On Thu, Jun 2, 2016 at 7:14 AM, Björn Persson <Bjorn@rombobjörn.se> wrote:
> Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote:
>
>> And even more: after you disabled his
>> user account and logged him out, he really should be gone.
>
> After you disabled his user account, he really should be gone. If he's
> just logged out, he will be back tomorrow. Logging out is one thing.
> Disabling a user account is another. Kill any lingering processes when
> disabling the account, not every time the user logs out.
>
> A single command that both disables a user account and kills any
> processes running as that user might be handy. Anyone who thinks it's
> needed can write such a tool.

I looked and so far there does not seem to be a one-command solution.
But 3 steps suffice:

1. Disable the account so that they cannot make new sessions:
   usermod -L --expiredate 1 <user>
2. Set the pid limit of the user's cgroup to 0, so that they cannot
   fork new processes:
   systemctl set-property user-<uid>.slice TasksMax=0
3. Kill the user's processes:
   loginctl kill-user --signal=SIGKILL <user>

This could be wrapped up in a single command like "loginctl kickban
<user-or-uid>". I'm guessing a lot of sysadmins would appreciate it.
There's some trickiness involved, in that usermod does not handle
networked setups like sssd, but perfect is the enemy of good.

-- Allan Gardner
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
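
The three steps from the message above wrapped in one script, as an added example that is not part of the original message or of systemd. The names kickban, lookup_user, is_local, KICKBAN_APPLY and PASSWD_FILE are hypothetical; the script prints the commands unless KICKBAN_APPLY=1 is set, refuses uid 0, and skips usermod for accounts that are not in the local passwd file (the sssd case mentioned in the message).

```shell
#!/bin/sh
# Added example: "kickban" wrapper for the three steps in the message above.
# kickban, lookup_user, is_local, KICKBAN_APPLY, PASSWD_FILE are hypothetical names.

PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}

# Resolve a user name or numeric uid through NSS (also finds sssd/LDAP accounts).
lookup_user() { getent passwd "$1"; }

# True if the account has an entry in the local passwd file.
is_local() {
    while IFS=: read -r n _rest; do
        if [ "$n" = "$1" ]; then return 0; fi
    done < "$PASSWD_FILE"
    return 1
}

# Dry run by default: print the command; execute it only if KICKBAN_APPLY=1.
run() {
    if [ "${KICKBAN_APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

kickban() {
    entry=$(lookup_user "$1") || { echo "kickban: unknown user: $1" >&2; return 1; }
    name=${entry%%:*}
    rest=${entry#*:}; rest=${rest#*:}; uid=${rest%%:*}
    if [ "$uid" -eq 0 ]; then
        echo "kickban: refusing to act on uid 0" >&2; return 2
    fi
    rc=0

    # Step 1: block new sessions. usermod edits local files only, so skip it
    # for accounts that exist only in a network directory and say so.
    if is_local "$name"; then
        run usermod -L --expiredate 1 "$name" || rc=3
    else
        echo "kickban: $name not in $PASSWD_FILE, disable it in the directory" >&2
    fi

    # Step 2: forbid new tasks in the user's slice so nothing forks during step 3.
    run systemctl set-property "user-$uid.slice" TasksMax=0 || rc=3

    # Step 3: kill whatever is still running as the user, even if a step failed.
    run loginctl kill-user --signal=SIGKILL "$name" || rc=3
    return "$rc"
}

# Stand-alone: ./kickban.sh <user-or-uid> prints the plan; KICKBAN_APPLY=1 runs it.
if [ $# -gt 0 ]; then kickban "$1"; fi
```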