ProFTPD module mod

ProFTPD module `mod_time`

This module is contained in the mod_time.c file, found here, for ProFTPD 1.2.x, and is not compiled by default. Installation instructions can be found here.

This module is designed to allow for limiting FTP commands based on the time of day and/or the day of the week. A more detailed explanation of the usage of this module follows the directive explanations.

The most current version of mod_time can be found at:

  http://www.castaglia.org/proftpd/

Author

Please contact TJ Saunders <tj at castaglia.org> with any questions, concerns, or suggestions regarding this module.

Thanks

2001-09-28: Thanks to Ian Marsh <ian.marsh at hants.gov.uk> for helping to debug by supplying platform details for a bug causing segfaults.

ClassCommandTimes

Syntax: ClassCommandTimes class-expression|* command-expression named-times
Default: None
Context: server config, <VirtualHost>, <Global>, <Anonymous>, <Directory>, .ftpaccess
Module: mod_time
Compatibility: 1.2.2 and later

This directive applies a comma-delimited list of NamedTimes, in their given order, to any of the commands in command-expression, for the users belonging to classes given by class-expression. Any of the listed FTP commands from those users that do not occur with the NamedTimes' time limits will be denied.

A class-expression of "*" will match any class.

The command-expression may be composed of a comma-delimited list of FTP commands to be restricted by time, as well as the meta-command groups of <Limit>, such as DIRS, READ, WRITE, LOGIN, and ALL. An additional meta-command group, NONE, is available for configuring no restrictions, to be used to relax restrictions imposed by other mod_time directives.

CommandTimes

Syntax: CommandTimes command-expression named-times
Default: None
Context: server config, <VirtualHost>, <Global>, <Anonymous>, <Directory>
Module: mod_time
Compatibility: 1.2.2 and later

DisplayAfterHours

Syntax: DisplayAfterHours filename
Default: None
Context: server config, <VirtualHost>, <Global>, <Anonymous>
Module: mod_time
Compatibility: 1.2.2 and later

The DisplayAfterHours directive configures an ASCII text filename which will be displayed to the user should they issue a command that is restricted by a time limit, and the command occurs outside the allowed time limits.

DisplayAfterHours supports most of the same "magic cookies" as the DisplayFirstChdir directive, as well as one "magic cookie" specific to mod_time:

  %c   Current FTP command

GroupCommandTimes

Syntax: GroupCommandTimes group-expression|* command-expression named-times
Default: None
Context: server config, <VirtualHost>, <Global>, <Anonymous>, <Directory>, .ftpaccess
Module: mod_time
Compatibility: 1.2.2 and later

A group-expression of "*" will match any group.

NamedTime

Syntax: NamedTime nickname [!]hours [!]days|*
Default: None
Context: server config
Module: mod_time
Compatibility: 1.2.2 and later

The nickname parameter is used by the other mod_time directives, as part of their named-time parameters, when looking for applicable NamedTimes, and is case-sensitive.

The hours argument must be formatted like this: hh:mm:ss-hh:mm:ss. Two digits are required for each number; single numbers such as 5 would need to appear as 05. All times are given according to a 24-hour clock. An hours parameter prefixed with a ! means every time except that range specified by the parameter.

As per crontab(5) entries, the days of the week are given in integers, in the following manner: Sunday is the first day of the week (0, and 7) through Saturday (6). As with the hours parameter, a days parameter prefixed with a ! means all days except the given days. The days parameter must be formatted as a range, e.g. 1-6, or as a list of specific days, e.g. 0,3,4,5. A range and a list may occur in the same parameter, e.g. 1-4,6. A value of * is shorthand for "all days".

UserCommandTimes

Syntax: UserCommandTimes user-expression|* command-expression named-times
Default: None
Context: server config, <VirtualHost>, <Global>, <Anonymous>, <Directory>, .ftpaccess
Module: mod_time
Compatibility: 1.2.2 and later

A user-expression of "*" will match any user.

Usage

To use mod_time's functionality, you must first define some time limits using the NamedTime directive. These NamedTimes are the building blocks for the rest of mod_time's directives.

For example, to define a NamedTime for "normal business hours", you would use a directive like this:

  NamedTime normal-hours 08:00:00-17:00:00 1-5

which creates a NamedTime called "normal-hours" that is applicable from 8 AM to 5 PM, Monday through Friday.

Conversely, if you wanted a NamedTime for everything outside of these normal hours, you could use something like this:

  NamedTime after-hours !08:00:00-17:00:00 0,6

After defining your NamedTimes, you then use the UserCommandTimes, GroupCommandTimes, ClassCommandTimes, and CommandTimes configuration directives to apply those times to FTP commands, for the given user, group, class, or to everyone.

To apply your "normal business hours" to everyone, use this:

  CommandTimes ALL normal-hours

However, if you want to allow user friend to do anything at any time, but still restrict everyone else, you would use these directives, in addition to the above CommandTimes directive:

  NamedTime all-hours 00:00:00-23:59:59 *
  UserCommandTimes friend ALL all-hours

or, without the use of an "all-hours" NamedTime:

  UserCommandTimes friend NONE normal-hours

When searching for NamedTimes that apply to a given connection, the limits are always searched in this order:

  UserCommandTimes
  GroupCommandTimes
  ClassCommandTimes
  CommandTimes

Thus the time restrictions for user friend would be found and used first while everyone else would see the global restriction.

If, for example, you wanted to use multiple NamedTimes to apply to some commands, you can chain them together in a comma-delimited list, like so:

  NamedTime morning-hours 07:00:00-11:00:00 *
  NamedTime evening-hours 16:00:00-20:00:00 *
  GroupCommandTimes timed-group1,timed-group2 READ morning-hours,evening-hours

This will allow users that appear either in timed-group1 or timed-group2 to download files during the 4-hour windows of the morning or evening NamedTimes.

When an FTP command is denied, a message will be returned to the client. If no DisplayAfterHours directive is in effect, mod_time will then check for a configured AccessDenyMsg, and use that if present. If neither of these two directives is applicable, a default "%c is not allowed at this time" will be returned to the client, where %c expands to the FTP command issued.

A special note about the user-expressions, group-expressions, and class-expressions used by mod_time configuration directives: they are not like other proftpd expressions, which are Boolean AND expressions -- mod_time expressions are Boolean OR expressions. Some might chide me for not following the pattern already used by current directives and for seeding possible confusion. However, I felt that the use of OR expressions to be so useful, particularly in the case of user- and class-expressions, as to outweight the potential confusion. Briefly, for the normal AND expressions to evaluate to true, every component must be true; for user- and class-expressions, this does not make much sense, as a logged in user can logically only belong to one user, one class. Using OR expressions, any component that is true will cause the expression to be true. This means that you need to be careful with those !user, !group or !class components, for any user that is not the given user, or is not a member of the given group, or is not classified in the given class, will match.

This modules honors the TimesGMT, AccessDenyMsg, and UserAlias configuration directives.

Installation

To install mod_time, copy the mod_time.c file into

  proftpd-dir/contrib/

after unpacking the latest proftpd-1.2 source code. Then follow the usual steps for using third-party modules in proftpd:

  ./configure --with-modules=mod_time
  make
  make install

Author: $Author: tj $
Last Updated: $Date: 2002/03/27 22:46:41 $