Mac OS X Management Custom Shell Script Library

This page will host links and descriptions of custom shell scripts that can be used as login or logout hooks. These scripts are contributed by the Mac OS X Administrator community, thus I accept no responsibility for, nor do I warrant the merchantability or fitness of the scripts contained herein. The authors of these scripts maintain the copyrights to each respective script.

Login/Logout scripts

Login and logout scripts, which are run as the root user, can be very powerful -- you can do tasks as simple as cleaning up a home directory to something as complex as reimaging the system or maintaining its software. Learn more about login and logout scripts in "Running shell scripts upon login or logout". Before implementing one of these scripts, open the script in a plain text editor (such as TextEdit or BBEdit) and read the comments for usage tips and to make any required edits.

  • template.sh
  • This login script is a template provided for people to follow if they would like to contribute to this Library. The template will ensure that all scripts posted have adequate descriptions and instructions for implementation.

  • refresh-default-homedir.sh
  • This is a very basic login script that replaces a default user's home directory with a fresh copy from a template. The resulting effect is that any changes the user makes to the home directory -- downloading files or modifying the Dock, for example -- will be reversed and the system will return to the same state it was in when you deployed it. Combined with the built-in security of Mac OS X, this is one of the easiest ways to manage a multi-user system in a lab environment. This script requires very little customization; instructions for its use and installation are included as comments in the script.

  • refresh-default-homedir-savetmp.sh
  • This login script performs the same function as the refresh-default-homedir.sh script, but instead of simply deleting the work of the user that was just logged in, it saves that work to /tmp. To recover the work of someone who accidentally logged out, simply choose "Go to Folder" in the Finder's "Go" menu, type "/tmp", then find that user's time-stamped user directory. The /tmp directory is cleared upon restart and at timed intervals, so the saved directories will not build up over time.

  • login-byhostfix.sh
  • This script renames items in the ~/Library/Preferences/ByHost folder with the hardware (HW) address of the current machine. This solves issues such as screensaver settings not "sticking" when logging in on a different computer than the one on which the default user template was created.

  • login-diskimage.sh
  • This script mounts a read-only disk image with a shadow file to be used as the user's home directory. When the user logs in, any previous shadow file is destroyed and the template home directory is created by mounting the disk image at a mountpoint that is the location of the user's home directory.

  • login-wrapper.sh
  • This script launches other scripts, passing the appropriate parameters. You can use this script to combine the functionality of multiple scripts without combining their contents.

  • ad-bind-login.sh (Panther)
    ad-bind-login.sh (Tiger)
    ad-bind-login.sh (Leopard)
  • This script binds to AD and configures advanced options of the AD plugin.

  • keyaccess.sh
  • This script starts Key Access as the user who is logging in.

  • logintrack.sh
  • This script collects information about the user and posts a login event to a local log and, optionally, to a database.

  • logouttrack.sh
  • This script collects information about the user and posts a logout event to a local log and, optionally, to a database.

  • 1-unlock.sh
  • This script is not a login or logout script; rather, it augments the "refresh default home directory" scripts. This script automates the process of "unlocking" the default user's home directory so you can make changes to the default user template. All this script does is turn off the login hook (yes, you could also do this with Loginwindow Manager). Change the "sh" suffix to "command" to make this a double-clickable script.

  • 2-relock.sh
  • Like the previous script, this script augments the "refresh default home directory" scripts. This script automates the process of "relocking" the default user's home directory. Basically, it deletes the original pristine copy, replaces it with a copy of the current "default" user's home directory, then re-implements the login hook. Change the "sh" suffix to "command" to make this a double-clickable script.

  • change-permissions.sh
  • This script, contributed by Mark Helman, is used at logout to change permissions on the specified files back to read/write for everyone while respecting any pre-existing execute permissions. No action is taken to change ownership of the files.

    "I needed to do this to accommodate some legacy software that was being used in a networked environment. As certain files would be updated by current users they would become unavailable to subsequent users as both the Group and Others settings would have been changed to "No Access". This script fixes that problem."

Other Management scripts

  • Augment Records Utility
  • This script automates the creation of augment records for users. Augmented records were introduced in Open Directory on Leopard Server. As the name implies, augmented records are records that augment content imported from another record. Augmented records allow you to implement attributes in a user record that are not defined within the primary directory service. This is very useful if you do not have the authority to extend the schema of the primary directory service, and you desire to manage objects defined in the primary directory service.

    This script will create augment records that include three augmented attributes: dsAttrTypeStandard:HomeDirectory, dsAttrTypeStandard:NFSHomeDirectory, and dsAttrTypeStandard:Keywords. When used in conjunction with the Active Directory plugin, these augmented records allow you to override the home directory settings provided in Active Directory. To learn more about how this works, read chapter 9 of my Leveraging Active Directory on Mac OS X white paper.

  • Service Access Control Lists Utility
  • This script automates the implementation of Service Access Control Lists, or SACLs. For example, you can use this script to limit access to the loginwindow service (that is, who can log in) to a specific group within your organization. This is particularly useful considering that a generic bind to your organization-wide directory service grants permission to all services on your machines, by default, to *anyone* within your organization. Use SACLs to impose fine-grained restrictions over who has access to specific services on your machines.
