I have seen a few system administrators use /sbin/nologin and a few use /bin/false to deny shell access to a particular user on Unix machines. But I have been wondering what the difference between /bin/false and /sbin/nologin is, and what the right way of denying shell access to a user is. Well, this tutorial will explain the difference between /bin/false and /sbin/nologin.
What is the Difference between /bin/false & /sbin/nologin?
First of all, I should say that in terms of functionality there is no difference between /bin/false and /sbin/nologin: both deny shell access to a particular user account.
General usage of /sbin/nologin & /bin/false
test:x:2935:2936::/home/test:/sbin/nologin
test:x:2935:2936::/home/test:/bin/false
But there's a slight difference.
/bin/false does nothing; it just exits with a status code indicating failure when a user attempts to log in to the machine. It does not output any message indicating that the user account does not have shell access.
/sbin/nologin, on the other hand, politely denies shell access for a particular user account and exits with a non-zero status code. For example, when a user account has /sbin/nologin set as its shell, nologin displays ‘This account is currently not available’.
# su - test
This account is currently not available.
nologin can also read a custom message from /etc/nologin.txt, if present.
# vim /etc/nologin.txt
Enter a custom message, say “This is not a valid login account – Administrator”.
Both /bin/false & /sbin/nologin will log the login attempts in /var/log/secure.
Oct 26 09:43:37 test.tg.in su: pam_unix(su-l:session): session opened for user test
Oct 26 09:43:37 test.tg.in su: pam_unix(su-l:session): session closed for user test
Looking at the man pages of nologin and false:
# man nologin
# man false
nologin or false, which is better?
false is the traditional approach, which came along much before nologin. /sbin/nologin has the ability to display a custom message, so any administrator would want to use that. Functionality-wise, both do the same thing: they disallow shell access.
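The audit below is an added example, not code from the original post: it walks a passwd-format file (the sample entries are constructed here) and reports which accounts still have an interactive shell, treating /bin/false and nologin as the equivalent deny shells described above. It assumes a POSIX sh with awk, and that the nologin path may be /sbin or /usr/sbin depending on the distribution.

```shell
#!/bin/sh
# Added example, not from the original post: audit a passwd-format file and
# report which accounts still have an interactive shell. The sample entries
# below are constructed; the nologin path varies by distro (/sbin or /usr/sbin).

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
test:x:2935:2936::/home/test:/sbin/nologin
backup:x:2940:2940::/var/backups:/bin/false
deploy:x:3001:3001::/home/deploy:/bin/sh
sftp1:x:3002:3002::/srv/sftp:/usr/sbin/nologin'

# Both shells deny interactive login; only nologin prints a message first.
is_denied_shell() {
    case "$1" in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads passwd lines on stdin, prints "user shell denied|interactive" per line.
classify_shells() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -z "$user" ] && continue
        if is_denied_shell "$shell"; then
            echo "$user $shell denied"
        else
            echo "$user $shell interactive"
        fi
    done
}

# Non-root accounts that can still get a shell: candidates for /sbin/nologin
# (or /bin/false for SFTP-only accounts, where nologin's message gets in the way).
interactive_accounts() {
    classify_shells | awk '$1 != "root" && $3 == "interactive" { print $1 }'
}

# /bin/false prints nothing and exits non-zero; written to be safe under set -e.
false_exit_status() {
    /bin/false && rc=0 || rc=$?
    echo "$rc"
}

printf '%s\n' "$SAMPLE_PASSWD" | classify_shells
echo "lock down: $(printf '%s\n' "$SAMPLE_PASSWD" | interactive_accounts | tr '\n' ' ')"
echo "/bin/false exit status: $(false_exit_status)"
```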
So which one are you using? Tell us in the comment section.
Echoing back the text seems to break the account for utilizing it for SFTP, so /bin/false would work better in that scenario.