Can I allow a non-root user to log in when /etc/nologin exists?


Solution 1

If your system uses PAM, the login denial when /etc/nologin exists is triggered by the pam_nologin module.

You can skip the pam_nologin invocation for users matching certain criteria with pam_succeed_if. For example, if you want to allow users in the adm group to log in on a text console even if /etc/nologin exists, add the following line to /etc/pam.d/login just before the line with auth requisite pam_nologin.so:

auth [default=ignore success=1] pam_succeed_if.so quiet user ingroup adm

Solution 2

Vesa K's version of Ryan Novosielski's answer works for me, but the lines are in:

/etc/pam.d/sshd

not:

/etc/pam.d/login

In my case, I just want UID 1000 under Ubuntu 14.04 LTS to be allowed to log in via SSH.

# Disallow non-root logins when /etc/nologin exists.
account [success=1 default=ignore] pam_succeed_if.so quiet uid eq 1000
account    required     pam_nologin.so

Solution 3

Gilles's answer above is very good, but note you must match the "type" with pam_nologin.so's type. So for example, on my RHEL5 system:

# Control must be [success=1 default=ignore]: skip pam_nologin only when the user is in group nx.
# (With the tokens swapped, members of nx would be the ones still denied.)
account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup nx
account required     pam_nologin.so

...if I used auth, as the other answer requested, it wouldn't work.
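The answers above turn on three details that are easy to get wrong: the pam_succeed_if rule must sit directly before pam_nologin.so, both rules must use the same type (auth vs. account), and the control must be [success=1 default=ignore] rather than the reverse. As an added example (not from any answer on this page), here is a small checker for a pam.d file that flags each of those mistakes; the sample file contents are constructed from the snippet in Solution 2.

```python
import re

# Constructed sample: the sshd snippet from Solution 2, as a practitioner would have it on disk.
SAMPLE_SSHD = """\
# Disallow non-root logins when /etc/nologin exists.
account [success=1 default=ignore] pam_succeed_if.so quiet uid eq 1000
account    required     pam_nologin.so
"""

def parse_pam_lines(text):
    """Return (type, control, module, args) tuples for each rule line, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if m:
            rules.append(m.groups())
    return rules

def check_nologin_bypass(text):
    """Return a list of problems; an empty list means the bypass rule should take effect.

    Checks: a pam_nologin.so rule exists, pam_succeed_if.so immediately precedes it,
    both share the same type, and the control skips pam_nologin only on success.
    """
    rules = parse_pam_lines(text)
    problems = []
    nologin_idx = [i for i, r in enumerate(rules) if r[2] == "pam_nologin.so"]
    if not nologin_idx:
        return ["no pam_nologin.so rule found"]
    for i in nologin_idx:
        if i == 0 or rules[i - 1][2] != "pam_succeed_if.so":
            problems.append("pam_succeed_if.so must immediately precede pam_nologin.so")
            continue
        prev_type, control, _, _ = rules[i - 1]
        if prev_type != rules[i][0]:
            problems.append(f"type mismatch: {prev_type} vs {rules[i][0]}")
        # Bracketed control: success=1 jumps over the next rule, default=ignore falls through.
        tokens = dict(t.split("=", 1) for t in control.strip("[]").split() if "=" in t)
        if tokens.get("success") != "1" or tokens.get("default") != "ignore":
            problems.append(f"control {control} does not skip pam_nologin only on success")
    return problems
```

Run it over /etc/pam.d/login or /etc/pam.d/sshd (whichever service the session actually uses) after editing.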

Solution 4

I'm not sure if it is possible to override the /etc/nologin creation/usage without dirty tricks. But for your purpose, you can use a function like this:

off () {
   # Marker file: delete it after logging back in to cancel the shutdown.
   touch /tmp/GOING-DOWN
   # Wait $1 seconds (default 1), then power off only if the marker still exists.
   sudo sh -c "sleep ${1-1} && [ -f /tmp/GOING-DOWN ] && /sbin/poweroff"
}

Upon re-login, deleting the file /tmp/GOING-DOWN will prevent shutdown.

edit: Added a simple way to cancel the shutdown.

Author: suszterpatt

Updated on September 18, 2022

Comments

  • suszterpatt
    suszterpatt over 1 year

    Suppose a non-root user with sudo privileges executes a delayed shutdown (shutdown +10 or whatever) and logs out. Then, before the shutdown occurs, he wants to log back in and cancel the shutdown. The problem is that shutdown creates /etc/nologin, and login only allows root to log in when that file exists... is it possible to create an exception from this for a user?

    If not, what would be the best way to let a user initiate a delayed shutdown, then log in and cancel it at a later point?

    • Admin
      Admin almost 13 years
      One could maybe use shutdown now with the at scheduler as a workaround.
  • AnfJunior
    AnfJunior almost 3 years
    This answer makes sense and matches what it says in the man pages for pam.d and pam_succeed_if perfectly, but doesn't work for me on Arch Linux 5.12.
  • AnfJunior
    AnfJunior almost 3 years
    I'm sure this is accurate for RHEL5 and for when it was written. On my Arch system, the type used for pam_nologin.so is auth. So, Gilles's answer would be more correct for me. Unfortunately, it didn't work for me on Arch Linux. I also tried changing the type for both rules to account.
  • AnfJunior
    AnfJunior almost 3 years
    The man page for pam.d doesn't say anything about the order of the values. It does refer to default as "the last of these", but I believe that's only referring to the order in which they appear in the man page. In any case, I tried the answers from Gilles, Ryan, and you without success on Arch Linux.
  • dave58
    dave58 about 2 years
    Thanks for pointing out the separate pam.d/ssh configuration that may be needed. I edited @Gilles's answer above to include it. Some people don't read all the answers before leaping into action... :-)
  • John Greene
    John Greene about 2 years
    This PAM option does not work anymore under OpenSSH 8.8p1 if the UsePAM no option is used. It would actually check /etc/nologin after the authenticated session has been established and the TTY opened.