login / logout scripts?

[Luke Jaeger]

I would like to run this command every time a user logs out:
touch ~/.lastLogout

Tried adding this to .logout but it didn't work. Tried renaming .logout to .bash_logout too.

Most users are connecting via SMB with AD auth but I'd like it to work for SSH logins too. Anyone know what's wrong here?

 

[m0nkey_]

The logout script file depends on the shell that's being used.

• bash shell: ~/.bash_logout
• tcsh / csh: ~/.logout

You can also set a 'trap' to run a script on logout in the .profile file:

Code:

trap '. $HOME/.my_shell_logout; exit' 0

 

[wblock]

This won't do a thing for SMB connections, as far as I know. Samba should have logs that might be useful, or even just running smbstatus periodically to a log.

What is the end goal? This could point out which users log in with SSH and then walk away, except it is trivial to circumvent.

 

[Luke Jaeger]

I have a nightly script that recurses thru all userhomes and changes certain permissions. It takes almost an hour. The end goal is to make it go faster.

On any given night, only a tiny number of those files have wrong permissions. I figured that if each userhome had a .lastLogin and .lastLogout file that get touched on each login & logout, I could make my script compare those timestamps to the time the script last ran. If a user hasn't logged in or out since last time the script ran, we know that user's permissions are OK.

I know it's a little fudgy, but it's an important component of our system for students submitting assignments to our code review system. Best combination of convenience, security, and anti-plagiarism we could come up with.

putting the 'touch' command into .bash_logout didn't do anything btw.

 

[Ericloewe]

I have a nightly script that recurses thru all userhomes and changes certain permissions.

Do I dare to ask why?

 

[Luke Jaeger]

Do I dare to ask why?

There's a pretty complex combination of permissions we need to enforce in order to allow faculty to do their jobs while preventing students from seeing one another's work, or posting source code in public folders either accidentally or on purpose.

 

[Luke Jaeger]

Adding this to the smb4.conf worked:

Code:

preexec = touch /mnt/pool1/userhomes/%U/.lastLogin
postexec = touch /mnt/pool1/userhomes/%U/.lastLogout

 

[anodos]

Sounds like you're using Unix permissions type with Samba +zfsacls. This is known to bork things up. A better option might be to eschew zfsacls in favor of either vfs.acl_xattr (and basically treat samba and Unix permissions differently) or just rely on POSIX modebits entirely.

 

[Luke Jaeger]

Yes I'm using a combination of Unix permissions and ACL's made with setfacl. It all seems to work OK -- what kinds of problems should I be looking out for?

 

[anodos]

Yes I'm using a combination of Unix permissions and ACL's made with setfacl. It all seems to work OK -- what kinds of problems should I be looking out for?

Any unix program that chmods a file with an ACL will strip extra ACL information for non-trivial ACLs. I've noticed that this can sometimes cause samba to freak out causing "deny" ACEs to be written on files.

Users being able to bypass your information security policies is fundamentally a problem and should be fixed.