Can I allow a non-root user to log in when /etc/nologin exists?
Solution 1
If your system uses PAM, the login denial when /etc/nologin exists is triggered by the pam_nologin module.
You can skip the pam_nologin invocation for users matching certain criteria with pam_succeed_if. For example, if you want to allow users in the adm group to log in on a text console even if /etc/nologin exists, add the following line to /etc/pam.d/login just before the line with auth requisite pam_nologin.so:
auth [default=ignore success=1] pam_succeed_if.so quiet user ingroup adm
Solution 2
Vesa K's version of Ryan Novosielski's answer works for me, but the lines are in /etc/pam.d/sshd, not /etc/pam.d/login.
In my case, I just want UID 1000 under Ubuntu 14.04 LTS to be allowed to log in via SSH.
# Disallow non-root logins when /etc/nologin exists.
account [success=1 default=ignore] pam_succeed_if.so quiet uid eq 1000
account required pam_nologin.so
Solution 3
Gilles's answer above is very good, but note you must match the "type" with pam_nologin.so's type. So for example, on my RHEL5 system:
account [default=1 success=ignore] pam_succeed_if.so quiet user ingroup nx
account required pam_nologin.so
...if I used auth, as the other answer requested, it wouldn't work.
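To see exactly what a control field such as [default=ignore success=1] does, here is an added Python simulator (not code from any of the answers) of how PAM walks the lines of one type in the order they appear, following the jump rules of pam.conf(5). It loads the two-line stacks quoted in Solutions 1 and 2 and reports who gets through while /etc/nologin exists; the users, UIDs and group memberships are constructed sample data.

```python
import re

# Constructed sample accounts (stand-ins for /etc/passwd and /etc/group).
UIDS = {"root": 0, "alice": 1000, "bob": 1001}
GROUPS = {"root": {"root"}, "alice": {"adm", "users"}, "bob": {"users"}}

# The stacks from Solutions 1 and 2, as given in the answers above.
SOLUTION1 = """\
auth [default=ignore success=1] pam_succeed_if.so quiet user ingroup adm
auth requisite pam_nologin.so
"""
SOLUTION2 = """\
# Disallow non-root logins when /etc/nologin exists.
account [success=1 default=ignore] pam_succeed_if.so quiet uid eq 1000
account required pam_nologin.so
"""
# type, control ("required" or "[value=action ...]"), module, arguments
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def succeed_if(user, args):
    """The two pam_succeed_if conditions used on this page."""
    field, op, value = [a for a in args.split() if a != "quiet"][:3]
    if (field, op) == ("user", "ingroup"):
        return value in GROUPS.get(user, set())
    if (field, op) == ("uid", "eq"):
        return UIDS.get(user) == int(value)
    raise ValueError(f"unsupported pam_succeed_if condition: {args}")

def evaluate(stack, user, nologin_exists):
    """Walk one management group (lines of one type) per pam.conf(5); True = login allowed."""
    rules = [LINE_RE.match(ln).groups() for ln in stack.splitlines()
             if ln.strip() and not ln.startswith("#")]
    i, allowed = 0, True
    while i < len(rules):
        _type, control, module, args = rules[i]
        if module == "pam_nologin.so":  # only root passes while /etc/nologin exists
            ok = user == "root" or not nologin_exists
        else:                            # pam_succeed_if.so
            ok = succeed_if(user, args)
        if control in ("required", "requisite"):  # requisite's early abort changes nothing here
            action = "ok" if ok else "bad"
        else:  # bracket form; 'default' covers every return value not listed explicitly
            table = dict(kv.split("=", 1) for kv in control.strip("[]").split())
            action = table.get("success" if ok else "auth_err", table.get("default", "bad"))
        if action == "bad":
            allowed = False
        elif action.isdigit():  # 'N' means ok, then skip the next N modules of this type
            i += int(action)
        i += 1
    return allowed
```

Swap in your own stack text to check a candidate /etc/pam.d edit before relying on it for a remote login.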
Solution 4
I'm not sure if it is possible to override the /etc/nologin creation/usage without dirty tricks. But for your purpose, you can use a function like this:
off () {
    # Marker file: remove it after logging back in to cancel the shutdown.
    touch /tmp/GOING-DOWN
    # Wait $1 seconds (default 1), then power off only if the marker still exists.
    sudo sh -c "sleep ${1-1} && [ -f /tmp/GOING-DOWN ] && /sbin/poweroff"
}
Upon re-login, deleting the file /tmp/GOING-DOWN will prevent shutdown.
edit: Added a simple way to cancel the shutdown.
suszterpatt
Updated on September 18, 2022
Comments
-
suszterpatt over 1 year
Suppose a non-root user with sudo privileges executes a delayed shutdown (shutdown +10 or whatever) and logs out. Then, before the shutdown occurs, he wants to log back in and cancel the shutdown. The problem is that shutdown creates /etc/nologin, and login only allows root to log in when that file exists... is it possible to create an exception from this for a user? If not, what would be the best way to let a user initiate a delayed shutdown, then log in and cancel it at a later point?
-
Admin almost 13 years
One could maybe use shutdown now with the at scheduler as a workaround.
-
AnfJunior almost 3 years
This answer makes sense and matches what it says in the man pages for pam.d and pam_succeed_if perfectly, but doesn't work for me on Arch Linux 5.12.
-
AnfJunior almost 3 years
I'm sure this is accurate for RHEL5 and when it was written. On my Arch system, the type used for pam_nologin.so is auth. So, Gilles's answer would be more correct for me. Unfortunately, it didn't work for me on Arch Linux. I also tried changing the type for both rules to account.
-
AnfJunior almost 3 years
The man page for pam.d doesn't say anything about the order of the values. It does refer to default as "the last of these", but I believe that's only referring to the order in which they appear in the man page. In any case, I tried the answers from Gilles, Ryan, and you without success on Arch Linux.
-
dave58 about 2 years
Thanks for pointing out the separate pam.d/ssh configuration that may be needed. I edited @Gilles's answer above to include it. Some people don't read all the answers before leaping into action... :-)
-
John Greene about 2 years
This PAM option does not work anymore under OpenSSH 8.8p1 if the UsePAM no option is used. It would actually check /etc/nologin after an authenticated session has been established and a TTY opened.