Does /usr/sbin/nologin as a login shell serve a security purpose?
Solution 1
If you take a look at the nologin
man page you'll see the following description.
excerpt
nologin displays a message that an account is not available and exits non-zero. It is intended as a replacement shell field to deny login access to an account.
If the file
/etc/nologin.txt
exists,nologin
displays its contents to the user instead of the default message.The exit code returned by
nologin
is always 1.
So the actual intent of nologin
is just so that when a user attempts to login with an account that makes use of it in the /etc/passwd
is so that they're presented with a user friendly message, and that any scripts/commands that attempt to make use of this login receive the exit code of 1.
Security
With respect to security, you'll typically see either /sbin/nologin
or sometimes /bin/false
, among other things in that field. They both serve the same purpose, but /sbin/nologin
is probably the preferred method. In any case they're limiting direct access to a shell as this particular user account.
Why is this considered valuable with respect to security?
The "why" is hard to fully describe, but the value in limiting a user's account in this manner, is that it thwarts direct access via the login
application when you attempt to gain access using said user account.
Using either nologin
or /bin/false
accomplishes this. Limiting your system's attack surface is a common technique in the security world, whether disabling services on specific ports, or limiting the nature of the logins on one's systems.
Still there are other rationalizations for using nologin
. For example, scp
will no longer work with a user account that does not designate an actual shell, as described in this ServerFault Q&A titled: What is the difference between /sbin/nologin and /bin/false?.
Solution 2
Definitely it serves a security purpose. For example, look at the below bug filed for a system user who had a shell.
My debian server was compromised due to the daemon account having a valid login shell and having samba open for internet access. The break in was made by setting a password remotly via samba for the daemon account and the logging in through ssh. Some local root exploit was then used to OWN my server.
I would recommend you to read this wonderful answer by Gilles where he has provided links to some of the bugs as well.
There are bugs filed over this issue in Debian (274229, 330882, 581899), currently open and classified as “wishlist”. I tend to agree that these are bugs and system users should have /bin/false as their shell unless it appears necessary to do otherwise.
Solution 3
To add to the excellent answers of @slm and @ramesh:
Yes, as you have pointed out, you can still switch to users with nologin as their default shell by running sudo
with a shell defined, but in this case, you have had to:
- Log in as another user that has a valid shell
- Have sudo permissions configured for that user to run the
su
command, and - Had your su attempt logged to the sudoers log (assuming of course that sudo logging is enabled).
The users that have nologin defined as their default shell often have higher privileges/are able to do more damage to the system than a regular user, so having them unable to log in directly attempts to limit the damage that a breach of your system could suffer.
Solution 4
Next to the great answers already given, I can think of the following scenario.
A security bug in a service running as a restricted user allows to write a file as that user. This file can be ~/.ssh/authorized_keys
.
This allows the attacker to login directly in a shell which would make it much easier to execute a privilege escalation.
Disallowing a login shell would make this option a lot more difficult.
Solution 5
In addition to the excellent answers that have been given, it serves another purpose.
If you run an FTP daemon on your server, it checks the login shell of users that attempt to login. If the shell isn't listed in /etc/shells
, it doesn't allow them to login. So giving daemon accounts a special shell prevents someone from modifying the account via FTP.
Related videos on Youtube
Mark Amery
Email address: [email protected]. No spam, please. I work for Curative Inc: https://curative.com/ I license you to use any of my Stack Overflow contributions in any way you like. If you find something wrong in one of my posts, feel free to edit it. I'm a frequent visitor and can always roll back if I think a change you've made is wrong or stupid, so you may as well be bold - it's better, here, to ask for forgiveness than permission.
Updated on September 18, 2022Comments
-
Mark Amery over 1 year
In my
/etc/passwd
file, I can see that thewww-data
user used by Apache, as well as all sorts of system users, have either/usr/sbin/nologin
or/bin/false
as their login shell. For example, here is a selection of lines:daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin games:x:5:60:games:/usr/games:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin syslog:x:101:104::/home/syslog:/bin/false whoopsie:x:109:116::/nonexistent:/bin/false mark:x:1000:1000:mark,,,:/home/mark:/bin/bash
Consequently, if I try to swap to any of these users (which I'd sometimes like to do to check my understanding of their permissions, and which there are probably other at least halfway sane reasons for), I fail:
mark@lunchbox:~$ sudo su www-data This account is currently not available. mark@lunchbox:~$ sudo su syslog mark@lunchbox:~$
Of course, it's not much of an inconvenience, because I can still launch a shell for them via a method like this:
mark@lunchbox:~$ sudo -u www-data /bin/bash www-data@lunchbox:~$
But that just leaves me wondering what purpose is served by denying these users a login shell. Looking around the internet for an explanation, many people claim that this has something to do with security, and everybody seems to agree that it would be in some way a bad idea to change the login shells of these users. Here's a collection of quotes:
Setting the Apache user's shell to something non-interactive is generally good security practice (really all service users who don't have to log in interactively should have their shell set to something that's non-interactive).
-- https://serverfault.com/a/559315/147556
the shell for the user www-data is set to /usr/sbin/nologin, and it's set for a very good reason.
-- https://askubuntu.com/a/486661/119754
[system accounts] can be security holes, especially if they have a shell enabled:
-
Bad
bin:x:1:1:bin:/bin:/bin/sh
-
Good
bin:x:1:1:bin:/bin:/sbin/nologin
-- https://unix.stackexchange.com/a/78996/29001
For security reasons I created a user account with no login shell for running the Tomcat server:
# groupadd tomcat # useradd -g tomcat -s /usr/sbin/nologin -m -d /home/tomcat tomcat
-- http://www.puschitz.com/InstallingTomcat.html
While these posts are in unanimous agreement that not giving system users real login shells is good for security, not one of them justifies this claim, and I can't find an explanation of it anywhere.
What attack are we trying to protect ourselves against by not giving these users real login shells?
-
-
Parthian Shot almost 9 years
They both serve the same purpose, but /sbin/nologin is probably the preferred method.
From a security standpoint, `/sbin/nologin`` isn't the preferred method; it wastes time and cycles providing a response. Although neither provide particularly good security; they're defense-in-depth measures, but they don't actually stop someone from running a command as a given user. -
Parthian Shot almost 9 years...I don't see how that actually depends specifically on the declared shell for the user. If the attacker only ran
ssh user@site
, and that worked, they wouldn't continue to tryingssh user@site /bin/bash
, but I'm pretty sure that'd still work regardless of declared shell. -
metavida over 8 years@ParthianShot, anecdotal evidence: on my CentOS server, when an account's shell is set to /sbin/nologin
ssh user@site /bin/bash
returns a simpleThis account is currently not available.
message. Also, this answer says nologin protects SSH access -
Franko almost 5 years@ParthianShot based on the description, that's not what's happened. What's happened is: Samba was misconfigured; the attacker configured ssh access via Samba; the attacker logged on via ssh. Although this case is obviously the sysadmin's fault, if you replace "misconfigured Samba" with "exploitable service", then preventing login access makes sense, as it reduces the surface of attack. of course, if the exploit grants local execution, having ssh access rather than not, makes little difference.