delete user on logout
 

Hello Everyone

I want a shell script that will delete a user when they logout but NOT a local admin account.

I am thinking along the lines of :-

#!/bin/sh -f

if
whoami = "admin"
then exit
else
nicl / -delete /users/$1
rm -r /Users/$1

fi

However, the test does not seem to get the name of the logged on user from the whoami command.

Any help would be appreciated.

thanks

Let's leave aside for the moment the issues of your incorrect shell syntax (but you had better be more of an expert before you go doing dangerous things like deleting user accounts!).

Tell us how these user accounts are getting created.
And note that a normal (non-admin) user cannot delete their own account - your script would need to run with 'root' privileges. How are you running the script?

The users will be students logging on with AD. The script will be run on logout with Mike Bombich's window login manager which runs as an admin user.

When they login, a fresh set of home folders are setup (copied from default.lproj). They can do what they want but when they logout, the home folders are trashed.

The script works fine but I don't want it to trash the local admin account if I have to logon to the machine for any reason.

I'm not sure, but it seems like you are confusing deletion of the account with deletion of the home folder. Deleting the home folder is merely a filesystem operation and has nothing to do with the account.

I am not confused at all. I want the accounts deleted as I don't want the machines to end up with hundreds of accounts.

Okay, so I'm assuming then that the login hook script (which you haven't shown us) is doing some 'nicl' to create the account.
And the $1 in the logout hook script is the shortname of the user who is logging out.
So what is the problem again?

There is no logon hook used to create the users. Our students will log on as AD users with home folders on the local machine and an "H" drive, sitting on a windows server, mounted for them to save work in.

When they are finished, I want their account and home folders deleted but I don't want my local admin account trashed when I log on/off the machines.

$1 is the variable for the current user. The admin username is fred.

I am trying to get this to work :-

#!/bin/sh -f

user =$(who) # returns logged on username

if $user = "fred"
then exit
else
nicl / -delete /users/$1
rm -r /Users/$1
fi

If I don't use the contition test, the account is trashed so the $1 variable does work, so why can't this work ?

tried this as well....

if $1 != "fred" # is not fred

then do.....

else exit.

As an observer, can someone tell what "AD" is?

Kaptagat--I'm confused. You say you are not creating accounts, yet you are afraid that the machine will end up with hundreds of them?

Chris

AD == Active Directory, Microsoft's authentication/etc of the future.

chabig

When an AD user logs into a mac for the first time, the account and its associated home folders are created by the system. The AD plug-in works well, users can change passwords and their "H" drive is mounted automatically.

The latter is the one big advantage this has over the LDAP method I am currently using in the labs.

That's interesting. I'm not familiar with Active Directory. But in my experience, you have always had to have an account on a machine to log into it (even a public or guest account). So when an AD user logs into a Mac server they get their own account, but with what features? Is it just network storage, or do they have some kind of access to shared resources and apps?

Chris

Chris

This nothing to do with Mac servers, the Active Directory is on windows servers.

Accounts get created "on the fly" so as to speak. In this regard, Macs behave much the same as our PCs. You don't have to have a local account to log onto a PC if it is authenticatiing to an AD, however, users must have an account on the AD itself. In our institution, these accounts are created automatically by systems during a student's registration process.

I see. As I don't want to hijack your thread, I'll now just watch. But before I do, would it be out of line to suggest that it might be simpler not to delete each during logout. It might be much easier let them accumulate and have a script that could run once per day to delete all accounts except your admin account.

Chris

example of sh syntax for testing for equality
 

This small script illustrates the recommended syntax for testing for equality of strings:
Recommended reference on Bash:
http://www.tldp.org/LDP/abs/html/

Thanks for this. I actually had managed to get this to work :-

#!/bin/sh -f

user=$(whoami)
if [ "$user" = "fred" ]
then exit
else
nicl / -delete /users/"$user"
rm -r /Users/"$user"
fi

But I found that the machine was hanging just before the login window when it was re-started, so I think the netinfo database was being corrupted somehow when the accounts got trashed so it is back to the drawing board.

Perhaps nuking the corresponding cache-files would help ?

Have you tried the nicl commands manually and then examined the netinfo database to see if they did what you wanted?
One command that is useful in looking at the database is:
nidump passwd /

I think you might do better to follow chabig's suggestion. E.g. you could keep a backup of the netinfo database with just the local users and then restore this backup with a cron job once a day or something.

See also Apple's article on restoring from backup:
http://docs.info.apple.com/article.html?artnum=107210

I decided to adopt the KISS principle (keep it simple stupid)

so used :-

#!/bin/sh -f
rm -r /Users/$1

which works fine, all home folders are trashed on logout and new ones are made, on login, from customized ones in the english.lproj folder.

So I got brave (silly me) and tried a conditional test again :-

#!/bin/sh -f
username=$(whoami)
if [ "$username" = "fred" ]; then
echo "bye"
else
rm -r /Users/$1
fi

Testing this within scriptgui as "fred" returns "bye".
Testing it from Mike Bombich's loginwindowmanager, as "fred", returned
"the script appears to have executed successfully" whilst it happily trashed "fred's" home folders !
Testing it during actual logouts showed that the home folders were being deleted irrespective of the logged on user. Could it be that the loginwindowmanager application cannot handle conditional testing within scripts ? Or might it be the case it doesn't know how to handle an "echo" command ?

I am not infront of my Mac to test this, but try this snippet instead (just removing the double quotes around the $username)...
EDIT:
OP found the error and posted, also my above code is wrong anyway, the double quotes are needed around $username in the comparison.

Or could it be that logout-hook scripts run as 'root' and hence 'whoami' gives 'root' instead of the user who is logging out ?
That is the reason why you should be using the argument ($1) to the script instead of using 'whoami'.

Thanks, it was running as root and using $1 fixed it.

The working script now looks like :-

#!/bin/sh -f

username=$1
if [ "$username" = "fred" ]; then
echo "bye"
elif [ "$username" = "root" ]; then
echo "bye"
else
rm -r /Users/$1
fi
------------------------------------------

One last question, the echo command seems "messy", is there another way to say if ... then do nothing ?

The ! operator in unix makes checks for NOT, and the && operator is a logical AND. Therefore,

Should be all you need.
Of course, given the extreme nature of what you are doing, you should test this script first.

Chris

Hayne, in the preceding reply, is correct. Login/logout hooks run as root. That's why you must use the $1 argument.

Anyways, just to provide some verification, I believe you're finally doing it right. When you log into a network user (i.e. a user from an Active Directory or an LDAP/Open Directory), the NetInfo database on the local machine isn't modified at all. All you need to do is delete the user's home directory from the file system.

In my setup, all the students use the same login. However, just in case someone logs out accidentally or has a crash, I don't want to erase their data right away. My version of your script movies their home directory to a folder in /Library. I use a single 'rm' command via cron every night to clean the folder out.

Thanks weltonch 777

Works a treat and is short and elegant. Yours is the one I'm going with.

I will also use a version on login which "blows away" all the rubbish folders such as movies and sites.

Thanks to everyone for their help.

this is just what i was looking for, thnx to all the people that shared their knowledge

X@vier