mod_ifsession
The purpose of mod_ifsession is to provide a flexible way of specifying that certain configuration directives only apply to certain sessions, based on credentials such as connection class, user, or group membership.
For class-based qualifications, mod_ifsession will apply configuration directives to the current session as soon as the client has connected to the server; for user- and group-based qualifications, mod_ifsession applies configuration directives to the current session, if applicable, only after the client has successfully authenticated. This means that mod_ifsession cannot change the effect of some user- and group-qualified configuration directives, particularly those that influence the session prior to authentication. These directives include:
    AccessDenyMsg
    AccessGrantMsg
    AnonRequirePassword
    <Anonymous>
    AuthGroupFile
    AuthUserFile
    CreateHome
    DefaultChdir
    DefaultRoot
    DefaultTransferMode
    DisplayConnect
    ExtendedLog
    MaxInstances
    RequireValidShell
    RootLogin
    ServerIdent
    ServerName
    ShowSymlinks
    TransferLog
    UseFtpUsers
    WtmpLog
and the directives from the mod_pam module. All of these can be set based on class qualifications, however.
While the above list of configuration directives is daunting, there are still valid uses for this module, e.g. configuring <Directory> and/or <Limit> for certain sessions, Filter directives, transfer rates, maximum file sizes, etc. Plus, some of the above directives (e.g. DefaultChdir, DefaultRoot) already have their own configurable restrictions (group expressions in the case of DefaultChdir and DefaultRoot), so all is not entirely lost.
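A configuration can be checked for this pitfall mechanically. The following is an added example, not part of the original page or of ProFTPD: a small Python linter (the function name lint and the sample configuration are hypothetical) that reports directives from the list above when they appear inside <IfUser> or <IfGroup>, where they cannot change the session.

```python
import re

# Directives the page lists as acting before authentication. The mod_pam
# directives are not enumerated on the page, so they are left out here.
PRE_AUTH = {d.lower() for d in """
    AccessDenyMsg AccessGrantMsg AnonRequirePassword AuthGroupFile
    AuthUserFile CreateHome DefaultChdir DefaultRoot DefaultTransferMode
    DisplayConnect ExtendedLog MaxInstances RequireValidShell RootLogin
    ServerIdent ServerName ShowSymlinks TransferLog UseFtpUsers WtmpLog
""".split()}
POST_AUTH_CONTEXTS = {"ifuser", "ifgroup"}

def lint(config_text):
    """Return (line_no, context, directive) for each directive that a
    user- or group-qualified context cannot actually change."""
    findings, stack = [], []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"</\s*\w+\s*>", line):  # closing tag: leave the context
            if stack:
                stack.pop()
            continue
        opening = re.match(r"<\s*(\w+)[^>]*>", line)
        name = opening.group(1) if opening else line.split()[0]
        # Innermost enclosing context that is only applied after login.
        enclosing = next(
            (c for c in reversed(stack) if c in POST_AUTH_CONTEXTS), None)
        if enclosing and (name.lower() in PRE_AUTH or name.lower() == "anonymous"):
            findings.append((line_no, enclosing, name))
        if opening:
            stack.append(name.lower())
    return findings

# Constructed sample configuration, not taken from the page.
SAMPLE = """\
# constructed sample proftpd.conf fragment
<IfClass internal>
  DefaultRoot ~
</IfClass>
<IfGroup contractors>
  DefaultRoot ~
  MaxStoreFileSize 50 Mb
</IfGroup>
<IfUser !ftpadm>
  RootLogin off
  <Directory />
    DirFakeMode 0440
  </Directory>
</IfUser>
"""

if __name__ == "__main__":
    for line_no, ctx, directive in lint(SAMPLE):
        print(f"line {line_no}: {directive} inside <{ctx}> is applied too late")
```

A flagged directive such as DefaultRoot belongs in an <IfClass> context or should use its own group expression, as described above.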
This module is contained in the mod_ifsession.c file for ProFTPD 1.2, and is not compiled by default. Installation instructions are discussed here.
The most current version of mod_ifsession can be found at:
    http://www.castaglia.org/proftpd/
Please contact TJ Saunders <tj at castaglia.org> with any questions, concerns, or suggestions regarding this module.
<VirtualHost>, <Global>
The <IfClass> context should contain any configuration directives that should be in effect for any sessions that match the class-expression. Classes must be enabled for this context to work properly; the connecting client must be in any of the classes listed in the expression for the directives contained to be applied. Note that ! notation in front of a class name in the expression is supported.
The given class-expression may optionally be prefixed with either the "AND" or "OR" keywords, which affect how the expression is evaluated: if "AND" is used, then all portions of the expression must evaluate to TRUE for the configuration context to be applied to the current session; if "OR" is used, then any portion of the expression must be TRUE for the context to be applied. The default setting for <IfClass> is "OR".
If the "regex" keyword is used, the regexp should be a regular expression to match class names.
Examples:
    # Give friends, and local users, better transfer rates
    <IfClass local, friends>
      TransferRate RETR 8192
    </IfClass>

    TransferRate RETR 4096
<VirtualHost>, <Global>
The <IfGroup> context should contain any configuration directives that should be in effect for any sessions that match the group-AND-expression. The authenticated user must be in all of the groups listed in the expression for the directives contained to be applied. Note that ! notation in front of a group name in the expression is supported.
The given group-expression may optionally be prefixed with either the "AND" or "OR" keywords, which affect how the expression is evaluated: if "AND" is used, then all portions of the expression must evaluate to TRUE for the configuration context to be applied to the current session; if "OR" is used, then any portion of the expression must be TRUE for the context to be applied. The default setting for <IfGroup> is "AND".
If the "regex" keyword is used, the regexp should be a regular expression to match group names.
Example:
    # Only members of group webusers can upload/download HTML files
    <IfGroup !webusers>
      PathDenyFilter \.htm$|\.html$
    </IfGroup>
<VirtualHost>, <Global>
The <IfUser> context should contain any configuration directives that should be in effect for any sessions that match the user-OR-expression. The authenticated user must be one of the users listed in the expression for the directives contained to be applied. Note that ! notation in front of a user name in the expression is supported.
The given user-expression may optionally be prefixed with either the "AND" or "OR" keywords, which affect how the expression is evaluated: if "AND" is used, then all portions of the expression must evaluate to TRUE for the configuration context to be applied to the current session; if "OR" is used, then any portion of the expression must be TRUE for the context to be applied. The default setting for <IfUser> is "OR".
If the "regex" keyword is used, the regexp should be a regular expression to match user names.
Example:
    # Alter the view of files for everyone except the admin
    <IfUser !ftpadm>
      <Directory />
        DirFakeUser on ~
        DirFakeGroup on ~
        DirFakeMode 0440
      </Directory>
    </IfUser>

    # Impose a PathDenyFilter on ftp users
    <IfUser regex ^ftp>
      PathDenyFilter \.conf$
    </IfUser>
See also: <IfClass>, <IfGroup>
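The evaluation rules stated above for <IfClass>, <IfGroup> and <IfUser> can be modelled in a few lines. This is an added Python example, not the module's C code and not from the original page; the function name context_applies and the names alice, bob and staff are hypothetical. It shows why a list of negated names needs the "AND" keyword under the <IfUser> default of "OR".

```python
import re

# Default combining mode per context, as stated on the page.
DEFAULT_MODE = {"IfClass": "OR", "IfGroup": "AND", "IfUser": "OR"}

def context_applies(context, expression, names):
    """Decide whether a context applies to a session.

    `names` is the set of names the session holds for this kind of check:
    its class for IfClass, its user name for IfUser, its groups for IfGroup.
    """
    tokens = expression.replace(",", " ").split()
    if not tokens:
        raise ValueError("empty expression")
    if tokens[0] == "regex":
        # Python's re stands in for the server's regex library (assumption).
        pattern = re.compile(tokens[1])
        return any(pattern.search(n) for n in names)
    mode = DEFAULT_MODE[context]
    if tokens[0] in ("AND", "OR"):
        mode = tokens.pop(0)
    # A leading "!" inverts the membership test for that name.
    results = [
        (t[1:] not in names) if t.startswith("!") else (t in names)
        for t in tokens
    ]
    return all(results) if mode == "AND" else any(results)

# Constructed cases: (context, expression, session names).
CASES = [
    ("IfUser", "!alice, !bob", {"alice"}),         # OR default: still applies to alice
    ("IfUser", "AND !alice, !bob", {"alice"}),     # AND: alice is excluded
    ("IfGroup", "staff, webusers", {"staff"}),     # AND default: needs both groups
    ("IfGroup", "OR staff, webusers", {"staff"}),  # OR: either group is enough
    ("IfUser", "regex ^ftp", {"ftpadm"}),          # prefix regex also matches ftpadm
]

def evaluate_cases():
    """Evaluate every constructed case in order."""
    return [context_applies(*case) for case in CASES]

if __name__ == "__main__":
    for case, applied in zip(CASES, evaluate_cases()):
        print(f"<{case[0]} {case[1]}> for {sorted(case[2])}: applies={applied}")
```

Under "OR", every user satisfies at least one of two negated names, so <IfUser !alice, !bob> applies to everyone, including alice and bob.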
To install mod_ifsession, copy the mod_ifsession.c file into:
    proftpd-dir/contrib/
after unpacking the latest proftpd-1.2 source code. Then follow the usual steps for using third-party modules in proftpd:
    ./configure --with-modules=mod_ifsession
    make
    make install
Note that mod_ifsession should be the last module in the --with-modules list, if multiple modules are listed. This makes sure that mod_ifsession's changes will be seen properly by other modules.