Access hours for Sun Ray users

Having installed a Sun Ray in my daughters bedroom I am now faced with the inevitable problem of her being online all night not getting any sleep and then being generally grumpy. The irony here is that I was sent an email asking how I handle access control to the DTUs and I said I just trusted the children to be sensible (what was I thinking!).

So a solution was required that gave access to the systems only between certain hours. The hours would depend on the user and would have to not loose all their “work” in case this was a late night finishing their homework session.

After asking around no one came back to me and said how it can be done so I wrote my own script. It works by having a file that contains lines with a format

user:starttime:endtime

The times are specified in 24 hour format and only accurate to the minute.

# cat /etc/opt/local/access_hours             
user1:1915:1900
user2:0630:2300
user3:0630:2230
user4:0630:2000
# 

The top line is just really for testing only not allowing access from 1900 to 1915. Then you need a user who has system admin privs which does not have a crontab file. Since I already have a kroot role I'm overloading this. Running the script as with the -c flag and the name of the user will write the crontab file. Note it also writes an entry to keep the crontab file uptodate on an hourly basis.


# /usr/local/sbin/check_access_hours -c kroot
# crontab -l kroot
46 \* \* \* \* /usr/local/sbin/check_access_hours -c kroot
00 19 \* \* \* /usr/local/sbin/check_access_hours user1
00 23 \* \* \* /usr/local/sbin/check_access_hours user2
30 22 \* \* \* /usr/local/sbin/check_access_hours user3
00 20 \* \* \* /usr/local/sbin/check_access_hours user4
#  

Finally I added a line to the utaction script that is already run for every user when they connect to a Sun Ray DTU:

if ! /usr/local/sbin/check_access_hours -t 0 $1
then
        exit 1
fi

The way it disallows access is that it adds the DTU's IP address to the ipfilter, which you have to have configured, so that all traffic from the DTU is blocked. It also submits an at(1) job to run 2 minutes in the future to remove the block so that the Sun Ray can burst back into life. The effect is that the user can no longer use any Sun Ray outside of the defined hours. But after about 2 minutes the DTU is usable again by others or indeed as a photo frame.


A word of warning. Having got all this running the system has paniced twice which is disappointing on one level, that it panics, but pleasing on another, I've found a bug that can now be fixed. The bug is:

6791062: System panic in ip_tcp_input when a rule is added to ipfilter

I look forward to the fix!


The script is here but check that that bug has been fixed before you use it.

Comments:

[Trackback] I have just uploaded and update to my script that controls the access hours of users to Sun Ray DTUs. The change is to not block the DTU if the user accepts the warning and disconnects voluntarily. With that test in place the number of forced disc...

Posted by The dot in ... --- ... on January 23, 2009 at 01:04 AM GMT #

Post a Comment:
Comments are closed for this entry.
About

This is the old blog of Chris Gerhard. It has mostly moved to http://chrisgerhard.wordpress.com

Search

Archives
« April 2014
MonTueWedThuFriSatSun
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
    
       
Today