45 Suspending a User Account
#45 Suspending a User Account
Whether a user is being escorted off the premises by security for industrial espionage, a student is taking the summer off, or a contractor is going on hiatus, there are many times when it's useful to disable an account without actually deleting it from the system.
This can be done simply by changing the user's password to a new value that he or she isn't told, but if the user is logged in at the time, it's also important to log him or her out and shut off access to that home directory from other accounts on the system. When an account is suspended , odds are very good that the user needs to be off the system now, not when he or she feels like it.
Much of this script revolves around ascertaining whether the user is logged in, notifying the user that he or she is being logged off, and kicking the user off the system.
The Code
#!/bin/sh ## suspenduser - Suspends a user account for the indefinite future. homedir="/home" # home directory for users secs=10 # seconds before user is logged out if [ -z ] ; then echo "Usage: #!/bin/sh ## suspenduser - Suspends a user account for the indefinite future. homedir="/home" # home directory for users secs=10 # seconds before user is logged out if [ -z $1 ] ; then echo "Usage: $0 account" >&2 ; exit 1 elif [ "$(whoami)" != "root" ] ; then echo "Error. You must be 'root' to run this command." >&2; exit 1 fi echo "Please change account $1 password to something new." passwd $1 # Now let's see if they're logged in and, if so, boot 'em if whogrep "$1" > /dev/null ; then tty="$(who grep $1 tail -1 awk '{print $2}')" cat << "EOF" > /dev/$tty ************************************************************* URGENT NOTICE FROM THE ADMINISTRATOR: This account is being suspended at the request of management. You are going to be logged out in $secs seconds. Please immediately shut down any processes you have running and log out. If you have any questions, please contact your supervisor or John Doe, Director of Information Technology. ************************************************************* EOF echo "(Warned $1, now sleeping $secs seconds)" sleep $secs jobs=$(ps -u $1 cut -d\ -f1) kill -s HUP $jobs # send hangup sig to their processes sleep 1 # give it a second... kill -s KILL $jobs > /dev/null 2>1 # and kill anything left echo "$1 was logged in. Just logged them out." fi # Finally, let's close off their home directory from prying eyes: chmod 000 $homedir/$1 echo "Account $1 has been suspended." exit 0 account" >&2 ; exit 1 elif [ "$(whoami)" != "root" ] ; then echo "Error. You must be 'root' to run this command." >&2; exit 1 fi echo "Please change account password to something new." passwd # Now let's see if they're logged in and, if so, boot 'em if whogrep "" > /dev/null ; then tty="$(who grep tail -1 awk '{print }')" cat << "EOF" > /dev/$tty ************************************************************* URGENT NOTICE FROM THE ADMINISTRATOR: This account is being suspended at the request of management. You are going to be logged out in $secs seconds. Please immediately shut down any processes you have running and log out. If you have any questions, please contact your supervisor or John Doe, Director of Information Technology. ************************************************************* EOF echo "(Warned , now sleeping $secs seconds)" sleep $secs jobs=$(ps -u cut -d\ -f1) kill -s HUP $jobs # send hangup sig to their processes sleep 1 # give it a second... kill -s KILL $jobs > /dev/null 2>1 # and kill anything left echo " was logged in. Just logged them out." fi # Finally, let's close off their home directory from prying eyes: chmod 000 $homedir/ echo "Account has been suspended." exit 0 How It Works
This script is straightforward, changing the user's password to an unknown (to the user) value and then shutting off the user's home directory. If he or she is logged in, we give a few seconds' warning and then log the user out by killing all of his or her running processes.
Notice the sequence of sending a SIGHUP ( HUP ) to each running process, a hang-up signal, and then after a second sending the more aggressive SIGKILL (KILL) . The SIGHUP signal often, but not always, quits running applications, but it won't kill a login shell. SIGKILL , however, cannot be ignored or blocked by any running Unix program, so it's guaranteed 100 percent effective, though it doesn't give the application any time to clean up temp files, flush file buffers to ensure that changes are written to disk, and so forth.
Unsuspending a user is a simple two-step process of opening his or her home directory back up (with chmod 700 ) and resetting the password to a known value (with passwd ).
Running the Script
This script must be run as root , and it has one argument: the name of the account to suspend.
The Results
It turns out that Snowy has already been abusing his account. Let's suspend him:
$ sudo suspenduser snowy Please change account snowy password to something new. Changing password for user snowy. New password: Retype new password: passwd: all authentication tokens updated successfully. (Warned snowy, now sleeping 10 seconds) snowy was logged in. Just logged them out. Account snowy has been suspended.
Snowy was logged in at the time, and here's what he saw on his screen just seconds before he was kicked off the system:
************************************************************* URGENT NOTICE FROM THE ADMINISTRATOR: This account is being suspended at the request of management. You are going to be logged out in 10 seconds. Please immediately shut down any processes you have running and log out. If you have any questions, please contact your supervisor or John Doe, Director of Information Technology. *************************************************************
