Linux - GeneralThis Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Our reqt is , whenever any user logs in to the system , a script should get executed. This script will create a new file in respective Home Dir.
I tried writing such script and put it under /etc/profile.d/test { We have RHEL 4.0 }
But whenever the user logs in it gives error as
You could use "lastlog -u username" to obtain the last login of a user. To lock out an account, you can use "passwd -l username" instead of file in their home directory.
You could use "lastlog -u username" to obtain the last login of a user. To lock out an account, you can use "passwd -l username" instead of file in their home directory.
We are little reluctant to use lastlog as it does not consider YEAR . (Thats what we think) .
Another thing is that , how can we get a user's home directory in a shell.
E.g.
for i in `cat UserList`
do
HomeDir= {This variable should get the value of the respective User's
Home Directory in every iteration of "i" }
echo $HomeDir
done
Another thing is that , how can we get a user's home directory in a shell.
E.g.
for i in `cat UserList`
do
HomeDir= {This variable should get the value of the respective User's
Home Directory in every iteration of "i" }
echo $HomeDir
done
Something like this will give you the homedir of a specific user:
We are little reluctant to use lastlog as it does not consider YEAR . (Thats what we think) .
Another thing is that , how can we get a user's home directory in a shell.
E.g.
for i in `cat UserList`
do
HomeDir= {This variable should get the value of the respective User's
Home Directory in every iteration of "i" }
echo $HomeDir
done
The home directory is contained in a field of /etc/passwd. However, if you use the default setup, you probably have a directory under /home that has the same name as the user.
So you could have a loop like:
Code:
for dir in /home/*; do
....
done
Also, keep in mind that /etc/passwd has system users as well. The range of UIDs used for regular users differs for different distros. Mandriva & Fedora Core start at 500, whereas SuSE starts at 1000. Anyway, you will need to examine the UID to determine if the user in /etc/passwd is a regular user. The bottom and top range may be defined in /etc/login.defs.
Given the tests you need to perform, you may want to produce a temp file containing the usernames and then use that list as items in a loop.
Code:
passwords=$(cat /etc/passwd) # I'm always looking for excuses to use arrays in bash
for (( entry=0; entry<${#passwords[@]}; entry++ )); do
uid=$(echo ${passwords[$entry]} | cut -d':' -f1)
if [ $uid -ge 500 -a $uid -lt 2000 ]; then # regular users have uids between 500 and 2000 inclusively.
echo $(echo ${passwords[$entry]} | cut -d':' -f3) >reguserlist
fi # add user to list if in range.
done
for username in $(cat reguserlist);do
...
done
rm reguserlist
The normal lastlog entry does have the year:
Code:
Username Port From Latest
root tty1 Thu Jan 25 15:23:50 +0530 2007
daemon **Never logged in**
bin **Never logged in**
sys **Never logged in**
sync **Never logged in**
vivek tty1 Sat Jan 27 22:10:36 +0530 2007
pdnsd **Never logged in**
sshd **Never logged in**
messagebus **Never logged in**
bind **Never logged in**
I'm not at my linux machine to check the output of "lastlog -u username".
A user would be able to delete a ~/.last_date file before logging off.
Or even use the touch command using a date years in the future.
If you really don't want to use lastlog, you could list the access time for ~/.profile or ~/.bashrc, however, the user might be using another shell.
What are the permissions/owner/group of the .lastlogin_date file?
Hi Druuna,
Yes the problem with /etc/profile got resolved . How ?? Initially we thought just placing the script under /etc/profile.d would itself execute the script whenevera user logs in. But it didnt work ( Dont know whether it should be working this way ) .
So added an entry in /etc/profile file to execute the script. It worked !!
Last but not the least , we can place this script under any directory , it need not be /etc/profile.d.
Anyways ....thanks to you for showing concern!!!! Will meet sooon
[QUOTE=jschiwal]The home directory is contained in a field of /etc/passwd. However, if you use the default setup, you probably have a directory under /home that has the same name as the user.
So you could have a loop like:
Code:
for dir in /home/*; do
....
done
Yes you are correct. But we didnt want to take any chances as few of our systems are having users with non-default( other than /home) home directories. But thanks for pointing it out.
Quote:
Originally Posted by jschiwal
Also, keep in mind that /etc/passwd has system users as well. The range of UIDs used for regular users differs for different distros. Mandriva & Fedora Core start at 500, whereas SuSE starts at 1000. Anyway, you will need to examine the UID to determine if the user in /etc/passwd is a regular user. The bottom and top range may be defined in /etc/login.defs.
Given the tests you need to perform, you may want to produce a temp file containing the usernames and then use that list as items in a loop.
Code:
passwords=$(cat /etc/passwd) # I'm always looking for excuses to use arrays in bash
for (( entry=0; entry<${#passwords[@]}; entry++ )); do
uid=$(echo ${passwords[$entry]} | cut -d':' -f1)
if [ $uid -ge 500 -a $uid -lt 2000 ]; then # regular users have uids between 500 and 2000 inclusively.
echo $(echo ${passwords[$entry]} | cut -d':' -f3) >reguserlist
fi # add user to list if in range.
done
for username in $(cat reguserlist);do
...
done
rm reguserlist
We wrote a different code to find out regular user list but yes the above code is also worth.
Will definately give it a shot !!!! Thanks again
Quote:
Originally Posted by jschiwal
The normal lastlog entry does have the year:
Code:
Username Port From Latest
root tty1 Thu Jan 25 15:23:50 +0530 2007
daemon **Never logged in**
bin **Never logged in**
sys **Never logged in**
sync **Never logged in**
vivek tty1 Sat Jan 27 22:10:36 +0530 2007
pdnsd **Never logged in**
sshd **Never logged in**
messagebus **Never logged in**
bind **Never logged in**
I'm not at my linux machine to check the output of "lastlog -u username".
Yes even on Linux we get year field. But we are trying to manipulate things based on whether User has logged into the system for more than 90 Days or not. So we decided not to rely on to lastlog.
Quote:
Originally Posted by jschiwal
A user would be able to delete a ~/.last_date file before logging off.
Or even use the touch command using a date years in the future.
If you really don't want to use lastlog, you could list the access time for ~/.profile or ~/.bashrc, however, the user might be using another shell.
The above points you mentioned are really interesting and we have to give it a thought before we finalise things.
Maybe we would think of creating .last_date file for each user in a different location where regular users dont have access to. Will it help??
Listing the access time for ~/.profile is also a nice way . Will think over it and see if it fits our requirement.
Last but not the least .... Thanks a TON for your valuable advise. Its people like you and Druuna that make this Life more beautiful !!!!!!!!!!!!!
Now comes the issue of users who change their default shell. People who prefer something other than a bourne style shell are almost certain to change that as one of the first things when they get access to the system. I'll freely admit that it's something I do. So after 90 days, regardless of how often I log in, it looks like I have only been on once.
Frankly, using login scripts to monitor this is too much of a kluge to be reliable and is likely to be easily subverted by smart users who feel like it inconveniences them.
Now comes the issue of users who change their default shell. People who prefer something other than a bourne style shell are almost certain to change that as one of the first things when they get access to the system. I'll freely admit that it's something I do. So after 90 days, regardless of how often I log in, it looks like I have only been on once.
Frankly, using login scripts to monitor this is too much of a kluge to be reliable and is likely to be easily subverted by smart users who feel like it inconveniences them.
Hi ,
Listed nice points...... but then its without any suggestions ....so ..now waiting for it !!
Personally, you have some good suggestions... but let me tell you how to make them work.
Don't toss out the lastlog suggestion above... but if you feel it is not adequate then supplement it. Write a shell script which will take the output of lastlog, grab only the last day, and will parse them into a sorted file.
Have that same script produce a list of users who have not logged in for 90 days and output that list to a file somewhere.
Have this list called, daily, from cron. It will automate the whole thing... actually you can go even further... and have it email the users or deactivate their accounts automatically if they haven't been on for 90 days. Just be sure (if you automate it) to not deactivate/remove the root account.
#!/bin/sh
OLDMASK=`umask`
TIMESTAMP=`date +%s`
FILENAME=/tmp/accounting
TMPFILE=/tmp/accounting.new
EXPIRED=/tmp/expired.accounts
# This is the number of seconds until the account is out of date:
# 7776000 = 90 days
SECONDS=7776000
umask 077
if [ ! -f ${FILENAME} ]; then
touch ${FILENAME}
fi
#lastlog | awk '{print $1}' | while read LINE
lastlog | grep "`date | awk '{print $2, $3".*"$6}'`" | awk '{print $1}' | while read LINE
do
awk -v time=${TIMESTAMP} -v user="${LINE}" 'BEGIN{found=0}{if($2 == user){$1=time;found=1};print $0}END{if(found!=1){print time" "user}}' ${FILENAME} > ${TMPFILE}
mv ${TMPFILE} ${FILENAME}
done
sort -n ${FILENAME} > ${TMPFILE}
mv ${TMPFILE} ${FILENAME}
awk -v time=${TIMESTAMP} -v secs=${SECONDS} 'BEGIN{old=time-secs}{if($1<=old)print $2}' ${FILENAME} >> ${EXPIRED}
umask ${OLDMASK}
Here is something I just threw together... as an example... obviously, this is not what I would use in production. You would want those temp files somewhere else (probably under a protected directory only readable by the user running the program). This program is also simplified a lot (it could be more complex but I didn't see the need).
The people who have not logged in for 90 days would be put in /tmp/expired in this program. Also... you would need to modify this for the initial population of /tmp/accounting or else it will only catch those who don't use the system for 90 days after using it once this system is in place. It doesn't catch those who never log in... so that's another matter.
And so on. You could have the expired file mailed... oh, and one more thing... the current version doesn't remove the expired accounts from /tmp/accounts. That would require a trivial change (look at the last awk line) and is left as an exercise for the reader.
More could be done with this framework... but it gives an idea. And it also is outside the control of pesky users... and their evil ways.
#!/bin/sh
OLDMASK=`umask`
TIMESTAMP=`date +%s`
FILENAME=/tmp/accounting
TMPFILE=/tmp/accounting.new
EXPIRED=/tmp/expired.accounts
# This is the number of seconds until the account is out of date:
# 7776000 = 90 days
SECONDS=7776000
umask 077
if [ ! -f ${FILENAME} ]; then
touch ${FILENAME}
fi
#lastlog | awk '{print $1}' | while read LINE
lastlog | grep "`date | awk '{print $2, $3".*"$6}'`" | awk '{print $1}' | while read LINE
do
awk -v time=${TIMESTAMP} -v user="${LINE}" 'BEGIN{found=0}{if($2 == user){$1=time;found=1};print $0}END{if(found!=1){print time" "user}}' ${FILENAME} > ${TMPFILE}
mv ${TMPFILE} ${FILENAME}
done
sort -n ${FILENAME} > ${TMPFILE}
mv ${TMPFILE} ${FILENAME}
awk -v time=${TIMESTAMP} -v secs=${SECONDS} 'BEGIN{old=time-secs}{if($1<=old)print $2}' ${FILENAME} >> ${EXPIRED}
umask ${OLDMASK}
Here is something I just threw together... as an example... obviously, this is not what I would use in production. You would want those temp files somewhere else (probably under a protected directory only readable by the user running the program). This program is also simplified a lot (it could be more complex but I didn't see the need).
The people who have not logged in for 90 days would be put in /tmp/expired in this program. Also... you would need to modify this for the initial population of /tmp/accounting or else it will only catch those who don't use the system for 90 days after using it once this system is in place. It doesn't catch those who never log in... so that's another matter.
And so on. You could have the expired file mailed... oh, and one more thing... the current version doesn't remove the expired accounts from /tmp/accounts. That would require a trivial change (look at the last awk line) and is left as an exercise for the reader.
More could be done with this framework... but it gives an idea. And it also is outside the control of pesky users... and their evil ways.
Thanks a ton..This thread is really rising HIGH now. Cant wait to work on the above script. Wait for my feedback on above script.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.