Running shell scripts at login and logout

* Introduction

The loginwindow process is responsible for many features besides providing a window to login, and it remains running while you use the computer. One of the most useful features of the loginwindow process to system administrators is its ability to execute shell scripts when a user logs in or logs out. This feature gives you, as a system administrator, great power in servicing the system before or after a new user uses the machine. An obvious use of this feature is to return the system to a pristine interface after the last user has mucked things up. I will describe the implementation of such a script below.

Login and logout hooks (I will refer to them as login hooks for simplicity) execute specified scripts when a user successfully logs in or out. Login hooks can be implemented by editing the loginwindow's preferences file located at /Library/Preferences/com.apple.loginwindow.plist. The instructions below will use the "defaults" command to access this preferences file (which is a little easier).

* loginwindow's preferences

The following items are configurable options of the loginwindow application:

  • HideAdminUsers (boolean)
  • HideLocalUsers (boolean)
  • PowerOffDisabled (boolean)
  • SHOWFULLNAME (boolean)
  • SHOWOTHERUSERS_MANAGED (boolean)
  • ShowPasswordHint (boolean)
  • Kiosk (boolean)
  • DiasableConsoleAccess (boolean)
  • RetriesUntilHint (CFNumber)
  • LoginHook (POSIX path)
  • LogoutHook (POSIX path)

I won't go into deep detail here about what each of these does or what the appropriate parameters are.  Essentially, though, if you want to set a value for one of these items, you use the following syntax:

sudo defaults write com.apple.loginwindow preference value

The step-by-step instructions below will take you through the process of adding a login hook to your system. Also, refer to Apple's "Creating a login hook" Knowledgebase article.

* Implementing a login hook

  1. Create a shell script to be run upon login. The name of the script is not important, as long as it is the same as what you will indicate in step 4. Note that the name of the user logging in is sent as an argument ($1) to this script. You can also download this basic script and copy it to /Library/Management (you may have to create this folder). Be sure to check out my Scripts Library for several other scripts that perform various tasks.

  2. Make sure this script is executable with a Terminal command such as:

    sudo chmod u+x /Library/Management/login.sh


  3. Test that the script will actually work. To do this, type this in the Terminal:

    sudo /Library/Management/login.sh username

    Change "username" to an actual user on the system. Check that the script did what you expected it to do and ran without errors. Errors may cause login to hang or not complete at all.


  4. Launch the Terminal application. Type:

    sudo defaults write com.apple.loginwindow LoginHook /Library/Management/login.sh


  5. Logout and log back in to make sure the script has been implemented properly.

Finally, take a look at iHook, a GUI for logout hooks. If you plan on doing some system maintenance in your logout hook, you may want a GUI to let potential users know what is going on with the machine.

footer shadow