How to Fix ‘bash: TMOUT: readonly variable’ in Linux When Connecting via sudo or SSH

When managing Linux systems, particularly those with security-hardening measures, it’s common to encounter errors like:

-bash: TMOUT: readonly variable

This error typically appears when you log into a system via sudo, su, or an SSH session. Below, we'll explain the cause and walk through the steps to resolve it.


What Causes the “bash: TMOUT: readonly variable” Error?

TMOUT is a shell variable that bash uses to automatically log out shell sessions after a period of inactivity, enhancing security. In environments hardened according to guidelines like the Security Technical Implementation Guide (STIG), TMOUT is often explicitly marked readonly, preventing users from modifying or unsetting it.

Once TMOUT is readonly, any later attempt to assign it fails. If multiple shell configuration scripts (.sh files) attempt to define it, you'll see the error message because TMOUT cannot be set more than once.


How to Diagnose the Issue

First, determine if multiple scripts are setting the TMOUT variable. You can quickly check this by running:

grep -r -w TMOUT /etc/profile /etc/bashrc /etc/profile.d

A typical problematic output might look like:

/etc/profile.d/tmout.sh:TMOUT=6000
/etc/profile.d/z_yxw.sh:readonly TMOUT=900 ; export TMOUT

In this example, the TMOUT variable is defined in two different files, causing the conflict.


How to Fix the “TMOUT: readonly variable” Error

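The exact resolution depends on the order in which the custom scripts are executed relative to the standard security-hardening script (commonly named something like /etc/profile.d/tmout.sh). Scripts in /etc/profile.d/ are sourced in alphabetical order, so a file's name determines whether it runs before or after the standard script.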

You have two scenarios to consider:

Scenario 1: Custom Script Loads Before the Standard Script

If your custom script (e.g., /etc/profile.d/a_yxw.sh) runs before the standard STIG-hardening script, the solution is straightforward:

  • Remove or comment out the conflicting definition in the custom script.

For example, change this:

readonly TMOUT=900 ; export TMOUT

To this (commented out):

# readonly TMOUT=900 ; export TMOUT

Now, the standard script can set TMOUT correctly without conflict.


Scenario 2: Custom Script Loads After the Standard Script

If your custom script runs after the standard STIG-hardening script (such as /etc/profile.d/z_custom.sh), modify the custom script to conditionally set TMOUT only if it isn’t already defined. Here’s how:

  • Original Script:
readonly TMOUT=900 ; export TMOUT
  • Modified (Corrected) Script:
[ -n "${TMOUT+x}" ] || { readonly TMOUT=900; export TMOUT; }

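This conditional checks whether TMOUT is already set: ${TMOUT+x} expands to x when TMOUT is set (even to an empty value) and to nothing otherwise, and -n tests whether the result is non-empty. If TMOUT is not set, the script defines the variable safely, avoiding conflicts.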
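To confirm the fix before touching /etc/profile.d, the conflict can be reproduced in a temporary directory. The script below is an added example, not part of the original article; it assumes the standard script marks TMOUT readonly, and the sandbox files and their values are constructed for illustration.

```shell
#!/bin/sh
# Reproduce the TMOUT conflict in a throwaway directory, not /etc/profile.d.
# All file names and values below are constructed for this example.

# Source every *.sh in DIR in glob (alphabetical) order inside a clean,
# non-interactive bash and print how many readonly-assignment errors occurred.
count_tmout_errors() {
    env -i PATH="$PATH" bash --noprofile --norc -c '
        for f in "$1"/*.sh; do
            . "$f"
        done' _ "$1" 2>&1 >/dev/null |
        grep -c "TMOUT: readonly variable" || true
}

# Build a sandbox: a "standard" script that locks TMOUT, followed by a
# custom script whose single line is passed as $1. Prints the sandbox path.
make_sandbox() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'readonly TMOUT=900; export TMOUT' > "$dir/tmout.sh"
    printf '%s\n' "$1" > "$dir/z_custom.sh"
    printf '%s\n' "$dir"
}

# Print the error count produced by a given custom-script line.
check_custom_line() {
    sandbox=$(make_sandbox "$1") || return 1
    count_tmout_errors "$sandbox"
    rm -rf "$sandbox"
}

# The original line and the guarded line from Scenario 2.
UNGUARDED='readonly TMOUT=900 ; export TMOUT'
GUARDED='[ -n "${TMOUT+x}" ] || { readonly TMOUT=900; export TMOUT; }'

echo "unguarded: $(check_custom_line "$UNGUARDED") error(s)"
echo "guarded:   $(check_custom_line "$GUARDED") error(s)"
```

The guarded line skips its own definition whenever TMOUT is already set, so the value enforced is whichever one the earlier script chose.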


Best Practices to Avoid Future Issues

  • Regularly review and maintain shell profile scripts under /etc/profile.d/.
  • Ensure consistent definitions of environment variables across your system.
  • Clearly document any modifications or custom scripts to ensure seamless system administration.

Thoughts

The "bash: TMOUT: readonly variable" error arises from conflicting or redundant definitions of a readonly variable designed to enhance security. By systematically identifying and adjusting these scripts as explained, you can easily resolve and prevent future occurrences of this issue. Following the steps outlined above ensures a smooth and secure Linux environment for system administrators and users alike.
