I have seen few system administrators using
/sbin/nologin and few use
/bin/false to deny shell access to a particular user in Unix machines. But I have been wondering what’s the difference between
/sbin/nologin and what is the right way of denying a shell access to a user. Well, this tutorial will explain what is the difference between /bin/false & /sbin/nologin.
What is the Difference between /bin/false & /sbin/nologin?
First of all, i should say in terms of functionality there is no difference between
/sbin/nologin. It means, both denies a shell access to a particular user account.
General usage of /sbin/login & /bin/false
But there’s a slight difference –
/bin/false does nothing and it just exits with a status code indicating failure when a user attempts to login to the machine. It does not output any message indicating that the user account does not have shell access.
/sbin/nologin politely denies a shell access for a particular user account and exists with a status code of non-zero. For example, when a user account is set to
/sbin/nologin as shell, then
nologin displays ‘This account is currently not available‘.
#su - test This account is currently not available.
nologin can also read a custom message from
/etc/nologin.txt, if present.
Enter a custom message say “This is not a valid login account – Administrator“.
/sbin/nologin will log the login attempts in
Oct 26 09:43:37 test.tg.in su: pam_unix(su-l:session): session opened for user test Oct 26 09:43:37 test.tg.in su: pam_unix(su-l:session): session closed for user test
Looking at man pages of nologin and false.
# man nologin # man false
nologin or false, which is better?
false is a traditional approach, which came much before
/sbin/nologin has the ability to display a custom message, so any administrator would want to use that. In functionality wise, both does the same of not allowing a shell access.
So which one are you using? Tell us in the comment section.