write permission on the parent directory.
Default: NO
anon_other_write_enable
If set to YES, anonymous users will be
permitted to perform write operations other than upload and create directory,
such as deletion and renaming. This is generally not recommended but included
for completeness.
Default: NO
anon_upload_enable
If set to YES, anonymous users will be
permitted to upload files under certain conditions. For this to work, the option
write_enable must be activated, and the anonymous ftp user must have write
permission on desired upload locations.
Default: NO
anon_world_readable_only
When enabled, anonymous users will only be
allowed to download files which are world readable. This is recognising that the
ftp user may own files, especially in the presence of uploads.
Default: YES
anonymous_enable
Controls whether anonymous logins are
permitted or not. If enabled, both the usernames ftp and anonymous are
recognised as anonymous logins.
Default: YES
ascii_download_enable
When enabled, ASCII mode data transfers will
be honoured on downloads.
Default: NO
ascii_upload_enable
When enabled, ASCII mode data transfers will
be honoured on uploads.
Default: NO
async_abor_enable
When enabled, a special FTP command known as
"async ABOR" will be enabled. Only ill advised FTP clients will use this
feature. Additionally, this feature is awkward to handle, so it is disabled by
default. Unfortunately, some FTP clients will hang when cancelling a transfer
unless this feature is available, so you may wish to enable it.
Default: NO
background
When enabled, and vsftpd is started in
"listen" mode, vsftpd will background the listener process. i.e. control will
immediately be returned to the shell which launched vsftpd.
Default: NO
check_shell
Note! This option only has an effect for
non-PAM builds of vsftpd. If disabled, vsftpd will not check /etc/shells for a
valid user shell for local logins.
Default: YES
chmod_enable
When enabled, allows use of the SITE CHMOD
command. NOTE! This only applies to local users. Anonymous users never get to
use SITE CHMOD.
Default: YES
chown_uploads
If enabled, all anonymously uploaded files
will have the ownership changed to the user specified in the setting
chown_username. This is useful from an administrative, and perhaps security,
standpoint.
Default: NO
chroot_list_enable
If activated, you may provide a list of
local users who are placed in a chroot() jail in their home directory upon
login. The meaning is slightly different if chroot_local_user is set to YES. In
this case, the list becomes a list of users which are NOT to be placed in a
chroot() jail. By default, the file containing this list is
/etc/vsftpd.chroot_list, but you may override this with the chroot_list_file
setting.
Default: NO
chroot_local_user
If set to YES, local users will be (by
default) placed in a chroot() jail in their home directory after login. Warning:
This option has security implications, especially if the users have upload
permission, or shell access. Only enable if you know what you are doing. Note
that these security implications are not vsftpd specific. They apply to all FTP
daemons which offer to put local users in chroot() jails.
Default: NO
connect_from_port_20
This controls whether PORT style data
connections use port 20 (ftp-data) on the server machine. For security reasons,
some clients may insist that this is the case. Conversely, disabling this option
enables vsftpd to run with slightly less privilege.
Default: NO (but the sample config file enables it)
deny_email_enable
If activated, you may provide a list of
anonymous password e-mail responses which cause login to be denied. By default,
the file containing this list is /etc/vsftpd.banned_emails, but you may override
this with the banned_email_file setting.
Default: NO
dirlist_enable
If set to NO, all directory list commands
will give permission denied.
Default: YES
dirmessage_enable
If enabled, users of the FTP server can be
shown messages when they first enter a new directory. By default, a directory is
scanned for the file .message, but that may be overridden with the configuration
setting message_file.
Default: NO (but the sample config file enables it)
download_enable
If set to NO, all download requests will
give permission denied.
Default: YES
dual_log_enable
If enabled, two log files are generated in
parallel, going by default to /var/log/xferlog and /var/log/vsftpd.log. The
former is a wu-ftpd style transfer log, parseable by standard tools. The latter
is vsftpd's own style log.
Default: NO
force_dot_files
If activated, files and directories starting
with . will be shown in directory listings even if the "a" flag was not used by
the client. This override excludes the "." and ".." entries.
Default: NO
force_local_data_ssl
Only applies if ssl_enable is activated. If
activated, all non-anonymous logins are forced to use a secure SSL connection in
order to send and receive data on data connections.
Default: YES
force_local_logins_ssl
Only applies if ssl_enable is activated. If
activated, all non-anonymous logins are forced to use a secure SSL connection in
order to send the password.
Default: YES
guest_enable
If enabled, all non-anonymous logins are
classed as "guest" logins. A guest login is remapped to the user specified in
the guest_username setting.
Default: NO
hide_ids
If enabled, all user and group information
in directory listings will be displayed as "ftp".
Default: NO
listen
If enabled, vsftpd will run in standalone
mode. This means that vsftpd must not be run from an inetd of some kind.
Instead, the vsftpd executable is run once directly. vsftpd itself will then
take care of listening for and handling incoming connections.
Default: NO
listen_ipv6
Like the listen parameter, except vsftpd
will listen on an IPv6 socket instead of an IPv4 one. This parameter and the
listen parameter are mutually exclusive.
Default: NO
local_enable
Controls whether local logins are permitted
or not. If enabled, normal user accounts in /etc/passwd may be used to log in.
Default: NO
log_ftp_protocol
When enabled, all FTP requests and responses
are logged, providing the option xferlog_std_format is not enabled. Useful for
debugging.
Default: NO
ls_recurse_enable
When enabled, this setting will allow the
use of "ls -R". This is a minor security risk, because a ls -R at the top level
of a large site may consume a lot of resources.
Default: NO
no_anon_password
When enabled, this prevents vsftpd from
asking for an anonymous password - the anonymous user will log straight in.
Default: NO
no_log_lock
When enabled, this prevents vsftpd from
taking a file lock when writing to log files. This option should generally not
be enabled. It exists to workaround operating system bugs such as the Solaris /
Veritas filesystem combination which has been observed to sometimes exhibit
hangs trying to lock log files.
Default: NO
one_process_model
If you have a Linux 2.4 kernel, it is
possible to use a different security model which only uses one process per
connection. It is a less pure security model, but gains you performance. You
really don't want to enable this unless you know what you are doing, and your
site supports huge numbers of simultaneously connected users.
Default: NO
passwd_chroot_enable
If enabled, along with chroot_local_user,
then a chroot() jail location may be specified on a per-user basis. Each user's
jail is derived from their home directory string in /etc/passwd. The occurrence
of /./ in the home directory string denotes that the jail is at that particular
location in the path.
Default: NO
pasv_enable
Set to NO if you want to disallow the PASV
method of obtaining a data connection.
Default: YES
pasv_promiscuous
Set to YES if you want to disable the PASV
security check that ensures the data connection originates from the same IP
address as the control connection. Only enable if you know what you are doing!
The only legitimate use for this is in some form of secure tunnelling scheme, or
perhaps to facilitate FXP support.
Default: NO
port_enable
Set to NO if you want to disallow the PORT
method of obtaining a data connection.
Default: YES
port_promiscuous
Set to YES if you want to disable the PORT
security check that ensures that outgoing data connections can only connect to
the client. Only enable if you know what you are doing!
Default: NO
run_as_launching_user
Set to YES if you want vsftpd to run as the
user which launched vsftpd. This is useful where root access is not available.
MASSIVE WARNING! Do NOT enable this option unless you totally know what you are
doing, as naive use of this option can create massive security problems.
Specifically, vsftpd does not / cannot use chroot technology to restrict file
access when this option is set (even if launched by root). A poor substitute
could be to use a deny_file setting such as {/*,*..*}, but the reliability of
this cannot compare to chroot, and should not be relied on. If using this
option, many restrictions on other options apply. For example, options requiring
privilege such as non-anonymous logins, upload ownership changing, connecting
from port 20 and listen ports less than 1024 are not expected to work. Other
options may be impacted.
Default: NO
secure_email_list_enable
Set to YES if you want only a specified list
of e-mail passwords for anonymous logins to be accepted. This is useful as a
low-hassle way of restricting access to low-security content without needing
virtual users. When enabled, anonymous logins are prevented unless the password
provided is listed in the file specified by the email_password_file setting. The
file format is one password per line, no extra whitespace. The default filename
is /etc/vsftpd.email_passwords.
Default: NO
session_support
This controls whether vsftpd attempts to
maintain sessions for logins. If vsftpd is maintaining sessions, it will try and
update utmp and wtmp. It will also open a pam_session if using PAM to
authenticate, and only close this upon logout. You may wish to disable this if
you do not need session logging, and you wish to give vsftpd more opportunity to
run with less processes and / or less privilege. NOTE - utmp and wtmp support is
only provided with PAM enabled builds.
Default: NO
setproctitle_enable
If enabled, vsftpd will try and show session
status information in the system process listing. In other words, the reported
name of the process will change to reflect what a vsftpd session is doing (idle,
downloading etc). You probably want to leave this off for security purposes.
Default: NO
ssl_enable
If enabled, and vsftpd was compiled against
OpenSSL, vsftpd will support secure connections via SSL. This applies to the
control connection (including login) and also data connections. You'll need a
client with SSL support too. NOTE!! Beware enabling this option. Only enable it
if you need it. vsftpd can make no guarantees about the security of the OpenSSL
libraries. By enabling this option, you are declaring that you trust the
security of your installed OpenSSL library.
Default: NO
ssl_sslv2
Only applies if ssl_enable is activated. If
enabled, this option will permit SSL v2 protocol connections. TLS v1 connections
are preferred.
Default: NO
ssl_sslv3
Only applies if ssl_enable is activated. If
enabled, this option will permit SSL v3 protocol connections. TLS v1 connections
are preferred.
Default: NO
ssl_tlsv1
Only applies if ssl_enable is activated. If
enabled, this option will permit TLS v1 protocol connections. TLS v1 connections
are preferred.
Default: YES
syslog_enable
If enabled, then any log output which would
have gone to /var/log/vsftpd.log goes to the system log instead. Logging is done
under the FTPD facility.
Default: NO
tcp_wrappers
If enabled, and vsftpd was compiled with
tcp_wrappers support, incoming connections will be fed through tcp_wrappers
access control. Furthermore, there is a mechanism for per-IP based
configuration. If tcp_wrappers sets the VSFTPD_LOAD_CONF environment variable,
then the vsftpd session will try and load the vsftpd configuration file
specified in this variable.
Default: NO
text_userdb_names
By default, numeric IDs are shown in the
user and group fields of directory listings. You can get textual names by
enabling this parameter. It is off by default for performance reasons.
Default: NO
tilde_user_enable
If enabled, vsftpd will try and resolve
pathnames such as ~chris/pics, i.e. a tilde followed by a username. Note that
vsftpd will always resolve the pathnames ~ and ~/something (in this case the ~
resolves to the initial login directory). Note that ~user paths will only
resolve if the file /etc/passwd may be found within the _current_ chroot() jail.
Default: NO
use_localtime
If enabled, vsftpd will display directory
listings with the time in your local time zone. The default is to display GMT.
The times returned by the MDTM FTP command are also affected by this option.
Default: NO
use_sendfile
An internal setting used for testing the
relative benefit of using the sendfile() system call on your platform.
Default: YES
userlist_deny
This option is examined if userlist_enable
is activated. If you set this setting to NO, then users will be denied login
unless they are explicitly listed in the file specified by userlist_file. When
login is denied, the denial is issued before the user is asked for a password.
Default: YES
userlist_enable
If enabled, vsftpd will load a list of
usernames, from the filename given by userlist_file. If a user tries to log in
using a name in this file, they will be denied before they are asked for a
password. This may be useful in preventing cleartext passwords being
transmitted. See also userlist_deny.
Default: NO
virtual_use_local_privs
If enabled, virtual users will use the same
privileges as local users. By default, virtual users will use the same
privileges as anonymous users, which tends to be more restrictive (especially in
terms of write access).
Default: NO
write_enable
This controls whether any FTP commands which
change the filesystem are allowed or not. These commands are: STOR, DELE, RNFR,
RNTO, MKD, RMD, APPE and SITE.
Default: NO
xferlog_enable
If enabled, a log file will be maintained
detailing uploads and downloads. By default, this file will be placed at
/var/log/vsftpd.log, but this location may be overridden using the configuration
setting vsftpd_log_file.
Default: NO (but the sample config file enables it)
xferlog_std_format
If enabled, the transfer log file will be
written in standard xferlog format, as used by wu-ftpd. This is useful because
you can reuse existing transfer statistics generators. The default format is
more readable, however. The default location for this style of log file is
/var/log/xferlog, but you may change it with the setting xferlog_file.
Default: NO
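The FORMAT rules and the warnings attached to the boolean options above can be checked mechanically. The following linter is an added example, not part of vsftpd or of the original page: it uses only the defaults and cautions quoted above, its sample config is constructed, and the names `parse_conf`, `audit` and `ftpsecure` are hypothetical. It reports a malformed line and keeps going so that every finding is listed.

```python
# Added example (not part of vsftpd): lint a vsftpd.conf using only the
# format rules and option notes given on this page.

# Compiled-in defaults as quoted in the option descriptions (subset).
DEFAULTS = {
    "anonymous_enable": "YES", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "local_enable": "NO",
    "chroot_local_user": "NO", "pasv_promiscuous": "NO",
    "port_promiscuous": "NO", "run_as_launching_user": "NO",
    "ls_recurse_enable": "NO", "setproctitle_enable": "NO",
    "ssl_enable": "NO", "ssl_sslv2": "NO", "ssl_sslv3": "NO",
    "force_local_logins_ssl": "YES", "nopriv_user": "nobody",
}

# Booleans the page warns about regardless of other settings.
RISKY_WHEN_YES = {
    "pasv_promiscuous": "PASV same-IP check on data connections is disabled",
    "port_promiscuous": "PORT data connections may go to hosts other than the client",
    "run_as_launching_user": "chroot cannot be used to restrict file access",
    "ls_recurse_enable": "ls -R on a large site may consume a lot of resources",
    "setproctitle_enable": "session status is visible in the process listing",
}


def parse_conf(text):
    """Parse per the FORMAT section. Returns (settings, errors)."""
    settings, errors = {}, []
    for num, line in enumerate(text.splitlines(), 1):
        # Skipping empty lines is an assumption; the page only names '#' comments.
        if line == "" or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            errors.append((num, "not an option=value directive"))
        elif name != name.strip() or value != value.lstrip():
            errors.append((num, "space between option, = and value"))
        else:
            settings[name] = value
    return settings, errors


def audit(text):
    """Return a list of (where, reason) findings for a config file's text."""
    settings, errors = parse_conf(text)
    conf = {**DEFAULTS, **settings}          # unset options keep their default
    findings = [("line %d" % num, msg) for num, msg in errors]

    for key, default in DEFAULTS.items():
        if default in ("YES", "NO") and conf[key] not in ("YES", "NO"):
            findings.append((key, "boolean option must be YES or NO"))

    def on(key):
        return conf[key] == "YES"

    for key, reason in RISKY_WHEN_YES.items():
        if on(key):
            findings.append((key, reason))

    # Anonymous write options only take effect together with write_enable,
    # and anonymous_enable defaults to YES when it is not set at all.
    if on("anonymous_enable") and on("write_enable"):
        for key, what in (("anon_upload_enable", "upload files"),
                          ("anon_mkdir_write_enable", "create directories"),
                          ("anon_other_write_enable", "delete and rename")):
            if on(key):
                findings.append((key, "anonymous users can " + what))

    if on("chroot_local_user") and on("local_enable") and on("write_enable"):
        findings.append(("chroot_local_user", "chroot() jail with upload permission"))
    if on("local_enable") and not (on("ssl_enable") and on("force_local_logins_ssl")):
        findings.append(("local_enable", "local passwords may cross the wire in cleartext"))
    if on("ssl_enable"):
        for key in ("ssl_sslv2", "ssl_sslv3"):
            if on(key):
                findings.append((key, "permits a protocol older than the preferred TLS v1"))
    if conf["nopriv_user"] == "nobody":
        findings.append(("nopriv_user", "should be a dedicated user rather than nobody"))
    return findings


# Constructed sample config, not taken from a real server.
SAMPLE = """\
# constructed sample
listen=YES
write_enable=YES
anon_upload_enable=YES
local_enable = YES
pasv_promiscuous=YES
ssl_enable=YES
ssl_sslv3=YES
"""

if __name__ == "__main__":
    for where, reason in audit(SAMPLE):
        print("%-22s %s" % (where, reason))
```

The sample never sets anonymous_enable, yet anonymous uploads are reported because that option defaults to YES; the spaced `local_enable = YES` line is rejected, so local logins stay at their default of NO.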
NUMERIC OPTIONS
Below is a list of numeric options. A
numeric option must be set to a non negative integer. Octal numbers are
supported, for convenience of the umask options. To specify an octal number, use
0 as the first digit of the number.
accept_timeout
The timeout, in seconds, for a remote client
to establish connection with a PASV style data connection.
Default: 60
anon_max_rate
The maximum data transfer rate permitted, in
bytes per second, for anonymous clients.
Default: 0 (unlimited)
anon_umask
The value that the umask for file creation
is set to for anonymous users. NOTE! If you want to specify octal values,
remember the "0" prefix otherwise the value will be treated as a base 10
integer!
Default: 077
connect_timeout
The timeout, in seconds, for a remote client
to respond to our PORT style data connection.
Default: 60
data_connection_timeout
The timeout, in seconds, which is roughly
the maximum time we permit data transfers to stall for with no progress. If the
timeout triggers, the remote client is kicked off.
Default: 300
file_open_mode
The permissions with which uploaded files
are created. Umasks are applied on top of this value. You may wish to change to
0777 if you want uploaded files to be executable.
Default: 0666
ftp_data_port
The port from which PORT style connections
originate (as long as the poorly named connect_from_port_20 is enabled).
Default: 20
idle_session_timeout
The timeout, in seconds, which is the
maximum time a remote client may spend between FTP commands. If the timeout
triggers, the remote client is kicked off.
Default: 300
listen_port
If vsftpd is in standalone mode, this is the
port it will listen on for incoming FTP connections.
Default: 21
local_max_rate
The maximum data transfer rate permitted, in
bytes per second, for local authenticated users.
Default: 0 (unlimited)
local_umask
The value that the umask for file creation
is set to for local users. NOTE! If you want to specify octal values, remember
the "0" prefix otherwise the value will be treated as a base 10 integer!
Default: 077
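The "0" prefix warning on anon_umask and local_umask matters because a missing prefix silently changes which permission bits are masked. The following added example (not code from vsftpd or from the original page) parses numeric values by the rule stated under NUMERIC OPTIONS and computes the permissions an uploaded file ends up with; the function names are hypothetical, and rejecting the digits 8 and 9 after a leading 0 is this example's own choice.

```python
import stat


def parse_numeric(value):
    """Parse a numeric option: non-negative integer, octal if the first digit is 0."""
    if not (value.isascii() and value.isdigit()):
        raise ValueError("not a non-negative integer: %r" % value)
    if len(value) > 1 and value.startswith("0"):
        # Rejecting 8 and 9 here is this example's choice; the page does not
        # say how vsftpd treats them.
        return int(value, 8)
    return int(value, 10)


def created_mode(umask_value, file_open_mode="0666"):
    """Permission bits of a new upload: file_open_mode with the umask applied."""
    return parse_numeric(file_open_mode) & ~parse_numeric(umask_value) & 0o777


def describe(umask_value, file_open_mode="0666"):
    """Summarise what a umask setting does to newly created files."""
    mode = created_mode(umask_value, file_open_mode)
    return {
        "umask_bits": "%04o" % parse_numeric(umask_value),
        "mode": "%04o" % mode,
        "perms": stat.filemode(stat.S_IFREG | mode),
        "group_writable": bool(mode & stat.S_IWGRP),
        "world_writable": bool(mode & stat.S_IWOTH),
    }


if __name__ == "__main__":
    # "077" and "022" are octal; "77" and "22" are read as base 10.
    for umask_value in ("077", "77", "022", "22"):
        print(umask_value, describe(umask_value))
```

With the default file_open_mode of 0666, `local_umask=077` yields owner-only files, while `local_umask=77` is decimal 77 (octal 0115) and leaves uploads writable by group and world.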
max_clients
If vsftpd is in standalone mode, this is the
maximum number of clients which may be connected. Any additional clients
connecting will get an error message.
Default: 0 (unlimited)
max_per_ip
If vsftpd is in standalone mode, this is the
maximum number of clients which may be connected from the same source internet
address. A client will get an error message if they go over this limit.
Default: 0 (unlimited)
pasv_max_port
The maximum port to allocate for PASV style
data connections. Can be used to specify a narrow port range to assist
firewalling.
Default: 0 (use any port)
pasv_min_port
The minimum port to allocate for PASV style
data connections. Can be used to specify a narrow port range to assist
firewalling.
Default: 0 (use any port)
trans_chunk_size
You probably don't want to change this, but
try setting it to something like 8192 for a much smoother bandwidth limiter.
Default: 0 (let vsftpd pick a sensible setting)
STRING OPTIONS
Below is a list of string options.
anon_root
This option represents a directory which
vsftpd will try to change into after an anonymous login. Failure is silently
ignored.
Default: (none)
banned_email_file
This option is the name of a file containing
a list of anonymous e-mail passwords which are not permitted. This file is
consulted if the option deny_email_enable is enabled.
Default: /etc/vsftpd.banned_emails
banner_file
This option is the name of a file containing
text to display when someone connects to the server. If set, it overrides the
banner string provided by the ftpd_banner option.
Default: (none)
chown_username
This is the name of the user who is given
ownership of anonymously uploaded files. This option is only relevant if another
option, chown_uploads, is set.
Default: root
chroot_list_file
The option is the name of a file containing
a list of local users which will be placed in a chroot() jail in their home
directory. This option is only relevant if the option chroot_list_enable is
enabled. If the option chroot_local_user is enabled, then the list file becomes
a list of users to NOT place in a chroot() jail.
Default: /etc/vsftpd.chroot_list
cmds_allowed
This option specifies a comma separated
list of allowed FTP commands (post login. USER, PASS and QUIT are always allowed
pre-login). Other commands are rejected. This is a powerful method of really
locking down an FTP server. Example: cmds_allowed=PASV,RETR,QUIT
Default: (none)
deny_file
This option can be used to set a pattern for
filenames (and directory names etc.) which should not be accessible in any way.
The affected items are not hidden, but any attempt to do anything to them
(download, change into directory, affect something within directory etc.) will
be denied. This option is very simple, and should not be used for serious access
control - the filesystem's permissions should be used in preference. However,
this option may be useful in certain virtual user setups. In particular, be aware
that if a filename is accessible by a variety of names (perhaps due to symbolic
links or hard links), then care must be taken to deny access to all the names.
Access will be denied to items if their name contains the string given by
hide_file, or if they match the regular expression specified by hide_file. Note
that vsftpd's regular expression matching code is a simple implementation which
is a subset of full regular expression functionality. Because of this, you will
need to carefully and exhaustively test any application of this option. And you
are recommended to use filesystem permissions for any important security
policies due to their greater reliability. Example:
deny_file={*.mp3,*.mov,.private}
Default: (none)
dsa_cert_file
This option specifies the location of the
DSA certificate to use for SSL encrypted connections.
Default: (none - an RSA certificate suffices)
email_password_file
This option can be used to provide an
alternate file for usage by the secure_email_list_enable setting.
Default: /etc/vsftpd.email_passwords
ftp_username
This is the name of the user we use for
handling anonymous FTP. The home directory of this user is the root of the
anonymous FTP area.
Default: ftp
ftpd_banner
This string option allows you to override
the greeting banner displayed by vsftpd when a connection first comes in.
Default: (none - default vsftpd banner is displayed)
guest_username
See the boolean setting guest_enable for a
description of what constitutes a guest login. This setting is the real username
which guest users are mapped to.
Default: ftp
hide_file
This option can be used to set a pattern for
filenames (and directory names etc.) which should be hidden from directory
listings. Despite being hidden, the files / directories etc. are fully
accessible to clients who know what names to actually use. Items will be hidden
if their names contain the string given by hide_file, or if they match the
regular expression specified by hide_file. Note that vsftpd's regular expression
matching code is a simple implementation which is a subset of full regular
expression functionality. Example: hide_file={*.mp3,.hidden,hide*,h?}
Default: (none)
listen_address
If vsftpd is in standalone mode, the default
listen address (of all local interfaces) may be overridden by this setting.
Provide a numeric IP address.
Default: (none)
listen_address6
Like listen_address, but specifies a default
listen address for the IPv6 listener (which is used if listen_ipv6 is set).
Format is standard IPv6 address format.
Default: (none)
local_root
This option represents a directory which vsftpd will try to change into after a local (i.e. non-anonymous) login. Failure is silently ignored.
Default: (none)
message_file
This option is the name of the file we look for when a new directory is entered. The contents are displayed to the remote user. This option is only relevant if the option dirmessage_enable is enabled.
Default: .message
nopriv_user
This is the name of the user that is used by vsftpd when it wants to be totally unprivileged. Note that this should be a dedicated user, rather than nobody. The user nobody tends to be used for rather a lot of important things on most machines.
Default: nobody
pam_service_name
This string is the name of the PAM service vsftpd will use.
Default: ftp
pasv_address
Use this option to override the IP address that vsftpd will advertise in response to the PASV command. Provide a numeric IP address.
Default: (none - the address is taken from the incoming connected socket)
rsa_cert_file
This option specifies the location of the RSA certificate to use for SSL encrypted connections.
Default: /usr/share/ssl/certs/vsftpd.pem
secure_chroot_dir
This option should be the name of a directory which is empty. Also, the directory should not be writable by the ftp user. This directory is used as a secure chroot() jail at times vsftpd does not require filesystem access.
Default: /usr/share/empty
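The nopriv_user and secure_chroot_dir requirements above can be checked mechanically. The following is an added example, not part of the manual page or of vsftpd; the function names are hypothetical, and the `__main__` part assumes an account named ftp exists on the host.

```python
import os
import stat

def chroot_dir_problems(path, ftp_uid, ftp_gids=()):
    """secure_chroot_dir must be an empty directory the ftp user cannot write."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    problems = []
    if os.listdir(path):
        problems.append(f"{path}: not empty")
    if st.st_uid == ftp_uid:
        # The owner can always grant itself write access with chmod.
        problems.append(f"{path}: owned by the ftp user")
    elif st.st_gid in ftp_gids:
        if st.st_mode & stat.S_IWGRP:
            problems.append(f"{path}: writable via group permission")
    elif st.st_mode & stat.S_IWOTH:
        problems.append(f"{path}: writable via world permission")
    return problems

def nopriv_user_problems(settings):
    """nopriv_user should be a dedicated account; the default is nobody."""
    user = settings.get("nopriv_user", "nobody")
    if user == "nobody":
        return ["nopriv_user is nobody: use a dedicated unprivileged account"]
    return []

if __name__ == "__main__":
    import pwd
    ftp = pwd.getpwnam("ftp")  # assumption: the default ftp_username exists
    gids = os.getgrouplist(ftp.pw_name, ftp.pw_gid)
    findings = chroot_dir_problems("/usr/share/empty", ftp.pw_uid, gids)
    findings += nopriv_user_problems({})  # {} means nopriv_user is left at default
    for line in findings:
        print(line)
```

The directory check reads the mode bits with os.stat rather than calling os.access, so the result does not depend on which account runs the audit.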
ssl_ciphers
This option can be used to select which SSL ciphers vsftpd will allow for encrypted SSL connections. See the ciphers man page for further details. Note that restricting ciphers can be a useful security precaution as it prevents malicious remote parties forcing a cipher which they have found problems with.
Default: DES-CBC3-SHA
user_config_dir
This powerful option allows the override of any config option specified in the manual page, on a per-user basis. Usage is simple, and is best illustrated with an example. If you set user_config_dir to be /etc/vsftpd_user_conf and then log on as the user "chris", then vsftpd will apply the settings in the file /etc/vsftpd_user_conf/chris for the duration of the session. The format of this file is as detailed in this manual page! PLEASE NOTE that not all settings are effective on a per-user basis. For example, many settings only take effect prior to the user's session being started. Examples of settings which will not affect any behaviour on a per-user basis include listen_address, banner_file, max_per_ip, max_clients, xferlog_file, etc.
Default: (none)
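The per-user override described above, as an added example that is not part of the manual page or of vsftpd: it overlays a per-user file on the global settings and reports per-user options that will be ignored. The function names and both sample files are constructed, and the ignored set holds only the options the manual names (its list ends in "etc.").

```python
# Options the manual page names as having no per-user effect (incomplete:
# the manual's own list ends in "etc.").
SESSION_WIDE_ONLY = {"listen_address", "banner_file", "max_per_ip",
                     "max_clients", "xferlog_file"}

def parse_conf(text):
    """Parse vsftpd.conf text: '#' comments, option=value, no spaces around '='."""
    conf = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        option, sep, value = line.partition("=")
        if (not sep or not option or option != option.strip()
                or value != value.lstrip()):
            raise ValueError(f"line {lineno}: expected option=value, no spaces")
        conf[option] = value
    return conf

def effective_for_user(global_text, user_text):
    """Return (effective settings, per-user options that will be ignored)."""
    base, override = parse_conf(global_text), parse_conf(user_text)
    ignored = sorted(set(override) & SESSION_WIDE_ONLY)
    effective = dict(base)
    effective.update({k: v for k, v in override.items()
                      if k not in SESSION_WIDE_ONLY})
    return effective, ignored

# Constructed global vsftpd.conf (not from a real server).
GLOBAL_CONF = """\
# global settings
user_config_dir=/etc/vsftpd_user_conf
local_root=/srv/ftp
max_clients=50
write_enable=NO
"""

# Constructed contents of /etc/vsftpd_user_conf/chris.
CHRIS_CONF = """\
local_root=/srv/ftp/chris
write_enable=YES
max_clients=500
"""

if __name__ == "__main__":
    settings, ignored = effective_for_user(GLOBAL_CONF, CHRIS_CONF)
    print("local_root:", settings["local_root"])
    print("write_enable:", settings["write_enable"])
    print("ignored per-user options:", ignored)
```

Reviewing the ignored list catches a per-user file that appears to raise a limit such as max_clients but changes nothing, while write_enable=YES in the same file does widen that user's access.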
user_sub_token
This option is useful in conjunction with virtual users. It is used to automatically generate a home directory for each virtual user, based on a template. For example, if the home directory of the real user specified via guest_username is /home/virtual/$USER, and user_sub_token is set to $USER, then when virtual user fred logs in, he will end up (usually chroot()'ed) in the directory /home/virtual/fred. This option also takes effect if local_root contains user_sub_token.
Default: (none)
userlist_file
This option is the name of the file loaded when the userlist_enable option is active.
Default: /etc/vsftpd.user_list
vsftpd_log_file
This option is the name of the file to which we write the vsftpd style log file. This log is only written if the option xferlog_enable is set, and xferlog_std_format is NOT set. Alternatively, it is written if you have set the option dual_log_enable. One further complication - if you have set syslog_enable, then this file is not written and output is sent to the system log instead.
Default: /var/log/vsftpd.log
xferlog_file
This option is the name of the file to which we write the wu-ftpd style transfer log. The transfer log is only written if the option xferlog_enable is set, along with xferlog_std_format. Alternatively, it is written if you have set the option dual_log_enable.
Default: /var/log/xferlog
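The rules in the vsftpd_log_file and xferlog_file entries interact, so the following added example (not part of the manual page or of vsftpd) resolves which log destinations a given set of settings actually produces. The function names are hypothetical, and the four boolean defaults of NO are taken from the boolean options part of the manual rather than from this section.

```python
# Boolean defaults (all NO) are an assumption taken from the manual's
# BOOLEAN OPTIONS section; the two file defaults are the ones listed above.
DEFAULTS = {
    "xferlog_enable": "NO",
    "xferlog_std_format": "NO",
    "dual_log_enable": "NO",
    "syslog_enable": "NO",
    "vsftpd_log_file": "/var/log/vsftpd.log",
    "xferlog_file": "/var/log/xferlog",
}

def log_destinations(settings):
    """Map a dict of vsftpd.conf settings to the log destinations in use."""
    conf = {**DEFAULTS, **settings}

    def on(name):
        return conf[name] == "YES"

    dual = on("dual_log_enable")
    vsftpd_style = dual or (on("xferlog_enable") and not on("xferlog_std_format"))
    wu_ftpd_style = dual or (on("xferlog_enable") and on("xferlog_std_format"))

    dests = {}
    if vsftpd_style:
        # syslog_enable redirects the vsftpd style log; the file is not written.
        dests["vsftpd"] = "syslog" if on("syslog_enable") else conf["vsftpd_log_file"]
    if wu_ftpd_style:
        dests["wu-ftpd"] = conf["xferlog_file"]
    return dests

def unwritten_paths(settings, watched):
    """Paths a log collector watches that this configuration never writes."""
    written = set(log_destinations(settings).values())
    return [path for path in watched if path not in written]

if __name__ == "__main__":
    # Constructed settings: transfer logging on, vsftpd style output to syslog.
    sample = {"xferlog_enable": "YES", "syslog_enable": "YES"}
    print(log_destinations(sample))
    print(unwritten_paths(sample, ["/var/log/vsftpd.log", "/var/log/xferlog"]))
```

With the constructed sample, a collector watching either default file path receives nothing, because the only active log goes to the system log.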