-----------------------------------------------------------------------------
TJ Saunders <tj@castaglia.org>
2001-04-07
mod_time: a proftpd module that limits FTP commands based on time of day
and/or day of the week
-------------------------------------------------------------------------
Configuration Directives
-------------------------------------------------------------------------
ClassCommandTimes
Syntax: ClassCommandTimes class-expression|* command-expression named-times
Default: None
Context: server config, <VirtualHost>, <Global>, <Anonymous>, <Directory>,
.ftpaccess
Module: mod_time
Compatibility: 1.2.2 and later
This directive applies a comma-delimited list of NamedTimes, in their
given order, to any of the commands in command-expression, for the users
belonging to classes given by class-expression. Any of the listed FTP
commands from those users that do not occur with the NamedTimes' time
limits will be denied.
A class-expression of "*" will match any class.
The command-expression may be composed of a comma-delimited list of FTP
commands to be restricted by time, as well as the meta-command groups of
<Limit>, such as DIRS, READ, WRITE, LOGIN, and ALL. An additional
meta-command group, NONE, is available for configuring no restrictions,
to be used to relax restrictions imposed by other mod_time directives.
See Also: CommandTimes, DisplayAfterHours, GroupCommandTimes, NamedTime,
UserCommandTimes
---------------------------------------
CommandTimes
Syntax: CommandTimes command-expression named-times
Default: None
Context: server config, <VirtualHost>, <Global>, <Anonymous>, <Directory>
Module: mod_time
Compatibility: 1.2.2 and later
This directive applies a comma-delimited list of NamedTimes, in their
given order, to any of the commands in command-expression, for every user.
Any of the listed FTP commands that do not occur with the NamedTimes' time
limits will be denied.
The command-expression may be composed of a comma-delimited list of FTP
commands to be restricted by time, as well as the meta-command groups of
<Limit>, such as DIRS, READ, WRITE, LOGIN, and ALL. An additional
meta-command group, NONE, is available for configuring no restrictions,
to be used to relax restrictions imposed by other mod_time directives.
See Also: ClassCommandTimes, DisplayAfterHours, GroupCommandTimes,
NamedTime, UserCommandTimes
---------------------------------------
DisplayAfterHours
Syntax: DisplayAfterHours filename
Default: None
Context: server config, <VirtualHost>, <Global>, <Anonymous>
Module: mod_time
Compatibility: 1.2.2 and later
The DisplayAfterHours directive configures an ASCII text filename which
will be displayed to the user should they issue a command that is
restricted by a time limit, and the command occurs outside the allowed
time limits.
DisplayAfterHours supports most of the same "magic cookies" as the
DisplayFirstChdir, as well as one "magic cookies" specific to mod_time:
%c Current FTP command
See Also: ClassCommandTimes, CommandTimes, GroupCommandTimes, NamedTime,
UserCommandTimes
---------------------------------------
GroupCommandTimes
Syntax: GroupCommandTimes group-expression|* command-expression named-times
Default: None
Context: server config, <VirtualHost>, <Global>, <Anonymous>, <Directory>,
.ftpaccess
Module: mod_time
Compatibility: 1.2.2 and later
This directive applies a comma-delimited list of NamedTimes, in their
given order, to any of the commands in command-expression, for the users
to whom group-expression applies. Any of the listed FTP commands from those
users that do not occur with the NamedTimes' time limits will be denied.
A group-expression of "*" will match any group.
The command-expression may be composed of a comma-delimited list of FTP
commands to be restricted by time, as well as the meta-command groups of
<Limit>, such as DIRS, READ, WRITE, LOGIN, and ALL. An additional
meta-command group, NONE, is available for configuring no restrictions,
to be used to relax restrictions imposed by other mod_time directives.
See Also: ClassCommandTimes, CommandTimes, DisplayAfterHours, NamedTime,
UserCommandTimes
---------------------------------------
NamedTime
Syntax: NamedTime nickname [!]hours [!]days|*
Default: None
Context: server config
Module: mod_time
Compatibility: 1.2.2 and later
The nickname parameter is used by the other mod_time directives, as
part of their named-time paramaters, when looking for applicable
NamedTimes, and is case-sensitive.
The hours argument must be formatted like this: "hh:mm:ss-hh:mm:ss". Two
digits are required for each number; single numbers such as 5 would
appear as "05". All times are given according to a 24-hour clock. An
hours argument prefixed with a "!" means every time _except_ that
range specified by the argument.
As per crontab(5) entries, the days of the week are given in
integers, in the following manner: Sunday is the first day of the week
(0, and 7) through Saturday (6). As with the hours argument, a days
argument prefixed with a "!" means all days _except_ the given days.
The days argument must be formatted as a range, eg "1-6", or as
a list of specific days, eg "0,3,4,5". A range and a list may occur
in the same argument, eg "1-4,6". A "*" argument is shorthand for
"all days".
See Also: ClassCommandTimes, CommandTimes, GroupCommandTimes,
UserCommandTimes
---------------------------------------
UserCommandTimes
Syntax: UserCommandTimes user-expression|* command-expression named-times
Default: None
Context: server config, <VirtualHost>, <Global>, <Anonymous>, <Directory>,
.ftpaccess
Module: mod_time
Compatibility: 1.2.2 and later
This directive applies a comma-delimited list of NamedTimes, in their
given order, to any of the commands in command-expression, for the users
in user-expression. Any of the listed FTP commands from those users that
do not occur with the NamedTimes' time limits will be denied.
A user-expression of "*" will match any user.
The command-expression may be composed of a comma-delimited list of FTP
commands to be restricted by time, as well as the meta-command groups of
<Limit>, such as DIRS, READ, WRITE, LOGIN, and ALL. An additional
meta-command group, NONE, is available for configuring no restrictions,
to be used to relax restrictions imposed by other mod_time directives.
See Also: ClassCommandTimes, CommandTimes, DisplayAfterHours,
GroupCommandTimes, NamedTime
---------------------------------------------------------------------------
Usage
---------------------------------------------------------------------------
To use mod_time's functionality, you must first define some time limits
using the NamedTime directive. These NamedTimes are the building blocks
for the rest of mod_time's directives.
For example, to define a named for "normal business hours", you would use
a directive like this:
NamedTime normal-hours 08:00:00-17:00:00 1-5
which creates a NamedTime called "normal-hours" that is applicable from
8 AM to 5 PM, Monday through Friday.
Conversely, if you wanted a NamedTime for everything _outside_ of these
normal hours, you could use something like this:
NamedTime after-hours !08:00:00-17:00:00 0,6
After defining your NamedTimes, you then use the UserCommandTimes,
GroupCommandTimes, ClassCommandTimes, and CommandTimes configuration
directives to apply those times to FTP commands, for the given user,
group, class, or to everyone.
To apply your "normal business hours" to everyone, use this:
CommandTimes ALL normal-hours
However, if you want to allow user "friend" to do anything at any time, but
still restrict everyone else, you would use these directives, in addition
to the above CommandTimes directive:
NamedTime all-hours 00:00:00-23:59:59 *
UserCommandTimes friend ALL all-hours
or, without the use of an "all-hours" NamedTime:
UserCommandTimes friend NONE normal-hours
When searching for NamedTimes that apply to a given connection, the
limits are _always_ searched in this order:
UserCommandTimes
GroupCommandTimes
ClassCommandTimes
CommandTimes
Thus the time restrictions for user "friend" would be found and used first
while everyone else would see the global restriction.
If, for example, you wanted to use multiple NamedTimes to apply to some
commands, you can chain them together in a comma-delimited list, like so:
NamedTime morning-hours 07:00:00-11:00:00 *
NamedTime evening-hours 16:00:00-20:00:00 *
GroupCommandTimes timed-group1,timed-group2 READ morning-hours,evening-hours
This will allow users that appear either in timed-group1 or timed-group2
to download files during the 4-hour windows of the morning or evening
NamedTimes.
When an FTP command is denied, a message will be returned to the client.
If no DisplayAfterHours directive is in effect, mod_time will then check
for a configured AccessDenyMsg, and use that if present. If neither of
these two directives is applicable, a default "%c is not allowed at this
time" will be returned to the client, where %c expands to the FTP command
issued.
A special note about the user-expressions, group-expressions, and
class-expressions used by mod_time configuration directives: they are
NOT like other proftpd expressions, which are Boolean AND expressions --
mod_time expressions are Boolean OR expressions. Some might chide me for
not following the pattern already used by current directives and for
seeding possible confusion. However, I felt that the use of OR expressions
to be so useful, particularly in the case of user- and
class-expressions, as to outweight the potential confusion. Briefly, for
the normal AND expressions to evaluate true, every component must be true;
for user- and class-expressions, this does not make much sense, as a logged
in user can logically only belong to one user, one class. Using OR
expressions, _any_ component that is true will cause the expression to be
true. This means that you need to be careful with those "!user", "!group" or
"!class" components, for any user that is not the given user, or is not
a member of the given group, or is not classified in the given class, will
match.
---------------------------------------------------------------------------
Notes
---------------------------------------------------------------------------
mod_time _does_ honor the TimesGMT, AccessDenyMsg, and UserAlias
configuration directives.
An HTML page describing mod_time can be found at:
http://www.castaglia.org/proftpd/#Modules
2001-09-18: fixed minor bug with ERROR_INT (should be ERROR_MSG)
2001-09-27: fixed bug in processing multiple NamedTimes in *CommandTimes
list. The fix involved removing the functionality for
the %D, %H magic cookies, however.
2001-09-28: fixed bug that would result in SIGSEGV. Thanks to
Ian Marsh <ian.marsh@hants.gov.uk> for helping to debug
by supplying platform details.
2002-03-26: released 2.1
------------------------------------------------------------------------------
Copyright 2001 TJ Saunders -- All Rights Reserved
------------------------------------------------------------------------------
