Port directive is not overridden inside "<IfModule mod_sftp.c>...</IfModule>" #1670

Closed
teppey opened this issue May 8, 2023 · 10 comments

teppey commented May 8, 2023

What I Did

On 1.3.8, the Port directive defined in the server-config context in proftpd.conf was not overridden by subsequent Port directives defined in <IfModule mod_sftp.c>...</IfModule>.

# cat /tmp/proftpd.conf
Port 21
<IfModule mod_sftp.c>
  Port 12345
  SFTPEngine on
  SFTPHostKey /etc/ssh/ssh_host_rsa_key
  SFTPHostKey /etc/ssh/ssh_host_ed25519_key
  SFTPHostKey /etc/ssh/ssh_host_ecdsa_key
</IfModule>
# /opt/proftpd-1.3.8/sbin/proftpd -v
ProFTPD Version 1.3.8
# /opt/proftpd-1.3.8/sbin/proftpd -c /tmp/proftpd.conf
# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 :::21                   :::*                    LISTEN

On 1.3.7f, the latter definition is applied.

# /opt/proftpd-1.3.7f/sbin/proftpd -v
ProFTPD Version 1.3.7f
# /opt/proftpd-1.3.7f/sbin/proftpd -c /tmp/proftpd.conf
# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 :::12345                :::*                    LISTEN

This seems to be triggered by commit 13d5642 between 1.3.8rc2 and 1.3.8rc3.

What I Expected/Wanted

I would like to be able to override the Port defined in server-config with a Port in <IfModule mod_sftp.c>... </IfModule>.

ProFTPD Version and Configuration

Version:

Compile-time Settings:
  Version: 1.3.8 (stable)
  Platform: LINUX [Linux 3.10.0-957.el7.x86_64 x86_64]
  OS/Release:
    NAME="Rocky Linux"
    VERSION="8.7 (Green Obsidian)"
    ID="rocky"
    ID_LIKE="rhel centos fedora"
    VERSION_ID="8.7"
    PLATFORM_ID="platform:el8"
    PRETTY_NAME="Rocky Linux 8.7 (Green Obsidian)"
    CPE_NAME="cpe:/o:rocky:rocky:8:GA"
    ROCKY_SUPPORT_PRODUCT="Rocky-Linux-8"
    ROCKY_SUPPORT_PRODUCT_VERSION="8.7"
    REDHAT_SUPPORT_PRODUCT="Rocky Linux"
    REDHAT_SUPPORT_PRODUCT_VERSION="8.7"
  Built: Tue May 2 2023 08:32:39 UTC
  Built With:
    configure  '--prefix=/opt/proftpd-1.3.8' '--with-modules=mod_sftp'

  CFLAGS: -g2 -O2 -Wall -fno-omit-frame-pointer -fno-strict-aliasing
  LDFLAGS: -Wl,-L$(top_srcdir)/lib,-L$(top_builddir)/lib  -rdynamic
  LIBS:  -lssl -lcrypto -lsodium -lcrypto -lcrypt -ldl  -pthread

  Files:
    Configuration File:
      /opt/proftpd-1.3.8/etc/proftpd.conf
    Pid File:
      /opt/proftpd-1.3.8/var/proftpd.pid
    Scoreboard File:
      /opt/proftpd-1.3.8/var/proftpd.scoreboard

  Info:
    + Max supported UID: 4294967295
    + Max supported GID: 4294967295

  Features:
    - Autoshadow support
    - Controls support
    - curses support
    - Developer support
    - DSO support
    + IPv6 support
    + Largefile support
    - Lastlog support
    - Memcache support
    - ncurses support
    - NLS support
    + OpenSSL support (OpenSSL 1.1.1k  FIPS 25 Mar 2021, FIPS enabled)
    - PCRE support
    - PCRE2 support
    - POSIX ACL support
    - Redis support
    + Sendfile support
    + Shadow file support
    + Sodium support
    + Trace support
    + xattr support

  Tunable Options:
    PR_TUNABLE_BUFFER_SIZE = 1024
    PR_TUNABLE_DEFAULT_RCVBUFSZ = 8192
    PR_TUNABLE_DEFAULT_SNDBUFSZ = 8192
    PR_TUNABLE_ENV_MAX = 2048
    PR_TUNABLE_GLOBBING_MAX_MATCHES = 100000
    PR_TUNABLE_GLOBBING_MAX_RECURSION = 8
    PR_TUNABLE_HASH_TABLE_SIZE = 40
    PR_TUNABLE_LOGIN_MAX = 256
    PR_TUNABLE_NEW_POOL_SIZE = 512
    PR_TUNABLE_PATH_MAX = 4096
    PR_TUNABLE_SCOREBOARD_BUFFER_SIZE = 80
    PR_TUNABLE_SCOREBOARD_SCRUB_TIMER = 30
    PR_TUNABLE_SELECT_TIMEOUT = 30
    PR_TUNABLE_TIMEOUTIDENT = 10
    PR_TUNABLE_TIMEOUTIDLE = 600
    PR_TUNABLE_TIMEOUTLINGER = 10
    PR_TUNABLE_TIMEOUTLOGIN = 300
    PR_TUNABLE_TIMEOUTNOXFER = 300
    PR_TUNABLE_TIMEOUTSTALLED = 3600
    PR_TUNABLE_XFER_SCOREBOARD_UPDATES = 10

Configuration:

Port 21
<IfModule mod_sftp.c>
  Port 12345
  SFTPEngine on
  SFTPHostKey /etc/ssh/ssh_host_rsa_key
  SFTPHostKey /etc/ssh/ssh_host_ed25519_key
  SFTPHostKey /etc/ssh/ssh_host_ecdsa_key
</IfModule>

Castaglia self-assigned this May 13, 2023

@Castaglia
Member

The <IfModule> line is not a configuration context, like <VirtualHost> or <Limit> or <Directory>. It is a condition, a way of telling the config parser to include (or not) the enclosed section.

In your case, I think you want this:

Port 21
<IfModule mod_sftp.c>
  <VirtualHost ...>
    Port 12345
    SFTPEngine on
    SFTPHostKey /etc/ssh/ssh_host_rsa_key
    SFTPHostKey /etc/ssh/ssh_host_ed25519_key
    SFTPHostKey /etc/ssh/ssh_host_ecdsa_key
  </VirtualHost>
</IfModule>


teppey commented May 16, 2023

@Castaglia Thanks for your comment. When I used <VirtualHost>, the Port was not overridden and both Ports seemed to be enabled (both in 1.3.7f and 1.3.8).

I see that <IfModule> does not create a context. Indeed, removing <IfModule> did not change the behavior, and it seemed that the first Port was applied in 1.3.8, whereas the later Port was applied in 1.3.7f.

1.3.8:

# cat /tmp/proftpd.conf
Port 21
Port 12345
SFTPEngine on
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_ed25519_key
SFTPHostKey /etc/ssh/ssh_host_ecdsa_key
# /opt/proftpd-1.3.8/sbin/proftpd -c /tmp/proftpd.conf
# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 :::21                   :::*                    LISTEN

1.3.7f:

# /opt/proftpd-1.3.7f/sbin/proftpd -c /tmp/proftpd.conf
# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 :::12345                :::*                    LISTEN

If Port is written more than once, is the order of application indefinite?

@Castaglia
Member

> If Port is written more than once, is the order of application indefinite?

Yes. The configuration parser parses these directives into an internal hashtable, and thus the lookup order of these values is not guaranteed.


teppey commented May 17, 2023

I see. I had assumed that the Port I wrote later would apply. I would like to make sure that I only write Port in proftpd.conf once.

You may close this issue. Thank you for your explanation.

@Castaglia
Member

> I would like to make sure that I only write Port in proftpd.conf once.

I see. In that case, you might be able to use an approach like this:

<IfModule mod_sftp.c>
  # If mod_sftp is loaded, then use this port ...
  Port 12345
  ...
</IfModule>

<IfModule !mod_sftp.c>
  # If mod_sftp is NOT loaded, then use this port instead
  Port 21
</IfModule>
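
A lint check for the situation discussed in this thread, added here as an example (not code from ProFTPD or from any commenter): it treats `<IfModule>` as a condition rather than a context, honours the `!` prefix, and reports each context that sets Port more than once. The function name, the `loaded_modules` parameter and the sample strings are assumptions made for this example, and only `<VirtualHost>` and `<Global>` are tracked as contexts.

```python
import re

# Constructed samples: the reported config (host keys omitted) and the "!" rewrite.
REPORTED = """\
Port 21
<IfModule mod_sftp.c>
  Port 12345
  SFTPEngine on
</IfModule>
"""
REWRITTEN = """\
<IfModule mod_sftp.c>
  Port 12345
</IfModule>
<IfModule !mod_sftp.c>
  Port 21
</IfModule>
"""

TAG = re.compile(r"<\s*(/?)\s*(\w+)\s*([^>]*)>")
CONTEXTS = {"virtualhost", "global"}  # simplification: only these open a context here

def duplicate_ports(conf, loaded_modules):
    """Return {context: [ports]} for each context that sets Port more than once."""
    stack = ["server config"]  # innermost configuration context is last
    excluded = []              # one flag per open <IfModule>; True = section dropped
    ports = {}
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = TAG.match(line)
        if tag and tag.group(2).lower() == "ifmodule":
            if tag.group(1):
                excluded.pop()
            else:
                name = tag.group(3).strip()
                present = name.lstrip("!") in loaded_modules
                excluded.append(present == name.startswith("!"))
        elif any(excluded):
            continue  # inside a section the condition leaves out
        elif tag and tag.group(2).lower() in CONTEXTS:
            if tag.group(1):
                stack.pop()
            else:
                stack.append(f"{line} (line {lineno})")
        elif line.split()[0].lower() == "port" and len(line.split()) > 1:
            ports.setdefault(stack[-1], []).append(int(line.split()[1]))
    return {ctx: seen for ctx, seen in ports.items() if len(seen) > 1}
```

A non-empty result for the module set that is actually loaded means more than one Port applies to that context, which is the case described above as having no guaranteed lookup order.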


teppey commented May 18, 2023

Oh, I didn't know about ! in <IfModule>. Thanks for the helpful information!

@Castaglia
Member

I'll add more text to the <IfModule> docs to try to make the ! functionality more visible, as part of this ticket.

Castaglia added a commit that referenced this issue May 20, 2023
Issue #1670: Document the `!` prefix for `<IfModule>` sections better.
@Castaglia
Member

I've committed some text to master, and it should shortly replicate to the public website. Thanks!

@FliegenKLATSCH

@Castaglia Debian has an Include line at the end of their config file; it would be nice if users could just overwrite the port in a conf.d/custom.conf file. I used to do that, but as pointed out here in this issue, it doesn't work anymore.
(I assume an alternative would be to ask them to remove the line, since it's anyways the default.. But..)


jlecour commented Aug 5, 2023

Hi, I have the same problem on a server recently upgraded from Debian 11 (ProFTPd 1.3.7) to Debian 12 (ProFTPd 1.3.8).

For years I've had the original config file untouched with some overrides in /etc/proftpd/conf.d/custom.conf.
In there I also have an <IfModule mod_sftp.c> and a Port directive that has been working until the upgrade.

It works if I add a <VirtualHost> context, but it must be specified with a Host or an IP. What if I want the SFTP configuration to be global? Note: it doesn't work if I surround my SFTP configuration with a <Global> context.

It seems like a regression to me, but I don't have the full picture.
