1 diff -Nru vsftpd-2.0.6.orig/Makefile vsftpd-2.0.6/Makefile
2 --- vsftpd-2.0.6.orig/Makefile 2008-02-14 11:06:23.000000000 +0100
3 +++ vsftpd-2.0.6/Makefile 2008-02-14 11:06:37.000000000 +0100
4 @@ -3,7 +3,7 @@
5 INSTALL = install
6 IFLAGS = -idirafter dummyinc
7 #CFLAGS = -g
8 -CFLAGS = -O2 -Wall -W -Wshadow #-pedantic -Werror -Wconversion
9 +CFLAGS += -Wall -W -Wshadow #-pedantic -Werror -Wconversion
10
11 LIBS = `./vsf_findlibs.sh`
12 LINK = -Wl,-s
13 @@ -24,21 +24,10 @@
14 $(CC) -o vsftpd $(OBJS) $(LINK) $(LIBS) $(LDFLAGS)
15
16 install:
17 - if [ -x /usr/local/sbin ]; then \
18 - $(INSTALL) -m 755 vsftpd /usr/local/sbin/vsftpd; \
19 - else \
20 - $(INSTALL) -m 755 vsftpd /usr/sbin/vsftpd; fi
21 - if [ -x /usr/local/man ]; then \
22 - $(INSTALL) -m 644 vsftpd.8 /usr/local/man/man8/vsftpd.8; \
23 - $(INSTALL) -m 644 vsftpd.conf.5 /usr/local/man/man5/vsftpd.conf.5; \
24 - elif [ -x /usr/share/man ]; then \
25 - $(INSTALL) -m 644 vsftpd.8 /usr/share/man/man8/vsftpd.8; \
26 - $(INSTALL) -m 644 vsftpd.conf.5 /usr/share/man/man5/vsftpd.conf.5; \
27 - else \
28 - $(INSTALL) -m 644 vsftpd.8 /usr/man/man8/vsftpd.8; \
29 - $(INSTALL) -m 644 vsftpd.conf.5 /usr/man/man5/vsftpd.conf.5; fi
30 - if [ -x /etc/xinetd.d ]; then \
31 - $(INSTALL) -m 644 xinetd.d/vsftpd /etc/xinetd.d/vsftpd; fi
32 + $(INSTALL) -D -m 755 vsftpd $(DESTDIR)/usr/sbin/vsftpd
33 + $(INSTALL) -D -m 644 vsftpd.8 $(DESTDIR)/usr/man/man8/vsftpd.8
34 + $(INSTALL) -D -m 644 vsftpd.conf.5 $(DESTDIR)/usr/man/man5/vsftpd.conf.5
35 + $(INSTALL) -D -m 600 vsftpd.conf $(DESTDIR)/etc/vsftpd.conf
36
37 clean:
38 rm -f *.o *.swp vsftpd
39 diff -Nru vsftpd-2.0.6.orig/builddefs.h vsftpd-2.0.6/builddefs.h
40 --- vsftpd-2.0.6.orig/builddefs.h 2008-02-14 11:06:23.000000000 +0100
41 +++ vsftpd-2.0.6/builddefs.h 2008-02-14 11:06:37.000000000 +0100
42 @@ -1,9 +1,9 @@
43 #ifndef VSF_BUILDDEFS_H
44 #define VSF_BUILDDEFS_H
45
46 -#undef VSF_BUILD_TCPWRAPPERS
47 -#define VSF_BUILD_PAM
48 -#undef VSF_BUILD_SSL
49 +#define VSF_BUILD_TCPWRAPPERS
50 +#undef VSF_BUILD_PAM
51 +#define VSF_BUILD_SSL
52
53 #endif /* VSF_BUILDDEFS_H */
54
55 diff -Nru vsftpd-2.0.6.orig/tunables.c vsftpd-2.0.6/tunables.c
56 --- vsftpd-2.0.6.orig/tunables.c 2008-02-14 11:06:23.000000000 +0100
57 +++ vsftpd-2.0.6/tunables.c 2008-02-14 11:06:37.000000000 +0100
58 @@ -100,7 +100,7 @@
59 /* -rw------- */
60 unsigned int tunable_chown_upload_mode = 0600;
61
62 -const char* tunable_secure_chroot_dir = "/usr/share/empty";
63 +const char* tunable_secure_chroot_dir = "/var/empty";
64 const char* tunable_ftp_username = "ftp";
65 const char* tunable_chown_username = "root";
66 const char* tunable_xferlog_file = "/var/log/xferlog";
67 @@ -125,10 +125,10 @@
68 const char* tunable_deny_file = 0;
69 const char* tunable_user_sub_token = 0;
70 const char* tunable_email_password_file = "/etc/vsftpd.email_passwords";
71 -const char* tunable_rsa_cert_file = "/usr/share/ssl/certs/vsftpd.pem";
72 +const char* tunable_rsa_cert_file = "/etc/ssl/certs/vsftpd.crt";
73 const char* tunable_dsa_cert_file = 0;
74 const char* tunable_ssl_ciphers = "DES-CBC3-SHA";
75 -const char* tunable_rsa_private_key_file = 0;
76 +const char* tunable_rsa_private_key_file = "/etc/ssl/keys/vsftpd.key";
77 const char* tunable_dsa_private_key_file = 0;
78 const char* tunable_ca_certs_file = 0;
79
80 diff -Nru vsftpd-2.0.6.orig/vsftpd.conf vsftpd-2.0.6/vsftpd.conf
81 --- vsftpd-2.0.6.orig/vsftpd.conf 2008-02-14 11:06:23.000000000 +0100
82 +++ vsftpd-2.0.6/vsftpd.conf 2008-02-14 11:06:37.000000000 +0100
83 @@ -8,11 +8,25 @@
84 # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
85 # capabilities.
86 #
87 +#
88 +# Run standalone
89 +listen=YES
90 +background=YES
91 +#
92 +# Use tcp_wrappers library
93 +tcp_wrappers=YES
94 +#
95 +# Enable SSL support
96 +#ssl_enable=YES
97 +#ssl_sslv3=YES
98 +#
99 # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
100 anonymous_enable=YES
101 #
102 # Uncomment this to allow local users to log in.
103 #local_enable=YES
104 +#force_local_logins_ssl=YES
105 +#force_local_data_ssl=YES
106 #
107 # Uncomment this to enable any form of FTP write command.
108 #write_enable=YES
109 diff -Nru vsftpd-2.0.6.orig/vsftpd.conf.5 vsftpd-2.0.6/vsftpd.conf.5
110 --- vsftpd-2.0.6.orig/vsftpd.conf.5 2008-02-14 11:06:23.000000000 +0100
111 +++ vsftpd-2.0.6/vsftpd.conf.5 2008-02-14 11:06:37.000000000 +0100
112 @@ -897,21 +897,21 @@
113 This option specifies the location of the RSA certificate to use for SSL
114 encrypted connections.
115
116 -Default: /usr/share/ssl/certs/vsftpd.pem
117 +Default: /etc/ssl/certs/vsftpd.crt
118 .TP
119 .B rsa_private_key_file
120 This option specifies the location of the RSA private key to use for SSL
121 encrypted connections. If this option is not set, the private key is expected
122 to be in the same file as the certificate.
123
124 -Default: (none)
125 +Default: /etc/ssl/keys/vsftpd.key
126 .TP
127 .B secure_chroot_dir
128 This option should be the name of a directory which is empty. Also, the
129 directory should not be writable by the ftp user. This directory is used
130 as a secure chroot() jail at times vsftpd does not require filesystem access.
131
132 -Default: /usr/share/empty
133 +Default: /var/empty
134 .TP
135 .B ssl_ciphers
136 This option can be used to select which SSL ciphers vsftpd will allow for
137 diff -Nru vsftpd-2.0.6.orig/vsftpd.conf.5~ vsftpd-2.0.6/vsftpd.conf.5~
138 --- vsftpd-2.0.6.orig/vsftpd.conf.5~ 1970-01-01 01:00:00.000000000 +0100
139 +++ vsftpd-2.0.6/vsftpd.conf.5~ 2008-02-12 05:56:32.000000000 +0100
140 @@ -0,0 +1,1000 @@
141 +.TH VSFTPD.CONF 5
142 +.SH NAME
143 +vsftpd.conf \- config file for vsftpd
144 +.SH DESCRIPTION
145 +vsftpd.conf may be used to control various aspects of vsftpd's behaviour. By
146 +default, vsftpd looks for this file at the location
147 +.BR /etc/vsftpd.conf .
148 +However, you may override this by specifying a command line argument to
149 +vsftpd. The command line argument is the pathname of the configuration file
150 +for vsftpd. This behaviour is useful because you may wish to use an advanced
151 +inetd such as
152 +.BR xinetd
153 +to launch vsftpd with different configuration files on a per virtual host
154 +basis.
155 +
156 +.SH FORMAT
157 +The format of vsftpd.conf is very simple. Each line is either a comment or
158 +a directive. Comment lines start with a # and are ignored. A directive line
159 +has the format:
160 +
161 +option=value
162 +
163 +It is important to note that it is an error to put any space between the
164 +option, = and value.
165 +
166 +Each setting has a compiled in default which may be modified in the
167 +configuration file.
168 +
169 +.SH BOOLEAN OPTIONS
170 +Below is a list of boolean options. The value for a boolean option may be set
171 +to
172 +.BR YES
173 +or
174 +.BR NO .
175 +
176 +.TP
177 +.B allow_anon_ssl
178 +Only applies if
179 +.BR ssl_enable
180 +is active. If set to YES, anonymous users will be allowed to use secured SSL
181 +connections.
182 +
183 +Default: NO
184 +.TP
185 +.B anon_mkdir_write_enable
186 +If set to YES, anonymous users will be permitted to create new directories
187 +under certain conditions. For this to work, the option
188 +.BR write_enable
189 +must be activated, and the anonymous ftp user must have write permission on
190 +the parent directory.
191 +
192 +Default: NO
193 +.TP
194 +.B anon_other_write_enable
195 +If set to YES, anonymous users will be permitted to perform write operations
196 +other than upload and create directory, such as deletion and renaming. This
197 +is generally not recommended but included for completeness.
198 +
199 +Default: NO
200 +.TP
201 +.B anon_upload_enable
202 +If set to YES, anonymous users will be permitted to upload files under certain
203 +conditions. For this to work, the option
204 +.BR write_enable
205 +must be activated, and the anonymous ftp user must have write permission on
206 +desired upload locations. This setting is also required for virtual users to
207 +upload; by default, virtual users are treated with anonymous (i.e. maximally
208 +restricted) privilege.
209 +
210 +Default: NO
211 +.TP
212 +.B anon_world_readable_only
213 +When enabled, anonymous users will only be allowed to download files which
214 +are world readable. This is recognising that the ftp user may own files,
215 +especially in the presence of uploads.
216 +
217 +Default: YES
218 +.TP
219 +.B anonymous_enable
220 +Controls whether anonymous logins are permitted or not. If enabled,
221 +both the usernames
222 +.BR ftp
223 +and
224 +.BR anonymous
225 +are recognised as anonymous logins.
226 +
227 +Default: YES
228 +.TP
229 +.B ascii_download_enable
230 +When enabled, ASCII mode data transfers will be honoured on downloads.
231 +
232 +Default: NO
233 +.TP
234 +.B ascii_upload_enable
235 +When enabled, ASCII mode data transfers will be honoured on uploads.
236 +
237 +Default: NO
238 +.TP
239 +.B async_abor_enable
240 +When enabled, a special FTP command known as "async ABOR" will be enabled.
241 +Only ill advised FTP clients will use this feature. Additionally, this feature
242 +is awkward to handle, so it is disabled by default. Unfortunately, some FTP
243 +clients will hang when cancelling a transfer unless this feature is available,
244 +so you may wish to enable it.
245 +
246 +Default: NO
247 +.TP
248 +.B background
249 +When enabled, and vsftpd is started in "listen" mode, vsftpd will background
250 +the listener process. i.e. control will immediately be returned to the shell
251 +which launched vsftpd.
252 +
253 +Default: NO
254 +.TP
255 +.B check_shell
256 +Note! This option only has an effect for non-PAM builds of vsftpd. If disabled,
257 +vsftpd will not check /etc/shells for a valid user shell for local logins.
258 +
259 +Default: YES
260 +.TP
261 +.B chmod_enable
262 +When enables, allows use of the SITE CHMOD command. NOTE! This only applies
263 +to local users. Anonymous users never get to use SITE CHMOD.
264 +
265 +Default: YES
266 +.TP
267 +.B chown_uploads
268 +If enabled, all anonymously uploaded files will have the ownership changed
269 +to the user specified in the setting
270 +.BR chown_username .
271 +This is useful from an administrative, and perhaps security, standpoint.
272 +
273 +Default: NO
274 +.TP
275 +.B chroot_list_enable
276 +If activated, you may provide a list of local users who are placed in a
277 +chroot() jail in their home directory upon login. The meaning is slightly
278 +different if chroot_local_user is set to YES. In this case, the list becomes
279 +a list of users which are NOT to be placed in a chroot() jail.
280 +By default, the file containing this list is
281 +/etc/vsftpd.chroot_list, but you may override this with the
282 +.BR chroot_list_file
283 +setting.
284 +
285 +Default: NO
286 +.TP
287 +.B chroot_local_user
288 +If set to YES, local users will be (by default) placed in a chroot() jail in
289 +their home directory after login.
290 +.BR Warning:
291 +This option has security implications, especially if the users have upload
292 +permission, or shell access. Only enable if you know what you are doing.
293 +Note that these security implications are not vsftpd specific. They apply to
294 +all FTP daemons which offer to put local users in chroot() jails.
295 +
296 +Default: NO
297 +.TP
298 +.B connect_from_port_20
299 +This controls whether PORT style data connections use port 20 (ftp-data) on
300 +the server machine. For security reasons, some clients may insist that this
301 +is the case. Conversely, disabling this option enables vsftpd to run with
302 +slightly less privilege.
303 +
304 +Default: NO (but the sample config file enables it)
305 +.TP
306 +.B debug_ssl
307 +If true, OpenSSL connection diagnostics are dumped to the vsftpd log file.
308 +(Added in v2.0.6).
309 +
310 +Default: NO
311 +.TP
312 +.B deny_email_enable
313 +If activated, you may provide a list of anonymous password e-mail responses
314 +which cause login to be denied. By default, the file containing this list is
315 +/etc/vsftpd.banned_emails, but you may override this with the
316 +.BR banned_email_file
317 +setting.
318 +
319 +Default: NO
320 +.TP
321 +.B dirlist_enable
322 +If set to NO, all directory list commands will give permission denied.
323 +
324 +Default: YES
325 +.TP
326 +.B dirmessage_enable
327 +If enabled, users of the FTP server can be shown messages when they first
328 +enter a new directory. By default, a directory is scanned for the
329 +file .message, but that may be overridden with the configuration setting
330 +.BR message_file .
331 +
332 +Default: NO (but the sample config file enables it)
333 +.TP
334 +.B download_enable
335 +If set to NO, all download requests will give permission denied.
336 +
337 +Default: YES
338 +.TP
339 +.B dual_log_enable
340 +If enabled, two log files are generated in parallel, going by default to
341 +.BR /var/log/xferlog
342 +and
343 +.BR /var/log/vsftpd.log .
344 +The former is a wu-ftpd style transfer log, parseable by standard tools. The
345 +latter is vsftpd's own style log.
346 +
347 +Default: NO
348 +.TP
349 +.B force_dot_files
350 +If activated, files and directories starting with . will be shown in directory
351 +listings even if the "a" flag was not used by the client. This override
352 +excludes the "." and ".." entries.
353 +
354 +Default: NO
355 +.TP
356 +.B force_anon_data_ssl
357 +Only applies if
358 +.BR ssl_enable
359 +is activated. If activated, all anonymous logins are forced to use a secure
360 +SSL connection in order to send and receive data on data connections.
361 +
362 +Default: NO
363 +.TP
364 +.B force_anon_logins_ssl
365 +Only applies if
366 +.BR ssl_enable
367 +is activated. If activated, all anonymous logins are forced to use a secure
368 +SSL connection in order to send the password.
369 +
370 +Default: NO
371 +.TP
372 +.B force_local_data_ssl
373 +Only applies if
374 +.BR ssl_enable
375 +is activated. If activated, all non-anonymous logins are forced to use a secure
376 +SSL connection in order to send and receive data on data connections.
377 +
378 +Default: YES
379 +.TP
380 +.B force_local_logins_ssl
381 +Only applies if
382 +.BR ssl_enable
383 +is activated. If activated, all non-anonymous logins are forced to use a secure
384 +SSL connection in order to send the password.
385 +
386 +Default: YES
387 +.TP
388 +.B guest_enable
389 +If enabled, all non-anonymous logins are classed as "guest" logins. A guest
390 +login is remapped to the user specified in the
391 +.BR guest_username
392 +setting.
393 +
394 +Default: NO
395 +.TP
396 +.B hide_ids
397 +If enabled, all user and group information in directory listings will be
398 +displayed as "ftp".
399 +
400 +Default: NO
401 +.TP
402 +.B listen
403 +If enabled, vsftpd will run in standalone mode. This means that vsftpd must
404 +not be run from an inetd of some kind. Instead, the vsftpd executable is
405 +run once directly. vsftpd itself will then take care of listening for and
406 +handling incoming connections.
407 +
408 +Default: NO
409 +.TP
410 +.B listen_ipv6
411 +Like the listen parameter, except vsftpd will listen on an IPv6 socket instead
412 +of an IPv4 one. This parameter and the listen parameter are mutually
413 +exclusive.
414 +
415 +Default: NO
416 +.TP
417 +.B local_enable
418 +Controls whether local logins are permitted or not. If enabled, normal
419 +user accounts in /etc/passwd (or wherever your PAM config references) may be
420 +used to log in. This must be enable for any non-anonymous login to work,
421 +including virtual users.
422 +
423 +Default: NO
424 +.TP
425 +.B lock_upload_files
426 +When enabled, all uploads proceed with a write lock on the upload file. All
427 +downloads proceed with a shared read lock on the download file. WARNING!
428 +Before enabling this, be aware that malicious readers could starve a writer
429 +wanting to e.g. append a file.
430 +
431 +Default: YES
432 +.TP
433 +.B log_ftp_protocol
434 +When enabled, all FTP requests and responses are logged, providing the option
435 +xferlog_std_format is not enabled. Useful for debugging.
436 +
437 +Default: NO
438 +.TP
439 +.B ls_recurse_enable
440 +When enabled, this setting will allow the use of "ls -R". This is a minor
441 +security risk, because a ls -R at the top level of a large site may consume
442 +a lot of resources.
443 +
444 +Default: NO
445 +.TP
446 +.B mdtm_write
447 +When enabled, this setting will allow MDTM to set file modification times
448 +(subject to the usual access checks).
449 +
450 +Default: YES
451 +.TP
452 +.B no_anon_password
453 +When enabled, this prevents vsftpd from asking for an anonymous password -
454 +the anonymous user will log straight in.
455 +
456 +Default: NO
457 +.TP
458 +.B no_log_lock
459 +When enabled, this prevents vsftpd from taking a file lock when writing to log
460 +files. This option should generally not be enabled. It exists to workaround
461 +operating system bugs such as the Solaris / Veritas filesystem combination
462 +which has been observed to sometimes exhibit hangs trying to lock log files.
463 +
464 +Default: NO
465 +.TP
466 +.B one_process_model
467 +If you have a Linux 2.4 kernel, it is possible to use a different security
468 +model which only uses one process per connection. It is a less pure security
469 +model, but gains you performance. You really don't want to enable this unless
470 +you know what you are doing, and your site supports huge numbers of
471 +simultaneously connected users.
472 +
473 +Default: NO
474 +.TP
475 +.B passwd_chroot_enable
476 +If enabled, along with
477 +.BR chroot_local_user
478 +, then a chroot() jail location may be specified on a per-user basis. Each
479 +user's jail is derived from their home directory string in /etc/passwd. The
480 +occurrence of /./ in the home directory string denotes that the jail is at that
481 +particular location in the path.
482 +
483 +Default: NO
484 +.TP
485 +.B pasv_addr_resolve
486 +Set to YES if you want to use a hostname (as opposed to IP address) in the
487 +.BR pasv_address
488 +option.
489 +
490 +Default: NO
491 +.TP
492 +.B pasv_enable
493 +Set to NO if you want to disallow the PASV method of obtaining a data
494 +connection.
495 +
496 +Default: YES
497 +.TP
498 +.B pasv_promiscuous
499 +Set to YES if you want to disable the PASV security check that ensures the
500 +data connection originates from the same IP address as the control connection.
501 +Only enable if you know what you are doing! The only legitimate use for this
502 +is in some form of secure tunnelling scheme, or perhaps to facilitate FXP
503 +support.
504 +
505 +Default: NO
506 +.TP
507 +.B port_enable
508 +Set to NO if you want to disallow the PORT method of obtaining a data
509 +connection.
510 +
511 +Default: YES
512 +.TP
513 +.B port_promiscuous
514 +Set to YES if you want to disable the PORT security check that ensures that
515 +outgoing data connections can only connect to the client. Only enable if
516 +you know what you are doing!
517 +
518 +Default: NO
519 +.TP
520 +.B require_cert
521 +If set to yes, all SSL client connections are required to present a client
522 +certificate. The degree of validation applied to this certificate is
523 +controlled by
524 +.BR validate_cert
525 +(Added in v2.0.6).
526 +
527 +Default: NO
528 +.TP
529 +.B run_as_launching_user
530 +Set to YES if you want vsftpd to run as the user which launched vsftpd. This is
531 +useful where root access is not available. MASSIVE WARNING! Do NOT enable this
532 +option unless you totally know what you are doing, as naive use of this option
533 +can create massive security problems. Specifically, vsftpd does not / cannot
534 +use chroot technology to restrict file access when this option is set (even if
535 +launched by root). A poor substitute could be to use a
536 +.BR deny_file
537 +setting such as {/*,*..*}, but the reliability of this cannot compare to
538 +chroot, and should not be relied on.
539 +If using this option, many restrictions on other options
540 +apply. For example, options requiring privilege such as non-anonymous logins,
541 +upload ownership changing, connecting from port 20 and listen ports less than
542 +1024 are not expected to work. Other options may be impacted.
543 +
544 +Default: NO
545 +.TP
546 +.B secure_email_list_enable
547 +Set to YES if you want only a specified list of e-mail passwords for anonymous
548 +logins to be accepted. This is useful as a low-hassle way of restricting
549 +access to low-security content without needing virtual users. When enabled,
550 +anonymous logins are prevented unless the password provided is listed in the
551 +file specified by the
552 +.BR email_password_file
553 +setting. The file format is one password per line, no extra whitespace. The
554 +default filename is /etc/vsftpd.email_passwords.
555 +
556 +Default: NO
557 +.TP
558 +.B session_support
559 +This controls whether vsftpd attempts to maintain sessions for logins. If
560 +vsftpd is maintaining sessions, it will try and update utmp and wtmp. It
561 +will also open a pam_session if using PAM to authenticate, and only close
562 +this upon logout. You may wish to disable this if you do not need session
563 +logging, and you wish to give vsftpd more opportunity to run with less
564 +processes and / or less privilege. NOTE - utmp and wtmp support is only
565 +provided with PAM enabled builds.
566 +
567 +Default: NO
568 +.TP
569 +.B setproctitle_enable
570 +If enabled, vsftpd will try and show session status information in the system
571 +process listing. In other words, the reported name of the process will change
572 +to reflect what a vsftpd session is doing (idle, downloading etc). You
573 +probably want to leave this off for security purposes.
574 +
575 +Default: NO
576 +.TP
577 +.B ssl_enable
578 +If enabled, and vsftpd was compiled against OpenSSL, vsftpd will support secure
579 +connections via SSL. This applies to the control connection (including login)
580 +and also data connections. You'll need a client with SSL support too. NOTE!!
581 +Beware enabling this option. Only enable it if you need it. vsftpd can make no
582 +guarantees about the security of the OpenSSL libraries. By enabling this
583 +option, you are declaring that you trust the security of your installed
584 +OpenSSL library.
585 +
586 +Default: NO
587 +.TP
588 +.B ssl_sslv2
589 +Only applies if
590 +.BR ssl_enable
591 +is activated. If enabled, this option will permit SSL v2 protocol connections.
592 +TLS v1 connections are preferred.
593 +
594 +Default: NO
595 +.TP
596 +.B ssl_sslv3
597 +Only applies if
598 +.BR ssl_enable
599 +is activated. If enabled, this option will permit SSL v3 protocol connections.
600 +TLS v1 connections are preferred.
601 +
602 +Default: NO
603 +.TP
604 +.B ssl_tlsv1
605 +Only applies if
606 +.BR ssl_enable
607 +is activated. If enabled, this option will permit TLS v1 protocol connections.
608 +TLS v1 connections are preferred.
609 +
610 +Default: YES
611 +.TP
612 +.B syslog_enable
613 +If enabled, then any log output which would have gone to /var/log/vsftpd.log
614 +goes to the system log instead. Logging is done under the FTPD facility.
615 +
616 +Default: NO
617 +.TP
618 +.B tcp_wrappers
619 +If enabled, and vsftpd was compiled with tcp_wrappers support, incoming
620 +connections will be fed through tcp_wrappers access control. Furthermore,
621 +there is a mechanism for per-IP based configuration. If tcp_wrappers sets
622 +the VSFTPD_LOAD_CONF environment variable, then the vsftpd session will try
623 +and load the vsftpd configuration file specified in this variable.
624 +
625 +Default: NO
626 +.TP
627 +.B text_userdb_names
628 +By default, numeric IDs are shown in the user and group fields of directory
629 +listings. You can get textual names by enabling this parameter. It is off
630 +by default for performance reasons.
631 +
632 +Default: NO
633 +.TP
634 +.B tilde_user_enable
635 +If enabled, vsftpd will try and resolve pathnames such as ~chris/pics, i.e. a
636 +tilde followed by a username. Note that vsftpd will always resolve the
637 +pathnames ~ and ~/something (in this case the ~ resolves to the initial
638 +login directory). Note that ~user paths will only resolve if the file
639 +.BR /etc/passwd
640 +may be found within the _current_ chroot() jail.
641 +
642 +Default: NO
643 +.TP
644 +.B use_localtime
645 +If enabled, vsftpd will display directory listings with the time in your
646 +local time zone. The default is to display GMT. The times returned by the
647 +MDTM FTP command are also affected by this option.
648 +
649 +Default: NO
650 +.TP
651 +.B use_sendfile
652 +An internal setting used for testing the relative benefit of using the
653 +sendfile() system call on your platform.
654 +
655 +Default: YES
656 +.TP
657 +.B userlist_deny
658 +This option is examined if
659 +.B userlist_enable
660 +is activated. If you set this setting to NO, then users will be denied login
661 +unless they are explicitly listed in the file specified by
662 +.BR userlist_file .
663 +When login is denied, the denial is issued before the user is asked for a
664 +password.
665 +
666 +Default: YES
667 +.TP
668 +.B userlist_enable
669 +If enabled, vsftpd will load a list of usernames, from the filename given by
670 +.BR userlist_file .
671 +If a user tries to log in using a name in this file, they will be denied
672 +before they are asked for a password. This may be useful in preventing
673 +cleartext passwords being transmitted. See also
674 +.BR userlist_deny .
675 +
676 +Default: NO
677 +.TP
678 +.B validate_cert
679 +If set to yes, all SSL client certificates received must validate OK.
680 +Self-signed certs do not constitute OK validation. (New in v2.0.6).
681 +
682 +Default: NO
683 +.TP
684 +.B virtual_use_local_privs
685 +If enabled, virtual users will use the same privileges as local users. By
686 +default, virtual users will use the same privileges as anonymous users, which
687 +tends to be more restrictive (especially in terms of write access).
688 +
689 +Default: NO
690 +.TP
691 +.B write_enable
692 +This controls whether any FTP commands which change the filesystem are allowed
693 +or not. These commands are: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE.
694 +
695 +Default: NO
696 +.TP
697 +.B xferlog_enable
698 +If enabled, a log file will be maintained detailling uploads and downloads.
699 +By default, this file will be placed at /var/log/vsftpd.log, but this location
700 +may be overridden using the configuration setting
701 +.BR vsftpd_log_file .
702 +
703 +Default: NO (but the sample config file enables it)
704 +.TP
705 +.B xferlog_std_format
706 +If enabled, the transfer log file will be written in standard xferlog format,
707 +as used by wu-ftpd. This is useful because you can reuse existing transfer
708 +statistics generators. The default format is more readable, however. The
709 +default location for this style of log file is /var/log/xferlog, but you may
710 +change it with the setting
711 +.BR xferlog_file .
712 +
713 +Default: NO
714 +
715 +.SH NUMERIC OPTIONS
716 +Below is a list of numeric options. A numeric option must be set to a non
717 +negative integer. Octal numbers are supported, for convenience of the umask
718 +options. To specify an octal number, use 0 as the first digit of the number.
719 +
720 +.TP
721 +.B accept_timeout
722 +The timeout, in seconds, for a remote client to establish connection with
723 +a PASV style data connection.
724 +
725 +Default: 60
726 +.TP
727 +.B anon_max_rate
728 +The maximum data transfer rate permitted, in bytes per second, for anonymous
729 +clients.
730 +
731 +Default: 0 (unlimited)
732 +.TP
733 +.B anon_umask
734 +The value that the umask for file creation is set to for anonymous users. NOTE! If you want to specify octal values, remember the "0" prefix otherwise the
735 +value will be treated as a base 10 integer!
736 +
737 +Default: 077
738 +.TP
739 +.B chown_upload_mode
740 +The file mode to force for chown()ed anonymous uploads. (Added in v2.0.6).
741 +
742 +Default: 0600
743 +.TP
744 +.B connect_timeout
745 +The timeout, in seconds, for a remote client to respond to our PORT style
746 +data connection.
747 +
748 +Default: 60
749 +.TP
750 +.B data_connection_timeout
751 +The timeout, in seconds, which is roughly the maximum time we permit data
752 +transfers to stall for with no progress. If the timeout triggers, the remote
753 +client is kicked off.
754 +
755 +Default: 300
756 +.TP
757 +.B delay_failed_login
758 +The number of seconds to pause prior to reporting a failed login.
759 +
760 +Default: 1
761 +.TP
762 +.B delay_successful_login
763 +The number of seconds to pause prior to allowing a successful login.
764 +
765 +Default: 0
766 +.TP
767 +.B file_open_mode
768 +The permissions with which uploaded files are created. Umasks are applied
769 +on top of this value. You may wish to change to 0777 if you want uploaded
770 +files to be executable.
771 +
772 +Default: 0666
773 +.TP
774 +.B ftp_data_port
775 +The port from which PORT style connections originate (as long as the poorly
776 +named
777 +.BR connect_from_port_20
778 +is enabled).
779 +
780 +Default: 20
781 +.TP
782 +.B idle_session_timeout
783 +The timeout, in seconds, which is the maximum time a remote client may spend
784 +between FTP commands. If the timeout triggers, the remote client is kicked
785 +off.
786 +
787 +Default: 300
788 +.TP
789 +.B listen_port
790 +If vsftpd is in standalone mode, this is the port it will listen on for
791 +incoming FTP connections.
792 +
793 +Default: 21
794 +.TP
795 +.B local_max_rate
796 +The maximum data transfer rate permitted, in bytes per second, for local
797 +authenticated users.
798 +
799 +Default: 0 (unlimited)
800 +.TP
801 +.B local_umask
802 +The value that the umask for file creation is set to for local users. NOTE! If
803 +you want to specify octal values, remember the "0" prefix otherwise the value
804 +will be treated as a base 10 integer!
805 +
806 +Default: 077
807 +.TP
808 +.B max_clients
809 +If vsftpd is in standalone mode, this is the maximum number of clients which
810 +may be connected. Any additional clients connecting will get an error message.
811 +
812 +Default: 0 (unlimited)
813 +.TP
814 +.B max_login_fails
815 +After this many login failures, the session is killed.
816 +
817 +Default: 3
818 +.TP
819 +.B max_per_ip
820 +If vsftpd is in standalone mode, this is the maximum number of clients which
821 +may be connected from the same source internet address. A client will get an
822 +error message if they go over this limit.
823 +
824 +Default: 0 (unlimited)
825 +.TP
826 +.B pasv_max_port
827 +The maximum port to allocate for PASV style data connections. Can be used to
828 +specify a narrow port range to assist firewalling.
829 +
830 +Default: 0 (use any port)
831 +.TP
832 +.B pasv_min_port
833 +The minimum port to allocate for PASV style data connections. Can be used to
834 +specify a narrow port range to assist firewalling.
835 +
836 +Default: 0 (use any port)
837 +.TP
838 +.B trans_chunk_size
839 +You probably don't want to change this, but try setting it to something like
840 +8192 for a much smoother bandwidth limiter.
841 +
842 +Default: 0 (let vsftpd pick a sensible setting)
843 +
844 +.SH STRING OPTIONS
845 +Below is a list of string options.
846 +
847 +.TP
848 +.B anon_root
849 +This option represents a directory which vsftpd will try to change into
850 +after an anonymous login. Failure is silently ignored.
851 +
852 +Default: (none)
853 +.TP
854 +.B banned_email_file
855 +This option is the name of a file containing a list of anonymous e-mail
856 +passwords which are not permitted. This file is consulted if the option
857 +.BR deny_email_enable
858 +is enabled.
859 +
860 +Default: /etc/vsftpd.banned_emails
861 +.TP
862 +.B banner_file
863 +This option is the name of a file containing text to display when someone
864 +connects to the server. If set, it overrides the banner string provided by
865 +the
866 +.BR ftpd_banner
867 +option.
868 +
869 +Default: (none)
870 +.TP
871 +.B ca_certs_file
872 +This option is the name of a file to load Certificate Authority certs from, for
873 +the purpose of validating client certs. Regrettably, the default SSL CA cert
874 +paths are not used, because of vsftpd's use of restricted filesystem spaces
875 +(chroot). (Added in v2.0.6).
876 +
877 +Default: (none)
878 +.TP
879 +.B chown_username
880 +This is the name of the user who is given ownership of anonymously uploaded
881 +files. This option is only relevant if another option,
882 +.BR chown_uploads ,
883 +is set.
884 +
885 +Default: root
886 +.TP
887 +.B chroot_list_file
888 +The option is the name of a file containing a list of local users which
889 +will be placed in a chroot() jail in their home directory. This option is
890 +only relevant if the option
891 +.BR chroot_list_enable
892 +is enabled. If the option
893 +.BR chroot_local_user
894 +is enabled, then the list file becomes a list of users to NOT place in a
895 +chroot() jail.
896 +
897 +Default: /etc/vsftpd.chroot_list
898 +.TP
899 +.B cmds_allowed
900 +This options specifies a comma separated list of allowed FTP commands (post
901 +login. USER, PASS and QUIT are always allowed pre-login). Other
902 +commands are rejected. This is a powerful method of really locking down an
903 +FTP server. Example: cmds_allowed=PASV,RETR,QUIT
904 +
905 +Default: (none)
906 +.TP
907 +.B deny_file
908 +This option can be used to set a pattern for filenames (and directory names
909 +etc.) which should not be accessible in any way. The affected items are not
910 +hidden, but any attempt to do anything to them (download, change into
911 +directory, affect something within directory etc.) will be denied. This option
912 +is very simple, and should not be used for serious access control - the
913 +filesystem's permissions should be used in preference. However, this option
914 +may be useful in certain virtual user setups. In particular aware that if
915 +a filename is accessible by a variety of names (perhaps due to symbolic
916 +links or hard links), then care must be taken to deny access to all the names.
917 +Access will be denied to items if their name contains the string given by
918 +hide_file, or if they match the regular expression specified by hide_file.
919 +Note that vsftpd's regular expression matching code is a simple implementation
920 +which is a subset of full regular expression functionality. Because of this,
921 +you will need to carefully and exhaustively test any application of this
922 +option. And you are recommended to use filesystem permissions for any
923 +important security policies due to their greater reliability. Supported
924 +regex syntax is any number of *, ? and unnested {,} operators. Regex
925 +matching is only supported on the last component of a path, e.g. a/b/? is
926 +supported but a/?/c is not.
927 +Example: deny_file={*.mp3,*.mov,.private}
928 +
929 +Default: (none)
930 +.TP
931 +.B dsa_cert_file
932 +This option specifies the location of the DSA certificate to use for SSL
933 +encrypted connections.
934 +
935 +Default: (none - an RSA certificate suffices)
936 +.TP
937 +.B dsa_private_key_file
938 +This option specifies the location of the DSA private key to use for SSL
939 +encrypted connections. If this option is not set, the private key is expected
940 +to be in the same file as the certificate.
941 +
942 +Default: (none)
943 +.TP
944 +.B email_password_file
945 +This option can be used to provide an alternate file for usage by the
946 +.BR secure_email_list_enable
947 +setting.
948 +
949 +Default: /etc/vsftpd.email_passwords
950 +.TP
951 +.B ftp_username
952 +This is the name of the user we use for handling anonymous FTP. The home
953 +directory of this user is the root of the anonymous FTP area.
954 +
955 +Default: ftp
956 +.TP
957 +.B ftpd_banner
958 +This string option allows you to override the greeting banner displayed
959 +by vsftpd when a connection first comes in.
960 +
961 +Default: (none - default vsftpd banner is displayed)
962 +.TP
963 +.B guest_username
964 +See the boolean setting
965 +.BR guest_enable
966 +for a description of what constitutes a guest login. This setting is the
967 +real username which guest users are mapped to.
968 +
969 +Default: ftp
970 +.TP
971 +.B hide_file
972 +This option can be used to set a pattern for filenames (and directory names
973 +etc.) which should be hidden from directory listings. Despite being hidden,
974 +the files / directories etc. are fully accessible to clients who know what
975 +names to actually use. Items will be hidden if their names contain the string
976 +given by hide_file, or if they match the regular expression specified by
977 +hide_file. Note that vsftpd's regular expression matching code is a simple
978 +implementation which is a subset of full regular expression functionality.
979 +See
980 +.BR deny_file
981 +for details of exactly what regex syntax is supported.
982 +Example: hide_file={*.mp3,.hidden,hide*,h?}
983 +
984 +Default: (none)
985 +.TP
986 +.B listen_address
987 +If vsftpd is in standalone mode, the default listen address (of all local
988 +interfaces) may be overridden by this setting. Provide a numeric IP address.
989 +
990 +Default: (none)
991 +.TP
992 +.B listen_address6
993 +Like listen_address, but specifies a default listen address for the IPv6
994 +listener (which is used if listen_ipv6 is set). Format is standard IPv6
995 +address format.
996 +
997 +Default: (none)
998 +.TP
999 +.B local_root
1000 +This option represents a directory which vsftpd will try to change into
1001 +after a local (i.e. non-anonymous) login. Failure is silently ignored.
1002 +
1003 +Default: (none)
1004 +.TP
1005 +.B message_file
1006 +This option is the name of the file we look for when a new directory is
1007 +entered. The contents are displayed to the remote user. This option is
1008 +only relevant if the option
1009 +.BR dirmessage_enable
1010 +is enabled.
1011 +
1012 +Default: .message
1013 +.TP
1014 +.B nopriv_user
1015 +This is the name of the user that is used by vsftpd when it wants to be
1016 +totally unprivileged. Note that this should be a dedicated user, rather
1017 +than nobody. The user nobody tends to be used for rather a lot of important
1018 +things on most machines.
1019 +
1020 +Default: nobody
1021 +.TP
1022 +.B pam_service_name
1023 +This string is the name of the PAM service vsftpd will use.
1024 +
1025 +Default: ftp
1026 +.TP
1027 +.B pasv_address
1028 +Use this option to override the IP address that vsftpd will advertise in
1029 +response to the PASV command. Provide a numeric IP address, unless
1030 +.BR pasv_addr_resolve
1031 +is enabled, in which case you can provide a hostname which will be DNS
1032 +resolved for you at startup.
1033 +
1034 +Default: (none - the address is taken from the incoming connected socket)
1035 +.TP
1036 +.B rsa_cert_file
1037 +This option specifies the location of the RSA certificate to use for SSL
1038 +encrypted connections.
1039 +
1040 +Default: /usr/share/ssl/certs/vsftpd.pem
1041 +.TP
1042 +.B rsa_private_key_file
1043 +This option specifies the location of the RSA private key to use for SSL
1044 +encrypted connections. If this option is not set, the private key is expected
1045 +to be in the same file as the certificate.
1046 +
1047 +Default: (none)
1048 +.TP
1049 +.B secure_chroot_dir
1050 +This option should be the name of a directory which is empty. Also, the
1051 +directory should not be writable by the ftp user. This directory is used
1052 +as a secure chroot() jail at times vsftpd does not require filesystem access.
1053 +
1054 +Default: /usr/share/empty
1055 +.TP
1056 +.B ssl_ciphers
1057 +This option can be used to select which SSL ciphers vsftpd will allow for
1058 +encrpyted SSL connections. See the
1059 +.BR ciphers
1060 +man page for further details. Note that restricting ciphers can be a useful
1061 +security precaution as it prevents malicious remote parties forcing a cipher
1062 +which they have found problems with.
1063 +
1064 +Default: DES-CBC3-SHA
1065 +.TP
1066 +.B user_config_dir
1067 +This powerful option allows the override of any config option specified in
1068 +the manual page, on a per-user basis. Usage is simple, and is best illustrated
1069 +with an example. If you set
1070 +.BR user_config_dir
1071 +to be
1072 +.BR /etc/vsftpd_user_conf
1073 +and then log on as the user "chris", then vsftpd will apply the settings in
1074 +the file
1075 +.BR /etc/vsftpd_user_conf/chris
1076 +for the duration of the session. The format of this file is as detailed in
1077 +this manual page! PLEASE NOTE that not all settings are effective on a
1078 +per-user basis. For example, many settings only prior to the user's session
1079 +being started. Examples of settings which will not affect any behviour on
1080 +a per-user basis include listen_address, banner_file, max_per_ip, max_clients,
1081 +xferlog_file, etc.
1082 +
1083 +Default: (none)
1084 +.TP
1085 +.B user_sub_token
1086 +This option is useful is conjunction with virtual users. It is used to
1087 +automatically generate a home directory for each virtual user, based on a
1088 +template. For example, if the home directory of the real user specified via
1089 +.BR guest_username
1090 +is
1091 +.BR /home/virtual/$USER ,
1092 +and
1093 +.BR user_sub_token
1094 +is set to
1095 +.BR $USER ,
1096 +then when virtual user fred logs in, he will end up (usually chroot()'ed) in
1097 +the directory
1098 +.BR /home/virtual/fred .
1099 +This option also takes affect if
1100 +.BR local_root
1101 +contains
1102 +.BR user_sub_token .
1103 +
1104 +Default: (none)
1105 +.TP
1106 +.B userlist_file
1107 +This option is the name of the file loaded when the
1108 +.BR userlist_enable
1109 +option is active.
1110 +
1111 +Default: /etc/vsftpd.user_list
1112 +.TP
1113 +.B vsftpd_log_file
1114 +This option is the name of the file to which we write the vsftpd style
1115 +log file. This log is only written if the option
1116 +.BR xferlog_enable
1117 +is set, and
1118 +.BR xferlog_std_format
1119 +is NOT set. Alternatively, it is written if you have set the option
1120 +.BR dual_log_enable .
1121 +One further complication - if you have set
1122 +.BR syslog_enable ,
1123 +then this file is not written and output is sent to the system log instead.
1124 +
1125 +Default: /var/log/vsftpd.log
1126 +.TP
1127 +.B xferlog_file
1128 +This option is the name of the file to which we write the wu-ftpd style
1129 +transfer log. The transfer log is only written if the option
1130 +.BR xferlog_enable
1131 +is set, along with
1132 +.BR xferlog_std_format .
1133 +Alternatively, it is written if you have set the option
1134 +.BR dual_log_enable .
1135 +
1136 +Default: /var/log/xferlog
1137 +
1138 +.SH AUTHOR
1139 +scarybeasts@gmail.com
1140 +
|
