We have found a problem on Mac OS X systems used for acquiring laboratory images of experimental work. The systems run under a shared guest account, which is left logged in most of the time. The issue arises when users connect by AppleShare (AFP) to other servers or systems to transfer their images for further analysis or for long-term storage. Despite printed notices, many of these sessions are not disconnected when the transfers are complete, and we have frequently found four or more open AFP connections to various other systems.
This is obviously a security issue: anyone who sits down at the still-logged-in guest account can read, modify or delete the connected users' documents on the remote machines. It is also counterproductive, since an open AFP session to one account on a server prevents authentication to any other account on the same server. That confuses people and leads to even less secure behaviour, such as loosening the file protections on their server accounts so that whatever account happens to be connected can write to them.
To reduce the impact, we have devised a cron/awk command which drops all AppleShare connections on the imaging systems once a day, at a time when the system is most likely to be idle. The following line in the root crontab achieves this:
0 4 * * * mount | awk '/^afp_/ { system("umount " $3) }'
Note that the blank inside the quoted "umount " is important: it separates the command from the mount point that awk appends. The first field must be 0, not *; a line starting "* 4 * * *" would run the command every minute from 4:00 to 4:59 rather than once. (If cron's PATH does not include /sbin, write /sbin/mount and /sbin/umount in full.) This works by running every morning at 4:00 (the 0 4 * * *) and
executing mount, which will produce a display like this:
/dev/disk2s3 on / (local, journaled)
devfs on /dev (local)
fdesc on /dev (union)
<volfs> on /.vol
automount -nsl [107] on /Network (automounted)
automount -fstab [111] on /automount/Servers (automounted)
automount -static [111] on /automount/static (automounted)
afp_0TRsNo11NoyJ0Zw3CF11Ag0t-1.2c00000c on /Volumes/pstockwell (nodev, nosuid, mounted by pstockwell)
where the line starting afp_.... is the AppleShare connection; its third field ($3 in awk) is the mount point that umount needs.
To install the line, edit root's crontab:
$ export EDITOR=pico # or nano, emacs or preferred command line editor
$ su # become root
$ crontab -u root -e # start editing session
Log out of the root shell (exit) afterwards. The $ represents the unix prompt and shouldn't be typed. The characters after # are comments and should be omitted as well (including the #). The default editor is vi, which will be invoked if export EDITOR=x is not done first.
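The one-liner above breaks if a mounted share has a space in its name (for example /Volumes/Lab Images), because awk's $3 is then only the first word of the path and umount is handed a mount point that does not exist. The script below is an added example, not part of the original hint: it parses the mount output by stripping the fixed "afp_<id> on " prefix and the trailing "(options)" instead of splitting on blanks, reports volumes that refuse to unmount, and has a dry-run mode so it can be checked from the guest account before being installed in root's crontab. The sample mount output, the /Volumes/Lab Images share and the script path /usr/local/sbin/unmount-afp.sh are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original hint: unmount every AFP volume
# listed by mount(8), keeping mount points that contain spaces intact.
# Suggested crontab line (the script path is an assumption for this example):
#   0 4 * * * /usr/local/sbin/unmount-afp.sh

# Read mount(8) output on stdin and print the mount point of each AFP volume.
# A mount line looks like:
#   afp_<id> on /Volumes/Name (nodev, nosuid, mounted by user)
# $3 would only give "/Volumes/Lab" for "/Volumes/Lab Images", so drop the
# fixed prefix and the trailing "(options)" instead of splitting on blanks.
afp_mountpoints() {
    awk '/^afp_/ {
        mp = $0
        sub(/^afp_[^ ]+ on /, "", mp)   # drop "afp_<id> on "
        sub(/ \([^)]*\)$/, "", mp)      # drop " (nodev, nosuid, ...)"
        print mp
    }'
}

# Unmount each mount point read on stdin, one per line.
# With "dry-run" as the first argument, print the commands instead of running
# them, so the script can be checked before it is installed under cron.
# /sbin/umount is written in full because cron's PATH may not include /sbin.
unmount_each() {
    while IFS= read -r mp; do
        if [ "${1:-}" = "dry-run" ]; then
            printf 'umount "%s"\n' "$mp"
        elif ! /sbin/umount "$mp"; then
            # A busy volume (open file, shell cd'd into it) makes umount fail;
            # report it so the cron mail shows which session survived.
            printf 'unmount-afp: could not unmount %s\n' "$mp" >&2
        fi
    done
}

# Constructed sample of mount(8) output for the demonstration below; the
# second AFP line has a share name containing a space.
SAMPLE_MOUNT_OUTPUT='/dev/disk2s3 on / (local, journaled)
devfs on /dev (local)
afp_0TRsNo11NoyJ0Zw3CF11Ag0t-1.2c00000c on /Volumes/pstockwell (nodev, nosuid, mounted by pstockwell)
afp_2xYz9Lab0001-1.2c00000d on /Volumes/Lab Images (nodev, nosuid, mounted by guest)
automount -nsl [107] on /Network (automounted)'

# Real use (as root, from cron):  mount | afp_mountpoints | unmount_each
# Stand-alone demonstration on the constructed sample; it touches nothing.
printf '%s\n' "$SAMPLE_MOUNT_OUTPUT" | afp_mountpoints | unmount_each dry-run
```

Run it once by hand as "sh unmount-afp.sh" to see the dry-run output for the sample, then replace the last line with "mount | afp_mountpoints | unmount_each" before installing it under cron. Because umount is given the whole mount point as a single quoted argument, a share called "Lab Images" is unmounted correctly, which the "$3" form cannot do.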
Mac OS X Hints
http://hints.macworld.com/article.php?story=20051107175256782