
Category: BSD

2008-03-20 17:46:02

NAME

vsftpd.conf - config file for vsftpd

DESCRIPTION

vsftpd.conf may be used to control various aspects of vsftpd's behaviour. By default, vsftpd looks for this file at the location /etc/vsftpd.conf. However, you may override this by specifying a command line argument to vsftpd. The command line argument is the pathname of the configuration file for vsftpd. This behaviour is useful because you may wish to use an advanced inetd such as xinetd to launch vsftpd with different configuration files on a per virtual host basis.

 

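vsftpd.conf controls the behaviour of vsftpd. By default it is located at /etc/vsftpd.conf. However, its location can be changed on the vsftpd command line. This feature is very useful, especially when you want a more advanced inetd, such as xinetd, to launch vsftpd with different configuration files, so that the service for each virtual host can be started with its own configuration file.

(Note: with xinetd, ftp can be started only when it is needed, though I have not used it myself.)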

FORMAT

The format of vsftpd.conf is very simple. Each line is either a comment or a directive. Comment lines start with a # and are ignored. A directive line has the format:

option=value

It is important to note that it is an error to put any space between the option, = and value.

Each setting has a compiled in default which may be modified in the configuration file.

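The format of vsftpd.conf is very simple: each line is either a comment or a directive. Comments start with # and are ignored by vsftpd. A directive has the format:

option=value

Note that no spaces are allowed between option, = and value.

Each setting has a corresponding default value, which you can change as needed.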
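A small linter for the format rules above, added here as an example (it is not part of the man page or of vsftpd). The function name and the sample file are constructed for illustration, and skipping blank lines is an assumption, since the page only mentions comments and directives.

```python
def lint_vsftpd_conf(text):
    """Check vsftpd.conf text against the FORMAT rules.

    Returns (settings, problems): settings maps option -> value for
    well-formed directive lines; problems is a list of
    (line_number, message) for lines that break a rule.
    """
    settings, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#"):
            continue  # comment line: ignored
        if line.strip() == "":
            continue  # assumption: blank lines are skipped
        if line[0].isspace():
            problems.append((lineno, "whitespace before the option name"))
            continue
        if "=" not in line:
            problems.append((lineno, "neither a comment nor option=value"))
            continue
        option, value = line.split("=", 1)
        if option == "":
            problems.append((lineno, "missing option name"))
            continue
        if option != option.rstrip():
            problems.append((lineno, "space between option and '='"))
            continue
        if value != value.lstrip():
            problems.append((lineno, "space between '=' and value"))
            continue
        if " #" in value or "\t#" in value:
            # Only lines that START with '#' are comments, so this text
            # would become part of the value.
            problems.append((lineno, "'#' after a value is not a comment"))
            continue
        settings[option] = value
    return settings, problems


# Constructed sample file, not taken from a real deployment.
SAMPLE_CONF = """\
# constructed sample
anonymous_enable=NO
local_enable = YES
write_enable= YES
 listen=YES
xferlog_enable=YES # log transfers
local_umask=022
pasv_min_port
"""

if __name__ == "__main__":
    parsed, issues = lint_vsftpd_conf(SAMPLE_CONF)
    print(parsed)
    for number, message in issues:
        print(f"line {number}: {message}")
```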

 

BOOLEAN OPTIONS

Below is a list of boolean options. The value for a boolean option may be set to YES or NO.

The options listed below can only be set to YES or NO.

allow_anon_ssl

Only applies if ssl_enable is active. If set to YES, anonymous users will be allowed to use secured SSL connections.

Default: NO

Takes effect only when ssl_enable is set to YES. If set to YES, anonymous users will be allowed to connect over SSL.

Default: NO

anon_mkdir_write_enable

If set to YES, anonymous users will be permitted to create new directories under certain conditions. For this to work, the option write_enable must be activated, and the anonymous ftp user must have write permission on the parent directory.

Default: NO

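If set to YES, anonymous users will be allowed to create new directories, provided the following conditions are met: the write_enable option is set to YES, and the anonymous user has write permission on the parent directory.

Default: NO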

anon_other_write_enable

If set to YES, anonymous users will be permitted to perform write operations other than upload and create directory, such as deletion and renaming. This is generally not recommended but included for completeness.

Default: NO

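If set to YES, anonymous users will be allowed to perform write operations other than creating directories, such as deleting and renaming. This is not recommended unless you fully understand the feature.

Default: NO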

anon_upload_enable

If set to YES, anonymous users will be permitted to upload files under certain conditions. For this to work, the option write_enable must be activated, and the anonymous ftp user must have write permission on desired upload locations.

Default: NO

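If set to YES, anonymous users will be allowed to upload files, provided the following conditions are met: the write_enable option is set to YES, and the anonymous user has write permission on the directory being uploaded to.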

anon_world_readable_only

When enabled, anonymous users will only be allowed to download files which are world readable. This is recognising that the ftp user may own files, especially in the presence of uploads.

Default: YES

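If enabled, anonymous users will only be allowed to download files that are world readable. This recognises that the ftp user may own files, especially the uploaded files mentioned above.

Default: YES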

anonymous_enable

Controls whether anonymous logins are permitted or not. If enabled, both the usernames ftp and anonymous are recognised as anonymous logins.

Default: YES

Controls whether anonymous logins are permitted. If enabled, users named ftp and anonymous are both treated as anonymous users.

Default: YES

ascii_download_enable

When enabled, ASCII mode data transfers will be honoured on downloads.

Default: NO

When enabled, ASCII transfer mode is used for downloads.

Default: NO

ascii_upload_enable

When enabled, ASCII mode data transfers will be honoured on uploads.

Default: NO

When enabled, ASCII transfer mode is used for uploads.

Default: NO

async_abor_enable

When enabled, a special FTP command known as "async ABOR" will be enabled. Only ill advised FTP clients will use this feature. Additionally, this feature is awkward to handle, so it is disabled by default. Unfortunately, some FTP clients will hang when cancelling a transfer unless this feature is available, so you may wish to enable it.

Default: NO

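When enabled, a special FTP command, "async ABOR", becomes available. Only certain unusual FTP clients need this feature. It is also awkward to handle, so it is off by default. Unfortunately, without it some FTP clients hang when cancelling a transfer, so you may need to enable it.

Default: NO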

background

When enabled, and vsftpd is started in "listen" mode, vsftpd will background the listener process. i.e. control will immediately be returned to the shell which launched vsftpd.

Default: NO

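When this option is enabled and vsftpd is started in "listen" mode, vsftpd puts the listener process in the background; that is, control returns immediately to the shell.

Default: NO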

check_shell

Note! This option only has an effect for non-PAM builds of vsftpd. If disabled, vsftpd will not check /etc/shells for a valid user shell for local logins.

Default: YES

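Note! This option only takes effect for vsftpd builds compiled without PAM. If it is disabled, vsftpd will not check /etc/shells for a valid user shell on local logins.

Default: YES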

chmod_enable

When enabled, allows use of the SITE CHMOD command. NOTE! This only applies to local users. Anonymous users never get to use SITE CHMOD.

Default: YES

When enabled, the SITE CHMOD command may be used. Note! This applies only to local users; anonymous users are never allowed to use the SITE CHMOD command.

Default: YES

chown_uploads

If enabled, all anonymously uploaded files will have the ownership changed to the user specified in the setting chown_username. This is useful from an administrative, and perhaps security, standpoint.

Default: NO

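When enabled, the owner of every file uploaded by anonymous users is changed to the user specified in chown_username. This eases administration, particularly from a security standpoint.

Default: NO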

chroot_list_enable

If activated, you may provide a list of local users who are placed in a chroot() jail in their home directory upon login. The meaning is slightly different if chroot_local_user is set to YES. In this case, the list becomes a list of users which are NOT to be placed in a chroot() jail. By default, the file containing this list is /etc/vsftpd.chroot_list, but you may override this with the chroot_list_file setting.

Default: NO

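When enabled, you provide a list of local users to be confined to their home directories. If chroot_local_user is set to YES, the meaning is slightly different: the list becomes the list of local users who are NOT to be confined to their home directories. By default the file is /etc/vsftpd.chroot_list, but you can change its location with chroot_list_file.

Default: NO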

chroot_local_user

If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login. Warning: This option has security implications, especially if the users have upload permission, or shell access. Only enable if you know what you are doing. Note that these security implications are not vsftpd specific. They apply to all FTP daemons which offer to put local users in chroot() jails.

Default: NO

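If set to YES, local users are confined to their home directories after login (by default). Warning: this option has security implications, especially when users have upload permission or shell access. Enable it only once you clearly understand the consequences. Note that this is not specific to vsftpd; every FTP daemon that offers to confine local users to their home directories carries the same risk.

Default: NO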

connect_from_port_20

This controls whether PORT style data connections use port 20 (ftp-data) on the server machine. For security reasons, some clients may insist that this is the case. Conversely, disabling this option enables vsftpd to run with slightly less privilege.

Default: NO (but the sample config file enables it)

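This option controls whether port 20 (ftp-data) on the server is used for data connections. For security reasons, some clients require this. Conversely, disabling the option lets vsftpd run with less privilege.

Default: NO (but the sample config file enables it)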

deny_email_enable

If activated, you may provide a list of anonymous password e-mail responses which cause login to be denied. By default, the file containing this list is /etc/vsftpd.banned_emails, but you may override this with the banned_email_file setting.

Default: NO

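If this option is enabled, you should provide a list of e-mail addresses that anonymous users may not use as passwords. By default the file is /etc/vsftpd.banned_emails, but you can specify another location with the banned_email_file option.

Default: NO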

dirlist_enable

If set to NO, all directory list commands will give permission denied.

Default: YES

If set to NO, all directory listing commands will be refused.

Default: YES

dirmessage_enable

If enabled, users of the FTP server can be shown messages when they first enter a new directory. By default, a directory is scanned for the file .message, but that may be overridden with the configuration setting message_file.

Default: NO (but the sample config file enables it)

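If enabled, the FTP server shows a welcome message when an FTP user first enters a new directory. By default the directory is scanned for the file .message; another file can be specified with the message_file option.

Default: NO (but the sample config file enables it)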

download_enable

If set to NO, all download requests will give permission denied.

Default: YES

If set to NO, all download requests will be refused.

Default: YES

dual_log_enable

If enabled, two log files are generated in parallel, going by default to /var/log/xferlog and /var/log/vsftpd.log. The former is a wu-ftpd style transfer log, parseable by standard tools. The latter is vsftpd's own style log.

Default: NO

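If this option is enabled, two parallel log files are generated, by default /var/log/xferlog and /var/log/vsftpd.log. The former is a wu-ftpd style transfer log that standard tools can parse; the latter is a log in vsftpd's own style.

Default: NO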

force_dot_files

If activated, files and directories starting with . will be shown in directory listings even if the "a" flag was not used by the client. This override excludes the "." and ".." entries.

Default: NO

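If enabled, files and directories whose names start with a dot are shown in directory listings even if the client did not use the "a" flag. This does not include the "." and ".." entries.

Default: NO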

force_local_data_ssl

Only applies if ssl_enable is activated. If activated, all non-anonymous logins are forced to use a secure SSL connection in order to send and receive data on data connections.

Default: YES

This option applies only when ssl_enable is enabled. If enabled, all non-anonymous logins are forced to use an SSL connection to send and receive data.

Default: YES

force_local_logins_ssl

Only applies if ssl_enable is activated. If activated, all non-anonymous logins are forced to use a secure SSL connection in order to send the password.

Default: YES

This option applies only when ssl_enable is enabled. If enabled, all non-anonymous logins are forced to use an SSL connection to send the password.

Default: YES

guest_enable

If enabled, all non-anonymous logins are classed as "guest" logins. A guest login is remapped to the user specified in the guest_username setting.

Default: NO

If enabled, all non-anonymous users log in as "guest" and, after login, are mapped to the user specified by the guest_username option.

Default: NO

hide_ids

If enabled, all user and group information in directory listings will be displayed as "ftp".

Default: NO

If enabled, all user and group information in directory listings is displayed as "ftp".

Default: NO

listen

If enabled, vsftpd will run in standalone mode. This means that vsftpd must not be run from an inetd of some kind. Instead, the vsftpd executable is run once directly. vsftpd itself will then take care of listening for and handling incoming connections.

Default: NO

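If enabled, vsftpd runs in standalone mode. This means vsftpd cannot be started from inetd; instead, vsftpd should be executed directly, and vsftpd itself listens for and handles connection requests.

Default: NO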

listen_ipv6

Like the listen parameter, except vsftpd will listen on an IPv6 socket instead of an IPv4 one. This parameter and the listen parameter are mutually exclusive.

Default: NO

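Similar to the listen parameter, except that vsftpd listens on an IPv6 socket rather than an IPv4 one. This parameter and the listen parameter are mutually exclusive.

Default: NO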

local_enable

Controls whether local logins are permitted or not. If enabled, normal user accounts in /etc/passwd may be used to log in.

Default: NO

Controls whether local logins are permitted. If enabled, normal accounts in /etc/passwd can be used to log in.

Default: NO

log_ftp_protocol

When enabled, all FTP requests and responses are logged, providing the option xferlog_std_format is not enabled. Useful for debugging.

Default: NO

If enabled, all FTP requests and responses are logged, provided xferlog_std_format is not enabled. This option is very useful for debugging.

Default: NO

ls_recurse_enable

When enabled, this setting will allow the use of "ls -R". This is a minor security risk, because a ls -R at the top level of a large site may consume a lot of resources.

Default: NO

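If enabled, this option allows users to use "ls -R". This is a slight security risk, because running "ls -R" at the top level of a large site consumes a lot of resources.

Default: NO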

no_anon_password

When enabled, this prevents vsftpd from asking for an anonymous password - the anonymous user will log straight in.

Default: NO

If enabled, anonymous users no longer need a password and log straight in.

Default: NO

no_log_lock

When enabled, this prevents vsftpd from taking a file lock when writing to log files. This option should generally not be enabled. It exists to work around operating system bugs such as the Solaris / Veritas filesystem combination which has been observed to sometimes exhibit hangs trying to lock log files.

Default: NO

If enabled, vsftpd is prevented from taking a file lock when writing log files. This option is normally not enabled. It exists to work around operating system bugs, such as the Solaris / Veritas filesystem combination, which in some cases hangs when trying to lock log files.

Default: NO

one_process_model

If you have a Linux 2.4 kernel, it is possible to use a different security model which only uses one process per connection. It is a less pure security model, but gains you performance. You really don't want to enable this unless you know what you are doing, and your site supports huge numbers of simultaneously connected users.

Default: NO

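If you use a Linux 2.4 kernel, a different security model is available that uses only one process per connection. It is a somewhat less secure model, but it gains performance. Do not enable this option unless you understand the consequences and your site has to support huge numbers of simultaneously connected users.

Default: NO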

passwd_chroot_enable

If enabled, along with chroot_local_user, then a chroot() jail location may be specified on a per-user basis. Each user's jail is derived from their home directory string in /etc/passwd. The occurrence of /./ in the home directory string denotes that the jail is at that particular location in the path.

Default: NO

If enabled together with the chroot_local_user option, the jail directory is set per user: each user is confined according to the home directory set in /etc/passwd. Where the home directory string contains /./, the user is confined at that particular location in the path.

Default: NO

pasv_enable

Set to NO if you want to disallow the PASV method of obtaining a data connection.

Default: YES

Set this option to NO if you do not want to allow PASV mode for data connections.

Default: YES

pasv_promiscuous

Set to YES if you want to disable the PASV security check that ensures the data connection originates from the same IP address as the control connection. Only enable if you know what you are doing! The only legitimate use for this is in some form of secure tunnelling scheme, or perhaps to facilitate FXP support.

Default: NO

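Set this option to YES if you want to disable the PASV security check, which ensures that the data connection originates from the same IP address as the control connection. Do not enable this option unless you understand the consequences! Its only legitimate uses are with some kind of secure tunnel, or to support FXP.

Default: NO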

port_enable

Set to NO if you want to disallow the PORT method of obtaining a data connection.

Default: YES

Set this option to NO if you do not want to allow PORT mode for data connections.

Default: YES

port_promiscuous

Set to YES if you want to disable the PORT security check that ensures that outgoing data connections can only connect to the client. Only enable if you know what you are doing!

Default: NO

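Set this option to YES if you want to disable the PORT security check, which ensures that outgoing data connections really go to the client. Do not enable this option unless you understand the consequences!

Default: NO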

run_as_launching_user

Set to YES if you want vsftpd to run as the user which launched vsftpd. This is useful where root access is not available. MASSIVE WARNING! Do NOT enable this option unless you totally know what you are doing, as naive use of this option can create massive security problems. Specifically, vsftpd does not / cannot use chroot technology to restrict file access when this option is set (even if launched by root). A poor substitute could be to use a deny_file setting such as {/*,*..*}, but the reliability of this cannot compare to chroot, and should not be relied on. If using this option, many restrictions on other options apply. For example, options requiring privilege such as non-anonymous logins, upload ownership changing, connecting from port 20 and listen ports less than 1024 are not expected to work. Other options may be impacted.

Default: NO

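Set this option to YES if you want vsftpd to run as the user who launched it. This is very useful when root access is not available. Serious warning! Do not enable this option unless you understand the consequences; careless use will cause very serious security problems. In particular, when this option is enabled vsftpd does not / cannot use chroot to restrict file access (even when launched by root). A poor substitute is to set the deny_file option to {/*,*..*}, but this is not as reliable as chroot and should not be relied on. When this option is enabled, many other options are restricted. For example, options that require privilege, such as non-anonymous logins, changing the ownership of uploaded files, connecting from port 20 and listening on ports below 1024, will not work. Other options may also be affected.

Default: NO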

secure_email_list_enable

Set to YES if you want only a specified list of e-mail passwords for anonymous logins to be accepted. This is useful as a low-hassle way of restricting access to low-security content without needing virtual users. When enabled, anonymous logins are prevented unless the password provided is listed in the file specified by the email_password_file setting. The file format is one password per line, no extra whitespace. The default filename is /etc/vsftpd.email_passwords.

Default: NO

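Set this option to YES if you want to specify a list of e-mail addresses that anonymous users use as passwords. This is a way to set up low-security access control without creating virtual users. When enabled, anonymous users are allowed access only if the password they give is an e-mail address listed in the file specified by the email_password_file option. The file format is one password per line, with no whitespace. The default filename is /etc/vsftpd.email_passwords.

Default: NO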

session_support

This controls whether vsftpd attempts to maintain sessions for logins. If vsftpd is maintaining sessions, it will try and update utmp and wtmp. It will also open a pam_session if using PAM to authenticate, and only close this upon logout. You may wish to disable this if you do not need session logging, and you wish to give vsftpd more opportunity to run with less processes and / or less privilege. NOTE - utmp and wtmp support is only provided with PAM enabled builds.

Default: NO

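This option controls whether vsftpd maintains sessions for logins. If it does, vsftpd will try to update utmp and wtmp. If PAM authentication is used, it will also open a pam_session, which stays open until the user logs out. Disable this if you do not need session logging and want vsftpd to run with fewer processes and/or less privilege. Note: utmp and wtmp are supported only when PAM is enabled.

Default: NO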

setproctitle_enable

If enabled, vsftpd will try and show session status information in the system process listing. In other words, the reported name of the process will change to reflect what a vsftpd session is doing (idle, downloading etc). You probably want to leave this off for security purposes.

Default: NO

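If enabled, vsftpd will try to show session status information in the system process list. In other words, the reported process name shows what each vsftpd session is doing (idle, downloading and so on). For security reasons you may want to leave this off.

Default: NO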

ssl_enable

If enabled, and vsftpd was compiled against OpenSSL, vsftpd will support secure connections via SSL. This applies to the control connection (including login) and also data connections. You'll need a client with SSL support too. NOTE!! Beware enabling this option. Only enable it if you need it. vsftpd can make no guarantees about the security of the OpenSSL libraries. By enabling this option, you are declaring that you trust the security of your installed OpenSSL library.

Default: NO

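If enabled, and OpenSSL support was compiled in, vsftpd supports secure connections over SSL. This applies to the control connection (including login) and to data connections; the client must support SSL too. Note! Be careful about enabling this option, and enable it only when you need it. vsftpd gives no guarantee about the security of the OpenSSL library; by enabling this option you declare that you trust the security of your installed OpenSSL library.

Default: NO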

ssl_sslv2

Only applies if ssl_enable is activated. If enabled, this option will permit SSL v2 protocol connections. TLS v1 connections are preferred.

Default: NO

Takes effect only when ssl_enable is enabled. If enabled, this option permits connections using the SSL v2 protocol. TLS v1 connections remain preferred.

Default: NO

ssl_sslv3

Only applies if ssl_enable is activated. If enabled, this option will permit SSL v3 protocol connections. TLS v1 connections are preferred.

Default: NO

Takes effect only when ssl_enable is enabled. If enabled, this option permits connections using the SSL v3 protocol. TLS v1 connections remain preferred.

Default: NO

ssl_tlsv1

Only applies if ssl_enable is activated. If enabled, this option will permit TLS v1 protocol connections. TLS v1 connections are preferred.

Default: YES

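Takes effect only when ssl_enable is enabled. If enabled, this option permits connections using the TLS v1 protocol. TLS v1 connections are the preferred method.

Default: YES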

syslog_enable

If enabled, then any log output which would have gone to /var/log/vsftpd.log goes to the system log instead. Logging is done under the FTPD facility.

Default: NO

If enabled, any log output that would have gone to /var/log/vsftpd.log goes to the system log instead. Logging is done under the FTPD facility.

Default: NO

tcp_wrappers

If enabled, and vsftpd was compiled with tcp_wrappers support, incoming connections will be fed through tcp_wrappers access control. Furthermore, there is a mechanism for per-IP based configuration. If tcp_wrappers sets the VSFTPD_LOAD_CONF environment variable, then the vsftpd session will try and load the vsftpd configuration file specified in this variable.

Default: NO

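If enabled, and tcp_wrappers support was compiled in, incoming connections are controlled by tcp_wrappers. In addition, there is a per-IP configuration mechanism: if tcp_wrappers sets the VSFTPD_LOAD_CONF environment variable, the vsftpd session will try to load the vsftpd configuration file named in that variable.

Default: NO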

text_userdb_names

By default, numeric IDs are shown in the user and group fields of directory listings. You can get textual names by enabling this parameter. It is off by default for performance reasons.

Default: NO

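By default, the user and group fields in directory listings show numeric IDs. Enabling this option shows textual names instead. It is off by default for performance reasons.

Default: NO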

tilde_user_enable

If enabled, vsftpd will try and resolve pathnames such as ~chris/pics, i.e. a tilde followed by a username. Note that vsftpd will always resolve the pathnames ~ and ~/something (in this case the ~ resolves to the initial login directory). Note that ~user paths will only resolve if the file /etc/passwd may be found within the _current_ chroot() jail.

Default: NO

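If enabled, vsftpd will try to resolve pathnames such as ~chris/pics, that is, a ~ followed by a username. Note that vsftpd always resolves the pathnames ~ and ~/something (here ~ resolves to the initial login directory). ~user paths are resolved only if /etc/passwd can be found inside the current chroot jail.

Default: NO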

use_localtime

If enabled, vsftpd will display directory listings with the time in your local time zone. The default is to display GMT. The times returned by the MDTM FTP command are also affected by this option.

Default: NO

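If enabled, vsftpd shows directory listings with times in your local time zone; the default is GMT. The times returned by the MDTM FTP command are also affected by this option.

Default: NO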

use_sendfile

An internal setting used for testing the relative benefit of using the sendfile() system call on your platform.

Default: YES

An internal setting for testing the relative performance of using the sendfile() system call on your platform.

Default: YES

userlist_deny

This option is examined if userlist_enable is activated. If you set this setting to NO, then users will be denied login unless they are explicitly listed in the file specified by userlist_file. When login is denied, the denial is issued before the user is asked for a password.

Default: YES

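This option is examined only when userlist_enable is enabled. If it is set to NO, only users explicitly listed in the file specified by userlist_file can log in. Denied users are refused before being asked for a password.

Default: YES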

userlist_enable

If enabled, vsftpd will load a list of usernames, from the filename given by userlist_file. If a user tries to log in using a name in this file, they will be denied before they are asked for a password. This may be useful in preventing cleartext passwords being transmitted. See also userlist_deny.

Default: NO

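If enabled, vsftpd loads a list of usernames from the file specified by the userlist_file option. Users who try to log in with a name on this list are refused before being asked for a password, which helps prevent passwords being transmitted in cleartext. See also userlist_deny.

Default: NO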
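The two list files described on this page change meaning depending on a second option: chroot_list_enable with chroot_local_user, and userlist_enable with userlist_deny. The following added example (not vsftpd code; the function names and user names are constructed) models both decisions and shows which accounts change jail status when only chroot_local_user is flipped and the list file is left as it was.

```python
def is_jailed(user, chroot_local_user, chroot_list_enable, chroot_list):
    """True if a local user is placed in a chroot() jail at login."""
    if not chroot_list_enable:
        return chroot_local_user  # the list file is not consulted
    listed = user in chroot_list
    # chroot_local_user=YES: the list names users who are NOT jailed.
    # chroot_local_user=NO:  the list names users who ARE jailed.
    return (not listed) if chroot_local_user else listed


def denied_before_password(user, userlist_enable, userlist_deny, userlist):
    """True if the login is refused before a password is requested.

    False only means the user list does not block the login; the
    password check still has to succeed afterwards.
    """
    if not userlist_enable:
        return False
    listed = user in userlist
    # userlist_deny=YES (default): the file is a deny list.
    # userlist_deny=NO: the file is an allow list.
    return listed if userlist_deny else not listed


def jail_changes(users, chroot_list, before, after):
    """Users whose jail status differs between two settings.

    before and after are (chroot_local_user, chroot_list_enable) pairs.
    Returns {user: (jailed_before, jailed_after)}.
    """
    changed = {}
    for user in users:
        old = is_jailed(user, before[0], before[1], chroot_list)
        new = is_jailed(user, after[0], after[1], chroot_list)
        if old != new:
            changed[user] = (old, new)
    return changed


# Constructed accounts and list contents for illustration.
USERS = ["alice", "bob", "carol"]
CHROOT_LIST = {"alice"}
USERLIST = {"root", "alice"}

if __name__ == "__main__":
    # Same list file, chroot_local_user switched from NO to YES:
    # every account flips, and alice is the one who leaves the jail.
    print(jail_changes(USERS, CHROOT_LIST, (False, True), (True, True)))
    for name in ("root", "bob"):
        print(name, denied_before_password(name, True, True, USERLIST),
              denied_before_password(name, True, False, USERLIST))
```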

 

virtual_use_local_privs

If enabled, virtual users will use the same privileges as local users. By default, virtual users will use the same privileges as anonymous users, which tends to be more restrictive (especially in terms of write access).

Default: NO

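If enabled, virtual users have the same privileges as local users. By default, virtual users have the same privileges as anonymous users, which tends to be more restrictive (especially for write access).

Default: NO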

write_enable

This controls whether any FTP commands which change the filesystem are allowed or not. These commands are: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE.

Default: NO

This option controls whether FTP commands that change the filesystem are allowed. These commands are: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE.

Default: NO

xferlog_enable

If enabled, a log file will be maintained detailing uploads and downloads. By default, this file will be placed at /var/log/vsftpd.log, but this location may be overridden using the configuration setting vsftpd_log_file.

Default: NO (but the sample config file enables it)

If enabled, a log file is maintained that records uploads and downloads in detail. By default this log file is /var/log/vsftpd.log, but it can be set with the vsftpd_log_file option in the configuration file.

Default: NO (but the sample config file enables it)

xferlog_std_format

If enabled, the transfer log file will be written in standard xferlog format, as used by wu-ftpd. This is useful because you can reuse existing transfer statistics generators. The default format is more readable, however. The default location for this style of log file is /var/log/xferlog, but you may change it with the setting xferlog_file.

Default: NO

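If enabled, the transfer log file is written in standard xferlog format, as wu-ftpd does. This lets you reuse existing transfer statistics generators. The default format is more readable, however. The default location for a log in this format is /var/log/xferlog, but you can set it with the xferlog_file option.

Default: NO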
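Several boolean options above only matter in combination (anonymous writes need write_enable, the ssl_* options need ssl_enable), so reading one line of a config in isolation can mislead. This added example (not part of vsftpd; the function names and sample settings are constructed) applies the compiled-in defaults listed on this page and reports the options whose documented warnings apply to the resulting configuration.

```python
# Compiled-in defaults as listed on this page, for the options checked here.
DEFAULTS = {
    "anonymous_enable": "YES", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "local_enable": "NO",
    "chroot_local_user": "NO", "ssl_enable": "NO", "ssl_sslv2": "NO",
    "force_local_logins_ssl": "YES", "pasv_promiscuous": "NO",
    "port_promiscuous": "NO", "run_as_launching_user": "NO",
    "ls_recurse_enable": "NO", "setproctitle_enable": "NO",
}

ANON_WRITES = (
    ("anon_upload_enable", "upload files"),
    ("anon_mkdir_write_enable", "create directories"),
    ("anon_other_write_enable", "delete and rename files"),
)

STANDALONE_WARNINGS = (
    ("pasv_promiscuous", "PASV source-address check is disabled"),
    ("port_promiscuous", "PORT destination check is disabled"),
    ("run_as_launching_user", "chroot cannot be used to restrict access"),
    ("ls_recurse_enable", "ls -R on a large site can exhaust resources"),
    ("setproctitle_enable", "session status is visible in the process list"),
)


def effective(settings):
    """Merge explicit settings over the defaults; return option -> bool."""
    merged = dict(DEFAULTS)
    merged.update({k: v for k, v in settings.items() if k in DEFAULTS})
    return {option: value == "YES" for option, value in merged.items()}


def audit(settings):
    """Return a list of (option, message) for warnings that apply."""
    on = effective(settings)
    findings = []
    # Anonymous write options need anonymous logins AND write_enable.
    if on["anonymous_enable"] and on["write_enable"]:
        for option, action in ANON_WRITES:
            if on[option]:
                findings.append((option, f"anonymous users can {action}"))
    for option, message in STANDALONE_WARNINGS:
        if on[option]:
            findings.append((option, message))
    # ssl_sslv2 only applies when ssl_enable is active.
    if on["ssl_enable"] and on["ssl_sslv2"]:
        findings.append(("ssl_sslv2", "SSL v2 connections are permitted"))
    if on["local_enable"] and not (on["ssl_enable"]
                                   and on["force_local_logins_ssl"]):
        findings.append(("local_enable",
                         "local passwords are not forced onto SSL"))
    if on["local_enable"] and on["chroot_local_user"] and on["write_enable"]:
        findings.append(("chroot_local_user",
                         "chroot() jail for users with upload permission"))
    return findings


# Constructed settings for illustration.
RISKY = {"write_enable": "YES", "anon_upload_enable": "YES",
         "local_enable": "YES", "pasv_promiscuous": "YES",
         "ssl_sslv2": "YES"}
TIGHTER = {"anonymous_enable": "NO", "local_enable": "YES",
           "write_enable": "YES", "ssl_enable": "YES"}

if __name__ == "__main__":
    for option, message in audit(RISKY):
        print(f"{option}: {message}")
    print(audit(TIGHTER))
```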

 

NUMERIC OPTIONS

Numeric options

Below is a list of numeric options. A numeric option must be set to a non negative integer. Octal numbers are supported, for convenience of the umask options. To specify an octal number, use 0 as the first digit of the number.

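Below is the list of numeric options. A numeric option must be set to a non-negative integer. For the convenience of the umask options, octal numbers are also supported; an octal number must have 0 as its first digit.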

accept_timeout

The timeout, in seconds, for a remote client to establish connection with a PASV style data connection.

Default: 60

The timeout, in seconds, for a remote client to establish a PASV style data connection.

Default: 60

anon_max_rate

The maximum data transfer rate permitted, in bytes per second, for anonymous clients.

Default: 0 (unlimited)

The maximum data transfer rate permitted, in bytes per second, for anonymous clients.

Default: 0 (unlimited)

anon_umask

The value that the umask for file creation is set to for anonymous users. NOTE! If you want to specify octal values, remember the "0" prefix otherwise the value will be treated as a base 10 integer!

Default: 077

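Sets the umask used when anonymous users create files. Note! If you want to specify an octal number, the first digit must be "0"; otherwise the value is treated as a decimal number.

Default: 077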

connect_timeout

The timeout, in seconds, for a remote client to respond to our PORT style data connection.

Default: 60

The timeout, in seconds, for a remote client to respond to our PORT style data connection.

Default: 60

data_connection_timeout

The timeout, in seconds, which is roughly the maximum time we permit data transfers to stall for with no progress. If the timeout triggers, the remote client is kicked off.

Default: 300

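The timeout, in seconds, which sets the maximum time a data connection may remain idle. If the timeout triggers, the remote client is disconnected.

Default: 300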

file_open_mode

The permissions with which uploaded files are created. Umasks are applied on top of this value. You may wish to change to 0777 if you want uploaded files to be executable.

Default: 0666

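Sets the permissions with which uploaded files are created. Umasks take precedence over this setting. To allow uploaded files to be executable, change this value to 0777.

Default: 0666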

ftp_data_port

The port from which PORT style connections originate (as long as the poorly named connect_from_port_20 is enabled).

Default: 20

The port for PORT style data connections (as long as the connect_from_port_20 option is enabled).

Default: 20

idle_session_timeout

The timeout, in seconds, which is the maximum time a remote client may spend between FTP commands. If the timeout triggers, the remote client is kicked off.

Default: 300

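The timeout, in seconds, which is the maximum interval between FTP commands from a remote client. If the timeout triggers, the remote client is disconnected.

Default: 300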

listen_port

If vsftpd is in standalone mode, this is the port it will listen on for incoming FTP connections.

Default: 21

If vsftpd is started in standalone mode, this is the port on which it listens for incoming FTP connections.

Default: 21

local_max_rate

The maximum data transfer rate permitted, in bytes per second, for local authenticated users.

Default: 0 (unlimited)

The maximum data transfer rate permitted, in bytes per second, for local authenticated users.

Default: 0 (unlimited)

local_umask

The value that the umask for file creation is set to for local users. NOTE! If you want to specify octal values, remember the "0" prefix otherwise the value will be treated as a base 10 integer!

Default: 077

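Sets the umask for files uploaded by local users. Note! If you want to specify an octal number, the first digit must be "0"; otherwise the value is treated as a decimal number.

Default: 077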
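The octal rule from the numeric options introduction, combined with anon_umask, local_umask and file_open_mode, decides the permissions of every uploaded file, and a missing leading 0 changes them silently. This added example (not vsftpd code; the function names are constructed, and rejecting the digits 8 and 9 after a leading 0 is an assumption) computes the resulting mode and flags values that were read as decimal.

```python
def parse_numeric(value):
    """Read a numeric option as this page describes: a non-negative
    integer, octal when the first digit is 0, decimal otherwise."""
    if not (value.isascii() and value.isdigit()):
        raise ValueError(f"not a non-negative integer: {value!r}")
    # Assumption: 8 or 9 after a leading 0 is rejected here; the page
    # does not say how vsftpd treats such a value.
    return int(value, 8) if value.startswith("0") else int(value, 10)


def created_mode(umask, file_open_mode="0666"):
    """Permission bits of an uploaded file: file_open_mode with the
    umask applied on top (defaults taken from this page)."""
    return parse_numeric(file_open_mode) & ~parse_numeric(umask) & 0o777


def audit_umask(option, value, file_open_mode="0666"):
    """Return warnings for one umask setting."""
    findings = []
    number = parse_numeric(value)
    if number != 0 and not value.startswith("0"):
        findings.append(
            f"{option}={value} has no leading 0: read as decimal, "
            f"which is umask {number:04o}")
    mode = created_mode(value, file_open_mode)
    if mode & 0o002:
        findings.append(f"uploads are created world-writable ({mode:04o})")
    elif mode & 0o020:
        findings.append(f"uploads are created group-writable ({mode:04o})")
    return findings


if __name__ == "__main__":
    # Constructed values: the page default, and two common slips.
    for option, value in (("anon_umask", "077"),
                          ("anon_umask", "77"),
                          ("local_umask", "22")):
        print(option, value, f"{created_mode(value):04o}",
              audit_umask(option, value))
```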

 

max_clients

If vsftpd is in standalone mode, this is the maximum number of clients which may be connected. Any additional clients connecting will get an error message.

Default: 0 (unlimited)

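If vsftpd is started in standalone mode, this option sets the maximum number of client connections. Connections beyond the limit receive an error message.

Default: 0 (unlimited)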

max_per_ip

If vsftpd is in standalone mode, this is the maximum number of clients which may be connected from the same source internet address. A client will get an error message if they go over this limit.

Default: 0 (unlimited)

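If vsftpd is started in standalone mode, this option sets the maximum number of connections from the same network address. Connections beyond the limit receive an error message.

Default: 0 (unlimited)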

pasv_max_port

The maximum port to allocate for PASV style data connections. Can be used to specify a narrow port range to assist firewalling.

Default: 0 (use any port)

The maximum port to allocate for PASV style data connections. For security reasons, the ports can be restricted to a narrow range.

Default: 0 (use any port)

pasv_min_port

The minimum port to allocate for PASV style data connections. Can be used to specify a narrow port range to assist firewalling.

Default: 0 (use any port)

The minimum port to allocate for PASV style data connections. For security reasons, the ports can be restricted to a narrow range.

Default: 0 (use any port)

trans_chunk_size

You probably don't want to change this, but try setting it to something like 8192 for a much smoother bandwidth limiter.

Default: 0 (let vsftpd pick a sensible setting)

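You probably do not want to change this setting, but you can try a value such as 8192 to make the bandwidth limiter smoother.

Default: 0 (let vsftpd choose for itself)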

STRING OPTIONS

Below is a list of string options.

String options
Below is the list of string options.

anon_root

This option represents a directory which vsftpd will try to change into after an anonymous login. Failure is silently ignored.

Default: (none)

This option specifies a directory that anonymous users are moved into after login. Failure is ignored.

Default: (none)

banned_email_file

This option is the name of a file containing a list of anonymous e-mail passwords which are not permitted. This file is consulted if the option deny_email_enable is enabled.

Default: /etc/vsftpd.banned_emails

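This option names the file containing the list of e-mail addresses that may not be used as anonymous login passwords. Using it requires the deny_email_enable option to be enabled.

Default: /etc/vsftpd.banned_emails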

banner_file

This option is the name of a file containing text to display when someone connects to the server. If set, it overrides the banner string provided by the ftpd_banner option.

Default: (none)

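This option names a file containing the text displayed when a user connects. When set, it replaces the welcome banner specified by the ftpd_banner option.

Default: (none)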

chown_username

This is the name of the user who is given ownership of anonymously uploaded files. This option is only relevant if another option, chown_uploads, is set.

Default: root

The user who becomes the owner of files uploaded by anonymous users. This option takes effect only when the chown_uploads option is set.

Default: root

chroot_list_file

The option is the name of a file containing a list of local users which will be placed in a chroot() jail in their home directory. This option is only relevant if the option chroot_list_enable is enabled. If the option chroot_local_user is enabled, then the list file becomes a list of users to NOT place in a chroot() jail.

Default: /etc/vsftpd.chroot_list

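This option names the file containing the list of users who are confined to their home directories. It takes effect only when the chroot_list_enable option is enabled. If the chroot_local_user option is enabled, the file instead lists the users who are NOT confined to their home directories.

Default: /etc/vsftpd.chroot_list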

cmds_allowed

This option specifies a comma separated list of allowed FTP commands (post login. USER, PASS and QUIT are always allowed pre-login). Other commands are rejected. This is a powerful method of really locking down an FTP server. Example: cmds_allowed=PASV,RETR,QUIT

Default: (none)

This option specifies a comma-separated list of permitted FTP commands (post login; USER, PASS and QUIT are always available before login). Other commands are rejected. This is a powerful way to lock down an FTP server. Example: cmds_allowed=PASV,RETR,QUIT

Default: (none)

deny_file

This option can be used to set a pattern for filenames (and directory names etc.) which should not be accessible in any way. The affected items are not hidden, but any attempt to do anything to them (download, change into directory, affect something within directory etc.) will be denied. This option is very simple, and should not be used for serious access control - the filesystem's permissions should be used in preference. However, this option may be useful in certain virtual user setups. In particular, be aware that if a filename is accessible by a variety of names (perhaps due to symbolic links or hard links), then care must be taken to deny access to all the names. Access will be denied to items if their name contains the string given by hide_file, or if they match the regular expression specified by hide_file. Note that vsftpd's regular expression matching code is a simple implementation which is a subset of full regular expression functionality. Because of this, you will need to carefully and exhaustively test any application of this option. And you are recommended to use filesystem permissions for any important security policies due to their greater reliability. Example: deny_file={*.mp3,*.mov,.private}

Default: (none)

This option sets a pattern for file names (and directory names etc.) to which access is denied. The setting does not hide the files; it prevents any operation on them (download, changing into the directory, and other operations). The option is very simple and should not be used for strict access control; filesystem permissions should be preferred. However, it is useful in certain virtual user setups. In particular, when a file can be reached under several names (perhaps through symbolic links or hard links), take care to deny access to all of the names. Access is denied if the name contains the string given by hide_file or matches the regular expression specified by hide_file. Note that vsftpd's regular expression matching supports only a subset of the functionality, so you need to test any use of this option as thoroughly as possible. For security, you are advised to use the filesystem's own access control. Example: deny_file={*.mp3,*.mov,.private}

Default: (none)

dsa_cert_file

This option specifies the location of the DSA certificate to use for SSL encrypted connections.

Default: (none - an RSA certificate suffices)

This option specifies the location of the DSA certificate used for SSL encrypted connections.

Default: (none - an RSA certificate is used)

email_password_file

This option can be used to provide an alternate file for usage by the secure_email_list_enable setting.

Default: /etc/vsftpd.email_passwords

This option provides an alternate file for use by the secure_email_list_enable option.

Default: /etc/vsftpd.email_passwords

ftp_username

This is the name of the user we use for handling anonymous FTP. The home directory of this user is the root of the anonymous FTP area.

Default: ftp

The user name used to handle anonymous FTP. This user's home directory is the root directory for anonymous users.

Default: ftp

ftpd_banner

This string option allows you to override the greeting banner displayed by vsftpd when a connection first comes in.

Default: (none - default vsftpd banner is displayed)

Replaces the greeting displayed when a connection to vsftpd first comes in.

Default: (none - vsftpd's default banner is displayed)

guest_username

See the boolean setting guest_enable for a description of what constitutes a guest login. This setting is the real username which guest users are mapped to.

Default: ftp

See the boolean option guest_enable for the description of a guest login. This option maps guest users to a real user.

Default: ftp

hide_file

This option can be used to set a pattern for filenames (and directory names etc.) which should be hidden from directory listings. Despite being hidden, the files / directories etc. are fully accessible to clients who know what names to actually use. Items will be hidden if their names contain the string given by hide_file, or if they match the regular expression specified by hide_file. Note that vsftpd's regular expression matching code is a simple implementation which is a subset of full regular expression functionality. Example: hide_file={*.mp3,.hidden,hide*,h?}

Default: (none)

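This option sets the filenames (and directory names etc.) to hide from directory listings. Although hidden, the files and directories remain fully accessible to any client that knows their names. Items are hidden if their names contain the string given by hide_file or match the regular expression specified by hide_file. Note that vsftpd's regular expression matching supports only a subset of full regular expression functionality. Example: hide_file={*.mp3,.hidden,hide*,h?}
Default: (none)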

 

listen_address

If vsftpd is in standalone mode, the default listen address (of all local interfaces) may be overridden by this setting. Provide a numeric IP address.

Default: (none)

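If vsftpd runs in standalone mode, this option overrides the default listen address (all local interfaces). The format is a numeric IP address.
Default: (none)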

 

listen_address6

Like listen_address, but specifies a default listen address for the IPv6 listener (which is used if listen_ipv6 is set). Format is standard IPv6 address format.

Default: (none)

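Similar to the listen_address option, but specifies an IPv6 address as the default listen address (used if the listen_ipv6 option is set). The format is the standard IPv6 address format.
Default: (none)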

 

local_root

This option represents a directory which vsftpd will try to change into after a local (i.e. non-anonymous) login. Failure is silently ignored.

Default: (none)

This option specifies the directory that a local (i.e. non-anonymous) user is moved into after login. Failure is ignored.
Default: (none)

 

message_file

This option is the name of the file we look for when a new directory is entered. The contents are displayed to the remote user. This option is only relevant if the option dirmessage_enable is enabled.

Default: .message

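This option names the file to look for when a new directory is entered. The contents of that file are the welcome message shown to the remote user. The option only takes effect when dirmessage_enable is enabled.
Default: .message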

 

nopriv_user

This is the name of the user that is used by vsftpd when it wants to be totally unprivileged. Note that this should be a dedicated user, rather than nobody. The user nobody tends to be used for rather a lot of important things on most machines.

Default: nobody

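Specifies the user that vsftpd switches to when it wants to run without privileges. This should be a dedicated user rather than the user nobody, because on most machines nobody is used for a large number of important things.
Default: nobody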

 

pam_service_name

This string is the name of the PAM service vsftpd will use.

Default: ftp

Specifies the name of the PAM service that vsftpd will use.
Default: ftp

 

pasv_address

Use this option to override the IP address that vsftpd will advertise in response to the PASV command. Provide a numeric IP address.

Default: (none - the address is taken from the incoming connected socket)

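This option gives vsftpd an IP address to use in its response to the PASV command. The format is a numeric IP address.
Default: (none - the address is taken from the incoming connected socket)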

 

rsa_cert_file

This option specifies the location of the RSA certificate to use for SSL encrypted connections.

Default: /usr/share/ssl/certs/vsftpd.pem

This option specifies the location of the RSA certificate used for SSL encrypted connections.
Default: /usr/share/ssl/certs/vsftpd.pem

 

secure_chroot_dir

This option should be the name of a directory which is empty. Also, the directory should not be writable by the ftp user. This directory is used as a secure chroot() jail at times vsftpd does not require filesystem access.

Default: /usr/share/empty

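This option specifies an empty directory to which the ftp user should have no write permission. When vsftpd does not need filesystem access, this directory serves as the jail that the process is confined to.
Default: /usr/share/empty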
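The two requirements stated for secure_chroot_dir (empty, and not writable by the ftp user) can be checked before the daemon starts. The following is an added example, not part of the man page or of vsftpd; the function name and finding codes are hypothetical, and the group check assumes the caller supplies the ftp user's group IDs.

```python
import os
import stat

def audit_secure_chroot_dir(path, ftp_uid, ftp_gids=()):
    """Return finding codes for a secure_chroot_dir candidate; [] means it passes."""
    try:
        st = os.lstat(path)          # lstat: a symlink must not pass as the jail
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not-a-directory"]
    findings = []
    # Requirement 1 from the man page: the directory must be empty.
    if os.listdir(path):
        findings.append("not-empty")
    # Requirement 2: the ftp user must not be able to write to it.
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == ftp_uid:
        # An owner can always chmod the directory writable, whatever the mode says.
        findings.append("owned-by-ftp-user")
    if st.st_gid in ftp_gids and mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings

if __name__ == "__main__":
    import pwd
    try:
        # "ftp" is the default ftp_username given on this page.
        ftp = pwd.getpwnam("ftp")
        print(audit_secure_chroot_dir("/usr/share/empty", ftp.pw_uid, (ftp.pw_gid,)))
    except KeyError:
        print("no 'ftp' user on this system")
```

Supplementary groups of the ftp user are not looked up here; pass them in ftp_gids if the account has any.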

 

ssl_ciphers

This option can be used to select which SSL ciphers vsftpd will allow for encrypted SSL connections. See the ciphers man page for further details. Note that restricting ciphers can be a useful security precaution as it prevents malicious remote parties forcing a cipher which they have found problems with.

Default: DES-CBC3-SHA

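This option selects which SSL ciphers vsftpd allows for SSL encrypted connections. See the ciphers manual page for more information. Note that this can effectively stop malicious remote attacks by parties who have found a weakness in a particular cipher.
Default: DES-CBC3-SHA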

 

user_config_dir

This powerful option allows the override of any config option specified in the manual page, on a per-user basis. Usage is simple, and is best illustrated with an example. If you set user_config_dir to be /etc/vsftpd_user_conf and then log on as the user "chris", then vsftpd will apply the settings in the file /etc/vsftpd_user_conf/chris for the duration of the session. The format of this file is as detailed in this manual page! PLEASE NOTE that not all settings are effective on a per-user basis. For example, many settings only take effect prior to the user's session being started. Examples of settings which will not affect any behaviour on a per-user basis include listen_address, banner_file, max_per_ip, max_clients, xferlog_file, etc.

Default: (none)

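This option allows any config option specified in the manual page to be overridden per user. Usage is simple and one example is enough to explain it. If you set user_config_dir to /etc/vsftpd_user_conf and log in as the user "chris", vsftpd applies the settings in the file /etc/vsftpd_user_conf/chris to that user. The format of this file is described in detail in the manual page. Note that not every setting can take effect per user: many settings only apply when the user's session starts, including listen_address, banner_file, max_per_ip, max_clients, xferlog_file and so on.
Default: (none)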

 

user_sub_token

This option is useful in conjunction with virtual users. It is used to automatically generate a home directory for each virtual user, based on a template. For example, if the home directory of the real user specified via guest_username is /home/virtual/$USER, and user_sub_token is set to $USER, then when virtual user fred logs in, he will end up (usually chroot()'ed) in the directory /home/virtual/fred. This option also takes effect if local_root contains user_sub_token.

Default: (none)

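This option is used together with virtual users to create a home directory for each virtual user from a template. For example, if the home directory of the real user specified via guest_username is /home/virtual/$USER and user_sub_token is set to $USER, then virtual user fred, after logging in, ends up in the (restricted) directory /home/virtual/fred. The option also takes effect if local_root contains user_sub_token.
Default: (none)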

 

userlist_file

This option is the name of the file loaded when the userlist_enable option is active.

Default: /etc/vsftpd.user_list

This option names the file that is loaded when the userlist_enable option is enabled.
Default: /etc/vsftpd.user_list

 

vsftpd_log_file

This option is the name of the file to which we write the vsftpd style log file. This log is only written if the option xferlog_enable is set, and xferlog_std_format is NOT set. Alternatively, it is written if you have set the option dual_log_enable. One further complication - if you have set syslog_enable, then this file is not written and output is sent to the system log instead.

Default: /var/log/vsftpd.log

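This option names the file to which the vsftpd style log is written. The log is only written to this file if xferlog_enable is set and xferlog_std_format is not set. It is also written to this file if dual_log_enable is set. One further complication: if you have enabled syslog_enable, output is not written to this file and goes to the system log instead.
Default: /var/log/vsftpd.log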

 

xferlog_file

This option is the name of the file to which we write the wu-ftpd style transfer log. The transfer log is only written if the option xferlog_enable is set, along with xferlog_std_format. Alternatively, it is written if you have set the option dual_log_enable.

Default: /var/log/xferlog

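This option names the file to which the wu-ftpd style log is written. Records are only written to this file if both xferlog_enable and xferlog_std_format are set. It is also written if the dual_log_enable option is set.
Default: /var/log/xferlog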
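The vsftpd_log_file and xferlog_file entries together mean that a configured log path may never be written. The following added example (not part of the man page or of vsftpd) models the rules exactly as those two entries word them and reports where records actually land; the function names and the sample configuration are constructed for illustration, and only YES/NO booleans are handled, as this page describes.

```python
# Compiled-in defaults as given by the vsftpd.conf man page.
DEFAULTS = {
    "xferlog_enable": "NO", "xferlog_std_format": "NO",
    "dual_log_enable": "NO", "syslog_enable": "NO",
    "vsftpd_log_file": "/var/log/vsftpd.log",
    "xferlog_file": "/var/log/xferlog",
}

def parse_conf(text):
    """Parse vsftpd.conf text: '#' comment lines and strict option=value lines."""
    conf = dict(DEFAULTS)
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        option, sep, value = line.partition("=")
        # The FORMAT section treats any space between option, '=' and value as an error.
        if not sep or not option or option != option.strip() or value != value.lstrip():
            raise ValueError(f"line {n}: expected option=value, got {line!r}")
        conf[option] = value
    return conf

def on(conf, key):
    return conf[key].upper() == "YES"

def log_destinations(conf):
    """Return the places that receive log records, in xferlog-then-vsftpd order."""
    xfer, std = on(conf, "xferlog_enable"), on(conf, "xferlog_std_format")
    dual = on(conf, "dual_log_enable")
    dests = []
    if (xfer and std) or dual:            # wu-ftpd style transfer log
        dests.append(conf["xferlog_file"])
    if (xfer and not std) or dual:        # vsftpd style log
        # syslog_enable diverts this log away from vsftpd_log_file entirely.
        dests.append("syslog" if on(conf, "syslog_enable") else conf["vsftpd_log_file"])
    return dests

# Constructed sample: vsftpd_log_file is set, yet nothing will be written to it.
SAMPLE = """\
# constructed sample configuration
xferlog_enable=YES
xferlog_std_format=YES
vsftpd_log_file=/var/log/ftp/vsftpd.log
"""

if __name__ == "__main__":
    print(log_destinations(parse_conf(SAMPLE)))
```

An empty result means the configuration records no transfers at all, which is the case with the compiled-in defaults.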
