Bug 786623

Summary: ftpdctl doesn't work with out-of-the-box configuration
Product: [Fedora] Fedora Reporter: Philip Prindeville <philipp>
Component: proftpdAssignee: Matthias Saou <matthias>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 16CC: matthias, paul, philipp
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: proftpd-1.3.4a-5.fc16 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-08 21:29:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Philip Prindeville 2012-02-01 23:11:38 UTC 
Description of problem:

ftpdctl should work (since it's a basic troubleshooting tool of the FTP service) with no configuration, but it doesn't:

# ftpdctl lsmod
ftpdctl: error contacting server using '/run/proftpd/proftpd.sock': Connection refused
# 

Version-Release number of selected component (if applicable):

proftpd-1.3.4a-3.fc16.x86_64

How reproducible:

As above.

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Paul Howarth 2012-02-02 09:10:58 UTC 
Here's what I added locally to proftpd.conf for ftpdctl to work:

LoadModule mod_ctrls_admin.c

# Allow only user root to load and unload modules, but allow everyone
# to see which modules have been loaded
ModuleControlsACLs insmod,rmmod allow user root
ModuleControlsACLs lsmod allow user *

# Support for ftpdctl
<IfModule mod_ctrls.c>
  ControlsEngine                on
  ControlsACLs                  all allow user root
  ControlsSocketACL             allow user *
  ControlsLog                   /var/log/proftpd/controls.log
</IfModule>
<IfModule mod_ctrls_admin.c>
  AdminControlsEngine           on
  AdminControlsACLs             all allow user root
</IfModule>


Perhaps I should add this by default?
Comment 2 Philip Prindeville 2012-02-02 16:43:08 UTC 
(In reply to comment #1)
> 
> Perhaps I should add this by default?

Mostly looks good... just one thing: instead of "user root" maybe have "group wheel" instead?
Comment 3 Paul Howarth 2012-02-28 14:35:04 UTC 
(In reply to comment #2)
> (In reply to comment #1)
> > 
> > Perhaps I should add this by default?
> 
> Mostly looks good... just one thing: instead of "user root" maybe have "group
> wheel" instead?

I'm not convinced about the usefulness of "group wheel" here; the ftp server only gets the current gid of the process connecting to the controls socket, not any supplementary groups, so a member of the wheel group would have to do "newgrp wheel" before using ftpdctl to see the benefit of this. It would probably be easier to use the wheel group via sudo I think.
Comment 4 Philip Prindeville 2012-02-28 17:09:58 UTC 
(In reply to comment #3)
> I'm not convinced about the usefulness of "group wheel" here; the ftp server
> only gets the current gid of the process connecting to the controls socket, not
> any supplementary groups, so a member of the wheel group would have to do
> "newgrp wheel" before using ftpdctl to see the benefit of this.

Good point.
Comment 5 Fedora Update System 2012-02-28 22:11:40 UTC 
proftpd-1.3.4a-5.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/proftpd-1.3.4a-5.fc17
Comment 6 Fedora Update System 2012-02-28 22:11:57 UTC 
proftpd-1.3.4a-5.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/proftpd-1.3.4a-5.fc16
Comment 7 Fedora Update System 2012-03-06 20:27:21 UTC 
proftpd-1.3.4a-5.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-03-08 21:25:55 UTC 
proftpd-1.3.4a-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.