How to execute logout and login scripts as root
I have tried login hooks, etc with no success. System is 10.7.3
What are you trying to do? There is always a way to make something work, but there is usually an easier way to do what you are really trying to accomplish.
I have a requirement to kill the network interface the instant the user logs out. The interface must remain dead until a new user logs in. I found the networksetup command that allows me to kill the interface. It will also allow me to reinstate the interface when a user logs in. The command requires root access. Thus, the need for a login and logout script running at root.
What does this accomplish?
What difference does it make if the network interface is running or not?
I assume that you forced the machine to require people to login.
What does forcing a network interface down on the router? Could you plug in another computer into the port and that computer would be able to use the interface?
I guess with the network interface up the machine would respond to ping & other network requests. Seems like you could permanently disable these network requests at all times.
I'd worry about someone modifying your root script.
Thus, the need for a login and logout script running at root.
May make you feel better, but I read that root scripts are not secure. If the user can figure out some way of suspending the script, they end up with root access. You need to write a C program & block all ways of suspending the program.
Robert
I already explained this to the customer and they have the requirement for this behavior, and do not care about the risks. In simple terms, I implement what they want or they go somewhere else. In other words it accomplishes their requirement.
Create a script to run while logged in and copy it to each user's ~/Library/LaunchAgents directory. I named this one com.etresoft.loggedin.plist.
Here is the script:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.etresoft.loggedin</string>
        <key>Program</key>
        <string>/usr/local/bin/loggedin</string>
        <key>RunAtLoad</key>
        <true/>
    </dict>
    </plist>
This will run your program at login and terminate it at logout. My demo loggedin program is this:
    #!/usr/bin/perl
    use strict;

    my $running = 1;

    # The agent is terminated at logout: record the logout and stop the loop.
    $SIG{TERM} =
      sub
        {
        system('/bin/echo -n "logout " >> /tmp/login; /bin/echo `date` >> /tmp/login');
        $running = 0;
        };

    # Runs once when the agent is loaded at login.
    system('/bin/echo -n "login " >> /tmp/login; /bin/echo `date` >> /tmp/login');

    # Stay alive for the whole session so the TERM handler can fire at logout.
    while($running)
      {
      sleep 1;
      }
You would replace those system commands with something meaningful.
Next, create a similar launchd config file that runs as root from /Library/LaunchDaemons. It should listen for activity on a named pipe. Your userland script will write text to that named pipe to set up or tear down the networking.
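A sketch of the root half of the design in the post above, added here as an example and not code from the thread: a LaunchDaemon helper that reads the named pipe and maps two fixed words to fixed networksetup calls, so nothing a user writes to the pipe is ever executed or passed as an argument. The pipe path, the service name "Ethernet" and the "serve" argument are assumptions.

```shell
#!/bin/sh
# Root-side helper meant to be started by a LaunchDaemon (added example).
# It reads one-word requests from a named pipe and maps them to fixed actions.
# Text read from the pipe is only compared against an allowlist.

FIFO="${FIFO:-/var/run/netgate.fifo}"          # hypothetical pipe path
SERVICE="${SERVICE:-Ethernet}"                  # assumed network service name
NETWORKSETUP="${NETWORKSETUP:-/usr/sbin/networksetup}"

# Translate a request word into the state to set; reject everything else.
request_to_state() {
    case "$1" in
        login)  echo on ;;
        logout) echo off ;;
        *)      return 1 ;;
    esac
}

# Apply one request. Returns non-zero for anything not on the allowlist.
handle_request() {
    state=$(request_to_state "$1") || return 1
    "$NETWORKSETUP" -setnetworkserviceenabled "$SERVICE" "$state"
}

# Create the pipe and serve requests until the daemon is stopped.
serve() {
    umask 077
    [ -p "$FIFO" ] || mkfifo "$FIFO" || return 1
    chmod 622 "$FIFO"        # root reads; other users can only write
    handle_request logout    # nobody is logged in yet: start disabled
    while :; do
        # The inner loop ends when a writer closes the pipe; reopen and wait.
        while IFS= read -r line; do
            handle_request "$line" || logger -t netgate "rejected request"
        done < "$FIFO"
    done
}

# Run the loop only when invoked with the (assumed) "serve" argument.
if [ "${1:-}" = "serve" ]; then
    serve
fi
```

The user-side agent would write `login` or `logout` to the pipe in place of the echo commands in the demo program. Any local process can write to the pipe, so the allowlist bounds what a writer can ask root to do; it does not authenticate who is asking.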
You can create login hooks and logout hooks - see this link. I'm pretty sure they run with administrator access.
That being said, it's sometimes your job to explain to clients that they don't know what they're talking about. This seems like an utterly senseless thing to do, and the fact that they place such a high priority on something that's seemingly senseless is a bad sign; people like that tend to miss real problems with their setup because they're obsessing over nonsense. You should get them to clarify just exactly what they think they are accomplishing by this. That will give you the opportunity to steer them in the right direction, which will simultaneously make their system more secure and make you look very smart. win/win.
twtwtw wrote:
You can create login hooks and logout hooks - see this link. I'm pretty sure they run with administrator access.
Login hooks are deprecated. Apple suggests avoiding them.
I don't disagree with anything anyone says about telling the customer this is a waste of time - it is. But I also know customers. Sometimes it is best to take the money and run.
etresoft wrote:
Login hooks are deprecated. Apple suggests avoiding them.
I don't disagree with anything anyone says about telling the customer this is a waste of time - it is. But I also know customers. Sometimes it is best to take the money and run.
Is that a 10.7 thing? Must have missed that memo. Deprecated is not defunct, though - they will probably still work through a couple of more revisions, and there's no way quite as easy to get that functionality.
With respect to customers, we'll have to disagree. Maybe it's just me, but I never let a customer's misunderstandings get in the way of giving them what they really ought to want. In the long run, someone too hard-nosed to listen to expert advice is going to be more of a headache than their money is worth; tighten your belt a little and save yourself the aggravation.
twtwtw wrote:
Is that a 10.7 thing? Must have missed that memo. Deprecated is not defunct, though - they will probably still work through a couple of more revisions, and there's no way quite as easy to get that functionality.
Not a 10.7 thing. Just a big old security hole. I think they have been deprecated for some time. Here is the documentation.
With respect to customers, we'll have to disagree. Maybe it's just me, but I never let a customer's misunderstandings get in the way of giving them what they really ought to want. In the long run, someone too hard-nosed to listen to expert advice is going to be more of a headache than their money is worth; tighten your belt a little and save yourself the aggravation.
No disagreement. It's just not our call.
etresoft wrote:
Not a 10.7 thing. Just a big old security hole. I think they have been deprecated for some time. Here is the documentation.
That's interesting. I've wondered for a while why Apple didn't build logout and sleep triggers into launchd. It seems like such an obvious move, particularly if they are going to deprecate logout hooks, and yet...
Well, in any case I finally got the thing to work. Customer is Windows based and had a requirement that could only be accomplished by a Mac. However, they want the Mac to act just like their Windows deployment. I have no maintenance responsibilities. The Windows folks get this mess. Thanks to all for the help.
twtwtw wrote:
That's interesting. I've wondered for a while why Apple didn't build logout and sleep triggers into launchd. It seems like such an obvious move, particularly if they are going to deprecate logout hooks, and yet...
I think the reason is Fast User Switching and the new Screen Sharing in Lion. "Login" and "Logout" are now so much more complicated. I think Apple just punted on this one.
I'm not sure why this feature would be something they would no longer support. If you want to run login scripts from a centralized location, similar to Windows login scripts, should you be able to do that in Workgroup Manager-Preferences-Login-Scripts section? I've been trying to get this to work and have had no successful results. My script will not run from the OD master, but will run on the client when initiated on the client itself.
Any help would be much appreciated.
I've been trying to get this to work and have had no successful results. My script will not run from the OD master, but will run on the client when initiated on the client itself.
You would be better to post a new thread. Don't hijack existing threads. Sometimes it can be hard to find how to start a thread. Look to the right for:
https://discussions.apple.com/community/mac_os/mac_os_x_technologies
-------------------------
Please explain what "this" in "get this to work" means.
Thanks