On 11/15/2010 12:27 PM, John Haxby wrote:


On 15 November 2010 12:36, Richard W Jerrido <[email protected]> wrote:




    On 12 November 2010 22:46, Srija <[email protected]> wrote:

        The problem is, if a user logs in as himself, he can't change the
        TMOUT parameter until he changes the shell. If the user changes
        the shell, it can be modified.




    You can declare readonly variables in bash using the following:


    [u...@somehost ~]$ TMOUT=900
    [u...@somehost ~]$ readonly TMOUT
    [u...@somehost ~]$ export TMOUT

    or

    [u...@somehost ~]$ declare -rx TMOUT=900

    Then trying to change the value of TMOUT gives the following:

    [u...@somehost ~]$ export TMOUT=150
    -bash: TMOUT: readonly variable

    For system-wide effect, it would be advisable to set the above in a
    file in /etc/profile.d/ such as /etc/profile.d/auto_logout.sh. Note
    that this would only apply to Bourne-compatible shells, so you'd
    also need to do something similar if you have any csh users.


It doesn't solve the problem:

      $ declare -rx TMOUT=900
      $ TMOUT=1000
      bash: TMOUT: readonly variable
      $ exec bash
      $ TMOUT=1000
      $ printenv TMOUT
      1000

You can't make the read-only status of a variable persist across an
exec. As I said before, you could make it harder to circumvent by
putting the command in /etc/bashrc, but unless I'm mistaken that doesn't
get called unless a user's ~/.bashrc specifically sources it.

jch


You are correct. You cannot (AFAIK) make the read-only status persist across an exec. But you can ensure (to a certain extent) that the TMOUT variable gets defined again. That is why I suggested placing the commands in an /etc/profile.d/ file as this gets sourced by both /etc/profile and /etc/bashrc. Granted, this method isn't perfect as it doesn't stop an enterprising user from running exec bash --noprofile --norc and blowing this whole theory out of the water. But as long as one understands its limitations, it works fairly well.

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
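
The behaviour discussed in this thread can be checked with a small harness. This is an added example, not part of any message above: the temp file stands in for /etc/profile.d/auto_logout.sh, --rcfile stands in for /etc/bashrc sourcing it, and PROBE and the function names are made up for illustration.

```bash
#!/bin/bash
# Added example (constructed harness, not code from the thread).
# Reports whether TMOUT is still read-only in shells started three ways.

# Constructed stand-in for /etc/profile.d/auto_logout.sh, holding the
# three commands quoted in the thread.
RC=$(mktemp)
trap 'rm -f "$RC"' EXIT
printf 'TMOUT=900\nreadonly TMOUT\nexport TMOUT\n' > "$RC"

# PROBE (hypothetical name): try the assignment in a subshell so that a
# refused assignment cannot abort the shell doing the reporting.
PROBE='(TMOUT=1000) 2>/dev/null && echo "writable:$TMOUT" || echo "readonly:$TMOUT"'
export PROBE

# 1. The shell that sourced the snippet: the assignment is refused.
same_shell() {
    bash --noprofile --norc -c '. "$0"; eval "$PROBE"' "$RC"
}

# 2. exec into a bash that reads no startup files: the exported value
#    survives, the read-only attribute does not.
exec_no_rc() {
    bash --noprofile --norc -c \
        '. "$0"; exec bash --noprofile --norc -c "$PROBE"' "$RC"
}

# 3. exec into an interactive bash whose rc file re-applies the snippet:
#    TMOUT is read-only again in the new shell.
exec_with_rc() {
    bash --noprofile --norc -c \
        '. "$0"; exec bash --rcfile "$0" -i -c "$PROBE"' "$RC" 2>/dev/null
}

# Print one result line per scenario when run stand-alone.
for t in same_shell exec_no_rc exec_with_rc; do
    printf '%-13s %s\n' "$t" "$($t)"
done
```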
