Thread: killed users shell, but finger says they're still logged in
View Single Post

   
  #7 (permalink)  
Old 01-05-2008, 10:49 AM
base60
 
Posts: n/a
Default Re: killed users shell, but finger says they're still logged in
Randy Styka wrote:
> dalestubblefield@gmail.com wrote:
>> I cannot figure out where I can set to have the user logged out after a
>> certain period of idle time... It's not in SMIT?
>>
> As others have mentioned, many shells have a builtin way
> to log off idle users; often an environment variable called
> TMOUT. An issue is that this will only log off idle users
> who are at a shell prompt, not users in your applications.

This, is a very bad idea and one which will invariably piss
someone off a lot... and they'll have a legitimate gripe.

>
> To do this, you need some extra program to run and log them
> off. There are some available on the internet but we ran into
> problems in how they decided if a user was idle.

Precisely.

> Commands like
> "who -u" or "w" base idle time on when the keyboard was last
> used. So if a user is running a long, cpu bound job with no
> keyboard interaction, the programs that use the output of commands
> like "finger" or "who" will think the user is idle and log the
> user off.
>
> Our company wrote (and sells ;-) a product called LOGMON that
> monitors the cpu usage for each user, and their child processes.
> Then we can be sure the user really is idle before logging them
> off.

OK, let's assume you can be "sure" that a non-shell PID is sleeping.

Does that mean it's not legitimate or unwanted?

Sorry, but this sort of thing is almost sure to get SAs in really
deep shit sooner or later without mgmt buy-in at the top-end and,
even then, they'll piss and moan about you doing a bad job
adjusting it every time someone complains.

If you want to sell this, you need to push it to the lackwits
with the CISSP etc. cabbage after their names. They'll fall
for it being a security issue

Otherwise, installing these sort of thing is just more grief.

> You can vary the inactivity time by user, time of day, etc.
> And you can control how the user is actually logged off. If
> this is of interest, send an email to logmon@computronics.com
> for details or visit http://www.logmon.com. Thanks!

By the way, this was an Ad and you're really not supposed to
post them... even under the guise of being helpful.

On the possibility that you did mean well, I didn't report it
to earthlink's abuse dept... who probably wouldn't do much about
it, anyway LOL :-)
Reply With Quote