#1 |
|
Prospect
Join Date: Mar 2004
Location: New York
Posts: 18
|
How do I run a script at user login?
Prior to Tiger, OSX had a LoginHook/LogoutHook feature that allowed you to run an arbitrary shell script whenever a user logged in or out. In Tiger, this feature has been abruptly removed (thanks for the advance warning, Apple) supposedly replaced by something else, but I can't find any coherent information on how to duplicate the functionality of LoginHook/LogoutHook under Tiger. Can anyone enlighten me?
#2 |
|
Triple-A Player
Join Date: Nov 2002
Location: Frankfurt, Germany
Posts: 167
|
Unbelievable! You're absolutely right, this doesn't work anymore. And the information that Apple provides reads like a parody. Here's what the document "System Startup Programming Topics" has to say about the topic:
Code:
The -LoginHook and -LogoutHook parameters were particularly useful because they permit custom administrative, accounting, or security programs to run as part of the login and logout procedures. |
#3 |
|
Moderator
Join Date: May 2003
Posts: 4,272
|
It's second-hand info, but I have it on reasonably good authority that the documentation is going to be changed. The capability is not meant to be deprecated, even though they did get rid of one way of doing it. Previously, you could either modify your ttys file to add the parameters to the command that launches loginwindow, or you could put the parameters in loginwindow's plist file. You can no longer use the plist. Use the example in Apple's documentation here to see how to modify your /etc/ttys file to make it work again.
#4 |
|
Prospect
Join Date: Mar 2004
Location: New York
Posts: 18
|
LoginHook option not working
I've tried the -LoginHook options but they don't seem to be working. Here's the console line from my /etc/ttys:
console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow -LoginHook /local/lib/login/LoginHook.osx -LogoutHook /local/lib/login/LogoutHook.osx" vt100 on secure onoption="/usr/libexec/getty std.9600"
What am I doing wrong?
#5 |
|
Triple-A Player
Join Date: Nov 2002
Location: Frankfurt, Germany
Posts: 167
|
Your "reasonably good authority" is wrong, modifying the /etc/ttys doesn't work either. Which is what the document I linked to says:
Code:
To use the loginwindow hooks on versions of Mac OS X prior to 10.4, you must modify the code for launching loginwindow found in /etc/ttys.
#6 |
|
Site Admin
Join Date: Jan 2002
Location: Montreal
Posts: 32,473
|
A file named "TODO" in the 'launchd' source code (available as part of Darwin) shows "per user support" as one of the items that presumably will get implemented as time is available.
No further details, but I might guess that login/logout hooks would be part of this. |
#7 |
|
Prospect
Join Date: Mar 2004
Location: New York
Posts: 18
|
So because they plan on implementing a replacement for LoginHooks, they disable the old feature before the replacement is available? Unbelievable!
#8 |
|
Moderator
Join Date: May 2003
Posts: 4,272
|
There's quite a storm on Apple's Client Management mailing list about this very issue. It appears that if you use the 'defaults' command in the Terminal and 'sudo' it, this works.
Code:
sudo defaults write com.apple.loginwindow LoginHook /path/to/script
I'm trying to understand how the defaults system works in 10.4. When you use the 'defaults read' command, you never ever get keys from any of the files in /Library/Preferences. Only the stuff in ~/Library shows up. And after doing the command above, if you do
Code:
defaults read com.apple.loginwindow
I think it makes no sense that items in /Library are ignored but items in the root user's home directory take effect for all users. Is that how things normally work?
#9 |
|
All Star
Join Date: May 2004
Location: london on ca
Posts: 930
|
I'm glad that 'sudo defaults write...' for login hooks works. Thanks for the update. As for writing the preference to root's "Library", I suppose that sort of makes sense if "loginwindow" is running as "root"... I know that the language used in the main login window is determined by the language set in the "root" user's ".GlobalPreferences.plist" file. Ok so maybe that doesn't make sense either, but it is a precedent.
But as long as it works, the new way should be considered an improvement since it would mean it is no longer possible for someone logged in to an "admin" account to add a "login hook" (intentionally or via trojan) without supplying a password. Given that scripts launched by "login hook" run as root, the issue of "/Library" and "/Library/Preferences" being writable by "admin" group users being a problem has come up before. There was a bug in earlier "Panther" versions (I haven't checked lately to see if it's still there) in which a non-admin could acquire write privileges to "admin" writable directories which made "login hooks" a huge security hole.
#10 |
|
Moderator
Join Date: May 2003
Posts: 4,272
|
They fixed the pref file issue anyway. If you look in /Library/Preferences, all those files are owned by root and writeable only by owner. If you change one (like add g+w to com.apple.loginwindow.plist) and reboot, you'll see it's been changed back. Given that it requires an admin password to do the 'chmod' in that case, they could have left the LoginHook capability there and still had it protected.
What cracks me up about the whole thing is that Mike Bombich just released a revision of his LoginWindow Manager that works in 10.4. And even he didn't know you had to write those keys to a different location; it still writes them in /Library/Preferences/com.apple.loginwindow.plist. |
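
Posts #9 and #10 turn on who can write to the hook and to the directories around it, since a login hook runs as root. As an added example (not part of any poster's message, and not Apple's code), the script below checks that a configured hook script and every directory above it are owned by root and are not group- or world-writable. The names `path_is_locked`, `audit_hook`, `TRUSTED_UID` and the stop-directory argument are introduced here for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. TRUSTED_UID and the optional stop
# directory are assumptions so the check can also be exercised unprivileged.
TRUSTED_UID="${TRUSTED_UID:-0}"

# path_is_locked PATH: succeeds only if PATH is owned by TRUSTED_UID and is
# neither a symlink nor group/other writable.
path_is_locked() {
    # "ls -ldn" prints "<mode> <links> <uid> ..." on both BSD and GNU userlands.
    info=$(ls -ldn "$1" 2>/dev/null | awk '{print $1, $3}')
    [ -n "$info" ] || return 1              # missing or unreadable
    mode=${info% *}; owner=${info#* }
    [ "$owner" = "$TRUSTED_UID" ] || return 1
    case "$mode" in
        l*) return 1 ;;                     # symlink: its target is not checked here
        ?????w*|????????w*) return 1 ;;     # group-write or other-write bit set
    esac
    return 0
}

# audit_hook SCRIPT [STOP_DIR]: checks SCRIPT and every parent directory up
# to STOP_DIR (default /). Prints each weak component; returns 1 if any.
audit_hook() {
    p=$1; stop=${2:-/}; bad=0
    case "$p" in /*) ;; *) echo "WEAK: $p (not an absolute path)"; return 1 ;; esac
    while :; do
        path_is_locked "$p" || { echo "WEAK: $p"; bad=1; }
        if [ "$p" = "$stop" ] || [ "$p" = "/" ]; then break; fi
        p=$(dirname "$p")
    done
    return "$bad"
}

# On Mac OS X, when run as root: audit the hooks set in root's domain.
if command -v defaults >/dev/null 2>&1; then
    for key in LoginHook LogoutHook; do
        hook=$(defaults read com.apple.loginwindow "$key" 2>/dev/null) || continue
        audit_hook "$hook" || echo "$key can be tampered with: $hook"
    done
fi
```

Run it with sudo so that `defaults read` consults root's domain, which is where the thread found the keys take effect.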
#11 |
|
MVP
Join Date: Apr 2004
Location: Hello London Calling
Posts: 1,787
|
#12 |
|
Moderator
Join Date: May 2003
Posts: 4,272
|
Yeah, I thought that was pretty funny. Clearly there are some Apple employees on the mailing lists. I don't think there's a single Mac forum I visit that hasn't had discussions on this topic.
Apparently though, 10.4 Server adds Login and Logout Hooks to its managed preferences. I won't get my copy for a couple months, but hopefully this whole discussion will be moot for me. :-) |
#13 |
|
Triple-A Player
Join Date: Nov 2002
Location: Frankfurt, Germany
Posts: 167
|
giskard22, you're the man! I just came home to my Tiger box, and with "sudo defaults write ..." my logouthook is working again. Thanks for pointing that out. And shame on Apple for their abysmal system of not informing customers about these changes.
#14 |
|
Triple-A Player
Join Date: Mar 2004
Posts: 81
|
What if BOTH of us want to create a login hook
a) Product A (myProg) changes LoginHook on installation via the postinstall script.
b) Product B (yourProg) changes LoginHook on installation via the postinstall script.
Guess what? myProg doesn't launch anymore. I'm staying with /Library/Preferences/loginwindow.plist. It works uniformly on 10.2.x, 10.3.x, 10.4. That allows multiple entries in the array AutoLaunchedApplicationDictionary. Symantec uses it.
#15 |
|
Moderator
Join Date: May 2003
Posts: 4,272
|
I'm fairly sure Apple would say that loginhooks aren't a "proper" way to make your program function. It may just be the circles I run in ;-), but every use I've heard of for them has been people doing client management, like a bunch of systems in a computer lab. And let me tell you: Symantec is generally a great example of how not to do things. Their products have been causing havoc under OS X since day 1. Every time there's an OS update, something breaks.
And I'm not sure you're talking about the same capability. Login and Logout Hooks are generally used by people who want to make changes to the file system before or after a user session. They aren't designed to be a launching mechanism for processes that are going to be running during the user session. I use them to automatically refresh certain home directories so our lab computers always appear fresh to the next user. For stuff that's going to happen once the GUI loads, I use regular login items. |
#16 |
|
Triple-A Player
Join Date: Mar 2004
Posts: 81
|
What IS recommended?
What I need is the ability to launch the application every time any user logs in. I have a daemon. Each user on a machine has to have the ability to uniquely configure the daemon via an LSUIElement application (an Apple Menu Bar item like sound volume). If the user logs out and a new one logs in, the daemon must be configured to that user's specification. Currently I do this by relaunching the app and reading that user's preferences. Any ideas?
#17 |
|
Site Admin
Join Date: Jan 2002
Location: Montreal
Posts: 32,473
|
Umm, why aren't you just adding your app to each user's Login Items? |
#18 |
|
Triple-A Player
Join Date: Mar 2004
Posts: 81
|
That is the long way
Yep - I can go through the users and add the app to each ~/Library/Preferences/loginwindow.plist. One problem with that is any new user added after the installation would not get the app launched. About a year ago, I discovered an undocumented feature that the file /Library/Preferences/loginwindow.plist is used by every user.
So my issue is still that it is easy to add an entry into AutoLaunchedApplicationDictionary via "defaults add" when using the command line (or the postinstall/postupgrade script). But the problem is that it is not easy to delete one item from the array via the command line. I'm writing a Bash script to edit the file. If there is another way to get this all done, I'd like to see a link to the process.
#19 |
|
Site Admin
Join Date: Jan 2002
Location: Montreal
Posts: 32,473
|
I would consider that a feature - each user (or administrator who controls that user's account) can decide whether or not your app is desired. Don't underestimate the usefulness of having "vanilla" user accounts for troubleshooting. |
#20 |
|
Triple-A Player
Join Date: Mar 2004
Posts: 81
|
Not that easy...
My daemon takes over certain I/O features. One of the UI options is to bypass. A vanilla user would not work without the app running.