Technically, unless PAM is set up to check your shell with pam_shells, neither of these can actually prevent your login if you're not on the shell. On my system they are even different sizes, so I suspect they actually do something. So what's the difference? Why do they both exist? Why would I use one over the other?

-rwxr-xr-x 1 root root  21K Feb  4 17:01 /bin/false
-rwxr-xr-x 1 root root 4.7K Mar  2 14:59 /sbin/nologin
xenoterracide

  • See also [Does /usr/sbin/nologin as a login shell serve a security purpose?](http://unix.stackexchange.com/questions/155139/does-usr-sbin-nologin-as-a-login-shell-serve-a-security-purpose) – Gilles 'SO- stop being evil' Sep 12 '14 at 14:23
  • The path `/bin/false` should exist everywhere but not `/sbin/nologin`: '/sbin/nologin': No such file or directory. Any idea why it is `/usr/sbin/nologin` instead of `/sbin/nologin` on Debian and Ubuntu? – baptx Nov 30 '17 at 22:19
  • I'm curious why /bin/false takes 21k of code to return a "1" return code! (and /sbin/nologin only takes 4.7k) – Mark Stewart Feb 05 '18 at 18:02
  • Useful to read: [What is the difference between /sbin/nologin and /bin/false](https://serverfault.com/questions/519215/what-is-the-difference-between-sbin-nologin-and-bin-false) – Nordlys Jeger Sep 04 '18 at 08:27
  • @MarkStewart A bit too late, but you may want to read [Why are true and false so large?](https://unix.stackexchange.com/q/419697/243481) and [A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux](https://www.muppetlabs.com/~breadbox/software/tiny/teensy.html). – nxnev Apr 13 '19 at 02:08
  • @nxnev Yeah, didn't think about the overhead of ELF. And from my old IBM days there was a program IEFBR14 that was a simple one op-code assembly instruction: BR 14 -- Branch to register 14, which would terminate the program with the return code set to whatever was in register 14! – Mark Stewart Apr 13 '19 at 20:45

8 Answers

When /sbin/nologin is set as the shell, if a user with that shell logs in, they'll get a polite message saying 'This account is currently not available.' This message can be changed with the file /etc/nologin.txt.

/bin/false is just a binary that immediately exits, returning false, when it's called, so when someone who has false as their shell logs in, they're immediately logged out when false exits. Setting the shell to /bin/true has the same effect of not allowing someone to log in, but false is probably used as a convention over true since it's much better at conveying the concept that the person doesn't have a shell.

Looking at nologin's man page, it says it was created in 4.4 BSD (early 1990s) so it came long after false was created. The use of false as a shell is probably just a convention carried over from the early days of UNIX.

nologin is the more user-friendly option, with a customizable message given to the user trying to log in, so you would theoretically want to use that; but both nologin and false will have the same end result of someone not having a shell and not being able to ssh in.

Mark McKinstry

Some FTP servers will allow you FTP access only if you have a valid shell. /sbin/nologin is regarded as a valid shell, whereas /bin/false is not.

(I think "valid" means its exit status is 0, but /etc/shells may also come into it; it probably depends on the system, the FTP software, and your configuration.)

Mikel

  • Yeah, that's probably part of the FTP program using PAM, and PAM using pam_shells, which, as you said, checks `/etc/shells`. Just a guess... I could be wrong. – xenoterracide Apr 07 '11 at 21:43
  • I just checked both Ubuntu 8.04 and 14.04. The nologin command exits with status 1 similar to false, and none of true, false, or nologin are included in /etc/shells. If they were, a user could use chsh to select such a shell and lock himself out of his account. – penguin359 Jul 21 '15 at 20:30
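As an added example (not code from this thread), the following POSIX shell script puts the two points above together for an audit: it classifies each account in a constructed passwd listing by whether its shell is a no-login shell (nologin, false or true), and whether that shell appears in a constructed /etc/shells list, which is what pam_shells-based services such as the FTP case described by Mikel consult. The function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit a passwd-style listing for accounts
# whose login shell is a no-login shell (nologin, false, true) and check whether
# that shell is in an /etc/shells-style list, which pam_shells and chsh consult.
# Both inputs are constructed samples; what /etc/shells lists varies by distro.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/false
ftpuser:x:1001:1001:FTP only:/srv/ftp:/usr/sbin/nologin
alice:x:1002:1002:Alice:/home/alice:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/true'

SHELLS_SAMPLE='/bin/sh
/bin/bash
/usr/sbin/nologin'

# Exit 0 when the shell path is one of the conventional no-login shells.
is_nologin_shell() {
    case "$1" in
        */nologin|*/false|*/true) return 0 ;;
        *) return 1 ;;
    esac
}
# Exit 0 when shell $1 appears verbatim in the shells list passed as $2.
in_shells_list() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Print "user shell status" per account. Status is interactive, nologin-listed
# (pam_shells accepts it; only the shell's own exit refuses the login) or
# nologin-unlisted (pam_shells-based services such as FTP refuse it outright).
classify_accounts() {
    printf '%s\n' "$1" | while IFS=: read -r user pw uid gid gecos home shell; do
        if is_nologin_shell "$shell"; then
            if in_shells_list "$shell" "$2"; then status=nologin-listed
            else status=nologin-unlisted; fi
        else
            status=interactive
        fi
        printf '%s %s %s\n' "$user" "$shell" "$status"
    done
}
# Count the accounts in a given status (used to check the audit result).
count_status() {
    classify_accounts "$1" "$2" | awk -v s="$3" '$3 == s' | wc -l | tr -d ' '
}
classify_accounts "$PASSWD_SAMPLE" "$SHELLS_SAMPLE"
```

Run against the real files with `classify_accounts "$(cat /etc/passwd)" "$(cat /etc/shells)"` to see which no-login accounts pam_shells would still let through to the shell's own refusal.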

/bin/false is a system command that is used any time you need to pass a command to a program that should do nothing more than exit with an error. It's the companion to /bin/true. Both of these are very old and standard POSIX utilities and neither produces any output by definition. true is sometimes used for a shell script that should loop indefinitely, like:

wasted_time=0
while true; do
    wasted_time=$((wasted_time + 1))    # Waste time
    if [ "$wasted_time" -gt 100000 ]; then
        exit 0
    fi
done

/usr/sbin/nologin is specifically designed to replace a shell and produces output complaining that you can't log in. Before it existed, it was common to use /bin/false for dummy users, but it could be confusing since the user doesn't know why they're kicked off.

penguin359

  • Worth noting that `/bin/true` and `/bin/false` are not always what you will get in a shell script. In `zsh` `true` and `false` are built-ins, whereas `bash` uses the `/bin/*` versions. – xenoterracide Apr 08 '11 at 13:04

On my machine, nologin always displays the same message, in English, ignoring arguments. /bin/false responds to --version and --help in the language indicated by $LC_CTYPE. Other than these cosmetic differences, they have the same effect.

Usability-wise, nologin is better if it's used on the account of a real person who speaks English. Security-wise, there is no difference.

Gilles 'SO- stop being evil'

/bin/false's only job is to exit with a non-zero exit code.

Try it at the command line:

$:> /bin/false
$:> echo $?
1
$:>

Some institutions use /bin/false in the shell field of the password file. If a user tries to log in, the shell is /bin/false, so they are exited right away.

Rui F Ribeiro
shellter

On Linux, /sbin/nologin comes from the util-linux project, while /bin/false is part of GNU Coreutils. They serve different roles, and nologin has the option of printing a message for people who have it as their shell and are logging in. The Linux commands come from BSD, where they seem to have a long history of being different. The FreeBSD false simply returns 1, while nologin checks to make sure it's running on a TTY and sends a message to syslog during login attempts. The Linux versions are a bit more complicated (false doing all sorts of fun stuff with internationalization for the output of --help, I assume) but essentially perform the same way.

jsbillings

They could be the same program, but they have different meanings. The program name tells it all.

  • /bin/false is intended to return a false value. It is run as a program.
  • /bin/nologin is intended to indicate to the user that no login is permitted for an account. (It is used as a login shell.)
BillThor

Both do more or less the same job, but /bin/false is useful for non-privileged users. On the other hand, /sbin/nologin is for privileged users.

steve

  • Oh, how did you come to that conclusion? – fpmurphy Dec 27 '15 at 00:11
  • Probably he has looked into `/etc/passwd`. I just had a look into `/etc/passwd` of a freshly installed Debian stretch. On this box, nearly all system accounts (user ids < 1000) have `/usr/sbin/nologin` as shell, with a few exceptions. Please note that I do not agree with @pythondetective's answer. I am just speculating what might have led him to this conclusion. My comment is a little bit late, though. – Binarus Dec 10 '18 at 17:29
  • No! The default login shell is not the same as privileges. – MUY Belgium Apr 15 '19 at 10:11