Schedule regular dismount of fileshare connections
Nov 11, '05 05:52:00AM • Contributed by: almontgomerie
We have found a problem on Mac OS X systems which are used for acquiring laboratory images of experimental work. The systems are run as guest and are left logged into that account most of the time. The issue arises when users connect by AppleShare to other servers or systems to transfer their images for other analysis or for long term storage. Despite printed notices, many of these sessions are not disconnected when the transfers are complete, and we have frequently found four or more open AFP AppleShare connections to various other systems.
This is obviously a security issue, since the users involved are exposing their documents on the remote machines to pilfering or corruption. It also works counterproductively, in that an open connection to one account on a server will inhibit authentication to any other account on the same server -- a point which can tend to confuse and cause even more insecure behaviour when people modify file protections on their server accounts, in order to allow writing by whatever account is connected.
In order to reduce the impact, we have devised a cron/awk command which unmounts all AppleShare connections on the imaging systems once a day, at a time when the system is most likely to be idle. The following line in the root crontab achieves this:
0 4 * * * mount | awk '/^afp_/ { system("umount " $3) }'
Note that the blanks inside the {} are important, and that the first (minute) field must be 0 rather than *: with * in the minute field, cron would run the command every minute from 4:00 to 4:59. This works by running every morning at 4:00 (the 0 4 * * *) and executing a mount, which will produce a display like this:
/dev/disk2s3 on / (local, journaled)
devfs on /dev (local)
fdesc on /dev (union)
<volfs> on /.vol
automount -nsl [107] on /Network (automounted)
automount -fstab [111] on /automount/Servers (automounted)
automount -static [111] on /automount/static (automounted)
afp_0TRsNo11NoyJ0Zw3CF11Ag0t-1.2c00000c on /Volumes/pstockwell (nodev, nosuid, mounted by pstockwell)
where the line starting afp_.... is the AppleShare connection.
The awk utility receives this output through the pipe (|), locates the AppleShare lines (there may be several), and passes the third whitespace-separated field (here /Volumes/pstockwell) to umount via awk's system() call, which terminates the connection. Because $3 is split on whitespace, a share whose volume name contains a space would be passed to umount truncated and left mounted.
Installing this as a crontab entry was done using the convenient freeware CronniX utility, which provides a good GUI interface for this, including the capability to select the root crontab. It is possible to do the same thing from the command line with the following series of commands:
$ export EDITOR=pico # or nano, emacs or preferred command line editor
$ su # become root
$ crontab -u root -e # start editing session
Log out as root afterwards. The $ represents the Unix prompt and shouldn't be typed. The characters after # are comments and should be omitted as well (including the #). The default editor is vi, which will be invoked if export EDITOR=x is not done.
We've found only one issue so far: Unmounting a share when a local utility has a remote file open will generate a 'Resource busy' message. This doesn't seem to cause any other problems, though.
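As an added example, not part of the original hint, here is a small POSIX sh script that does the same job as the one-line cron/awk command but copes with volume names that contain spaces and counts the shares that stay mounted because of 'Resource busy'. The sample mount output and its afp_ identifiers are constructed; the function and variable names are ours.

```sh
#!/bin/sh
# Unmount every AFP share listed by mount(8). Unlike the awk $3 version,
# the mount point is taken as everything between " on " and the trailing
# " (options)", so "/Volumes/Lab Images" is handled correctly.

# Constructed sample of mount(8) output (afp_ identifiers made up).
SAMPLE_MOUNT='/dev/disk2s3 on / (local, journaled)
devfs on /dev (local)
automount -nsl [107] on /Network (automounted)
afp_0TRsNo11NoyJ0Zw3CF11Ag0t-1.2c00000c on /Volumes/pstockwell (nodev, nosuid, mounted by pstockwell)
afp_1ExampleOnlyXXXXXXXXXXXX-2.2c00000d on /Volumes/Lab Images (nodev, nosuid, mounted by guest)'

# Read mount(8) output on stdin and print one AFP mount point per line.
afp_mountpoints() {
    sed -n 's/^afp_[^ ]* on \(.*\) (.*)$/\1/p'
}

# Read mount(8) output on stdin and unmount every AFP share found.
# $1 is the command run on each mount point (default: umount); pass
# "echo" for a dry run. Returns the number of shares that could not be
# unmounted, e.g. because a local utility still has a file open.
dismount_afp() {
    cmd="${1:-umount}"
    failed=0
    old_ifs=$IFS
    IFS='
'                       # split the list on newlines only
    set -f              # no glob expansion of mount point names
    for mp in $(afp_mountpoints); do
        if ! $cmd "$mp"; then
            echo "dismount_afp: $mp still mounted" >&2
            failed=$((failed + 1))
        fi
    done
    set +f
    IFS=$old_ifs
    return "$failed"
}

# Dry run against the sample. On a real system the root crontab entry
# would run `mount | dismount_afp` instead.
printf '%s\n' "$SAMPLE_MOUNT" | dismount_afp echo
```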