/usr/bin/false vs /sbin/nologin

[EverydayDiesel]

Is there a difference bebetween these users? Apparently smb needs system accounts in addition to smb accounts and I need a no access.

Can someone please explain the difference or is there something even better?

[jggimi]

The man pages for each of these describe their uses. From false(1):

Code:

The false utility always exits with a non-zero exit code.

On OpenBSD /usr/bin/false is this shell executable:

Code:

#! /bin/sh
#    $OpenBSD: false.sh,v 1.2 1996/06/26 05:32:50 deraadt Exp $

exit 1

From nologin(1):

Code:

     nologin displays a message that an account is not available and exits
     non-zero.    It is intended as a replacement shell field for accounts that
     have been disabled.

     If the file /etc/nologin.txt exists, nologin displays its contents to the
     user instead of the default message.

And /sbin/nologin is a static binary. It's source code is attached below, in the event you wish to review it.

Code:

/*    $OpenBSD: nologin.c,v 1.5 2003/07/10 00:00:58 david Exp $    */

/*
 * Copyright (c) 1997, Jason Downs.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS
 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT,
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/types.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Distinctly different from _PATH_NOLOGIN. */
#define _PATH_NOLOGIN_TXT    "/etc/nologin.txt"

#define DEFAULT_MESG    "This account is currently not available.\n"

/*ARGSUSED*/
int main(int argc, char *argv[])
{
    int nfd;
    ssize_t nrd;
    char nbuf[BUFSIZ];

    nfd = open(_PATH_NOLOGIN_TXT, O_RDONLY);
    if (nfd < 0) {
        write(STDOUT_FILENO, DEFAULT_MESG, strlen(DEFAULT_MESG));
        exit (1);
    }

    while ((nrd = read(nfd, nbuf, sizeof(nbuf))) != -1 && nrd != 0)
        write(STDOUT_FILENO, nbuf, nrd);
    close (nfd);

    exit (1);
}

[EverydayDiesel]

Thanks! So when I create these system accounts for samba would you recommend that I create them with the false shell? Currently I do not see that as an option on adduser. Do I have to edit the /etc/passed?

[jggimi]

No, the script should never be used as a user's shell. It is only a script, and would need an operating shell to run.

Instead, use nologin, as that is what it is for. Review your /etc/passwd and see how frequently it is used.

[EverydayDiesel]

Thanks again. You really help me a lot on this forum!!