2005/03/12 noshell

© March 2005 Tony Lawrence

This is designed to be a shell for users you don't want to have a shell.

It's probably unnecessary on most modern systems which have binary "shells" for this purpose (/sbin/nologin or /sbin/false). On older systems, these "no shell" shells were shell scripts, which rather obviously use a real shell and thus have at least the potential for abuse. Consequently, the old practice often was to use /dev/null as the "shell". The only problem with that is that you get no logging; "noshell" and the other modern equivalents will log the access attempt to syslog.

This stuff can get complicated though. Having a user with a nologin shell isn't just for system accounts. On many systems, we have users who we want to give mail or ftp or samba access too but just don't want them able to log in. How those other programs react depends upon them: they may just not care, or may want to see the shell at least listed in /etc/shells. How you feel about their preferences depends on what you do and do not want to allow the user to do, and it all may get nasty enough that you need to involve iptables or PAM or all three to get the control required.

Someday perhaps all of this will be in one place.

Got something to add? Send me email.

---

Have you tried Searching this site?

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us