Managing idle terminal sessions is a critical component of securing Linux-based systems in both enterprise environments and managed service provider (MSP) operations. Idle sessions can introduce vulnerabilities if left unattended—potentially exposing sensitive systems to unauthorized access. Automating the configuration of idle session timeouts enhances security posture while also streamlining system administration.
This post introduces how to set terminal idle timeout with Linux Shell Script, which ensures that unattended terminal sessions are automatically closed after a specified period of inactivity.
Background
In multi-user environments, especially across production servers or endpoint fleets, idle shell sessions are a subtle but serious risk. From compliance mandates like HIPAA or PCI-DSS to internal security policies, organizations often require user sessions to automatically terminate after a defined period of inactivity.
Traditionally, this is achieved by configuring the TMOUT environment variable in login shells, typically in /etc/profile. However, doing this manually across multiple systems or as part of a remote deployment isn’t scalable. That’s where automation becomes key.
The shell script under discussion is designed to solve this problem: set the idle session timeout for the terminal in Linux with shell scripting. It’s customizable, supports parameter-driven execution, creates backups for rollback safety, and optionally reboots the system for changes to take effect system-wide.
The Script
#!/usr/bin/env bash
# Description: Set the idle session timeout for the terminal and optionally reboot to apply the change.
# By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
# Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
# Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
# Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider.
# Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
# Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
# Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
# EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
#
# Release Notes: Initial Release
#
# Usage: [--timeout <seconds>] [--help]
# <> are required
# [] are optional
#
# Example: Set the idle session timeout to 1800 seconds(30 minutes)
# --timeout 1800
#
# Parameters
_arg_timeout=
_arg_reboot=
# Help text function for when invalid input is encountered
print_help() {
printf '\n\n%s\n\n' 'Usage: [--timeout <Arg>] [--reboot] [--help]'
printf '%s\n' 'Preset Parameter: --timeout "ReplaceMeWithYourDesiredTimeout"'
printf '\t%s\n' "The idle session timeout to set for the terminal. This is in seconds."
}
# Determines whether or not help text is necessary and routes the output to stderr
die() {
local _ret="${2:-1}"
echo "$1" >&2
test "${_PRINT_HELP:-no}" = yes && print_help >&2
exit "${_ret}"
}
# Grabbing the parameters and parsing through them.
parse_commandline() {
while test $# -gt 0; do
_key="$1"
case "$_key" in
--timeout | -t)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_timeout="$2"
shift
;;
--timeout=*)
_arg_timeout="${_key##--timeout=}"
;;
--reboot)
_arg_reboot="on"
;;
--help | -h)
_PRINT_HELP=yes die 0
;;
*)
_PRINT_HELP=yes die "[Error] Got an unexpected argument '$1'" 1
;;
esac
shift
done
}
# Creates a backup of a file if it exists
# Defaults to keeping 3 backups and removes the oldest backup if there are more than 3 backups
# Parameters: <File> [Number of Backups to Keep]
# Example:
# backup_file "/tmp/test.txt" 3
# [Info] Backing up /tmp/test.txt to /tmp/test.txt_2023-04-17_23-13-58.backup
# [Info] Removing /tmp/test.txt_2023-04-10_20-10-50.backup
backup_file() {
local _file_source=$1
local -i _keep_backups="$((3 + 1))"
if [[ -n "${2}" ]]; then
_keep_backups="$(("${2}" + 1))"
fi
local _file_backup
local _file_source_dir
local _file_source_file
local _backup_files
_file_backup="${_file_source}_$(date +%Y-%m-%d_%H-%M-%S).backup"
if [[ -f "${_file_source}" ]]; then
echo "[Info] Backing up $_file_source to $_file_backup"
cp "${_file_source}" "${_file_backup}"
fi
# Remove the oldest backup file if there are more than 3 backups
# Get the list of backup files
echo "[Info] Finding backup files..."
_file_source_dir=$(dirname "${_file_source}")
_file_source_file=$(basename "${_file_source}")
_backup_files=$(find "$_file_source_dir" -name "${_file_source_file}_*.backup" -printf '%T+ %p\n' 2>/dev/null | sort -r | tail -n "+${_keep_backups}" | cut -d' ' -f2-)
# Loop through each backup file and remove it
for backup_file in $_backup_files; do
echo "[Info] Removing $backup_file"
rm -f "$backup_file"
done
}
parse_commandline "$@"
# If script form variables are used replace command line parameters
if [[ -n $setTimeoutInSeconds ]]; then
_arg_timeout="$setTimeoutInSeconds"
fi
# If reboot is set to true, set the reboot variable to on
if [[ -n $reboot ]] && [[ "$reboot" == "true" ]]; then
_arg_reboot="on"
fi
# Check if the timeout is a number
if ! [[ "$_arg_timeout" =~ ^[0-9]+$ ]]; then
die "[Error] Timeout must be a number." 1
fi
# Check if the timeout is greater than 0
if [[ "$_arg_timeout" -lt 0 ]]; then
die "[Error] Timeout must be 0 or greater." 1
fi
# Set a value in a file or append it to the end of the file if it doesn't exist
# Parameters: <Name> <Search String> <Value> <File>
# Example:
# set_value_in_file "Name To Be Printed" "Hello=" "World" "/tmp/test.txt"
# Sets the value "Hello=World" in /tmp/test.txt
# If the value "Hello=" does exist, the line will be replaced with "Hello=World"
# If the value "Hello=" does not exist, it will be appended to the end of the file
set_value_in_file() {
local _name=$1
local _search=$2
local _value=$3
local _file=$4
if [ -f "${_file}" ]; then
# Check if _search is set
if grep -q "^${_search}" "${_file}"; then
# Replace the existing _search value with the new value
echo "[Info] Setting ${_name} to ${_value} seconds"
if ! sed -i "s/^${_search}.*/${_search}${_value}/" "${_file}"; then
die "[Error] Failed to set the ${_name} to ${_value} seconds" 1
fi
echo "[Info] Set ${_name} to ${_value} seconds"
else
# Add the new value to the end of the file
echo "[Info] Setting ${_name} to ${_value} seconds"
if ! echo "${_search}${_value}" >>"${_file}"; then
die "[Error] Failed to set the ${_name} to ${_value} seconds" 1
fi
echo "[Info] Set ${_name} to ${_value} seconds"
fi
fi
}
# Backup /etc/profile
backup_file "/etc/profile"
# Set TMOUT in /etc/profile to the timeout value
set_value_in_file "timeout" "export TMOUT=" "${_arg_timeout}" "/etc/profile"
# Reboot if requested
if [[ $_arg_reboot == "on" ]]; then
# Reboot if requested
echo "[Info] Rebooting computer."
if [ "$(command -v systemctl)" ]; then
echo "[Info] Using systemctl to reboot. Reboot will start in 1 minute."
sleep 60
systemctl reboot
elif [ "$(command -v reboot)" ]; then
echo "[Info] Using reboot to reboot. Reboot will start in 1 minute."
sleep 60
reboot
else
echo "[Info] Using the shutdown command to reboot. Reboot will start in 1 minute."
shutdown -r +1 "Rebooting to apply system wide profile change(s)."
fi
fi
Detailed Breakdown
Let’s dissect how this script works:
1. Argument Parsing
bash
CopyEdit
–timeout <seconds> # Sets the timeout in seconds
–reboot # Optional reboot after change
–help # Displays usage
The script supports flags for setting the timeout (–timeout) and triggering a reboot (–reboot). It includes robust validation and help prompts for incorrect or missing arguments.
2. Backup Handling
Before making any changes, the script backs up /etc/profile:
bash
CopyEdit
backup_file “/etc/profile”
It maintains a history of up to 3 backups, automatically cleaning older versions. This ensures that changes are reversible and aligns with best practices for configuration management.
3. Setting the Timeout
The core modification is adding or updating this line in /etc/profile:
bash
CopyEdit
export TMOUT=<timeout_value>
This is accomplished by:
bash
CopyEdit
set_value_in_file “timeout” “export TMOUT=” “${_arg_timeout}” “/etc/profile”
If the line already exists, it is replaced. Otherwise, it is appended.
4. Reboot Mechanism
If –reboot is passed or the environment variable reboot=true is set, the script schedules a system reboot in 60 seconds using the appropriate command (systemctl, reboot, or shutdown) depending on system capabilities.
Potential Use Cases
Imagine an MSP managing a fleet of 500 Linux-based remote workstations across multiple clients. One client requires automatic session termination after 15 minutes (900 seconds) of inactivity to comply with ISO 27001 standards.
The MSP deploys this script using NinjaOne’s automation engine, setting:
bash
CopyEdit
–timeout 900 –reboot
In minutes, all systems are updated securely and consistently. The backup function ensures that any unexpected behavior can be reversed swiftly.
Comparisons
Manual Configuration
System administrators often manually edit /etc/profile, but this:
- Is error-prone
- Doesn’t scale
- Lacks rollback
Group Policy-Like Tools
Enterprise tools like Ansible or Puppet can achieve the same but require configuration overhead and may not be available in lightweight MSP scenarios.
This shell script offers a middle-ground—automated, parameterized, and portable.
FAQs
Q1: Will this script log out users immediately?
No, it only sets the TMOUT variable. The session times out after the configured idle time.
Q2: Is reboot necessary?
Not strictly. New terminal sessions inherit the updated TMOUT, but a reboot ensures system-wide application for all login methods.
Q3: What if /etc/profile doesn’t exist?
The script checks file existence before proceeding. You can modify it to create the file if missing.
Q4: Does this affect all users?
Yes, setting TMOUT in /etc/profile applies globally to all users unless overridden in individual profiles.
Implications
Enforcing terminal session timeouts strengthens the overall security framework. It reduces risk from unattended terminals and aligns with audit and compliance policies. However, organizations must balance usability—developers or sysadmins working with long-running terminal sessions may find it disruptive without exception policies.
Recommendations
- Use version control to track backup files for /etc/profile.
- Test on staging before deploying to production environments.
- Pair with monitoring to ensure idle timeout behaviors match expectations.
- Integrate with NinjaOne automation to schedule updates and manage reboot timing centrally.
Final Thoughts
For IT professionals and MSPs seeking a straightforward, customizable, and scalable method to enforce terminal session timeouts on Linux, this script delivers reliability and clarity. By incorporating it into your NinjaOne automation workflows, you can ensure secure, compliant configurations across distributed environments with minimal manual intervention.
Whether you’re looking to set the idle session timeout for the terminal with shell script or to align your systems with best practices, this tool exemplifies how scripting and intelligent IT management platforms can work in harmony.