What is the difference between /sbin/nologin and /bin/false?

Posted by Michael Hampton on Server Fault
Published on 2013-06-28T04:58:22Z

I have often heard it recommended that a user account should be disabled by setting its shell to /bin/false. But, on my existing Linux systems, I see that a great number of existing accounts (all of them service accounts) have a shell of /sbin/nologin instead.

I see from the man page that /sbin/nologin prints a message to the user saying the account is disabled, and then exits. Presumably /bin/false would not print anything.

I also see that /sbin/nologin is listed in /etc/shells, while /bin/false is not.

The man page says that FTP will disable access for users with a shell not listed in /etc/shells and implies that other programs may do the same. Does that mean that somebody could FTP in with an account that has /sbin/nologin as its shell?

What is the difference here? Which one of these should I use to disable a user account, and in what circumstances? What other effects does a listing in /etc/shells have?
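As an added example that is not part of the question above, the following POSIX shell script audits which accounts have a shell listed in /etc/shells and flags the case the question describes: /sbin/nologin is listed (so shell-list checks such as an FTP daemon's still accept the account) while /bin/false is not. The /etc/passwd and /etc/shells contents are constructed sample files written to a temporary directory; point `report` at the real files to audit a host.

```sh
#!/bin/sh
# Audit login shells against /etc/shells.
# The inputs below are constructed samples so the script runs offline;
# call report /etc/passwd /etc/shells to audit a real system.

SAMPLE_DIR="${TMPDIR:-/tmp}/shell-audit.$$"
mkdir -p "$SAMPLE_DIR"
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed /etc/shells: /sbin/nologin is listed, /bin/false is not.
cat > "$SAMPLE_DIR/shells" <<'EOF'
/bin/sh
/bin/bash
/sbin/nologin
EOF

# Constructed /etc/passwd excerpt (uids, gids and homes are illustrative).
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
bob:x:1001:1001::/home/bob:/bin/false
EOF

# classify USER PASSWD SHELLS -> prints one of:
#   interactive     shell is listed and is a real shell
#   listed-nologin  shell is listed in /etc/shells but is a nologin binary:
#                   no shell session, yet services that only consult
#                   /etc/shells (e.g. many FTP daemons) still accept the user
#   unlisted        shell is absent from /etc/shells; such services reject it
classify() {
  user=$1; passwd=$2; shells=$3
  shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
  [ -n "$shell" ] || { echo "unknown"; return 1; }
  if grep -qxF -- "$shell" "$shells"; then
    case "$shell" in
      */nologin) echo "listed-nologin" ;;
      *)         echo "interactive" ;;
    esac
  else
    echo "unlisted"
  fi
}

# report PASSWD SHELLS -> one line per account with its classification.
report() {
  awk -F: '{ print $1 }' "$1" | while read -r u; do
    printf '%-8s %s\n' "$u" "$(classify "$u" "$1" "$2")"
  done
}

report "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shells"
```

Accounts reported as `listed-nologin` are the ones to review if a service on the host grants access based on /etc/shells membership alone.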

© Server Fault or respective owner
