<Class> section is allowed to be in <Global>, but From directive is not #1597

Closed
offsides opened this issue Feb 15, 2023 · 3 comments

@offsides
Contributor

What I Did

I added a Class in my global config so that it could be used by both the root server config (FTP) and my virtualhost (SFTP). Ex:

<Class internal>
  From 172.16.0.0/16
</Class>

Upon restarting proftpd, I got the following error message:

fatal: From: directive not allowed in <Global> context on line 233 of '/etc/proftpd.conf'

What I Expected/Wanted

I expected to restart Proftpd and have it work.

ProFTPD Version and Configuration

Please help us reproduce the problem/issue you are encountering. To do this,
we need to know which version of ProFTPD you are using, how it was built,
etc. The following command is an easy way to get all of this information:

# proftpd -V
Compile-time Settings:
  Version: 1.3.8 (stable)
  Platform: LINUX [Linux 5.14.0-162.6.1.el9_1.x86_64 x86_64]
  OS/Release:
    NAME="Red Hat Enterprise Linux"
    VERSION="9.1 (Plow)"
    ID="rhel"
    ID_LIKE="fedora"
    VERSION_ID="9.1"
    PLATFORM_ID="platform:el9"
    PRETTY_NAME="Red Hat Enterprise Linux 9.1 (Plow)"
    CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
    
    REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
    REDHAT_BUGZILLA_PRODUCT_VERSION=9.1
    REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
    REDHAT_SUPPORT_PRODUCT_VERSION="9.1"
  Built: Fri Feb 3 2023 00:00:00 UTC
  Built With:
    configure  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--libexecdir=/usr/libexec/proftpd' '--localstatedir=/run/proftpd' '--disable-strip' '--enable-ctrls' '--enable-dso' '--enable-facl' '--enable-ipv6' '--enable-memcache' '--enable-nls' '--enable-openssl' '--disable-pcre' '--enable-pcre2' '--disable-redis' '--enable-shadow' '--enable-tests=nonetwork' '--with-libraries=/usr/lib64/mariadb' '--with-includes=/usr/include/mysql' '--with-modules=mod_readme:mod_auth_pam:mod_tls' '--with-shared=mod_sql:mod_sql_passwd:mod_sql_mysql:mod_sql_postgres:mod_sql_sqlite:mod_quotatab:mod_quotatab_file:mod_quotatab_ldap:mod_quotatab_radius:mod_quotatab_sql:mod_ldap:mod_ban:mod_ctrls_admin:mod_facl:mod_load:mod_vroot:mod_radius:mod_ratio:mod_rewrite:mod_site_misc:mod_exec:mod_shaper:mod_wrap2:mod_wrap2_file:mod_wrap2_sql:mod_copy:mod_deflate:mod_ifversion:mod_qos:mod_sftp:mod_sftp_pam:mod_sftp_sql:mod_tls_shmcache:mod_tls_memcache:mod_unique_id:mod_ifsession' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' 'CFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 ' 'CXX=g++' 'CXXFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection'

  CFLAGS: -g2 -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wall -fno-omit-frame-pointer -fno-strict-aliasing -Werror=implicit-function-declaration
  LDFLAGS: -Wl,-L$(top_srcdir)/lib,-L$(top_builddir)/lib -Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -rdynamic -L/usr/lib64/mariadb -L/usr/lib64/ -L/usr/lib64
  LIBS:  -lpcre2-posix -lpcre2-8 -lssl -lcrypto -lcap  -lssl -lcrypto  -lpam -lattr -lidn2 -lresolv -lresolv -lcrypt -lmemcachedutil -lmemcached  -pthread

  Files:
    Configuration File:
      /etc/proftpd.conf
    Pid File:
      /run/proftpd/proftpd.pid
    Scoreboard File:
      /run/proftpd/proftpd.scoreboard
    Header Directory:
      /usr/include/proftpd
    Shared Module Directory:
      /usr/libexec/proftpd

  Info:
    + Max supported UID: 4294967295
    + Max supported GID: 4294967295

  Features:
    - Autoshadow support
    + Controls support
    + curses support
    - Developer support
    + DSO support
    + IPv6 support
    + Largefile support
    - Lastlog support
    + Memcache support
    + ncursesw support
    + NLS support
    + OpenSSL support (OpenSSL 3.0.1 14 Dec 2021)
    - PCRE support
    + PCRE2 support
    + POSIX ACL support
    - Redis support
    + Sendfile support
    + Shadow file support
    - Sodium support
    + Trace support
    + xattr support

  Tunable Options:
    PR_TUNABLE_BUFFER_SIZE = 1024
    PR_TUNABLE_DEFAULT_RCVBUFSZ = 8192
    PR_TUNABLE_DEFAULT_SNDBUFSZ = 8192
    PR_TUNABLE_ENV_MAX = 2048
    PR_TUNABLE_GLOBBING_MAX_MATCHES = 100000
    PR_TUNABLE_GLOBBING_MAX_RECURSION = 8
    PR_TUNABLE_HASH_TABLE_SIZE = 40
    PR_TUNABLE_LOGIN_MAX = 256
    PR_TUNABLE_NEW_POOL_SIZE = 512
    PR_TUNABLE_PATH_MAX = 4096
    PR_TUNABLE_SCOREBOARD_BUFFER_SIZE = 80
    PR_TUNABLE_SCOREBOARD_SCRUB_TIMER = 30
    PR_TUNABLE_SELECT_TIMEOUT = 30
    PR_TUNABLE_TIMEOUTIDENT = 10
    PR_TUNABLE_TIMEOUTIDLE = 600
    PR_TUNABLE_TIMEOUTLINGER = 10
    PR_TUNABLE_TIMEOUTLOGIN = 300
    PR_TUNABLE_TIMEOUTNOXFER = 300
    PR_TUNABLE_TIMEOUTSTALLED = 3600
    PR_TUNABLE_XFER_SCOREBOARD_UPDATES = 10

In addition, we need to see all of the ProFTPD configuration files you are
using (minus any sensitive information like passwords, of course). Armed
with the version and configuration data, then, we can set up ProFTPD locally
using the same configuration, and see what happens.

proftpd.conf:

# Load modules to extend ProFTPD.  Note that the order below MUST be kept!
LoadModule              mod_ifsession.c
LoadModule              mod_wrap2.c
LoadModule              mod_wrap2_sql.c
LoadModule              mod_sql.c
LoadModule              mod_sql_mysql.c
LoadModule              mod_exec.c
LoadModule              mod_exec_mqueue.c
LoadModule              mod_sftp.c
LoadModule              mod_sftp_sql.c

# Basic server setup for a standalone server.
ServerType              standalone
# Port 21 is the standard FTP port.
Port                    21
# Specify the server IP.
DefaultAddress          <IP>
# Specify the name of the server.
ServerName              <FQDN>
# Disable IPv6
UseIPv6                 off
# Disable Reverse DNS lookups - we only care about the client IP address.
UseReverseDNS           off
# Don't use GMT
TimesGMT                off
# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances            101
MaxClients              100

<Global>
        Trace DEFAULT:10 ssh2:20 sftp:20 ifsession:20 auth.pam:20
        TraceLog /var/log/proftpd/trace.log
# Security settings
# Set the normal user and group permissions for the server.
User                    ftp
Group                   ftp
# Drop root privs right away.
RootRevoke              on
# Show an empty server identification string for security purposes.
ServerIdent             on "FTP Server ready."
# Login banner
DisplayConnect          /etc/ssh/login-banner
# Chroot jail all users to their home directory.
DefaultRoot             ~
# Do not allow .ftpaccess files to override settings.
AllowOverride           off
# Umask 007 makes things group writable for automation purposes, and
# prevents world access.
Umask                   0007
# Allow 60 seconds to authenticate after connection or the client is a
# disconnected.
TimeoutLogin            60
# Allow 10 minutes of inactivity before a client is disconnected.
TimeoutIdle             600
TimeoutNoTransfer       600
# Disconnect the user after a single failed password.
MaxLoginAttempts        5
# Disable the SITE CHGRP and SITE CHMOD commands, and active mode connections.
<Limit SITE_CHGRP SITE_CHMOD PORT>
        DenyAll
</Limit>
# Allow files in /data/ftp to be overwritten.
<Directory /ftp>
        AllowOverwrite  on
        PathDenyFilter  [\x01-\x1f\x7f"*:<>?\|]
</Directory>
# Allow uploads to be restarted.
AllowStoreRestart       on

# Global Logging
# 
# Custom log format similar to the NcFTPd logs.
LogFormat               custom "%a %t %u \"%r\" %s %b"
# Log all commands, including EXIT, using the custom log format.
ExtendedLog             /var/log/proftpd/proftpd.log ALL,EXIT custom

# Authentication
# wtmp logging is irrelevant as all FTP users are virtual.
WtmpLog                 off
# Do not allow PAM users for the same reasons.
AuthPAM                 off
# /etc/ftpusers is irrelevant as no system users are permitted.
UseFtpUsers             off
# Do not require users to have a valid shell because they are virtual.
RequireValidShell       off
# Use the SQL database as the only authentication source.
AuthOrder               mod_sql.c

# SQL parameters for mysql/mariadb.
SQLBackend              mysql
# Only use the SQL engine for authentication
SQLEngine               auth
# Log file for the SQL module.
SQLLogFile              /var/log/proftpd/sql.log
# SQL Connection info.
SQLConnectInfo          <db> <db_user> <db_pass>
# SQL module options
SQLOptions              IgnoreConfigFile
# Use the system crypt(3) to check passwords.
SQLAuthTypes            Crypt
# Only do user lookups via SQL.
SQLAuthenticate         users groups groupset
# UID/GID for all virtual users (ftp/ftp).
SQLDefaultUID           14
SQLDefaultGID           50
# User accounts table (view) and fields for user auth info.  NOTE: This view
# contains the necessary where clauses to determine if a user if active on the
# server.
SQLUserInfo             ftp_userinfo username password sftp_uid NULL homedir NULL
SQLGroupInfo            ftp_groupinfo groupname gid members
# Named queries used to determine what IP addresses a client is permitted
# to connect from.  Used by mod_wrap2, below.
SQLNamedQuery           get-allowed-clients FREEFORM "CALL allowedIPList('%u')"
SQLNamedQuery           get-denied-clients SELECT "'ALL'"

# IP-based access control using mod_wrap2.
WrapEngine              on
# Log file for the IP wrapper module.
WrapLog                 /var/log/proftpd/wrap.log
# Check all users for IP restrictions using the SQLNamedQuery definitions
# above.
WrapUserTables          * sql:/get-allowed-clients sql:/get-denied-clients
# Messager sent to the client when they are allowed access from the
# remote IP.
WrapAllowMsg            "User '%u' allowed by access rules"
# Message sent to the client when the user is denied access due to IP
# restrictions.
WrapDenyMsg             "User '%u' denied by access rules"

<Class internal>
        From 172.16.0.0/16
</Class>

<IfModule mod_delay.c>

  <IfClass internal>
    DelayEngine off
  </IfClass>

  <IfClass !internal>
    DelayEngine on
  </IfClass>

</IfModule>

</Global>

<IfModule mod_sftp.c>
  <VirtualHost 0.0.0.0>

        SFTPEngine on
        Port 44
        SFTPLog /var/log/proftpd/sftp.log
        SFTPDisplayBanner /etc/ssh/login-banner

        AuthPAM on
        AuthOrder mod_sql.c
        SFTPHostKey /data/hostkeys/ssh_host_ecdsa_key
        SFTPHostKey /data/hostkeys/ssh_host_rsa_key

        SFTPAuthMethods password publickey
        SFTPOptions IgnoreSFTPUploadPerms IgnoreSFTPSetExtendedAttributes IgnoreSFTPSetOwners IgnoreSFTPSetPerms IgnoreSFTPSetTimes IgnoreSFTPUploadExtendedAttributes
        SFTPRekey required
        SFTPTrafficPolicy medium

        SFTPCiphers aes256-ctr aes192-ctr aes128-ctr aes256-gcm@openssh.com aes128-gcm@openssh.com
        SFTPDigests hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com umac-128@openssh.com umac-128-etm@openssh.com 
        SFTPKeyLimits MinimumRSASize 2048 MinimumECSize 256
        SFTPKeyExchanges curve448-sha512 ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 diffie-hellman-group18-sha512 diffie-hellman-group16-sha512 diffie-hellman-group14-sha256 diffie-hellman-group-exchange-sha256 

        SQLAuthenticate users groups groupset
        SQLUserInfo     sftp_userinfo username password sftp_uid sftp_gid homedir NULL
        SQLGroupInfo    sftp_groupinfo groupname gid members

        <IfGroup twofactor>
            SFTPAuthMethods publickey+password password+publickey
        </IfGroup>

        <IfModule mod_sftp_sql.c>
            SQLNamedQuery get-user-authorized-keys SELECT "public_key FROM sshkeys WHERE username = '%U'"

            SFTPAuthorizedUserKeys sql:/get-user-authorized-keys
        </IfModule>

  </VirtualHost>
</IfModule>
@Castaglia Castaglia self-assigned this Feb 18, 2023
@Castaglia Castaglia added the bug label Feb 18, 2023
@Castaglia
Member

Indeed, it looks like the From directive should be allowed in this configuration, especially in light of Issue #1418. I'll see what's needed to correct this. Thanks for the report!

Castaglia added a commit that referenced this issue Feb 18, 2023
Issue #1597: Properly handle `From` directives inside a `<Class>` section that is itself within a `<Global>` section.

The underlying cause was the lack of creating a "Class" config context on
the parser stack for the entire `<Class>` section.  Without this, the
`From` directives were not being associated into the `CONF_CLASS` configuration
context, which in turn meant that the directive handler checks for proper
context were failing unexpectedly.
@Castaglia Castaglia changed the title Class is allowed to be Global, but From is not <Class> section is allowed to be in <Global>, but From directive is not Feb 18, 2023
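As an added illustration of the cause described in the commit message above (this is not ProFTPD's code; the context names, the directive table and the `push_nested_class_context` switch are assumptions chosen to mirror the report), the following Python model keeps a context stack while parsing `<Section>` blocks. With the switch off it reproduces the reporter's error, because a `<Class>` nested in `<Global>` pushes no context of its own and its `From` line is checked against the enclosing `<Global>` context; with the switch on the class is populated, and the model goes one step further than the thread by resolving which class a client IP falls into, which is what the `<IfClass internal>` decision depends on.

```python
import ipaddress
import re
from typing import Optional

# Assumed tables modelled on the issue: which parser context each directive
# may appear in, and which context each section opener pushes.
ALLOWED_CONTEXTS = {"From": {"CLASS"}, "Port": {"ROOT", "VHOST"},
                    "DefaultRoot": {"ROOT", "VHOST", "GLOBAL"}}
SECTION_CONTEXT = {"Global": "GLOBAL", "Class": "CLASS", "VirtualHost": "VHOST"}


class ConfigError(Exception):
    pass


def parse_config(text: str, push_nested_class_context: bool = True) -> dict:
    """Parse <Section>...</Section> blocks with a context stack.

    Returns {class_name: [ip_network, ...]} built from From directives.
    push_nested_class_context=False is a simplified model of the bug: a
    <Class> opened inside <Global> gets no CLASS context of its own, so its
    From directive is checked against the enclosing GLOBAL context.
    """
    classes: dict = {}
    stack = ["ROOT"]
    current: Optional[str] = None  # name of the <Class> being filled
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opener = re.fullmatch(r"<(\w+)(?:\s+([^>]*))?>", line)
        closer = re.fullmatch(r"</(\w+)>", line)
        if opener:
            section, arg = opener.group(1), (opener.group(2) or "").strip()
            if section not in SECTION_CONTEXT:
                raise ConfigError(f"unknown section <{section}> on line {lineno}")
            ctx = SECTION_CONTEXT[section]
            if ctx == "CLASS":
                current = arg
                classes.setdefault(arg, [])
                if stack[-1] == "GLOBAL" and not push_nested_class_context:
                    continue  # bug model: the nested <Class> pushes nothing
            stack.append(ctx)
        elif closer:
            ctx = SECTION_CONTEXT.get(closer.group(1))
            if ctx == "CLASS":
                current = None
                if stack[-1] != "CLASS":
                    continue  # bug model: nothing was pushed, nothing to pop
            if len(stack) < 2 or stack[-1] != ctx:
                raise ConfigError(f"mismatched </{closer.group(1)}> on line {lineno}")
            stack.pop()
        else:
            name, _, args = line.partition(" ")
            allowed = ALLOWED_CONTEXTS.get(name)
            if allowed is not None and stack[-1] not in allowed:
                # Same shape as the fatal error quoted in the issue.
                raise ConfigError(f"{name}: directive not allowed in "
                                  f"<{stack[-1].title()}> context on line {lineno}")
            if name == "From" and current is not None:
                classes[current].append(ipaddress.ip_network(args.strip(), strict=False))
    if len(stack) != 1:
        raise ConfigError("unterminated section")
    return classes


def class_for_client(classes: dict, client_ip: str) -> Optional[str]:
    """Name of the first class whose From networks cover client_ip, else None."""
    addr = ipaddress.ip_address(client_ip)
    for name, networks in classes.items():
        if any(addr in net for net in networks):
            return name
    return None


# Constructed sample: the reporter's layout trimmed to the lines that matter.
SAMPLE_CONFIG = """\
Port 21
<Global>
  DefaultRoot ~
  <Class internal>
    From 172.16.0.0/16
  </Class>
</Global>
"""


def demo() -> dict:
    """Run the bug model and the fixed parser over the sample and summarise."""
    try:
        parse_config(SAMPLE_CONFIG, push_nested_class_context=False)
        buggy = "accepted"
    except ConfigError as exc:
        buggy = str(exc)
    fixed = parse_config(SAMPLE_CONFIG)
    return {"buggy_result": buggy,
            "fixed_class_count": len(fixed),
            "internal_client": class_for_client(fixed, "172.16.5.9"),
            "external_client": class_for_client(fixed, "203.0.113.7")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A top-level `<Class>` passes in both modes of the model, which matches the asymmetry in the report: the section itself was accepted inside `<Global>`, but the `From` directive inside it was rejected because nothing on the parser stack said "this is a class".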
@Castaglia
Member

The fix has been merged to the master branch, and backported to the 1.3.8 branch. Thanks!

@offsides
Contributor Author

Thank you very much, I rebuilt proftpd in my dev environment and now it works as expected! Any idea when you are likely to release 1.3.8a with the various fixes you've backported?
