Difference between /bin/false & /sbin/nologin

I have seen few system administrators using /sbin/nologin and few use /bin/false to deny shell access to a particular user in Unix machines. But I have been wondering what’s the difference between /bin/false & /sbin/nologin and what is the right way of denying a shell access to a user. Well, this tutorial will explain what is the difference between /bin/false & /sbin/nologin.

What is the Difference between /bin/false & /sbin/nologin?

First of all, i should say in terms of functionality there is no difference between /bin/false & /sbin/nologin. It means, both denies a shell access to a particular user account.

General usage of /sbin/login & /bin/false

test:x:2935:2936::/home/test:/sbin/nologin
test:x:2935:2936::/home/test:/bin/false

But there’s a slight difference

/bin/false does nothing and it just exits with a status code indicating failure when a user attempts to login to the machine. It does not output any message indicating that the user account does not have shell access.

Whereas, /sbin/nologin politely denies a shell access for a particular user account and exists with a status code of non-zero. For example, when a user account is set to /sbin/nologin as shell, then nologin displays ‘This account is currently not available‘.

#su - test
This account is currently not available.

nologin can also read a custom message from /etc/nologin.txt, if present.

#vim /etc/nologin.txt

Enter a custom message say “This is not a valid login account – Administrator“.

Both /bin/false & /sbin/nologin will log the login attempts in /var/log/secure.

Oct 26 09:43:37 test.tg.in su: pam_unix(su-l:session): session opened for user test
Oct 26 09:43:37 test.tg.in su: pam_unix(su-l:session): session closed for user test

Looking at man pages of nologin and false.

# man nologin

# man false

nologin or false, which is better?

false is a traditional approach, which came much before nologin. /sbin/nologin has the ability to display a custom message, so any administrator would want to use that. In functionality wise, both does the same of not allowing a shell access.

Do you run MySQL as bash user or nologin?

By default MySQL runs as mysql user with /bin/bash shell access. Why? Learn here

So which one are you using? Tell us in the comment section.

Updated on October 26, 2017

Was this article helpful?

Related Articles

Leave a Comment