What is the difference between /sbin/nologin and /bin/false?
Posted
by
Michael Hampton
on Server Fault
See other posts from Server Fault
or by Michael Hampton
Published on 2013-06-28T04:58:22Z
Indexed on
2013/06/28
22:23 UTC
Read the original article
Hit count: 322
I have often heard it recommended that a user account should be disabled by setting its shell to /bin/false
. But, on my existing Linux systems, I see that a great number of existing accounts (all of them service accounts) have a shell of /sbin/nologin
instead.
I see from the man page that /sbin/nologin
prints a message to the user saying the account is disabled, and then exits. Presumably /bin/false
would not print anything.
I also see that /sbin/nologin
is listed in /etc/shells
, while /bin/false
is not.
The man page says that FTP will disable access for users with a shell not listed in /etc/shells
and implies that other programs may do the same. Does that mean that somebody could FTP in with an account that has /sbin/nologin
as its shell?
What is the difference here? Which one of these should I use to disable a user account, and in what circumstances? What other effects does a listing in /etc/shells
have?
© Server Fault or respective owner