lockout - avoid slacking and impose productivity and discipline on yourself

       Thomer M. Gil, http://thomer.com/lockout/

lockout                                            2004-09-08                                         LOCKOUT(1)

       Arguably, a program that changes the root password to something random  with  the  possibility  of  never
       recovering the original password might be considered a bug by itself.  Other than that, no known bugs.

       /etc/cron.d/lockout must contain the following two entries:

           */1 * * * *         root    /usr/bin/lockout unlock >/dev/null 2>&1
           @reboot             root    /usr/bin/lockout unlock force >/dev/null 2>&1

       The  examples  that  follow assume you are using sudo(8) and you have a file, /etc/lockout/sudoers.normal
       which is the normal /etc/sudoers file, and /etc/lockout/sudoers.lock, which is the /etc/sudoers file when
       lockout   locks   your   computer.    This   example   also   assumes   you   are   using    iptables(8).
       /var/lib/iptables/active  should  contain  your default firewall rules, and /var/lib/iptables/work should
       contain the firewall rules that enforce discipline.  See below for an example.

       /etc/lock/lock.sh imposes discipline.  For example:

           #!/bin/sh
           /etc/init.d/iptables load work
           cp /etc/lockout/sudoers.lock /etc/sudoers/etc/lock/unlock.sh undoes these effects.  For example:

           #!/bin/sh
           /etc/init.d/iptables restart
           cp /etc/lockout/sudoers.normal /etc/sudoers

       Your /var/lib/iptables/work may look something like this:

           *filter
           :INPUT ACCEPT [1047:99548]
           :FORWARD ACCEPT [0:0]
           :OUTPUT ACCEPT [1104:120792]

           # allow incoming packets from localhost, ntp,
           # and existing connections
           -A INPUT -i lo -j ACCEPT
           -A INPUT -p udp -m udp --source-port ntp -m state --state ESTABLISHED -j ACCEPT
           -A INPUT -m state --state ESTABLISHED -j ACCEPT
           -A INPUT -p tcp -j DROP
           -A INPUT -p udp -j DROP

           # allow outgoing connections for email and DNS
           -A OUTPUT -d 127.0.0.1/8 -j ACCEPT
           -A OUTPUT -p tcp -m tcp --dport smtp -j ACCEPT
           -A OUTPUT -p tcp -m tcp --dport domain -j ACCEPT
           -A OUTPUT -p udp -m udp --dport domain -j ACCEPT
           -A OUTPUT -j DROP
           COMMIT

       Lockout is a tool that imposes discipline on you so that you get some work done.   For  example,  lockout
       can  be  used  to  install  a  firewall  that  does not let you browse the Web.  Lockout changes the root
       password for a specified duration; this prevents you from secretly ripping down  the  firewall  and  then
       browsing  the  Web  anyway.  In case of an emergency, you can reboot your computer to undo the effects of
       lockout and to restore the original root password.

       Obviously, lockoutlock and lockoutunlock can only be run by root.  lockoutstatus can  be  run  by  any
       user.

       lockout without any parameters shows a brief help message.

       lockoutlock takes one optional parameter.  If no parameter is given, you are dropped in interactive mode
       and  asked  for  the  duration  of the lock or the time at which the lock should be lifted.  You can also
       supply this as a parameter on the command line.  Lockout  understands  various  time  formats.   You  can
       specify  a  delay,  e.g., 3h (3 hours), 1h30m (1 hour and 30 minutes), or 90m (1 hour and 30 minutes), or
       you can specify absolute time, e.g., 2pm, 2:30am, 15:30, etc.  You will be asked to confirm the  time  at
       which  lockout  will  unlock  your  system.  If you type "yes", lockout executes /etc/lockout/lock.sh and
       changes the root password to something completely random.  /etc/lockout/lock.sh is a  shell  script  that
       you  write.   It takes measures to make sure you stop slacking.  For example, it could install a firewall
       that prevents outgoing connections to port 80.  See the "EXAMPLES" section below.

       lockoutunlock takes an optional force parameter.   Without  any  parameters,  lockoutlock  will  check
       whether  it  is  time  to unlock the system and, if so, executes /etc/lockout/unlock.sh, which is a shell
       script that you write.  It should undo the effects of /etc/lockout/lock.sh, executed when the system  was
       locked.   If  you  pass  the force parameter to lockoutunlock, lockout will forcibly unlock your system,
       whether it was really time for that or not.  lockoutunlock should be called every minute by  cron.   See
       "CONFIGURATION".

       lockoutstatus will print out the time at which the system is going to be unlocked.

           lockout lock 2h30m   [locks out for 2h and 30m]
           lockout lock 90m     [locks out for 1h and 30m]
           lockout lock 3pm     [locks out until 3pm]
           lockout lock 3:20am  [locks out until 3:20am]
           lockout lock 15:20   [locks out until 3:20pm]

           lockout status       [shows when the system is going to be unlocked]

/etc/lockout/lock.sh: executed when running lockoutlock/etc/lockout/unlock.sh: executed when running lockoutunlock

       lockout - avoid slacking and impose productivity and discipline on yourself

usermod(8), iptables(8), passwd(1), cron(8), crontab(1)

        lockout lock HhMm ⎪ Hh ⎪ Mm
        lockout lock HH:MM
        lockout lock HH:MMam ⎪ HH:MMpm
        lockout lock HHam ⎪ HHpm
        lockout lock

        lockout unlock [force]

        lockout status

       This  program  is  VERY DANGEROUS.  If it fails, you may end up not knowing the root password to your own
       computer (in which case you need to boot into single-user mode).  There are  no  known  reports  of  this
       actually  happening,  but  we don't know how stupid you are.  Also, you should probably not run this on a
       multi-user system.