
15.2.5. vsftpd Configuration Options

Although vsftpd may not offer the level of customization other widely available FTP servers have, it offers enough options to fill most administrators' needs. The fact that it is not overly feature-laden limits configuration and programmatic errors.
All configuration of vsftpd is handled by its configuration file, /etc/vsftpd/vsftpd.conf. Each directive is on its own line within the file and has the following format:
directive=value
For each directive, replace directive with a valid directive and value with a valid value.

Do not use spaces

There must not be any spaces between the directive, equal symbol, and the value in a directive.
Comment lines must be preceded by a hash sign (#) and are ignored by the daemon.
For a complete list of all directives available, refer to the man page for vsftpd.conf.

Securing the vsftpd service

For an overview of ways to secure vsftpd, refer to the Fedora Security Guide.
The following is a list of some of the more important directives within /etc/vsftpd/vsftpd.conf. Any directive that is absent from, or commented out in, vsftpd's configuration file takes its default value.

15.2.5.1. Daemon Options

The following is a list of directives which control the overall behavior of the vsftpd daemon.
  • listen — When enabled, vsftpd runs in stand-alone mode. Fedora sets this value to YES. This directive cannot be used in conjunction with the listen_ipv6 directive.
    The default value is NO.
  • listen_ipv6 — When enabled, vsftpd runs in stand-alone mode, but listens only on IPv6 sockets. This directive cannot be used in conjunction with the listen directive.
    The default value is NO.
  • session_support — When enabled, vsftpd attempts to maintain login sessions for each user through Pluggable Authentication Modules (PAM). For more information, refer to the Using Pluggable Authentication Modules (PAM) chapter of the Red Hat Enterprise Linux 6 Managing Single Sign-On and Smart Cards guide and the PAM man pages. If session logging is not necessary, disabling this option allows vsftpd to run with fewer processes and lower privileges.
    The default value is YES.

15.2.5.2. Log In Options and Access Controls

The following is a list of directives which control the login behavior and access control mechanisms.
  • anonymous_enable — When enabled, anonymous users are allowed to log in. The usernames anonymous and ftp are accepted.
    The default value is YES.
    Refer to "Anonymous User Options" (15.2.5.3) for a list of directives affecting anonymous users.
  • banned_email_file — If the deny_email_enable directive is set to YES, this directive specifies the file containing a list of anonymous email passwords which are not permitted access to the server.
    The default value is /etc/vsftpd/banned_emails.
  • banner_file — Specifies the file containing text displayed when a connection is established to the server. This option overrides any text specified in the ftpd_banner directive.
    There is no default value for this directive.
  • cmds_allowed — Specifies a comma-delimited list of FTP commands allowed by the server. All other commands are rejected.
    There is no default value for this directive.
  • deny_email_enable — When enabled, any anonymous user who supplies an email password listed in /etc/vsftpd/banned_emails is denied access to the server. The name of the file referenced by this directive can be specified using the banned_email_file directive.
    The default value is NO.
  • ftpd_banner — When set, the string specified within this directive is displayed when a connection is established to the server. This option can be overridden by the banner_file directive.
    vsftpd displays its standard banner by default.
  • local_enable — When enabled, local users are allowed to log into the system.
    The default value is YES.
    Refer to "Local User Options" (15.2.5.4) for a list of directives affecting local users.
  • pam_service_name — Specifies the PAM service name for vsftpd.
    The default value is ftp. Note that under Fedora, the value is set to vsftpd.
  • The default value is NO. Note that under Fedora, the value is set to YES.
  • userlist_deny — When used in conjunction with the userlist_enable directive and set to NO, all local users are denied access unless the username is listed in the file specified by the userlist_file directive. Because access is denied before the client is asked for a password, setting this directive to NO prevents local users from submitting unencrypted passwords over the network.
    The default value is YES.
  • userlist_enable — When enabled, the users listed in the file specified by the userlist_file directive are denied access. Because access is denied before the client is asked for a password, users are prevented from submitting unencrypted passwords over the network.
    The default value is NO, however under Fedora the value is set to YES.
  • userlist_file — Specifies the file referenced by vsftpd when the userlist_enable directive is enabled.
    The default value is /etc/vsftpd/user_list and is created during installation.

15.2.5.3. Anonymous User Options

The following lists directives which control anonymous user access to the server. To use these options, the anonymous_enable directive must be set to YES.
  • anon_mkdir_write_enable — When enabled in conjunction with the write_enable directive, anonymous users are allowed to create new directories within a parent directory which has write permissions.
    The default value is NO.
  • anon_root — Specifies the directory vsftpd changes to after an anonymous user logs in.
    There is no default value for this directive.
  • anon_upload_enable — When enabled in conjunction with the write_enable directive, anonymous users are allowed to upload files within a parent directory which has write permissions.
    The default value is NO.
  • anon_world_readable_only — When enabled, anonymous users are only allowed to download world-readable files.
    The default value is YES.
  • ftp_username — Specifies the local user account (listed in /etc/passwd) used for the anonymous FTP user. The home directory specified in /etc/passwd for the user is the root directory of the anonymous FTP user.
    The default value is ftp.
  • no_anon_password — When enabled, the anonymous user is not asked for a password.
    The default value is NO.
  • secure_email_list_enable — When enabled, only a specified list of email passwords for anonymous logins are accepted. This is a convenient way to offer limited security to public content without the need for virtual users.
    Anonymous logins are prevented unless the password provided is listed in /etc/vsftpd/email_passwords. The file format is one password per line, with no trailing white space.
    The default value is NO.

15.2.5.4. Local User Options

The following lists directives which characterize the way local users access the server. To use these options, the local_enable directive must be set to YES.
  • chmod_enable — When enabled, the FTP command SITE CHMOD is allowed for local users. This command allows users to change the permissions on files.
    The default value is YES.
  • chroot_list_enable — When enabled, the local users listed in the file specified in the chroot_list_file directive are placed in a chroot jail upon login.
    If enabled in conjunction with the chroot_local_user directive, the local users listed in the file specified in the chroot_list_file directive are not placed in a chroot jail upon login.
    The default value is NO.
  • chroot_list_file — Specifies the file containing a list of local users referenced when the chroot_list_enable directive is set to YES.
    The default value is /etc/vsftpd/chroot_list.
  • chroot_local_user — When enabled, local users are change-rooted to their home directories after logging in.
    The default value is NO.

    Avoid enabling the chroot_local_user option

    Enabling chroot_local_user opens up a number of security issues, especially for users with upload privileges. For this reason, it is not recommended.
  • guest_enable — When enabled, all non-anonymous users are logged in as the user guest, which is the local user specified in the guest_username directive.
    The default value is NO.
  • guest_username — Specifies the username the guest user is mapped to.
    The default value is ftp.
  • local_root — Specifies the directory vsftpd changes to after a local user logs in.
    There is no default value for this directive.
  • local_umask — Specifies the umask value for file creation. Note that the value is read as octal only when it carries a leading "0", as the default 022 does; without that prefix the value is treated as a base-10 integer.
    The default value is 022.
  • passwd_chroot_enable — When enabled in conjunction with the chroot_local_user directive, vsftpd change-roots local users based on the occurrence of /./ in the home directory field within /etc/passwd.
    The default value is NO.
  • user_config_dir — Specifies the path to a directory containing configuration files, each bearing the name of a local system user, that contain specific settings for that user. Any directive in the user's configuration file overrides those found in /etc/vsftpd/vsftpd.conf.
    There is no default value for this directive.

15.2.5.5. Directory Options

The following lists directives which affect directories.
  • dirlist_enable — When enabled, users are allowed to view directory listings.
    The default value is YES.
  • dirmessage_enable — When enabled, a message is displayed whenever a user enters a directory with a message file. This message resides within the current directory. The name of this file is specified in the message_file directive and is .message by default.
    The default value is NO. Note that under Fedora, the value is set to YES.
  • force_dot_files — When enabled, files beginning with a dot (.) are listed in directory listings, with the exception of the . and .. entries.
    The default value is NO.
  • hide_ids — When enabled, all directory listings show ftp as the user and group for each file.
    The default value is NO.
  • message_file — Specifies the name of the message file when using the dirmessage_enable directive.
    The default value is .message.
  • text_userdb_names — When enabled, text usernames and group names are used in place of UID and GID entries. Enabling this option may slow the performance of the server.
    The default value is NO.
  • use_localtime — When enabled, directory listings show the local time of the server instead of GMT.
    The default value is NO.

15.2.5.6. File Transfer Options

The following lists directives which affect file transfers.
  • download_enable — When enabled, file downloads are permitted.
    The default value is YES.
  • chown_uploads — When enabled, all files uploaded by anonymous users are owned by the user specified in the chown_username directive.
    The default value is NO.
  • chown_username — Specifies the ownership of anonymously uploaded files if the chown_uploads directive is enabled.
    The default value is root.
  • write_enable — When enabled, FTP commands which can change the file system are allowed, such as DELE, RNFR, and STOR.
    The default value is YES.

15.2.5.7. Logging Options

The following lists directives which affect vsftpd's logging behavior.
  • dual_log_enable — When enabled in conjunction with xferlog_enable, vsftpd writes two files simultaneously: a wu-ftpd-compatible log to the file specified in the xferlog_file directive (/var/log/xferlog by default) and a standard vsftpd log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log by default).
    The default value is NO.
  • log_ftp_protocol — When enabled in conjunction with xferlog_enable and with xferlog_std_format set to NO, all FTP commands and responses are logged. This directive is useful for debugging.
    The default value is NO.
  • syslog_enable — When enabled in conjunction with xferlog_enable, all logging normally written to the standard vsftpd log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log by default) is sent to the system logger instead, under the FTPD facility.
    The default value is NO.
  • vsftpd_log_file — Specifies the vsftpd log file. For this file to be used, xferlog_enable must be enabled and xferlog_std_format must either be set to NO or, if xferlog_std_format is set to YES, dual_log_enable must be enabled. It is important to note that if syslog_enable is set to YES, the system log is used instead of the file specified in this directive.
    The default value is /var/log/vsftpd.log.
  • xferlog_enable — When enabled, vsftpd logs connections (vsftpd format only) and file transfer information to the log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log by default). If xferlog_std_format is set to YES, file transfer information is logged but connections are not, and the log file specified in xferlog_file (/var/log/xferlog by default) is used instead. It is important to note that both log files and log formats are used if dual_log_enable is set to YES.
    The default value is NO. Note that under Fedora, the value is set to YES.
  • xferlog_file — Specifies the wu-ftpd-compatible log file. For this file to be used, xferlog_enable must be enabled and xferlog_std_format must be set to YES. It is also used if dual_log_enable is set to YES.
    The default value is /var/log/xferlog.
  • xferlog_std_format — When enabled in conjunction with xferlog_enable, only a wu-ftpd-compatible file transfer log is written to the file specified in the xferlog_file directive (/var/log/xferlog by default). It is important to note that this file only logs file transfers and does not log connections to the server.
    The default value is NO. Note that under Fedora, the value is set to YES.

Maintaining compatibility with older log file formats

To maintain compatibility with log files written by the older wu-ftpd FTP server, the xferlog_std_format directive is set to YES under Fedora. However, this setting means that connections to the server are not logged.
To both log connections in vsftpd format and maintain a wu-ftpd-compatible file transfer log, set dual_log_enable to YES.
If maintaining a wu-ftpd-compatible file transfer log is not important, either set xferlog_std_format to NO, comment the line with a hash sign (#), or delete the line entirely.
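As an added example (not code from vsftpd, wu-ftpd or the Fedora documentation), the following Python parses records in the wu-ftpd-compatible format that xferlog_std_format=YES produces and pulls out the anonymous uploads and incomplete transfers an operator would review first. The field layout assumed is that of xferlog(5): five timestamp tokens, transfer time, remote host, file size, file name, transfer type, special-action flag, direction, access mode, username, service name, authentication method, authenticated user id and completion status. The log lines are constructed for illustration; the file name is recovered from the middle of the record so that names containing spaces do not shift the fixed trailing fields.

```python
"""Parse wu-ftpd-compatible xferlog records (what vsftpd writes with
xferlog_std_format=YES) and pick out transfers worth reviewing.

Added example for this page, not code from vsftpd, wu-ftpd or Fedora.
Field layout assumed from xferlog(5); sample records are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample records, not from a real server.
SAMPLE_XFERLOG = """\
Thu Sep 14 12:23:21 2023 1 192.0.2.10 12345 /pub/README b _ o a anon@example.com ftp 0 * c
Thu Sep 14 12:25:02 2023 3 198.51.100.7 204800 /incoming/tool.tar.gz b _ i a mozilla@ ftp 0 * c
Thu Sep 14 12:30:55 2023 0 203.0.113.5 512 /home/alice/notes.txt a _ o r alice ftp 0 * i
Thu Sep 14 12:31:10 2023 2 198.51.100.7 4096 /incoming/my notes.txt b _ i a mozilla@ ftp 0 * c
"""

# Fixed fields that follow the file name in every record.
_TRAILING_FIELDS = 9


@dataclass
class Transfer:
    timestamp: str
    seconds: int
    remote_host: str
    size: int
    path: str
    transfer_type: str   # a = ASCII, b = binary
    direction: str       # o = outgoing (download), i = incoming (upload), d = deleted
    access_mode: str     # a = anonymous, g = guest, r = real (local) user
    username: str        # for anonymous logins this is the email password given
    completed: bool      # completion status c = complete, i = incomplete


def parse_xferlog_line(line: str) -> Transfer:
    """Split one record. The five timestamp tokens and three fields before the
    file name, and the nine fields after it, are fixed, so the file name is
    whatever lies between them, even if it contains spaces."""
    tokens = line.split()
    if len(tokens) < 8 + 1 + _TRAILING_FIELDS:
        raise ValueError(f"short xferlog record: {line!r}")
    timestamp = " ".join(tokens[0:5])
    seconds, remote_host, size = tokens[5], tokens[6], tokens[7]
    path = " ".join(tokens[8:-_TRAILING_FIELDS])
    (transfer_type, _special, direction, access_mode, username,
     _service, _auth_method, _auth_uid, status) = tokens[-_TRAILING_FIELDS:]
    if (direction not in {"o", "i", "d"} or access_mode not in {"a", "g", "r"}
            or status not in {"c", "i"}):
        raise ValueError(f"malformed xferlog record: {line!r}")
    return Transfer(timestamp, int(seconds), remote_host, int(size), path,
                    transfer_type, direction, access_mode, username,
                    status == "c")


def parse_xferlog(text: str) -> list[Transfer]:
    return [parse_xferlog_line(ln) for ln in text.splitlines() if ln.strip()]


def anonymous_uploads(transfers: list[Transfer]) -> list[Transfer]:
    """Incoming transfers by anonymous logins: the first thing to review on a
    server that allows anon_upload_enable."""
    return [t for t in transfers if t.direction == "i" and t.access_mode == "a"]


def bytes_by_host(transfers: list[Transfer]) -> dict[str, int]:
    """Total bytes moved per client address, both directions."""
    totals: dict[str, int] = {}
    for t in transfers:
        totals[t.remote_host] = totals.get(t.remote_host, 0) + t.size
    return totals


if __name__ == "__main__":
    transfers = parse_xferlog(SAMPLE_XFERLOG)
    for t in anonymous_uploads(transfers):
        print(f"{t.timestamp} anonymous upload from {t.remote_host}: "
              f"{t.path} ({t.size} bytes, password {t.username!r})")
    for t in transfers:
        if not t.completed:
            print(f"{t.timestamp} incomplete transfer of {t.path} by {t.username}")
    print(bytes_by_host(transfers))
```

Because the standard format records file transfers only, a login that never transferred anything leaves no trace in this file; as the note above says, enable dual_log_enable (or syslog_enable) if connections need to be logged as well.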

15.2.5.8. Network Options

The following lists directives which affect how vsftpd interacts with the network.
  • accept_timeout — Specifies the amount of time, in seconds, a client using passive mode has to establish the data connection.
    The default value is 60.
  • anon_max_rate — Specifies the maximum data transfer rate for anonymous users in bytes per second.
    The default value is 0, which does not limit the transfer rate.
  • connect_from_port_20 — When enabled, vsftpd runs with enough privileges to open port 20 on the server during active mode data transfers. Disabling this option allows vsftpd to run with fewer privileges, but may be incompatible with some FTP clients.
    The default value is NO. Note that under Fedora, the value is set to YES.
  • connect_timeout — Specifies the maximum amount of time a client using active mode has to respond to a data connection, in seconds.
    The default value is 60.
  • data_connection_timeout — Specifies the maximum amount of time data transfers are allowed to stall, in seconds. Once triggered, the connection to the remote client is closed.
    The default value is 300.
  • ftp_data_port — Specifies the port used for active data connections when connect_from_port_20 is set to YES.
    The default value is 20.
  • idle_session_timeout — Specifies the maximum amount of time, in seconds, between commands from a remote client. Once triggered, the connection to the remote client is closed.
    The default value is 300.
  • listen_address — Specifies the IP address on which vsftpd listens for network connections.
    There is no default value for this directive.

    Running multiple copies of vsftpd

    If running multiple copies of vsftpd serving different IP addresses, the configuration file for each copy of the vsftpd daemon must have a different value for this directive. Refer to "Starting Multiple Copies of vsftpd" for more information about multihomed FTP servers.
  • listen_address6 — Specifies the IPv6 address on which vsftpd listens for network connections when listen_ipv6 is set to YES.
    There is no default value for this directive.

    Running multiple copies of vsftpd

    If running multiple copies of vsftpd serving different IP addresses, the configuration file for each copy of the vsftpd daemon must have a different value for this directive. Refer to "Starting Multiple Copies of vsftpd" for more information about multihomed FTP servers.
  • listen_port — Specifies the port on which vsftpd listens for network connections.
    The default value is 21.
  • local_max_rate — Specifies the maximum data transfer rate for local users logged into the server in bytes per second.
    The default value is 0, which does not limit the transfer rate.
  • max_clients — Specifies the maximum number of simultaneous clients allowed to connect to the server when it is running in standalone mode. Any additional client connection results in an error message.
    The default value is 0, which does not limit connections.
  • max_per_ip — Specifies the maximum number of clients allowed to connect from the same source IP address.
    The default value is 0, which does not limit connections.
  • pasv_address — Specifies the public-facing IP address of the server, for servers behind Network Address Translation (NAT) firewalls. This enables vsftpd to hand out the correct return address for passive mode connections.
    There is no default value for this directive.
  • pasv_enable — When enabled, passive mode connections are allowed.
    The default value is YES.
  • pasv_max_port — Specifies the highest possible port sent to FTP clients for passive mode connections. This setting is used to limit the port range so that firewall rules are easier to create.
    The default value is 0, which does not limit the highest passive port. The value must not exceed 65535.
  • pasv_min_port — Specifies the lowest possible port sent to FTP clients for passive mode connections. This setting is used to limit the port range so that firewall rules are easier to create.
    The default value is 0, which does not limit the lowest passive port. The value must not be lower than 1024.
  • pasv_promiscuous — When enabled, data connections are not checked to make sure they originate from the same IP address as the control connection. This setting is only useful for certain types of tunneling.

    Avoid enabling the pasv_promiscuous option

    Do not enable this option unless absolutely necessary, as it disables an important security feature which verifies that passive mode data connections originate from the same IP address as the control connection that initiates the transfer.
    The default value is NO.
  • port_enable — When enabled, active mode connections are allowed.
    The default value is YES.
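The following Python, added here and not part of vsftpd or the Fedora documentation, ties the directive=value rules from the start of this section to the directives described in the login, anonymous user, local user, file transfer and network option sections. It parses a vsftpd.conf strictly (a line with spaces around the equal sign, or without one, is rejected; "#" lines are ignored), fills in the upstream defaults this page lists for the directives it inspects, and reports the combinations the page warns about, including the local_umask base-10 trap. The sample configuration is constructed, and the findings are this reviewer's wording, not diagnostics vsftpd itself produces.

```python
"""Strict parser and review checks for /etc/vsftpd/vsftpd.conf.

Added example for this page, not code from vsftpd or the Fedora project.
Defaults are the upstream defaults listed on this page for the directives
inspected; the sample configuration is constructed.
"""
from __future__ import annotations

# Upstream defaults from this page. A directive absent from the file takes its default.
DEFAULTS = {
    "listen": "NO",
    "listen_ipv6": "NO",
    "anonymous_enable": "YES",
    "local_enable": "YES",
    "write_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "chroot_local_user": "NO",
    "chown_uploads": "NO",
    "chown_username": "root",
    "local_umask": "022",
    "pasv_promiscuous": "NO",
    "userlist_enable": "NO",
    "userlist_deny": "YES",
}

SAMPLE_CONF = """\
# Constructed sample, not the file Fedora ships
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
write_enable=YES
chroot_local_user=YES
chown_uploads=YES
local_umask=22
pasv_promiscuous=YES
"""


def parse_vsftpd_conf(text: str) -> dict[str, str]:
    """Return {directive: value}. Blank lines and '#' comment lines are ignored;
    every other line must be exactly directive=value with no spaces."""
    conf: dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: missing '=' in {line!r}")
        directive, value = line.split("=", 1)
        if not directive or directive != directive.strip() or value != value.strip():
            raise ValueError(f"line {lineno}: spaces are not allowed around '=' in {line!r}")
        conf[directive] = value  # a repeated directive keeps the last value read
    return conf


def effective(conf: dict[str, str], directive: str) -> str:
    return conf.get(directive, DEFAULTS[directive])


def is_on(conf: dict[str, str], directive: str) -> bool:
    return effective(conf, directive).upper() == "YES"


def umask_value(raw: str) -> int:
    """local_umask is octal only with a leading 0; otherwise it is base 10."""
    return int(raw, 8) if raw.startswith("0") else int(raw, 10)


def review(conf: dict[str, str]) -> list[str]:
    """Findings a reviewer would raise from the directives alone."""
    findings: list[str] = []
    if is_on(conf, "listen") and is_on(conf, "listen_ipv6"):
        findings.append("listen and listen_ipv6 are both YES; they cannot be combined")
    if is_on(conf, "anonymous_enable") and is_on(conf, "write_enable"):
        if is_on(conf, "anon_upload_enable"):
            findings.append("anonymous users can upload files (anon_upload_enable with write_enable)")
        if is_on(conf, "anon_mkdir_write_enable"):
            findings.append("anonymous users can create directories (anon_mkdir_write_enable with write_enable)")
    if is_on(conf, "chown_uploads") and effective(conf, "chown_username") == "root":
        findings.append("chown_uploads=YES with chown_username=root (the default); use a dedicated unprivileged account")
    if is_on(conf, "chroot_local_user"):
        findings.append("chroot_local_user=YES is advised against, especially for users with upload rights")
    if is_on(conf, "pasv_promiscuous"):
        findings.append("pasv_promiscuous=YES drops the check that data connections come from the control connection's address")
    raw = effective(conf, "local_umask")
    if not raw.startswith("0"):
        findings.append(f"local_umask={raw} has no leading 0 and is read as decimal {int(raw)}, i.e. octal {umask_value(raw):03o}")
    if is_on(conf, "userlist_enable") and is_on(conf, "userlist_deny"):
        findings.append("userlist_file is a denylist (userlist_deny=YES); set userlist_deny=NO to make it an allowlist")
    return findings


if __name__ == "__main__":
    for finding in review(parse_vsftpd_conf(SAMPLE_CONF)):
        print("-", finding)
```

Run against the sample it reports five findings; against a file that only sets anonymous_enable=NO and local_umask=022 it reports none. Extend DEFAULTS with the upstream default of any further directive before adding a check for it, otherwise effective() has nothing to fall back on.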