----------------------------------------------------------------------------- TJ Saunders <tj@castaglia.org> 2001-04-07 mod_time: a proftpd module that limits FTP commands based on time of day and/or day of the week ------------------------------------------------------------------------- Configuration Directives ------------------------------------------------------------------------- ClassCommandTimes Syntax: ClassCommandTimes class-expression|* command-expression named-times Default: None Context: server config, <VirtualHost>, <Global>, <Anonymous>, <Directory>, .ftpaccess Module: mod_time Compatibility: 1.2.2 and later This directive applies a comma-delimited list of NamedTimes, in their given order, to any of the commands in command-expression, for the users belonging to classes given by class-expression. Any of the listed FTP commands from those users that do not occur with the NamedTimes' time limits will be denied. A class-expression of "*" will match any class. The command-expression may be composed of a comma-delimited list of FTP commands to be restricted by time, as well as the meta-command groups of <Limit>, such as DIRS, READ, WRITE, LOGIN, and ALL. An additional meta-command group, NONE, is available for configuring no restrictions, to be used to relax restrictions imposed by other mod_time directives. See Also: CommandTimes, DisplayAfterHours, GroupCommandTimes, NamedTime, UserCommandTimes --------------------------------------- CommandTimes Syntax: CommandTimes command-expression named-times Default: None Context: server config, <VirtualHost>, <Global>, <Anonymous>, <Directory> Module: mod_time Compatibility: 1.2.2 and later This directive applies a comma-delimited list of NamedTimes, in their given order, to any of the commands in command-expression, for every user. Any of the listed FTP commands that do not occur with the NamedTimes' time limits will be denied. The command-expression may be composed of a comma-delimited list of FTP commands to be restricted by time, as well as the meta-command groups of <Limit>, such as DIRS, READ, WRITE, LOGIN, and ALL. An additional meta-command group, NONE, is available for configuring no restrictions, to be used to relax restrictions imposed by other mod_time directives. See Also: ClassCommandTimes, DisplayAfterHours, GroupCommandTimes, NamedTime, UserCommandTimes --------------------------------------- DisplayAfterHours Syntax: DisplayAfterHours filename Default: None Context: server config, <VirtualHost>, <Global>, <Anonymous> Module: mod_time Compatibility: 1.2.2 and later The DisplayAfterHours directive configures an ASCII text filename which will be displayed to the user should they issue a command that is restricted by a time limit, and the command occurs outside the allowed time limits. DisplayAfterHours supports most of the same "magic cookies" as the DisplayFirstChdir, as well as one "magic cookies" specific to mod_time: %c Current FTP command See Also: ClassCommandTimes, CommandTimes, GroupCommandTimes, NamedTime, UserCommandTimes --------------------------------------- GroupCommandTimes Syntax: GroupCommandTimes group-expression|* command-expression named-times Default: None Context: server config, <VirtualHost>, <Global>, <Anonymous>, <Directory>, .ftpaccess Module: mod_time Compatibility: 1.2.2 and later This directive applies a comma-delimited list of NamedTimes, in their given order, to any of the commands in command-expression, for the users to whom group-expression applies. Any of the listed FTP commands from those users that do not occur with the NamedTimes' time limits will be denied. A group-expression of "*" will match any group. The command-expression may be composed of a comma-delimited list of FTP commands to be restricted by time, as well as the meta-command groups of <Limit>, such as DIRS, READ, WRITE, LOGIN, and ALL. An additional meta-command group, NONE, is available for configuring no restrictions, to be used to relax restrictions imposed by other mod_time directives. See Also: ClassCommandTimes, CommandTimes, DisplayAfterHours, NamedTime, UserCommandTimes --------------------------------------- NamedTime Syntax: NamedTime nickname [!]hours [!]days|* Default: None Context: server config Module: mod_time Compatibility: 1.2.2 and later The nickname parameter is used by the other mod_time directives, as part of their named-time paramaters, when looking for applicable NamedTimes, and is case-sensitive. The hours argument must be formatted like this: "hh:mm:ss-hh:mm:ss". Two digits are required for each number; single numbers such as 5 would appear as "05". All times are given according to a 24-hour clock. An hours argument prefixed with a "!" means every time _except_ that range specified by the argument. As per crontab(5) entries, the days of the week are given in integers, in the following manner: Sunday is the first day of the week (0, and 7) through Saturday (6). As with the hours argument, a days argument prefixed with a "!" means all days _except_ the given days. The days argument must be formatted as a range, eg "1-6", or as a list of specific days, eg "0,3,4,5". A range and a list may occur in the same argument, eg "1-4,6". A "*" argument is shorthand for "all days". See Also: ClassCommandTimes, CommandTimes, GroupCommandTimes, UserCommandTimes --------------------------------------- UserCommandTimes Syntax: UserCommandTimes user-expression|* command-expression named-times Default: None Context: server config, <VirtualHost>, <Global>, <Anonymous>, <Directory>, .ftpaccess Module: mod_time Compatibility: 1.2.2 and later This directive applies a comma-delimited list of NamedTimes, in their given order, to any of the commands in command-expression, for the users in user-expression. Any of the listed FTP commands from those users that do not occur with the NamedTimes' time limits will be denied. A user-expression of "*" will match any user. The command-expression may be composed of a comma-delimited list of FTP commands to be restricted by time, as well as the meta-command groups of <Limit>, such as DIRS, READ, WRITE, LOGIN, and ALL. An additional meta-command group, NONE, is available for configuring no restrictions, to be used to relax restrictions imposed by other mod_time directives. See Also: ClassCommandTimes, CommandTimes, DisplayAfterHours, GroupCommandTimes, NamedTime --------------------------------------------------------------------------- Usage --------------------------------------------------------------------------- To use mod_time's functionality, you must first define some time limits using the NamedTime directive. These NamedTimes are the building blocks for the rest of mod_time's directives. For example, to define a named for "normal business hours", you would use a directive like this: NamedTime normal-hours 08:00:00-17:00:00 1-5 which creates a NamedTime called "normal-hours" that is applicable from 8 AM to 5 PM, Monday through Friday. Conversely, if you wanted a NamedTime for everything _outside_ of these normal hours, you could use something like this: NamedTime after-hours !08:00:00-17:00:00 0,6 After defining your NamedTimes, you then use the UserCommandTimes, GroupCommandTimes, ClassCommandTimes, and CommandTimes configuration directives to apply those times to FTP commands, for the given user, group, class, or to everyone. To apply your "normal business hours" to everyone, use this: CommandTimes ALL normal-hours However, if you want to allow user "friend" to do anything at any time, but still restrict everyone else, you would use these directives, in addition to the above CommandTimes directive: NamedTime all-hours 00:00:00-23:59:59 * UserCommandTimes friend ALL all-hours or, without the use of an "all-hours" NamedTime: UserCommandTimes friend NONE normal-hours When searching for NamedTimes that apply to a given connection, the limits are _always_ searched in this order: UserCommandTimes GroupCommandTimes ClassCommandTimes CommandTimes Thus the time restrictions for user "friend" would be found and used first while everyone else would see the global restriction. If, for example, you wanted to use multiple NamedTimes to apply to some commands, you can chain them together in a comma-delimited list, like so: NamedTime morning-hours 07:00:00-11:00:00 * NamedTime evening-hours 16:00:00-20:00:00 * GroupCommandTimes timed-group1,timed-group2 READ morning-hours,evening-hours This will allow users that appear either in timed-group1 or timed-group2 to download files during the 4-hour windows of the morning or evening NamedTimes. When an FTP command is denied, a message will be returned to the client. If no DisplayAfterHours directive is in effect, mod_time will then check for a configured AccessDenyMsg, and use that if present. If neither of these two directives is applicable, a default "%c is not allowed at this time" will be returned to the client, where %c expands to the FTP command issued. A special note about the user-expressions, group-expressions, and class-expressions used by mod_time configuration directives: they are NOT like other proftpd expressions, which are Boolean AND expressions -- mod_time expressions are Boolean OR expressions. Some might chide me for not following the pattern already used by current directives and for seeding possible confusion. However, I felt that the use of OR expressions to be so useful, particularly in the case of user- and class-expressions, as to outweight the potential confusion. Briefly, for the normal AND expressions to evaluate true, every component must be true; for user- and class-expressions, this does not make much sense, as a logged in user can logically only belong to one user, one class. Using OR expressions, _any_ component that is true will cause the expression to be true. This means that you need to be careful with those "!user", "!group" or "!class" components, for any user that is not the given user, or is not a member of the given group, or is not classified in the given class, will match. --------------------------------------------------------------------------- Notes --------------------------------------------------------------------------- mod_time _does_ honor the TimesGMT, AccessDenyMsg, and UserAlias configuration directives. An HTML page describing mod_time can be found at: http://www.castaglia.org/proftpd/#Modules 2001-09-18: fixed minor bug with ERROR_INT (should be ERROR_MSG) 2001-09-27: fixed bug in processing multiple NamedTimes in *CommandTimes list. The fix involved removing the functionality for the %D, %H magic cookies, however. 2001-09-28: fixed bug that would result in SIGSEGV. Thanks to Ian Marsh <ian.marsh@hants.gov.uk> for helping to debug by supplying platform details. 2002-03-26: released 2.1 ------------------------------------------------------------------------------ Copyright 2001 TJ Saunders -- All Rights Reserved ------------------------------------------------------------------------------