From 0ea5c7fdb4be3d2f5cc45253dcafd29856fd9e33 Mon Sep 17 00:00:00 2001 From: Jan Chaloupka Date: Mon, 29 Sep 2014 21:35:56 +0200 Subject: [PATCH] vsftpd.5 isolate_* options --- vsftpd/man5/vsftpd.conf.5 | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/vsftpd/man5/vsftpd.conf.5 b/vsftpd/man5/vsftpd.conf.5 index 08aaf81..3aed7fc 100644 --- a/vsftpd/man5/vsftpd.conf.5 +++ b/vsftpd/man5/vsftpd.conf.5 @@ -644,6 +644,21 @@ change it with the setting .BR xferlog_file . Default: NO +.TP +.B isolate_network +If enabled, use CLONE_NEWNET to isolate the untrusted processes so that +they can't do arbitrary connect() and instead have to ask the privileged +process for sockets ( +.BR port_promiscuous +have to be disabled). + +Default: YES +.TP +.B isolate +If enabled, use CLONE_NEWPID and CLONE_NEWIPC to isolate processes to their +ipc and pid namespaces. So separated processes can not interact with each other. + +Default: YES .SH NUMERIC OPTIONS Below is a list of numeric options. A numeric option must be set to a non @@ -741,8 +756,9 @@ Default: 077 .B max_clients If vsftpd is in standalone mode, this is the maximum number of clients which may be connected. Any additional clients connecting will get an error message. +The value 0 switches off the limit. -Default: 0 (unlimited) +Default: 2000 .TP .B max_login_fails After this many login failures, the session is killed. @@ -752,9 +768,9 @@ Default: 3 .B max_per_ip If vsftpd is in standalone mode, this is the maximum number of clients which may be connected from the same source internet address. A client will get an -error message if they go over this limit. +error message if they go over this limit. The value 0 switches off the limit. -Default: 0 (unlimited) +Default: 50 .TP .B pasv_max_port The maximum port to allocate for PASV style data connections. Can be used to -- 1.9.3