ProFTPD module mod_rlimit
The mod_rlimit module handles setting and enforcement of
resource limits such as CPU, memory, and file descriptor usage.
By default, the mod_rlimit module will impose one resource
restriction on new session processes: the RLIMIT_NPROC limit (see
getrlimit(2)), which controls the number of processes
which can be forked from this process, is set to zero. There is absolutely
no reason for a proftpd session process to need to create a new
process via fork(2).
This module is contained in the mod_rlimit.c file for
ProFTPD 1.3.x, and is compiled by default. See the
installation section for more details.
The most current version of mod_rlimit can be found in the
ProFTPD source distribution:
http://www.proftpd.org/
Directives
Syntax: RLimitChroot on|off
Default: RLimitChroot on
Context: server config, <VirtualHost> , <Global>
Module: mod_rlimit
Compatibility: 1.3.5rc5
The RLimitChroot directive is used to enable/disable checks
for modifications to "sensitive" directories when a session is chrooted. These
checks are designed to mitigate and guard against attacks such as the
"Roaring Beast" attack; see:
When a session is chrooted, e.g. via the DefaultRoot
directive or by <Anonymous> login, the checks
for the "sensitive" directories are automatically enabled. To disable these
checks, use:
RLimitChroot off
Note: We strongly recommend that you do not disable
these checks.
The checks in question will specifically prevent any attempts to upload
files into the /etc and /lib directories, or
attempts to delete, create, rename, link, or otherwise try to change anything
in these directories. All attempts to make modifications will be rejected
with "Permission denied" errors. In addition, the following message will
be logged (at debug level 2):
WARNING: attempt to use sensitive path '/etc/file' within chroot '/home/user', rejecting
The RLimitChroot directive is not intended to prevent
"Roaring Beast" style attacks entirely; the guarded /etc and
/lib directories might be created via other means, outside of
ProFTPD, which would also allow for the attack. The RLimitChroot
directive is meant to mitigate (not prevent) the attacks by
making sure it cannot be done using just ProFTPD.
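The kind of check described above, as an added example (not ProFTPD's own code): a path seen inside the chroot is normalised and rejected if it is /etc or /lib or lies beneath them. The function names are hypothetical, the normalisation is purely lexical (symlinks are not resolved), and the inputs in main() are constructed, the first two being the MKD arguments from the FAQ below.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: lexically normalise `path` as seen inside the chroot
 * (relative paths resolve against `cwd`). Symlinks are NOT resolved. */
static bool normalise(const char *cwd, const char *path, char *out, size_t len) {
    char buf[1024];
    int n = (path[0] == '/') ? snprintf(buf, sizeof buf, "%s", path)
                             : snprintf(buf, sizeof buf, "%s/%s", cwd, path);
    if (n < 0 || (size_t)n >= sizeof buf) return false;
    size_t used = 0;                    /* bytes written to out so far */
    for (char *seg = strtok(buf, "/"); seg; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {   /* drop last component, never above "/" */
            while (used > 0 && out[--used] != '/') {}
            continue;
        }
        size_t sl = strlen(seg);
        if (used + sl + 2 > len) return false;  /* '/' + segment + NUL */
        out[used++] = '/';
        memcpy(out + used, seg, sl);
        used += sl;
    }
    if (used == 0) out[used++] = '/';
    out[used] = '\0';
    return true;
}

/* True if the path is /etc or /lib, or anything beneath them. */
bool is_sensitive(const char *cwd, const char *path) {
    static const char *guarded[] = { "/etc", "/lib" };
    char norm[1024];
    if (!normalise(cwd, path, norm, sizeof norm)) return true;  /* fail closed */
    for (size_t i = 0; i < sizeof guarded / sizeof guarded[0]; i++) {
        size_t gl = strlen(guarded[i]);
        /* compare on a component boundary: "/library" is not "/lib" */
        if (strncmp(norm, guarded[i], gl) == 0 && (norm[gl] == '\0' || norm[gl] == '/'))
            return true;
    }
    return false;
}

int main(void) {
    const char *args[] = { "lib", "/lib", "/etc/file", "/library", "../etc/x" };
    for (size_t i = 0; i < 5; i++)
        printf("%-10s -> %s\n", args[i], is_sensitive("/", args[i]) ? "reject" : "allow");
    return 0;
}
```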
Syntax: RLimitCPU [scope] soft-limit|"max" [hard-limit|"max"]
Default: System defaults
Context: server config, <VirtualHost> , <Global>
Module: mod_rlimit
Compatibility: 1.3.5rc2
The RLimitCPU directive is used to set a limit on the CPU usage,
expressed as a maximum number of seconds.
RLimitCPU takes from one to three parameters. The first parameter
is an optional scope parameter, indicating the scope of the resource
limit. The scope parameter may be one of:
- "daemon" (applies the resource limit only to the daemon process)
- "session" (which applies the limit only to session processes handling each client)
- "none" (which disables any possibly inherited limits)
If none of these keywords are used, the resource limit is assumed to apply to
both daemon and session processes.
The next parameters indicate the actual resource limits, both the so-called
"soft limit" and any "hard limit". These parameters may be a number
(indicating the number of seconds), or the value "max" to indicate that
the maximum resource limit value allowed is to be used.
Example:
# Limit a given session to 30 minutes of CPU time (which can take
# considerably longer than 30 minutes of wall time, due to CPU scheduling)
RLimitCPU 1800
Syntax: RLimitMemory [scope] soft-limit|"max" [hard-limit|"max"]
Default: System defaults
Context: server config, <VirtualHost> , <Global>
Module: mod_rlimit
Compatibility: 1.3.5rc2
The RLimitMemory directive is used to set a limit on the
memory usage, expressed as a maximum number of bytes.
RLimitMemory takes from one to three parameters. The first
parameter is an optional scope parameter, indicating the scope of the
resource limit. The scope parameter may be one of:
- "daemon" (applies the resource limit only to the daemon process)
- "session" (which applies the limit only to session processes handling each client)
- "none" (which disables any possibly inherited limits)
If none of these keywords are used, the resource limit is assumed to apply to
both daemon and session processes.
The next parameters indicate the actual resource limits, both the so-called
"soft limit" and any "hard limit". These parameters may be a number
(indicating the number of bytes), or the value "max" to indicate that
the maximum resource limit value allowed is to be used.
Example:
# Limit a given session to 128MB of memory
RLimitMemory 128MB
Note: If you use RLimitMemory , e.g.:
<IfModule mod_rlimit.c>
RLimitMemory session 64M
</IfModule>
and you use mod_tls
for FTPS transfers:
<IfModule mod_tls.c>
...
</IfModule>
then your transfers are likely to fail. Why? Because OpenSSL will need to
allocate memory for the TLS support, in addition to the memory that ProFTPD
already allocates for data transfers. Depending on the specific ciphersuites
negotiated, and the specific memory limit configured, you are very likely to
hit the RLimitMemory limit. In short, your
RLimitMemory might be too low, and not allowing ProFTPD and
OpenSSL enough memory for the transfer.
Syntax: RLimitOpenFiles [scope] soft-limit|"max" [hard-limit|"max"]
Default: System defaults
Context: server config, <VirtualHost> , <Global>
Module: mod_rlimit
Compatibility: 1.3.5rc2
The RLimitOpenFiles directive is used to set a limit on the
file descriptors, expressed as counts.
RLimitOpenFiles takes from one to three parameters. The first
parameter is an optional scope parameter, indicating the scope of the
resource limit. The scope parameter may be one of:
- "daemon" (applies the resource limit only to the daemon process)
- "session" (which applies the limit only to session processes handling each client)
- "none" (which disables any possibly inherited limits)
If none of these keywords are used, the resource limit is assumed to apply to
both daemon and session processes.
The next parameters indicate the actual resource limits, both the so-called
"soft limit" and any "hard limit". These parameters may be a number, or the
value "max" to indicate that the maximum resource limit value allowed is to be
used.
Example:
# Limit a given session to 12 open file descriptors
RLimitOpenFiles session 12
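What a soft limit of 12 open files means at the system-call level, as an added example (not code from ProFTPD), assuming the directive is applied through setrlimit(2) with RLIMIT_NOFILE. The function name is hypothetical; it lowers only the soft limit, shows that open() is then refused with EMFILE once descriptor numbers 0 through 11 are exhausted, and restores the previous limit.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

/* Set the soft RLIMIT_NOFILE to `soft` (hard limit untouched), open
 * /dev/null until open() is refused, then restore the old limit.
 * Returns the highest descriptor obtained (-1 if none could be opened),
 * or -2 if the limit could not be changed or open() did not end with
 * EMFILE (which includes `soft` values too large for the 64-entry probe). */
int highest_fd_with_soft_limit(rlim_t soft) {
    struct rlimit old, lim;
    int fds[64], n = 0, highest = -1, err = 0;

    if (getrlimit(RLIMIT_NOFILE, &old) != 0) return -2;
    if (soft > old.rlim_max) return -2;   /* soft may never exceed hard */
    lim = old;
    lim.rlim_cur = soft;                  /* the value enforced by the kernel */
    if (setrlimit(RLIMIT_NOFILE, &lim) != 0) return -2;

    while (n < 64) {
        int fd = open("/dev/null", O_RDONLY);
        if (fd < 0) { err = errno; break; }
        fds[n++] = fd;
        if (fd > highest) highest = fd;
    }
    while (n > 0) close(fds[--n]);

    /* Going back up to the old soft value needs no privilege because the
     * hard limit was never lowered. */
    if (setrlimit(RLIMIT_NOFILE, &old) != 0) return -2;
    return err == EMFILE ? highest : -2;
}

int main(void) {
    /* 12 mirrors the "RLimitOpenFiles session 12" example above. */
    int hi = highest_fd_with_soft_limit(12);
    printf("highest descriptor before EMFILE: %d\n", hi);
    return hi == -2;
}
```

The limit counts descriptor numbers, so descriptors the process already holds (stdin, stdout, stderr, sockets) come out of the same budget of 12.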
The mod_rlimit module is compiled into proftpd by
default.
FAQ
Frequently Asked Questions
Question: Why can't I create directories named "lib"
or "etc" in the root directory? For example, my FTP client fails like so:
Command: MKD lib
Response: 550 lib: Permission denied
Command: MKD /lib
Response: 550 /lib: Permission denied
Although I don't have anything in my proftpd.conf that would block
these commands, and the filesystem permissions are OK. Why does this
happen?
Answer: For the answer to this, see the description for
the RLimitChroot directive.
© Copyright 2013-2017 The ProFTPD Project
All Rights Reserved