By user12625760 on Jan 07, 2009
Having installed a Sun Ray in my daughters bedroom I am now faced with the inevitable problem of her being online all night not getting any sleep and then being generally grumpy. The irony here is that I was sent an email asking how I handle access control to the DTUs and I said I just trusted the children to be sensible (what was I thinking!).
So a solution was required that gave access to the systems only between certain hours. The hours would depend on the user and would have to not loose all their “work” in case this was a late night finishing their homework session.
After asking around no one came back to me and said how it can be done so I wrote my own script. It works by having a file that contains lines with a format
The times are specified in 24 hour format and only accurate to the minute.
# cat /etc/opt/local/access_hours user1:1915:1900 user2:0630:2300 user3:0630:2230 user4:0630:2000 #
The top line is just really for testing only not allowing access from 1900 to 1915. Then you need a user who has system admin privs which does not have a crontab file. Since I already have a kroot role I'm overloading this. Running the script as with the -c flag and the name of the user will write the crontab file. Note it also writes an entry to keep the crontab file uptodate on an hourly basis.
# /usr/local/sbin/check_access_hours -c kroot # crontab -l kroot 46 \* \* \* \* /usr/local/sbin/check_access_hours -c kroot 00 19 \* \* \* /usr/local/sbin/check_access_hours user1 00 23 \* \* \* /usr/local/sbin/check_access_hours user2 30 22 \* \* \* /usr/local/sbin/check_access_hours user3 00 20 \* \* \* /usr/local/sbin/check_access_hours user4 #
Finally I added a line to the utaction script that is already run for every user when they connect to a Sun Ray DTU:
if ! /usr/local/sbin/check_access_hours -t 0 $1 then exit 1 fi
The way it disallows access is that it adds the DTU's IP address to the ipfilter, which you have to have configured, so that all traffic from the DTU is blocked. It also submits an at(1) job to run 2 minutes in the future to remove the block so that the Sun Ray can burst back into life. The effect is that the user can no longer use any Sun Ray outside of the defined hours. But after about 2 minutes the DTU is usable again by others or indeed as a photo frame.
A word of warning. Having got all this running the system has paniced twice which is disappointing on one level, that it panics, but pleasing on another, I've found a bug that can now be fixed. The bug is:
6791062: System panic in ip_tcp_input when a rule is added to ipfilter
I look forward to the fix!
The script is here but check that that bug has been fixed before you use it.