The Situation
Suppose I allow "Shady Sam" admin access on my workstation to perform an important administrative task on my Mac Pro for me by giving them a temporary root login password. (Assume they were trustworthy, perhaps a systems admin for my company.)
From a remote location (e.g. home), I use my MacBook Pro laptop to observe Sam's activities and learn how to do the task myself via Remote Desktop (VNC).
Without warning, Shady Sam does something dastardly! Perhaps I see him trying to delete data from my hard drive or prying into restricted folders, etc. Whatever the dastardly deed, I want to lock Shady Sam out immediately, and secure the computer as best as possible from my remote location.
Since we share the mouse and keyboard, I couldn't reliably perform an action from within Remote Desktop (besides, they could close the connection). I'd have to write a script and run it remotely.
The Challenge
What's the best script (e.g. panicScript.sh or panicScript.py) I could run remotely to stop Shady Sam from performing his dastardly deed and prevent him from attempting it again?
I envision myself running it in the following way:
scp panicScript.sh remoteMachine:~/panicScript.sh
ssh remoteMachine . ~/panicScript.sh
Possible Features:
Other ideas are expressly encouraged!
- Change passwords of any/all accounts on remoteMachine
- Disable the keyboard or mouse
- Disable the monitor
- Reboot the machine
Assumptions
Shady Sam will not damage the Mac Pro in any way or remove any of its components (e.g. physically remove a hard drive or wired network connection), but he will attempt to re-login and continue his dastardly deed as quickly as possible. Sam has (otherwise) unrestricted physical access to the computer and a root login password.
Assume the Mac Pro has a monitor, keyboard, mouse, external hard drive, and an ethernet connection for internet. Let's suppose it can print to a network printer in a common area. For fun, let's suppose I have a standard user account on several coworkers' workstations, which are identical to mine (so I can connect to their machines via ssh).
Assume there are a dozen open-air cubicles clustered together so that coworkers can stand up and talk to each other. My coworkers, however, will generally not suspect that Shady Sam is doing something dastardly if they see him at my computer because he has helped several of them in the past and didn't do dastardly things to their computers.
Constraints
The panic script is initially on my laptop at home. You can scp it to my machine and run it there, or run it directly from my laptop at home. (Specify in your response!)
All actions taken by the script must be non-damaging and/or reversible from my remote location so that I can regain access at a later point from my remote location, and must be standard features/commands on a Mac Pro.
The script may call other scripts/programs as long as they come standard with the machine. Command-line scripting tools (e.g. awk) are okay as long as their commands are contained in the main script (e.g. history | awk '{print $2}'). This admittedly limits the scripting languages that could be used.
Calling a custom script or program you wrote (e.g. . ~/myOtherScriptOfKungFoo.sh) isn't okay, unless you generate it from within your script and the generated script is under 32 characters:
echo -e "#"'!'"/bin/bash\necho \"Hello, World\"" >> test.sh
chmod +x test.sh
. test.sh
I shouldn't have to interact with the script more than once (e.g. to type a password).
Criteria
The script should be short (cap of 30 lines), yet readable. Primary criteria are thoroughness, creative features and style, which are better than simplicity.
Ultimately, the most votes wins!
28 Pro-tip: Don't hire anyone named Shady Sam. – Geobits – 2015-09-11T01:21:37.003
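A containment plan built from the "Possible Features" list, run from the laptop rather than copied over first; this is an added example, not part of the original post or any answer to it. It assumes SSH key login for the owner, non-interactive sudo on the Mac Pro and FileVault off; `SECRET_FILE` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: run from the laptop. Dry run unless PANIC_EXECUTE=1.
# Assumptions (not from the post): SSH key login, non-interactive sudo on the
# Mac Pro, and FileVault off (with it on, the reboot stops at the pre-boot
# unlock screen and SSH does not come back).
HOST="${HOST:-remoteMachine}"                        # host alias from the post
SECRET_FILE="${SECRET_FILE:-$HOME/.panic_password}"  # hypothetical local path

# Generate the new password locally so it never has to be read back from
# the machine being contained. Alphanumeric only, so quoting stays simple.
new_password() {
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-24
}

# Emit the commands to run as root on the Mac Pro. Order matters: rotate
# credentials first, then end live sessions, so nobody can log straight back in.
panic_plan() {
    pw="$1"
    cat <<EOF
# Rotate root and every human account (UID >= 500 on OS X).
for u in root \$(dscl . -list /Users UniqueID | awk '\$2 >= 500 {print \$1}'); do
    dscl . -passwd "/Users/\$u" '$pw'
done
pmset displaysleepnow        # blank the console
killall -KILL loginwindow    # force the console user out
shutdown -r now              # drop any remaining root shells
EOF
}

panic_main() {
    if [ "${PANIC_EXECUTE:-0}" != 1 ]; then
        panic_plan 'DRY-RUN-PLACEHOLDER'   # show the plan, change nothing
        return 0
    fi
    pw="$(new_password)"
    ( umask 077; printf '%s\n' "$pw" > "$SECRET_FILE" )  # owner-only copy
    panic_plan "$pw" | ssh "$HOST" 'sudo -n sh'
}

panic_main
```

The password rotation leaves `authorized_keys` files untouched, which is what keeps the lockout reversible from the remote side. It also means any key added during the session survives, so those files need reviewing afterwards.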