Very Computer

Is there an easy way to either script this function or use existing
Solaris methods to block logins at these times?

How would _you_ do it??  I'm pondering these ideas:
  -Use a script to dynamically change user shells to /bin/false in
/etc/passwd?
  -Modify the Solaris login binaries?  Is this feasible?
  -Restrict by location - not possible as it would restrict admins
too.

-Steve in Phx.

Quote:> I have several Solaris 7 and Solaris 8 production servers that turn
> into number-crunchers several times a month during heavy production
> processing.  I need to devise a way to selectively deny [most] users
> from logging into these systems at these times, yet still allow other
> critical support personnel to logon.  The problem I have now is that
> some users log on during heavy processing to do compiles or run test
> jobs, which slows down our production processes.
> Is there an easy way to either script this function or use existing
> Solaris methods to block logins at these times?
> How would _you_ do it??  I'm pondering these ideas:
>   -Use a script to dynamically change user shells to /bin/false in
> /etc/passwd?
>   -Modify the Solaris login binaries?  Is this feasible?
>   -Restrict by location - not possible as it would restrict admins
> too.

- You could reduce their quota to a number lower then current
  benefit, easily scriptable

- have a script that changes this users shell to /bin/nologin
-  if their shell respects a globel /etc/rc / /etc/login put the logic here
  won't work if the users are knowledhebal

- use NIS for userid/passwd, set up a speciasl NIS server for thses machines
  ( more easy to manipulate the passwd map then to manipulate the /etc/passwd)

- i do not know the state of PAM in solaris, but you might find a hook there,
  especially if all the affected users belong to one group.

But i would try the person-to-person convincing way, maybe to the
price of allocation another machine for these persons ( the might
have the opinion that _they also_ has an importent job.

Quote:>I have several Solaris 7 and Solaris 8 production servers that turn
>into number-crunchers several times a month during heavy production
>processing.  I need to devise a way to selectively deny [most] users
>from logging into these systems at these times, yet still allow other
>critical support personnel to logon.  The problem I have now is that
>some users log on during heavy processing to do compiles or run test
>jobs, which slows down our production processes.

>Is there an easy way to either script this function or use existing
>Solaris methods to block logins at these times?

>How would _you_ do it??  I'm pondering these ideas:

+:x:::::/opt/bin/nothere

/opt/bin/nothere politely suggests other machines to use and exits.
People in sysadmin get their usual shell, everyone else gets the not-here
shell. Deleting `/opt/bin/nothere' allows everyone back on.

nsswitch has to be changed to
passwd: compat
for this to work.
--
http://www.math.fsu.edu/~bellenot
bellenot <At/> math.fsu.edu
+1.850.644.7189 (4053fax)

                Hope this helps,
                        Don

--
***********************      You a bounty hunter?
* Rev. Don McDonald   *      Man's gotta earn a living.
* Baltimore, MD       *      Dying ain't much of a living, boy.
***********************             "Outlaw Josey Wales"

Quote:

>   Is there an easy way to either script this function or use
>   existing Solaris methods to block logins at these times?

>   How would _you_ do it??

  # cat /etc/passwd
  root:x:0:1:Super-User:/:/sbin/sh
  uucp:x:5:8:uucp Admin:/usr/lib/uucp:
  nobody:x:60001:60001::/:/bin/sync


  +:*:::::/local/etc/shells/nologin

--
Kjetil T.      /XXX\   /XXX\   /XXX\   /XXX\ /XX\  /XX\  /XX\  /XX\  ///
              ///X\\\ ///X\\\ ///X\\\ ///X\\///\\\///\\\///\\\///\\\///
             //// \\\X/// \\\X/// \\\X/// \XX/  \XX/  \XX/  \XX/  \XX/
            ////   \XXX/   \XXX/   \XXX/     http://folding.stanford.edu

/bin/ksh #or whatever shell

when they aren't supposed to login:
#!/bin/sh

echo "Hey, hey, go away!" #or something polite :-)

If you wanted to get fancy, do something like:
#!/bin/sh

if [ -e /etc/nologins ]
then
echo "Hey, hey, go away!"
else /bin/ksh

And if you wanted to impress people at parties, make a cron job that
makes or removes /etc/nologins based on the system load.

Creating a script and editing it is safer then editing your passwd file
every time you want to allow or disallow logins, as messing up the
passwd file can be very bad, but not letting lusers login until you fix
a script isn't so horrible ;-).

Be sure you write a man page (use the manedit, Luke) or something to
ensure that future SysAdmins know what's going on.  Or don't, and call
it job security (but maybe I'm just bitter over that happening to me).

--
+ http://www.not-real.org/~nick                                   +
+ How valuable is my contribution? Share your feedback at Affero: +
+ http://svcs.affero.net/rm.php?r=nick                            +

If there's a budget to solve these problems, you might look at:
        http://wwws.sun.com/software/resourcemgr/index.html

Otherwise, I'd go with the passwd file solutions mentioned earlier.

--
________________________________________________________________________


  Working for, but definitely not speaking for, Sun Microsystems, Inc.

Andreas.

--
Andreas Borchert, Universitaet Ulm, SAI, Helmholtzstr. 18, 89069 Ulm,  Germany

WWW:    http://www.mathematik.uni-ulm.de/sai/borchert/
PGP:    http://www.mathematik.uni-ulm.de/sai/borchert/pgp.html

<snip>

Quote:> Is there an easy way to either script this function or use existing
> Solaris methods to block logins at these times?

> How would _you_ do it??  I'm pondering these ideas:
>   -Use a script to dynamically change user shells to /bin/false in
> /etc/passwd?

Quote:>   -Modify the Solaris login binaries?  Is this feasible?

Quote:>   -Restrict by location - not possible as it would restrict admins
> too.

My choice would be to put each machine/group-of-machines in one of
three categories: production; prototype; and sandbox. Production for
the stable, needs-to-work, stuff. Prototype for testing, compiling
and config-bashing. Sandbox for the deliberate, 'what-happens-when-
I-do-this-thing-the-vendor-said-not-to-do' type of thing.  Then,
allow access to production for admins only, etc...

'Course, I don't know enough about the situation to say if this is
feasible for you...

Peace,

Petr

    Alan> comp.unix.solaris: |I have several Solaris 7 and Solaris 8
    Alan> production servers that turn |into number-crunchers several
    Alan> times a month during heavy production |processing.  I need
    Alan> to devise a way to selectively deny [most] users |from
    Alan> logging into these systems at these times, yet still allow
    Alan> other |critical support personnel to logon.  The problem I
    Alan> have now is that |some users log on during heavy processing
    Alan> to do compiles or run test |jobs, which slows down our
    Alan> production processes.

    Alan> If there's a budget to solve these problems, you might look
    Alan> at: http://wwws.sun.com/software/resourcemgr/index.html

Or, as an alternative solution, have a look at

http://www.aurema.com/products/products.htm

for the Aurema ARMTech resource manager. A further development of the
product used by Sun.

//Johan

--

Lysator ACS, Linkoping University, Sweden    Work:   +46-(0)8-5888 8315

Have a look here:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xbdb879bffde7d4118fef...

...there's a snippet of shell code suitable for your purposes. Search
down the page for "/etc/not_loginable"

Put the code in /etc/profile, customise it to your liking and manage
access via /etc/not_loginable.

I use this in a production environment to deny access to generic
accounts (forcing app administrators to su to the app account.) I think
it would be ideal for your purposes too.

HTH

The manual solution would be to do a who

NAME    LINE   TIME         IDLE   PID  COMMENTS
     martha  ttyp3  Apr 16 08:14 16:25  2240
     george  ttyp0  Apr 17 07:33   .   15182

and then phone george and martha...

A scripted solution would extract the login names and send mails to
george and martha (assuming that peolple login using their
personal accounts rather than some generic compile-account) or even kill
evrything which is attached to either ttyp3 or
ttyp0 (definitely a not-so-polite solution)

cheers
Robert

David