APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

2005/03/12 noshell

This is designed to be a shell for users you don't want to have a shell.

It's probably unnecessary on most modern systems which have binary "shells" for this purpose (/sbin/nologin or /sbin/false). On older systems, these "no shell" shells were shell scripts, which rather obviously use a real shell and thus have at least the potential for abuse. Consequently, the old practice often was to use /dev/null as the "shell". The only problem with that is that you get no logging; "noshell" and the other modern equivalents will log the access attempt to syslog.

This stuff can get complicated though. Having a user with a nologin shell isn't just for system accounts. On many systems, we have users who we want to give mail or ftp or samba access too but just don't want them able to log in. How those other programs react depends upon them: they may just not care, or may want to see the shell at least listed in /etc/shells. How you feel about their preferences depends on what you do and do not want to allow the user to do, and it all may get nasty enough that you need to involve iptables or PAM or all three to get the control required.

Someday perhaps all of this will be in one place.

Got something to add? Send me email.

(OLDER)    <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> -> noshell -'no login' shell

Increase ad revenue 50-250% with Ezoic

More Articles by

Find me on Google+

© Tony Lawrence

Kerio Connect Mailserver

Kerio Samepage

Kerio Control Firewall

Have you tried Searching this site?

Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us

I am not the only person who uses his computer mainly for the purpose of diddling with his computer. (Dave Barry)

This post tagged: