This is designed to be a shell for users you don't want to have a shell.
It's probably unnecessary on most modern systems which have binary "shells" for this purpose (/sbin/nologin or /sbin/false). On older systems, these "no shell" shells were shell scripts, which rather obviously use a real shell and thus have at least the potential for abuse. Consequently, the old practice often was to use /dev/null as the "shell". The only problem with that is that you get no logging; "noshell" and the other modern equivalents will log the access attempt to syslog.
This stuff can get complicated though. Having a user with a nologin shell isn't just for system accounts. On many systems, we have users who we want to give mail or ftp or samba access to but just don't want them able to log in. How those other programs react depends upon them: they may just not care, or may want to see the shell at least listed in /etc/shells. How you feel about their preferences depends on what you do and do not want to allow the user to do, and it all may get nasty enough that you need to involve iptables or PAM or all three to get the control required.
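To see where a given system stands, the following added example (not part of the original article or of noshell) reports, for each passwd entry, whether the shell is a script, a compiled binary, a device such as /dev/null, or missing, and whether it is listed in /etc/shells. The function names are illustrative, and "binary" only describes the file type: it does not tell a real shell apart from a nologin binary.

```python
import os
import stat

def parse_shells(text):
    """Return the set of paths in /etc/shells-style text, ignoring comments."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")}

def classify_shell(path):
    """Classify a passwd shell field by what kind of file it points at."""
    if not path:
        return "default-shell"      # empty field means the system default, /bin/sh
    try:
        st = os.stat(path)
    except OSError:
        return "missing"            # login fails, but nothing logs the attempt
    if stat.S_ISCHR(st.st_mode):
        return "device"             # the old /dev/null trick: no logging either
    if not stat.S_ISREG(st.st_mode):
        return "other"
    try:
        with open(path, "rb") as fh:
            magic = fh.read(2)
    except OSError:
        return "unreadable"
    # A "#!" file is run by a real interpreter, the case the article warns about.
    return "script" if magic == b"#!" else "binary"

def audit(passwd_text, shells_text):
    """Return (user, shell, kind, listed_in_shells) for each passwd entry."""
    listed = parse_shells(shells_text)
    rows = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        user, shell = fields[0], fields[6]
        rows.append((user, shell, classify_shell(shell), shell in listed))
    return rows

if __name__ == "__main__":
    with open("/etc/passwd") as fh:
        passwd = fh.read()
    shells = ""
    if os.path.exists("/etc/shells"):
        with open("/etc/shells") as fh:
            shells = fh.read()
    for user, shell, kind, listed in audit(passwd, shells):
        print(f"{user:16} {shell or '(empty)':24} {kind:14} in /etc/shells: {listed}")
```

Accounts that show up as "script", "device" or "missing" are the ones worth a second look, and the last column shows which no-login shells a service that checks /etc/shells would accept.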
Someday perhaps all of this will be in one place.