nologin user


$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/sbin:/sbin/nologin
sshd:x:74:74:Privileged-sperated SSH:/var/empty/sshd:/sbin/nologin

Q1. Why are there so many users here, and why do they all have /sbin/nologin as their shell?

Q2. What's the difference between /sbin/nologin and /bin/false?

When /sbin/nologin is set as the shell, if a user with that shell logs in, they'll get a polite message saying 'This account is currently not available.'. This message can be changed with the file /etc/nologin.txt.

/bin/false is just a binary that immediately exits, returning false, when it's called, so when someone who has false as their shell logs in, they're immediately logged out when false exits. Setting the shell to /bin/true has the same effect of not allowing someone to log in, but false is probably used as a convention over true since it's much better at conveying the concept that the person doesn't have a shell.

Looking at nologin's man page, it says it was created in 4.4 BSD (early 1990s), so it came long after false was created. The use of false as a shell is probably just a convention carried over from the early days of UNIX.

nologin is the more user-friendly option, with a customizable message given to the user trying to log in, so you would theoretically want to use that, but both nologin and false will have the same end result of someone not having a shell and not being able to ssh in.

The "customizable message" mentioned here can be looked up with

$ man nologin

which tells you that you only need to write the file /etc/nologin.txt.

Some FTP servers will allow you FTP access only if you have a valid shell. /sbin/nologin is regarded as a valid shell, whereas /bin/false is not.

(I think "valid" means its exit status is 0, but /etc/shells may also come into it, it probably depends on the system, the FTP software, and your configuration.)


/bin/false is a system command that is used anytime you need to pass a command to a program that should do nothing more than exit with an error. It's the companion to /bin/true. Both of these are very old and standard POSIX utilities and neither produce any output by definition. true is sometimes used for a shell script that should loop indefinitely, like:

while true; do
    ...
    # Waste time
    if [ $wasted_time -gt 100000 ]; then
        exit 0
    fi
    ...
done

/usr/sbin/nologin is specifically designed to replace a shell and produces output complaining that you can't log in. Before it existed, it was common to use /bin/false for dummy users, but it could be confusing since the user doesn't know why they're kicked off.


On my machine, nologin always displays the same message, in English, ignoring arguments. /bin/false responds to --version and --help in the language indicated by $LC_CTYPE. Other than these cosmetic differences, they have the same effect.

Usability-wise, nologin is better if it's used on the account of a real person who speaks English. Security-wise, there is no difference.

On Linux, /sbin/nologin comes from the util-linux project, while /bin/false is part of GNU Coreutils. They serve different roles, and nologin has the option of printing a message for people who have it as their shell who are logging in. The Linux commands come from BSD, where they seem to have a long history of being different. The FreeBSD false simply returns 1, while the nologin checks to make sure it's running on a TTY and sends a message to syslog during login attempts. The Linux versions are a bit more complicated (false doing all sorts of fun stuff with internationalization for the output of --help, I assume) but essentially perform the same way.

They could be the same program, but they have different meanings. The program name tells it all.

  • /bin/false is intended to return a false value. It is run as a program.
  • /bin/nologin is intended to indicate that no login is permitted for an account. (It is used as a login shell.)
How do you switch to a nologin account?

$ su -s /bin/bash nologinUSER

#One way is to launch a shell for that user (explicitly specifying the shell):

$ sudo -u www-data bash

#This will launch a (bash) shell as the specified user. You can then execute your command(s) and logout (to return to your previous shell)


Use the -s option to specify the login shell:

# create a nologin user
$ useradd -M -s /sbin/nologin newUserName


By default, when you add a new user to the system (/etc/passwd file), it grants shell access. If you are creating new users for POP3 or SMTP (mail server) or FTP, then you do not need to grant shell access to the user. Remember, as soon as you add a user he/she can log in via telnet or ssh. The best way to put a Linux shell access restriction in place is to use a special shell called nologin, which politely refuses a login. It displays a message that an account is not available and exits non-zero. It is intended as a replacement shell field for accounts that have been disabled or have other user-level access such as ftp, pop3, smtp etc. This is a very common practice followed by ISPs or web hosting service providers for their web, mail and FTP server(s).

/sbin/nologin Example

(a) First make sure nologin exists in the /etc/shells file (otherwise services such as ftp may not allow login):
# less /etc/shells
If nologin shell does not exist in above shell list, just add /sbin/nologin shell to it:
# echo "/sbin/nologin" >> /etc/shells
If you are using Debian then use following path:
# echo "/usr/sbin/nologin" >> /etc/shells
(b) Block shell access for user vivek (the vivek user account must exist):
# usermod -s /sbin/nologin vivek
Debian Linux users modify the above command as follows:
# usermod -s /usr/sbin/nologin vivek
Now user vivek's new login shell is /sbin/nologin. Vivek is allowed to use other services such as ftp and pop3, but not shell access via ssh or telnet.

New user accounts

Add a new user called tony with no shell access:
# useradd -s /sbin/nologin tony
Debian / Ubuntu Linux users modify the above command as follows:
# useradd -s /usr/sbin/nologin tony

Please note that the above method is very easy to use, but if you have a large setup, you need to take the help of PAM (and maybe OpenLDAP / MySQL). I will cover such a setup some time later :)
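After changing shells as above, a defender wants to check the result across the whole passwd file rather than one user at a time, and also to catch the /etc/shells problem mentioned earlier (ftp/pop daemons refusing accounts whose shell is not listed). The following is an added example, not code from any of the quoted posts; it runs over constructed sample files (SAMPLE_PASSWD, SAMPLE_SHELLS) rather than the real /etc/passwd, and the function names and the 499 system-UID cutoff are this example's own assumptions:

```shell
#!/bin/sh
# Added example: audit a passwd-format file for service accounts that still
# have an interactive shell, and for shells that /etc/shells does not list.
# The two input files below are constructed samples, not a real host's files.

SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHELLS=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHELLS"' EXIT

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
vivek:x:501:501::/home/vivek:/sbin/nologin
tony:x:502:502::/home/tony:/bin/false
EOF

cat > "$SAMPLE_SHELLS" <<'EOF'
/bin/sh
/bin/bash
/sbin/nologin
EOF

# system_accounts_with_shell PASSWD MAXUID
# Prints "name:uid:shell" for every account whose UID is <= MAXUID and whose
# shell is neither nologin nor false, i.e. system accounts that could still
# obtain a shell if their password or key were ever set.
system_accounts_with_shell() {
    awk -F: -v max="$2" '
        $3 <= max && $7 !~ /(^|\/)(nologin|false)$/ { print $1 ":" $3 ":" $7 }
    ' "$1"
}

# shells_not_in_etc_shells PASSWD SHELLS
# Prints "name:shell" for accounts whose shell is absent from SHELLS. Such
# accounts are often rejected by services that require a "valid" shell.
shells_not_in_etc_shells() {
    awk -F: '
        FNR == NR { valid[$0] = 1; next }    # first file: the /etc/shells list
        !($7 in valid) { print $1 ":" $7 }   # second file: the passwd entries
    ' "$2" "$1"
}

echo "System accounts (uid <= 499) that still have an interactive shell:"
system_accounts_with_shell "$SAMPLE_PASSWD" 499
echo "Accounts whose shell is not listed in the sample /etc/shells:"
shells_not_in_etc_shells "$SAMPLE_PASSWD" "$SAMPLE_SHELLS"
```

On the sample data the first check reports root and the backup account (a service account that was left with /bin/bash), and the second reports tony, whose /bin/false is not in the sample /etc/shells. To run it against a live system, pass /etc/passwd and /etc/shells instead of the sample files.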



Original source: http://linux.vbird.org/linux_basic/0410accountmanager.php


UID
This is the user identifier. Linux usually imposes a few restrictions on UIDs that you should know about:

ID range: characteristics of users with that ID

0 (system administrator)
When the UID is 0, the account is the "system administrator"! So if you want another account name to also have root's privileges, just change that account's UID to 0. In other words, a system does not necessarily have only one administrator called root! That said, having several accounts with UID 0 is strongly discouraged.

1~499 (system accounts)
IDs reserved for system use. In fact, apart from 0, the other UIDs do not differ in privileges or characteristics; reserving numbers below 500 for system accounts is just a convention.

Because the services started on a system should run with as little privilege as possible, we do not want to run them as root, so we have to provide owner accounts for these running programs. These system accounts usually cannot log in, which is why the special shell /sbin/nologin mentioned in Chapter 11 exists.

Based on where they come from, system accounts are roughly divided into two kinds:
1~99: system accounts created by the distribution itself;
100~499: UIDs available to users who need to create system accounts.

500~65535 (login accounts)
For ordinary users. In fact, the current Linux kernel (2.6.x) can already support UIDs as large as 4294967295 (2^32-1)!

  • An ordinary user forgot their password: this is the easiest case. Ask the system administrator for help; they can set a new password for you without knowing your old one, simply by running the passwd command as root.

  • The root password was forgotten: this is more troublesome, because you can no longer log in as root! But we know root's password is stored in /etc/shadow, so you can boot into Linux by any workable means and modify it. For example, after rebooting into single-user maintenance mode (Chapter 20), the system gives you a bash prompt with root privileges, and you can then change the password with passwd; or boot from a Live CD, mount the root filesystem and edit /etc/shadow, clearing root's password field, after which root can log in without a password on the next boot. After logging in, set a root password with passwd right away.


The original of the following text is at: http://kakajw.iteye.com/blog/1859008

I. Linux user categories

 

Linux has three kinds of users:

Superuser root: has the highest privileges, UID=0 GID=0
System users (System Account): mainly serve applications and keep the system running; they cannot log in.
Ordinary users (login account): users who log in.

 

root and ordinary users are familiar enough; here is a brief introduction to system users.

 

Typical system users:
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin

 

One can't help asking: why are there system users?
Most privilege and security management in a Linux system relies on managing file permissions (read, write, execute). A user is the set of permissions with which system resources can be obtained, and the owner of a file's permissions is a user.
When an application needs to access, operate on or own system resources, Linux controls and implements this through users, and these users are the system users.
For example:
sys:The sys user owns the default mounting point for the Distributed File Service (DFS) cache, which must exist before you can install or configure DFS on a client.
     The /usr/sys directory can also store installation images.
ftp:Used for anonymous FTP access.
nobody:Owns no files and is sometimes used as a default user for unprivileged operations.

 


II. Linux groups

 

Note: the users referred to here are all ordinary users, i.e. login users.

 

The relationship between groups and users
Linux manages users by group. The relationship between users and groups is many-to-many: a user can join or belong to one or more groups, and a group can have zero, one or many users.


Classification of groups

From the user's point of view, there are primary groups and supplementary groups.
Primary group: also called the primary group, first group or initial login group; the user's default group, identified by the user's gid.
Supplementary group: also called a secondary group or supplementary group; the user's additional groups.

 

The id command shows the current user's primary and supplementary groups:

 

[root@localhost ~]# id root
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

 

[root@localhost ~]# id gg
uid=503(gg) gid=503(gg) groups=503(gg)


[root@localhost ~]# id mm
uid=502(mm) gid=500(jww) groups=500(jww)

 

gid identifies the primary group; groups lists all groups the user belongs to (primary and supplementary).

 

1. A user must have exactly one primary group and may have zero, one or more supplementary groups, just as we are sure to have one house to live in (like the primary group) and may have n more houses for investment or other purposes (the supplementary groups).

 

2. The primary group is also the default group: when a user owns a file or directory, the group owner of that file or directory defaults to the user's primary group (this can of course be changed with chgrp).

 

3. In /etc/passwd, the fourth field of each record is the gid, i.e. the id of the user's primary group.

 

4. In /etc/group, the fourth field of each record lists the group's members, but it shows only the users who have that group as a supplementary group, not those who have it as their primary group. The fourth field of an /etc/group record therefore does not list the group's full membership.

 

5. When creating a new user with useradd, the -g parameter can specify an existing group as the user's primary group. If -g is not used, the system automatically creates a group with the same name as the user and makes it that user's primary group (provided the USERGROUPS_ENAB variable in /etc/login.defs is set to yes), as the useradd manual's description of -g shows:
 -g, --gid GROUP
     The group name or number of the user's initial login group. The
     group name must exist. A group number must refer to an already
     existing group.

     If not specified, the behavior of useradd will depend on the
     USERGROUPS_ENAB variable in /etc/login.defs. If this variable is
     set to yes (or -U/--user-group is specified on the command line), a
     group will be created for the user, with the same name as her
     loginname. If the variable is set to no (or -N/--no-user-group is
     specified on the command line), useradd will set the primary group
     of the new user to the value specified by the GROUP variable in
     /etc/default/useradd, or 100 by default.

 

In addition, usermod -g sets an ordinary user's primary group/gid to any existing group on the system (permanently),
while newgrp temporarily changes the current user's primary group/gid (effective only for the current login session, not permanent).
usermod -G sets an ordinary user's supplementary groups.


