mod_ctrls
What Controls Are
ProFTPD version 1.2.10rc1 introduced a new capability: Controls. Controls
are a way to communicate directly with a standalone proftpd
daemon
while it is running. This provides administrators a way to alter the
daemon's behavior in real time, without having to restart the daemon and
have it re-read its configuration. Changing log levels, kicking connected
clients, disabling individual virtual servers, etc. are all possible.
The Controls functionality includes an API that third-party modules can
use to add new control actions.
The functionality involves a client and a server communicating over a Unix
domain socket, using a simple text-based protocol. A new program,
ftpdctl
, is distributed with ProFTPD; ftpdctl
is a
Controls client. The server side of the Controls functionality is the
mod_ctrls
module, which is compiled into a proftpd
daemon when
the --enable-ctrls configure option is used. Note, however, that
the Controls functionality only works for proftpd
daemons
whose ServerType
is standalone
; proftpd
daemons run via inetd/xinetd cannot support Controls and the
ftpdctl
program.
Configuring mod_ctrls
Here's an example configuration for mod_ctrls
:
<IfModule mod_ctrls.c> ControlsEngine on ControlsACLs all allow group ftpadm ControlsMaxClients 2 ControlsLog /var/log/proftpd/controls.log ControlsInterval 5 ControlsSocket /tmp/ctrls.sock ControlsSocketOwner ftpd ftpd ControlsSocketACL allow group ftpadm </IfModule>The first configuration directive you will want to use is the
ControlsEngine
directive, which enables the processing of
Controls requests by the engine within the mod_ctrls
engine.
When first configuring mod_ctrls
and its modules, you will
probably want to configure a ControlsLog
. The
mod_ctrls
modules will log any errors they have to this
file (unless the module has its own module-specific log), as well as all
control requests made using ftpdctl
. Like most
proftpd
log files, the directive should use the full
path to the log file, and the file cannot be in a world-writeable directory.
The ControlsInterval
directive configures how often
mod_ctrls
checks for connecting clients such as
ftpdctl
. Often when using ftpdctl
, the system
administrator may notice a long pause before ftpdct
responds.
This delay is probably caused by the configured ControlsInterval
.
A related directive is ControlsMaxClients
, which sets how
many clients are handled at one time. If more than the configured maximum
number of clients are attempting to send control requests,
mod_ctrls
will wait to handle the remaining clients until its
next check.
The ControlsSocket
directive is used to configure the path
to the Unix domain socket on which mod_ctrls
should listen.
This path should be in a place where ftpdctl
users have
access to it, and should have read and write permissions. The
ControlsSocketOwner
directive explicitly configures the
ownership the created Unix domain socket file should have. This means
that the configuration above:
ControlsSocket /tmp/ctrls.sock ControlsSocketOwner ftpd ftpdoverrides the default location of the Unix domain socket, and tells
mod_ctrls
to use /tmp/ctrls.sock
, and to make
the socket owned by user ftpd
and group ftpd
.
The default ownership of the socket is user root
, group
root
.
Controls Access Control Lists
Communicating with the daemon process allows for some great features, but
it also allows the potential to easily abuse the system. Thus, by default,
all users including user root
are denied access to all
ftpdctl
actions. Access for control actions must be
explicitly granted. Also, be aware that the users and groups configured
in these ACLs are system users and groups, not the virtual users
and groups that proftpd
may have been configured to use.
The group will be only the primary group of the user; supplemental group
memberships are currently ignored.
The mod_ctrls
first checks whether the connecting client has
been granted the ability to use the Unix domain socket itself. This access
list is controlled by the ControlsSocketACL
directive. By
default, every Controls client can use the socket. Thus, in the example
configuration above:
ControlsSocketACL allow group ftpadmonly the system group
ftpadm
would be allowed to send Controls
requests to the Unix domain socket; all other users and groups will be
denied.
Next, ACLs on the specific control action requested by the connecting
client will be check. Most modules that use the Controls API will have their
own module-specific directives for setting ACLs on the specific actions
implemented by that module. For mod_ctrls
, the
ControlsACLs
configuration directive is used. In the
example configuration we see:
ControlsACLs all allow group ftpadmwhich allows only the system group
ftpadm
to use all of the
control actions provided by mod_ctrls
. If one wanted to
allow all users to use all of the control actions, it would be:
ControlsACLs allow user *However, if one wanted to specify separate ACLs for separate actions, then the
ControlsACLs
directive would be used multiple times, like
so:
ControlsACLs insctrl allow group wheel ControlsACLs lsctrl allow user * ControlsACLs rmctrl deny group ftp
Why is there such complexity for a simple client/server interaction? The
primary answer is that the running proftpd
daemon has a lot of
privileges, and access to the running daemon should be strictly controlled.
Allow few people to have access via control actions; those few should be able
to use only the control actions necessary.
What Controls Do
The mod_ctrls
module provides basic control actions,
or commands that ftpdctl
can send to the daemon:
help
insctrl
lsctrl
rmctrl
Denied Actions Versus Disabled Actions
What is the difference between an action that has been denied via an ACL
versus an action that has been disabled using the rmctrl
action?
A disabled action cannot be used by any client, regardless of any ACLs that
have been configured for that action. Thus if a system administrator
deemed that a particular control action should not be used by anyone, that
action can be disabled. The rmctrl
action can disable any
action implemented by any module using the Controls API, not just actions
provided by mod_ctrls
. Once disabled, a given action can be
re-enabled using the insctrl
action. The insctrl
and rmctrl
actions, in addition to lsctrl
, cannot
themselves be disabled. For example, to disable an action called
foo
:
# ftpdctl rmctrl foo ftpdctl: 'foo' control disabled # ftpdctl lsctrl ftpdctl: help (mod_ctrls.c) ftpdctl: insctrl (mod_ctrls.c) ftpdctl: lsctrl (mod_ctrls.c) ftpdctl: rmctrl (mod_ctrls.c)Note that the
foo
action is not listed by lsctrl
.
Now, reenable that action:
# ftpdctl insctrl foo ftpdctl: 'foo' control enabled # ftpdctl lsctrl ftpdctl: foo (mod_foo.c) ftpdctl: help (mod_ctrls.c) ftpdctl: insctrl (mod_ctrls.c) ftpdctl: lsctrl (mod_ctrls.c) ftpdctl: permit (mod_ban.c) ftpdctl: rmctrl (mod_ctrls.c)And now the
foo
action, provided by the module
mod_foo.c
, appears in the lsctrl
listing.
The following shows an example of attempting to disable the lsctrl
action. It demonstrates the use of the -v
command-line
option for ftpdctl
, for showing a verbose interaction with
mod_ctrls
:
# ftpdctl -v lsctrl ftpdctl: adding "lsctrl" to reqargv ftpdctl: contacting server ftpdctl: sending control request ftpdctl: receiving control response ftpdctl: debug (mod_ctrls_admin.c) ... # ftpdctl rmctrl lsctrl # ftpdctl -v lsctrl ftpdctl: adding "lsctrl" to reqargv ftpdctl: contacting server ftpdctl: sending control request ftpdctl: receiving control response ftpdctl: access deniedThe "access denied" message happens because of the special status of the
lsctrl
action which keeps it from being disablable.
Admin Controls
The mod_ctrls
module, by itself, is rather unexciting. Other
modules, such as mod_ctrls_admin
, provide more interesting
and useful control actions:
debug
dump
kick
restart
shutdown
start
status
stop
proftpd
daemon; see the mod_ctrls_admin
documentation for more information.
A basic mod_ctrls_admin
configuration is:
<IfModule mod_ctrls_admin.c> AdminControlsACLs all allow user * </IfModule>will allows anyone to use any
mod_ctrls_admin
control action.
Here is another configuration, encompassing both mod_ctrls
and mod_ctrls_admin
:
<IfModule mod_ctrls.c> ControlsEngine on ControlsACLs all allow group ftpadm ControlsMaxClients 2 ControlsLog /var/log/proftpd/controls.log ControlsInterval 5 ControlsSocketACL allow group ftpadm ControlsSocket /tmp/ctrls.sock ControlsSocketOwner ftpd ftpd <IfModule mod_ctrls_admin.c> AdminControlsACLs all allow user dave,bob,lisa </IfModule> </IfModule>In this configuration, users
dave
, bob
, and
lisa
are allowed to use all of the control actions supplied
by mod_ctrls_admin
. However, unless these users are members
of group ftpadm
, access will be denied. Only group
ftpadm
has been allowed access to the mod_ctrls
socket itself by the ControlsSocketACL
directive.
What about configuring an ACL for a given control that includes both users and groups? Use:
AdminControlsACLs restart allow user dave,lisa AdminControlsACLs restart allow group ftpadmWhat if user
dave
is not a member of group ftpadm
?
If configured, both user and group ACLs must deny the client.
If either allows access, the client can use that control action.