mod_rlimit
The mod_rlimit module handles setting and enforcement of resource limits such as CPU, memory, and file descriptor usage.
By default, the mod_rlimit module will impose one resource restriction on new session processes: the RLIMIT_NPROC limit (see getrlimit(2)), which controls the number of processes which can be forked from this process, is set to zero. There is absolutely no reason for a proftpd session process to need to create a new process via fork(2).
This module is contained in the mod_rlimit.c file for ProFTPD 1.3.x, and is compiled by default. See the installation section for more details.
The most current version of mod_rlimit can be found in the ProFTPD source distribution:
http://www.proftpd.org/
<VirtualHost>
<Global>
The RLimitChroot directive is used to enable/disable checks for modifications to "sensitive" directories when a session is chrooted. These checks are designed to mitigate and guard against attacks such as the "Roaring Beast" attack; see:
When a session is chrooted, e.g. via the DefaultRoot directive or by <Anonymous> login, the checks for the "sensitive" directories are automatically enabled. To disable these checks, use:
RLimitChroot off
The checks in question will specifically prevent any attempts to upload files into the /etc and /lib directories, or attempts to delete, create, rename, link, or otherwise try to change anything in these directories. All attempts to make modifications will be rejected with "Permission denied" errors. In addition, the following message will be logged (at debug level 2):
WARNING: attempt to use sensitive path '/etc/file' within chroot '/home/user', rejecting
The RLimitChroot directive is not intended to prevent "Roaring Beast" style attacks entirely; the guarded /etc and /lib directories might be created via other means, outside of ProFTPD, which would also allow for the attack. The RLimitChroot directive is meant to mitigate (not prevent) the attacks by making sure it cannot be done using just ProFTPD.
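An added example, not part of the ProFTPD documentation or source: a Python sketch that scans log output for the rejection message quoted above and tallies the rejected paths per chroot, so repeated attempts against one chroot stand out. Only the WARNING text comes from this page; the log-line prefix and the sample lines are constructed, and the lines are only present when debug logging is at level 2 or higher.

```python
import re
from collections import defaultdict

# Message text as quoted on this page; whatever precedes "WARNING:" is ignored,
# so the (assumed) timestamp/host/pid prefix does not matter.
REJECT_RE = re.compile(
    r"WARNING: attempt to use sensitive path '(?P<path>.*)' "
    r"within chroot '(?P<chroot>.*)', rejecting\s*$"
)
GUARDED = ("/etc", "/lib")  # the directories this page says are guarded


def guarded_dir(path):
    """Return the guarded directory a rejected path falls under, or None."""
    for d in GUARDED:
        if path == d or path.startswith(d + "/"):
            return d
    return None


def summarize(lines):
    """Tally rejections as {chroot: {guarded_dir: [rejected paths]}}."""
    report = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue  # unrelated log line
        bucket = guarded_dir(m.group("path")) or "other"
        report[m.group("chroot")][bucket].append(m.group("path"))
    return {chroot: dict(dirs) for chroot, dirs in report.items()}


# Constructed sample lines; the prefix layout is an assumption for illustration.
PREFIX = "2024-05-01 10:00:01 ftp1 proftpd[4102] 198.51.100.7: "
SAMPLE = [
    PREFIX + "WARNING: attempt to use sensitive path '/etc/file' "
             "within chroot '/home/user', rejecting",
    PREFIX + "FTP session opened.",
    PREFIX + "WARNING: attempt to use sensitive path '/lib' "
             "within chroot '/home/user', rejecting",
    PREFIX + "WARNING: attempt to use sensitive path '/etc/other' "
             "within chroot '/srv/ftp/anon', rejecting",
]

if __name__ == "__main__":
    for chroot, dirs in summarize(SAMPLE).items():
        for d, paths in dirs.items():
            print(f"{chroot}: {len(paths)} rejected attempt(s) under {d}: {paths}")
```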
The RLimitCPU directive is used to set a limit on the CPU usage, expressed as a maximum number of seconds.
RLimitCPU takes from one to three parameters. The first parameter is an optional scope parameter, indicating the scope of the resource limit. The scope parameter may be one of:
The next parameters indicate the actual resource limits, both the so-called "soft limit" and any "hard limit". These parameters may be a number (indicating the number of seconds), or the value "max" to indicate that the maximum allowed resource limit value is to be used.
Example:
# Limit a given session to 30 minutes of CPU time (which can take
# considerably longer than 30 minutes of wall time, due to CPU scheduling)
RLimitCPU 1800
The RLimitMemory directive is used to set a limit on the memory usage, expressed as a maximum number of bytes.
RLimitMemory takes from one to three parameters. The first parameter is an optional scope parameter, indicating the scope of the resource limit. The scope parameter may be one of:
The next parameters indicate the actual resource limits, both the so-called "soft limit" and any "hard limit". These parameters may be a number (indicating the number of bytes), or the value "max" to indicate that the maximum allowed resource limit value is to be used.
# Limit a given session to 128MB of memory
RLimitMemory 128MB
Note: If you use RLimitMemory, e.g.:
<IfModule mod_rlimit.c>
  RLimitMemory session 64M
</IfModule>
mod_tls
<IfModule mod_tls.c> ... </IfModule>
The RLimitOpenFiles directive is used to set a limit on the number of open file descriptors, expressed as a count.
RLimitOpenFiles takes from one to three parameters. The first parameter is an optional scope parameter, indicating the scope of the resource limit. The scope parameter may be one of:
The next parameters indicate the actual resource limits, both the so-called "soft limit" and any "hard limit". These parameters may be a number, or the value "max" to indicate that the maximum allowed resource limit value is to be used.
# Limit a given session to 12 open file descriptors
RLimitOpenFiles session 12
Frequently Asked Questions
Question: Why can't I create directories named "lib" or "etc" in the root directory? For example, my FTP client fails like so:
  Command: MKD lib
  Response: 550 lib: Permission denied
  Command: MKD /lib
  Response: 550 /lib: Permission denied
Although I don't have anything in my proftpd.conf that would block these commands, and the filesystem permissions are OK. Why does this happen?
Answer: For the answer to this, see the description for the RLimitChroot directive.