Send in your Unix questions today!


See additional Unix tips and tricks

It is not at all unusual for systems administrators to get a little antsy
when users' login sessions sit idle for hours or days. Not only can login
session consume resources, tie up software licenses and prevent file systems
from being unmounted but, since we generally can't see what is going on at
the user end of these sessions, we don't know whether these users could provide
opportunities for unauthorized individuals to execute commands and access data
under the guise of authorized users. A user who leaves for lunch without
logging out or securing his login sessions by locking his screen, for example,
might be giving someone else a chance to run commands using his account.



Unix systems provide a number of ways that sysadmins can log off users when
user login sessions are idle for more than a specified time. The choices
differ, however, in how they define "idle" and in how they determine the length
of time that a user has been idle.



Using TMOUT



The newer shells in the sh family (e.g., ksh and bash) provide a timeout
variable, TMOUT, that can be used to end idle sessions. If TMOUT is set to
any value greater than 0, the shell will end after a prescribed number of
seconds have passed without command activity. Two of the most popular shells,
ksh and bash, provide the TMOUT variable, but process the TMOUT limit a bit
differently. Bash counts down and exits the shell after $TMOUT seconds. Ksh,
on the other hand, counts down $TMOUT seconds, warns the user about the impending
timeout and then waits an additional 60 seconds before exiting the shell. If
you want to see this behavior in action, try this:



In one login session, type /bin/bash to enter a secondary shell and type the
command "TMOUT=5". After five seconds, your secondary shell will exit as shown
here:

bash$ TMOUT=5
bash$ timed out waiting for input: auto-logout

In a second login session, type /bin/ksh to enter a secondary shell and type the
same "TMOUT=5" command. After five seconds, you should see the second line shown
below and, after another sixty seconds, your shell with exit.

$ TMOUT=5
shell will timeout in 60 seconds due to inactivity
/bin/ksh: timed out waiting for input

You can set TMOUT in users' dot files (e.g., ~/.profile) to establish timeout
limits or in system files like /etc/profile that affect all users. If you were
to add the command "export TMOUT=900" to one of these files, you would be setting
your users' idle timer to allow 15 minutes of inactivity before a session
termination begins.



The TMOUT variable can be useful when your users simply forget to log off.
However, there are two important things to remember when considering this
technique: 1) any savvy user can easily unset the counter with an "unset TMOUT"
command or can reset it to a much more generous timeout value if he is so
inclined and 2) that some system processes, such as editing a file, constitute
activity, even if the user is far away and sound asleep at the time. While this
view of "activity"

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine