Temporarily disabling terminal logins

I am responsible for a Red Hat 8 system with lots (~200) of users on
character
terminals. This system was recently moved from SCO OSR5.

One task I used to be able to do with OpenServer was to temporarily
disable logins on a terminal with the disable command. This left the
user logged in, but changed /etc/inittab so that no new getty would be
spawned when he logged off.

I have tried to reproduce this behavior with Red Hat but found that if
I change an inittab entry for a tty from "respawn" to "off" and then
do a telinit q, the user gets dumped. This is a no-no for our system.

Does anyone know how I can cause init to not respawn gettys on a tty
after the current session ends, but not to kill the current session?

TIA * 10E6.

Some Guy wrote:
> I am responsible for a Red Hat 8 system with lots (~200) of users on
> character
> terminals. This system was recently moved from SCO OSR5.
>
> One task I used to be able to do with OpenServer was to temporarily
> disable logins on a terminal with the disable command. This left the
> user logged in, but changed /etc/inittab so that no new getty would be
> spawned when he logged off.
>
> I have tried to reproduce this behavior with Red Hat but found that if
> I change an inittab entry for a tty from "respawn" to "off" and then
> do a telinit q, the user gets dumped. This is a no-no for our system.
>
> Does anyone know how I can cause init to not respawn gettys on a tty
> after the current session ends, but not to kill the current session?
>
> TIA * 10E6.

Try 'man nologin':

> If the file /etc/nologin exists, login(1) will allow access only to

> root. Other users will be shown the contents of this file and their
> logins will be refused.

--
Ben M.

----------------
What are Software Patents for?
To protect the small enterprise from bigger companies.

What do Software Patents do?
In its current form, they protect only companies with
big legal departments as they:
a.) Patent everything no matter how general
b.) Sue everybody. Even if the patent can be argued
invalid, small companies can ill-afford the
typical $500k cost of a law-suit (not to mention
years of harassment).

Don't let them take away your right to program
whatever you like. Make a stand on Software Patents
before its too late.

Read about the ongoing battle at http://swpat.ffii.org/
----------------

Someone claiming to be Ben Measures
<saint_abroadremove@removehotmail.com> allegedly wrote:
> Some Guy wrote:
> > I am responsible for a Red Hat 8 system with lots (~200) of users on
> > character
> > terminals. This system was recently moved from SCO OSR5.
> >
> > One task I used to be able to do with OpenServer was to temporarily
> > disable logins on a terminal with the disable command. This left the
> > user logged in, but changed /etc/inittab so that no new getty would be
> > spawned when he logged off.
> >
> > I have tried to reproduce this behavior with Red Hat but found that if
> > I change an inittab entry for a tty from "respawn" to "off" and then
> > do a telinit q, the user gets dumped. This is a no-no for our system.
> >
> > Does anyone know how I can cause init to not respawn gettys on a tty
> > after the current session ends, but not to kill the current session?
> >
> > TIA * 10E6.
>
> Try 'man nologin':
>
> > If the file /etc/nologin exists, login(1) will allow access only to
>
> > root. Other users will be shown the contents of this file and their
> > logins will be refused.
>
> --
> Ben M.

{ snip big .sig }

I guess my question wasn't clear.

I don't want to prevent all non-root users from logging in anywhere
(what nologin(5) does).

I don't want to prevent some particular user from logging in anywhere
(what nologin(8) does).

I want to prevent any user from logging in on some particular tty or
ttys, while allowing users to log in on other ttys. I want to do this
without sending a SIGKILL to processes that have the tty that is going
down as a controlling tty at the time I start. I have good reasons for
both of these requirements.

I did find a solution of sorts after posting the first question.

I got a copy of the sources for the SysVInit rpm, and looked at
init.c. I had some notion of hacking it to act like OSR5 init, but
that's probably insane.

I noticed that while SysVInit's init does unconditionally kill all
children of entries whose action fields have changed, it doesn't kill
children whose entries have changed command fields.

Since I'm using agetty, I can write a script that echos "this terminal
is disabled" and exits, and use it as a login program. That gets me
most of the way there, if I also track down and kill the gettys that
are using the default login program...

If anybody knows a less ugly way to do this, I'd appreciate hearing
about it.

TIA * 10E6.