NOTE: CentOS Enterprise Linux 5 is built from the Red Hat Enterprise Linux source code. Other than logo and name changes, CentOS Enterprise Linux 5 is compatible with the equivalent Red Hat version. This document applies equally to both Red Hat and CentOS Enterprise Linux 5.
Although vsftpd may not offer the level of customization other widely available FTP servers have, it offers enough options to fill most administrators' needs. The fact that it is not overly feature-laden limits configuration and programmatic errors.
All configuration of vsftpd is handled by its configuration file, /etc/vsftpd/vsftpd.conf. Each directive is on its own line within the file and uses the following format:
<directive>=<value>
For each directive, replace <directive> with a valid directive and <value> with a valid value.
Important
There must not be any spaces between the
<directive>, equal symbol,
and the <value> in a
directive.
Comment lines must be preceded by a hash mark (#) and are ignored by the daemon.
For a complete list of all directives available, refer to the
man page for vsftpd.conf.
The following is a list of some of the more important directives
within /etc/vsftpd/vsftpd.conf. All
directives not explicitly found within vsftpd's configuration file are set to
their default value.
22.5.1. Daemon Options
The following is a list of directives which control the
overall behavior of the vsftpd daemon.
listen — When
enabled, vsftpd runs in
stand-alone mode. Red Hat Enterprise Linux sets this value
to YES. This directive
cannot be used in conjunction with the listen_ipv6 directive.
The default value is NO.
listen_ipv6 —
When enabled, vsftpd
runs in stand-alone mode, but listens only to IPv6
sockets. This directive cannot be used in conjunction with
the listen directive.
The default value is NO.
session_support —
When enabled, vsftpd
attempts to maintain login sessions for each user through
Pluggable Authentication Modules (PAM). Refer to Section 42.4, “Pluggable Authentication Modules (PAM)” for more information. If session
logging is not necessary, disabling this option allows
vsftpd to run with fewer
processes and lower privileges.
The default value is YES.
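A small parser for the vsftpd.conf line format described above, together with a check for the listen/listen_ipv6 conflict. This is example code added here, not part of the guide or of vsftpd itself; the sample configuration text is constructed, and the function and variable names are my own.

```python
import re

# Exact line shape described above: <directive>=<value>, no spaces around '='.
LINE_RE = re.compile(r"^([A-Za-z0-9_]+)=(.*)$")

# Constructed sample, not a shipped vsftpd.conf. Line 4 breaks the format.
SAMPLE_CONF = """\
# constructed sample configuration
listen=YES
listen_ipv6=YES
anonymous_enable = NO
local_enable=YES
"""

def parse_vsftpd_conf(text):
    """Return (settings, problems).

    settings maps directive -> value for well-formed lines (a later line
    overrides an earlier one); problems lists (line number, text) for lines
    that break the <directive>=<value> rule and that vsftpd would reject.
    """
    settings, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comment lines are ignored by the daemon
        match = LINE_RE.match(line)
        if match is None or match.group(2) != match.group(2).strip():
            # "listen = YES", a bare word, or leading/trailing blanks in the value
            # (blanks inside a value such as ftpd_banner=Welcome here are fine)
            problems.append((lineno, line))
            continue
        settings[match.group(1)] = match.group(2)
    return settings, problems

def is_yes(settings, directive, default="NO"):
    """Boolean directive test; default is the upstream default from the guide."""
    return settings.get(directive, default).upper() == "YES"

def check_listen_modes(settings):
    """listen and listen_ipv6 are mutually exclusive and both default to NO."""
    findings = []
    ipv4, ipv6 = is_yes(settings, "listen"), is_yes(settings, "listen_ipv6")
    if ipv4 and ipv6:
        findings.append("listen=YES and listen_ipv6=YES cannot be combined; keep one")
    elif not ipv4 and not ipv6:
        findings.append("neither listen nor listen_ipv6 is YES: not running in stand-alone mode")
    return findings

if __name__ == "__main__":
    conf, bad = parse_vsftpd_conf(SAMPLE_CONF)
    for lineno, text in bad:
        print("line %d rejected: %r" % (lineno, text))
    for finding in check_listen_modes(conf):
        print("finding:", finding)
```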
22.5.2. Log In Options and Access Controls
The following is a list of directives which control the login
behavior and access control mechanisms.
anonymous_enable
— When enabled, anonymous users are allowed to log
in. The usernames anonymous and
ftp are
accepted.
banned_email_file
— If the deny_email_enable directive is
set to YES, this
directive specifies the file containing a list of
anonymous email passwords which are not permitted access
to the server.
The default value is /etc/vsftpd.banned_emails.
banner_file —
Specifies the file containing text displayed when a
connection is established to the server. This option
overrides any text specified in the ftpd_banner directive.
There is no default value for this directive.
cmds_allowed —
Specifies a comma-delimited list of FTP commands allowed
by the server. All other commands are rejected.
There is no default value for this directive.
deny_email_enable
— When enabled, any anonymous user utilizing an email
password listed in /etc/vsftpd.banned_emails is
denied access to the server. The name of the file
referenced by this directive can be specified using the
banned_email_file
directive.
The default value is NO.
ftpd_banner —
When enabled, the string specified within this directive
is displayed when a connection is established to the
server. This option can be overridden by the banner_file directive.
By default vsftpd
displays its standard banner.
local_enable —
When enabled, local users are allowed to log into the
system.
The default value is NO. Note, in Red Hat Enterprise
Linux, the value is set to YES.
pam_service_name
— Specifies the PAM service name for vsftpd.
The default value is ftp. Note, in Red Hat Enterprise
Linux, the value is set to vsftpd.
userlist_deny —
When used in conjunction with the userlist_enable directive and
set to NO, all local
users are denied access unless the username is listed in
the file specified by the userlist_file directive. Because
access is denied before the client is asked for a
password, setting this directive to NO prevents local users from
submitting unencrypted passwords over the network.
The default value is YES.
userlist_enable —
When enabled, the users listed in the file specified by
the userlist_file
directive are denied access. Because access is denied
before the client is asked for a password, users are
prevented from submitting unencrypted passwords over the
network.
The default value is NO, however under Red Hat
Enterprise Linux the value is set to YES.
userlist_file —
Specifies the file referenced by vsftpd when the userlist_enable directive is
enabled.
The default value is /etc/vsftpd.user_list and is
created during installation.
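The pre-password decision the user list directives produce, worked through as a function. This is example code added here, not from the guide or from vsftpd; it assumes the user list file holds one username per line, and it uses the upstream default of anonymous_enable=YES, for which the guide lists no default. The settings and list contents are constructed.

```python
# Both names are accepted for the anonymous account when anonymous_enable=YES.
ANON_NAMES = {"anonymous", "ftp"}

def is_yes(settings, directive, default="NO"):
    return settings.get(directive, default).upper() == "YES"

def load_user_list(text):
    """Usernames from a userlist_file: one per line, blank lines and '#'
    comments skipped (assumed format; the guide does not specify one)."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")}

def pre_password_decision(settings, user_list, username):
    """Return 'ask-password' if vsftpd would go on to request a password,
    otherwise the reason the login is refused before any password is sent.
    Defaults: local_enable=NO, userlist_enable=NO, userlist_deny=YES (as
    listed above); anonymous_enable=YES is the upstream default."""
    anonymous = username in ANON_NAMES
    if anonymous and not is_yes(settings, "anonymous_enable", default="YES"):
        return "rejected: anonymous logins disabled"
    if not anonymous and not is_yes(settings, "local_enable"):
        return "rejected: local logins disabled"
    if is_yes(settings, "userlist_enable"):
        listed = username in user_list
        if is_yes(settings, "userlist_deny", default="YES"):
            if listed:                      # deny-list mode (the default)
                return "rejected: listed in userlist_file, userlist_deny=YES"
        elif not listed:                    # allow-list mode
            return "rejected: not listed in userlist_file, userlist_deny=NO"
    return "ask-password"                   # password now crosses the network

# Constructed samples, not taken from any real system.
RHEL_LIKE = {"anonymous_enable": "YES", "local_enable": "YES", "userlist_enable": "YES"}
ALLOW_LIST_MODE = dict(RHEL_LIKE, userlist_deny="NO")
SAMPLE_USER_LIST = load_user_list("# constructed list\nroot\nbin\n\ndaemon\n")
```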
22.5.3. Anonymous User Options
The following lists directives which control anonymous user
access to the server. To use these options, the anonymous_enable directive must be
set to YES.
anon_mkdir_write_enable
— When enabled in conjunction with the write_enable directive,
anonymous users are allowed to create new directories
within a parent directory which has write permissions.
The default value is NO.
anon_root —
Specifies the directory vsftpd changes to after an
anonymous user logs in.
There is no default value for this directive.
anon_upload_enable
— When enabled in conjunction with the write_enable directive,
anonymous users are allowed to upload files within a
parent directory which has write permissions.
The default value is NO.
anon_world_readable_only —
When enabled, anonymous users are only allowed to download
world-readable files.
The default value is YES.
ftp_username —
Specifies the local user account (listed in /etc/passwd) used for the
anonymous FTP user. The home directory specified in
/etc/passwd for the
user is the root directory of the anonymous FTP user.
The default value is ftp.
no_anon_password
— When enabled, the anonymous user is not asked for
a password.
The default value is NO.
secure_email_list_enable —
When enabled, only a specified list of email passwords for
anonymous logins are accepted. This is a convenient way to
offer limited security to public content without the need
for virtual users.
Anonymous logins are prevented unless the password
provided is listed in /etc/vsftpd.email_passwords. The
file format is one password per line, with no trailing
white spaces.
The default value is NO.
22.5.4. Local User Options
The following lists directives which characterize the way
local users access the server. To use these options, the
local_enable directive must
be set to YES.
chmod_enable —
When enabled, the FTP command SITE CHMOD is allowed for local
users. This command allows the users to change the
permissions on files.
The default value is YES.
chroot_list_enable
— When enabled, the local users listed in the file
specified in the chroot_list_file directive are
placed in a chroot jail
upon log in.
If enabled in conjunction with the chroot_local_user directive, the
local users listed in the file specified in the chroot_list_file directive are
not placed in a chroot jail upon log in.
The default value is NO.
chroot_list_file
— Specifies the file containing a list of local
users referenced when the chroot_list_enable directive is
set to YES.
The default value is /etc/vsftpd.chroot_list.
chroot_local_user
— When enabled, local users are change-rooted to
their home directories after logging in.
The default value is NO.
Warning
Enabling chroot_local_user opens up a
number of security issues, especially for users with
upload privileges. For this reason, it is
not recommended.
guest_enable —
When enabled, all non-anonymous users are logged in as the
user guest, which is
the local user specified in the guest_username directive.
The default value is NO.
guest_username —
Specifies the username the guest user is mapped to.
The default value is ftp.
local_root —
Specifies the directory vsftpd changes to after a local
user logs in.
There is no default value for this directive.
local_umask —
Specifies the umask value for file creation. Note that the
default value is in octal form (a numerical system with a
base of eight), which includes a "0" prefix. Otherwise the
value is treated as a base-10 integer.
The default value is 022.
passwd_chroot_enable
— When enabled in conjunction with the chroot_local_user directive,
vsftpd change-roots
local users based on the occurrence of the /./ in the home directory field
within /etc/passwd.
The default value is NO.
user_config_dir —
Specifies the path to a directory containing configuration
files bearing the names of local system users, each containing
specific settings for that user. Any directive in a
user's configuration file overrides the one found in
/etc/vsftpd/vsftpd.conf.
There is no default value for this directive.
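The jail decision the three chroot directives produce, worked through as code, plus a check for the combination the Warning above describes (jailed users who can also upload). This is example code added here, not from the guide or vsftpd; the settings and the chroot list contents are constructed.

```python
def is_yes(settings, directive, default="NO"):
    return settings.get(directive, default).upper() == "YES"

def chroot_applies(settings, chroot_list, username):
    """Return (jailed, reason) for a local user after login.

    chroot_list is the set of names read from chroot_list_file
    (/etc/vsftpd.chroot_list by default). Defaults: chroot_local_user=NO,
    chroot_list_enable=NO, as listed above.
    """
    everyone = is_yes(settings, "chroot_local_user")
    use_list = is_yes(settings, "chroot_list_enable")
    listed = username in chroot_list
    if use_list and everyone:
        # With both enabled the list turns into an exemption list.
        return (not listed, "chroot_local_user=YES; chroot_list_file names the exceptions")
    if use_list:
        # List alone: only the names in it are jailed.
        return (listed, "chroot_list_enable=YES; only chroot_list_file users are jailed")
    return (everyone, "chroot_local_user decides for every local user")

def chroot_findings(settings):
    """Flag what the Warning above describes: chroot_local_user=YES, and
    worse when jailed users also have upload rights (write_enable defaults
    to YES on this page)."""
    findings = []
    if is_yes(settings, "chroot_local_user"):
        msg = "chroot_local_user=YES is not recommended by the guide"
        if is_yes(settings, "write_enable", default="YES"):
            msg += "; write_enable=YES gives jailed users upload privileges"
        findings.append(msg)
    return findings

# Constructed example settings and list, not from a real system.
JAIL_ALL_EXCEPT_LIST = {"chroot_local_user": "YES", "chroot_list_enable": "YES"}
JAIL_ONLY_LIST = {"chroot_list_enable": "YES", "write_enable": "NO"}
SAMPLE_CHROOT_LIST = {"alice", "bob"}
```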
22.5.5. Directory Options
The following lists directives which affect directories.
dirlist_enable —
When enabled, users are allowed to view directory lists.
The default value is YES.
dirmessage_enable
— When enabled, a message is displayed whenever a
user enters a directory with a message file. This message
resides within the current directory. The name of
this file is specified in the message_file directive and is
.message by default.
The default value is NO. Note, in Red Hat Enterprise
Linux, the value is set to YES.
force_dot_files —
When enabled, files beginning with a dot (.) are listed in
directory listings, with the exception of the . and .. files.
The default value is NO.
hide_ids — When
enabled, all directory listings show ftp as the user and group
for each file.
The default value is NO.
message_file —
Specifies the name of the message file when using the
dirmessage_enable
directive.
The default value is .message.
text_userdb_names
— When enabled, text usernames and group names are
used in place of UID and GID entries. Enabling this option
may slow performance of the server.
The default value is NO.
use_localtime —
When enabled, directory listings reveal the local time for
the computer instead of GMT.
The default value is NO.
22.5.6. File Transfer Options
The following lists directives which affect file transfers.
download_enable —
When enabled, file downloads are permitted.
The default value is YES.
chown_uploads —
When enabled, all files uploaded by anonymous users are
owned by the user specified in the chown_username directive.
The default value is NO.
chown_username —
Specifies the ownership of anonymously uploaded files if
the chown_uploads
directive is enabled.
The default value is root.
write_enable —
When enabled, FTP commands which can change the file
system are allowed, such as DELE, RNFR, and STOR.
The default value is YES.
22.5.7. Logging Options
The following lists directives which affect vsftpd's logging behavior.
dual_log_enable —
When enabled in conjunction with xferlog_enable, vsftpd writes two files
simultaneously: a wu-ftpd-compatible log to the
file specified in the xferlog_file directive
(/var/log/xferlog by
default) and a standard vsftpd log file specified in the
vsftpd_log_file
directive (/var/log/vsftpd.log by
default).
The default value is NO.
log_ftp_protocol
— When enabled in conjunction with xferlog_enable and with xferlog_std_format set to
NO, all FTP commands
and responses are logged. This directive is useful for
debugging.
The default value is NO.
syslog_enable —
When enabled in conjunction with xferlog_enable, all logging
normally written to the standard vsftpd log file specified in the
vsftpd_log_file
directive (/var/log/vsftpd.log by default)
is sent to the system logger instead under the FTPD
facility.
The default value is NO.
vsftpd_log_file —
Specifies the vsftpd
log file. For this file to be used, xferlog_enable must be enabled
and xferlog_std_format
must either be set to NO or, if xferlog_std_format is set to
YES, dual_log_enable must be
enabled. It is important to note that if syslog_enable is set to YES, the system log is used
instead of the file specified in this directive.
The default value is /var/log/vsftpd.log.
xferlog_enable —
When enabled, vsftpd
logs connections (vsftpd format only) and file
transfer information to the log file specified in the
vsftpd_log_file
directive (/var/log/vsftpd.log by
default). If xferlog_std_format is set to
YES, file transfer
information is logged but connections are not, and the log
file specified in xferlog_file (/var/log/xferlog by default) is
used instead. It is important to note that both log files
and log formats are used if dual_log_enable is set to
YES.
The default value is NO. Note, in Red Hat Enterprise
Linux, the value is set to YES.
xferlog_file —
Specifies the wu-ftpd-compatible log file. For
this file to be used, xferlog_enable must be enabled
and xferlog_std_format
must be set to YES. It
is also used if dual_log_enable is set to
YES.
The default value is /var/log/xferlog.
xferlog_std_format
— When enabled in conjunction with xferlog_enable, only a wu-ftpd-compatible file transfer
log is written to the file specified in the xferlog_file directive
(/var/log/xferlog by
default). It is important to note that this file only logs
file transfers and does not log connections to the server.
The default value is NO. Note, in Red Hat Enterprise
Linux, the value is set to YES.
Important
To maintain compatibility with log files written by the
older wu-ftpd FTP server,
the xferlog_std_format
directive is set to YES
under Red Hat Enterprise Linux. However, this setting means
that connections to the server are not logged.
To both log connections in vsftpd format and maintain a
wu-ftpd-compatible file
transfer log, set dual_log_enable to YES.
If maintaining a wu-ftpd-compatible file transfer
log is not important, either set xferlog_std_format to NO, comment the line with a hash
mark (#), or delete the
line entirely.
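The interaction of xferlog_enable, xferlog_std_format, dual_log_enable and syslog_enable, worked as a function that reports where logs go and flags the unlogged-connections case the Important note describes. This is example code added here, not from the guide or vsftpd; the settings dicts are constructed.

```python
def is_yes(settings, directive, default="NO"):
    return settings.get(directive, default).upper() == "YES"

def logging_outcome(settings):
    """Describe what vsftpd logs and where, from the directives above.
    Defaults are the upstream ones listed above (all four switches NO);
    RHEL's shipped file sets xferlog_enable=YES and xferlog_std_format=YES."""
    out = {"wu_ftpd_log": None, "vsftpd_log": None, "syslog": False,
           "transfers_logged": False, "connections_logged": False,
           "protocol_logged": False}
    if not is_yes(settings, "xferlog_enable"):
        return out                      # nothing at all is logged
    std = is_yes(settings, "xferlog_std_format")
    dual = is_yes(settings, "dual_log_enable")
    out["transfers_logged"] = True
    if std:                             # wu-ftpd-compatible transfer-only log
        out["wu_ftpd_log"] = settings.get("xferlog_file", "/var/log/xferlog")
    if not std or dual:                 # vsftpd-format log, which records connections
        out["connections_logged"] = True
        if is_yes(settings, "syslog_enable"):
            out["syslog"] = True        # FTPD facility replaces the file
        else:
            out["vsftpd_log"] = settings.get("vsftpd_log_file", "/var/log/vsftpd.log")
    if not std and is_yes(settings, "log_ftp_protocol"):
        out["protocol_logged"] = True   # every command and response (debugging)
    return out

def logging_findings(settings):
    """Return the visibility gaps a reviewer would raise."""
    out = logging_outcome(settings)
    if not out["transfers_logged"]:
        return ["xferlog_enable=NO: no transfer or connection logging at all"]
    if not out["connections_logged"]:
        return ["xferlog_std_format=YES without dual_log_enable: connections are "
                "not logged; set dual_log_enable=YES or xferlog_std_format=NO"]
    return []

# Constructed settings for the RHEL-style default and two ways to fix it.
RHEL_STYLE = {"xferlog_enable": "YES", "xferlog_std_format": "YES"}
WITH_DUAL = dict(RHEL_STYLE, dual_log_enable="YES")
TO_SYSLOG = {"xferlog_enable": "YES", "xferlog_std_format": "NO", "syslog_enable": "YES"}
```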
22.5.8. Network Options
The following lists directives which affect how vsftpd interacts with the network.
accept_timeout —
Specifies the amount of time for a client using passive
mode to establish a connection.
The default value is 60.
anon_max_rate —
Specifies the maximum data transfer rate for anonymous
users in bytes per second.
The default value is 0,
which does not limit the transfer rate.
connect_from_port_20 —
When enabled, vsftpd
runs with enough privileges to open port 20 on the server
during active mode data transfers. Disabling this option
allows vsftpd to run
with fewer privileges, but may be incompatible with some
FTP clients.
The default value is NO. Note, in Red Hat Enterprise
Linux, the value is set to YES.
connect_timeout —
Specifies the maximum amount of time a client using active
mode has to respond to a data connection, in seconds.
The default value is 60.
data_connection_timeout
— Specifies the maximum amount of time data transfers
are allowed to stall, in seconds. Once triggered, the
connection to the remote client is closed.
The default value is 300.
ftp_data_port —
Specifies the port used for active data connections when
connect_from_port_20 is
set to YES.
The default value is 20.
idle_session_timeout
— Specifies the maximum amount of time between
commands from a remote client. Once triggered, the
connection to the remote client is closed.
The default value is 300.
listen_address —
Specifies the IP address on which vsftpd listens for network
connections.
There is no default value for this directive.
Tip
If running multiple copies of vsftpd serving different IP
addresses, the configuration file for each copy of the
vsftpd daemon must have
a different value for this directive. Refer to Section 22.4.1, “Starting Multiple Copies of vsftpd” for more information
about multihomed FTP servers.
listen_address6 —
Specifies the IPv6 address on which vsftpd listens for network
connections when listen_ipv6 is set to YES.
There is no default value for this directive.
Tip
If running multiple copies of vsftpd serving different IP
addresses, the configuration file for each copy of the
vsftpd daemon must have
a different value for this directive. Refer to Section 22.4.1, “Starting Multiple Copies of vsftpd” for more information
about multihomed FTP servers.
listen_port —
Specifies the port on which vsftpd listens for network
connections.
The default value is 21.
local_max_rate —
Specifies the maximum rate data is transferred for local
users logged into the server in bytes per second.
The default value is 0,
which does not limit the transfer rate.
max_clients —
Specifies the maximum number of simultaneous clients
allowed to connect to the server when it is running in
standalone mode. Any additional client connections would
result in an error message.
The default value is 0,
which does not limit connections.
max_per_ip —
Specifies the maximum number of clients allowed to connect from
the same source IP address.
The default value is 0,
which does not limit connections.
pasv_address —
Specifies the IP address for the public facing IP address
of the server for servers behind Network Address
Translation (NAT) firewalls. This enables vsftpd to hand out the correct
return address for passive mode connections.
There is no default value for this directive.
pasv_enable —
When enabled, passive mode connections are allowed.
The default value is YES.
pasv_max_port —
Specifies the highest possible port sent to the FTP
clients for passive mode connections. This setting is used
to limit the port range so that firewall rules are easier
to create.
The default value is 0,
which does not limit the highest passive port range. The
value must not exceed 65535.
pasv_min_port —
Specifies the lowest possible port sent to the FTP clients
for passive mode connections. This setting is used to
limit the port range so that firewall rules are easier to
create.
The default value is 0,
which does not limit the lowest passive port. The
value must not be lower than 1024.
pasv_promiscuous
— When enabled, data connections are not checked to
make sure they are originating from the same IP
address. This setting is only useful for certain types of
tunneling.
Caution
Do not enable this option unless absolutely necessary as
it disables an important security feature which verifies
that passive mode connections originate from the same IP
address as the control connection that initiates the
data transfer.
The default value is NO.
port_enable —
When enabled, active mode connections are allowed.
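A check of the passive-mode and connection-limit directives above (the port range bounds, pasv_promiscuous, max_clients and max_per_ip), plus the ports a firewall has to allow inbound for a given configuration. This is example code added here, not part of the guide or vsftpd; the settings are constructed.

```python
def is_yes(settings, directive, default="NO"):
    return settings.get(directive, default).upper() == "YES"

def passive_range(settings):
    """(low, high) from pasv_min_port/pasv_max_port; 0 means no limit on
    that side, as the defaults above state."""
    return (int(settings.get("pasv_min_port", "0")),
            int(settings.get("pasv_max_port", "0")))

def network_findings(settings):
    """Findings a reviewer would raise against the network directives above."""
    findings = []
    low, high = passive_range(settings)
    if is_yes(settings, "pasv_enable", default="YES"):
        if low and low < 1024:
            findings.append("pasv_min_port=%d: must not be lower than 1024" % low)
        if high > 65535:
            findings.append("pasv_max_port=%d: must not exceed 65535" % high)
        if low and high and low > high:
            findings.append("pasv_min_port is above pasv_max_port: empty passive range")
        if not (low and high):
            findings.append("passive port range is unbounded; set pasv_min_port "
                            "and pasv_max_port so firewall rules can be written")
        if is_yes(settings, "pasv_promiscuous"):
            findings.append("pasv_promiscuous=YES disables the check that passive "
                            "data connections come from the control connection's address")
    if int(settings.get("max_clients", "0")) == 0:
        findings.append("max_clients=0: number of simultaneous clients is unlimited")
    if int(settings.get("max_per_ip", "0")) == 0:
        findings.append("max_per_ip=0: connections per source address are unlimited")
    return findings

def firewall_ports(settings):
    """Inbound ports this configuration needs: the control port and, when
    the range is bounded, the passive data range as (low, high)."""
    control = int(settings.get("listen_port", "21"))
    low, high = passive_range(settings)
    if is_yes(settings, "pasv_enable", default="YES") and low and high and low <= high:
        return {"control": control, "passive": (low, high)}
    return {"control": control, "passive": None}

# Constructed settings, not from a real server.
TIGHT = {"pasv_min_port": "50000", "pasv_max_port": "50100",
         "max_clients": "50", "max_per_ip": "5"}
LOOSE = {"pasv_min_port": "900", "pasv_promiscuous": "YES"}
```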