John Hasler wrote: > Lisi Reisz wrote: > > The OP is trying to lock a large batch of students (I think 3 or 4 > > figures) out for the duration of the vacation. Two students have to > > be left with access. But to lock each of the others out individually > > would be a big deal, and the OP is looking for a method that would > > enable him to lock them out as a bunch. They all belong to the same > > group, including the two who still have to have access. > > Write a trivial script to use chsh to change every group member's shell > to nologin and then change the two special ones back by hand or provide > a skip file.
For example:
for account in $(cat accounts.list); do
chsh -s /usr/sbin/nologin $account
done
> A clever script would save each user's current shell to a file so that
> another similar script (or the same script called with different
> options) could read from the file and change it back.
For example:
for account in $(cat accounts.list); do
getent passwd rwp | awk -F: '{print$1,$NF}'
done > accounts.shells.list
Then later:
while read account shell; do
echo chsh -s $shell $account
done < accounts.shells.list
> You may also want to log out all of the to-be-locked-out users and kill
> all their processes. "man pkill", "apt-cache show slay".
If you worry about that then you probably want to worry about turning
off any user local crontabs that they might have too. I would just
save them off from /var/spool/cron/crontabs and restore them later.
Or since they are students the policy might be no persistent crontabs
and simply to remove them.
> A single fairly simple script can do all of this. It's the sort of
> thing that Unix admins were expected to know how to write.
Yes. But I tend to do these things on the command line since they are
simply "one-liners".
Bob
signature.asc
Description: Digital signature
