I have often heard it recommended that a user account should be disabled by setting its shell to /bin/false. But, on my existing Linux systems, I see that a great number of existing accounts (all of them service accounts) have a shell of /sbin/nologin instead.
I see from the man page that /sbin/nologin prints a message to the user saying the account is disabled, and then exits. Presumably /bin/false would not print anything.
I also see that /sbin/nologin is listed in /etc/shells, while /bin/false is not.
The man page says that FTP will disable access for users with a shell not listed in /etc/shells and implies that other programs may do the same. Does that mean that somebody could FTP in with an account that has /sbin/nologin as its shell?
What is the difference here? Which one of these should I use to disable a user account, and in what circumstances? What other effects does a listing in /etc/shells have?
/bin/false is a utility program, companion to /bin/true, which is useful in some abstract sense to ensure that unix is feature-complete. However, apocryphal purposes for these programs have been found; consider the BASH statement /some/program || /bin/true, which will always boolean-evaluate to true ($? = 0) no matter the return of /some/program.
An apocryphal use of /bin/false, as you identified, is as a null shell for users not allowed to log in. The system in this case will behave exactly as though the shell failed to run.
POSIX (though I may be wrong and it may the the SUS) constrains both these commands to do exactly nothing other than return the appropriate boolean value.
/sbin/nologin is a BSD utility which has similar behaviour to /bin/false (returns boolean false), but prints output as well, as /bin/false is prohibited from doing. This is supposed to help the user understand what happened, though in practice many terminal emulators will simply close when the shell terminates, rendering the message all but unreadable anyway in some cases.
There is little purpose to listing /sbin/nologin in /etc/shells. The standard effect of /etc/shells is to list the programs permissible for use with chsh when users are changing their own shell (and there is no credible reason to change your own shell to /sbin/nologin). The superuser can change anyone’s shell to anything. However, you may want to list both /sbin/nologin and /bin/false in /etc/rsh, which will prohibit users with these shells from changing their shell using chsh in the unfortunate event that they get a shell.
FTP daemons may disallow access to users with a shell not in /etc/shells, or they may use any other logic they wish. Running FTP is to be avoided in any case because sftp (which provides similar functionality) is similar but secure. Some sites use /sbin/nologin to disable shell access while allowing sftp access by putting it in /etc/shells. This may open a backdoor if the user is allowed to create cronjobs.
In either case, scp will not operate with an invalid shell. scponly can be used as a shell in this instance.
Additionally, the choice of shell affects the operation of su - (AKA su -l). Particularly, the output of /sbin/nologin will be printed to stdout if it is the shell; this cannot be the case with /bin/false. In either case commands run with su -cl will fail.
Finally, the answer:
To disable an account, depend on neither of these, but set the shell to /sbin/nologin for informational purposes (unless /sbin/nologin is in /etc/shells, at which point you should use /bin/false, which shouldn’t be). Instead, set the password field in /etc/passwd to !, which is guaranteed by crypt to be valid for no passwords. Consider setting the hash in /etc/shadow the same way to avoid bugs.
Check more discussion of this question.
