What's the difference between /sbin/nologin and /bin/false

Technically, unless pam is set up to check your shell with pam_shells neither of these can actually prevent your login, if you’re not on the shell. On my system they are even different sizes, so I suspect they actually do something. So what’s the difference? why do they both exist? Why would I use one over the other?

-rwxr-xr-x 1 root root  21K Feb  4 17:01 /bin/false
-rwxr-xr-x 1 root root 4.7K Mar  2 14:59 /sbin/nologin
Asked By: xenoterracide

||

On my machine, nologin displays always the same message, in English, ignoring arguments. /bin/false responds to --version and --help in the language indicated by $LC_CTYPE. Other than these cosmetic differences, they have the same effect.

Usability-wise, nologin is better if it’s used on the account of a real person who speaks English. Security-wise, there is no difference.

/bin/false only job is to exit with a non-zero exit code.

Try it at the command line:

$:> /bin/false
$:> echo $?
1
$:>

Some institutions use /bin/false in the shell field of the password file. If user tries to login, the shell is /bin/false, so they are exited right away

Answered By: shellter

Some FTP servers will allow you FTP access only if you have a valid shell. /sbin/nologin is regarded as a valid shell, whereas /bin/false is not.

(I think “valid” means its exit status is 0, but /etc/shells may also come into it, it probably depends on the system, the FTP software, and your configuration.)

Answered By: Mikel

When /sbin/nologin is set as the shell, if user with that shell logs in, they’ll get a polite message saying ‘This account is currently not available.’ This message can be changed with the file /etc/nologin.txt.

/bin/false is just a binary that immediately exits, returning false, when it’s called, so when someone who has false as shell logs in, they’re immediately logged out when false exits. Setting the shell to /bin/true has the same effect of not allowing someone to log in but false is probably used as a convention over true since it’s much better at conveying the concept that person doesn’t have a shell.

Looking at nologin‘s man page, it says it was created in 4.4 BSD (early 1990s) so it came long after false was created. The use of false as a shell is probably just a convention carried over from the early days of UNIX.

nologin is the more user-friendly option, with a customizable message given to the user trying to log in, so you would theoretically want to use that; but both nologin and false will have the same end result of someone not having a shell and not being able to ssh in.

Answered By: Mark McKinstry

/bin/false is a system command that is used anytime you need to pass a command to a program that should do nothing more than exit with an error. It’s the companion to /bin/true. Both of these are very old and standard POSIX utilities and neither produce any output by definition. true is sometimes used for a shell script that should loop indefinitely, like:

while true; do
    ...
    # Waste time
    if [ $wasted_time -gt 100000 ]; then
        exit 0
    fi
    ...
done

/usr/sbin/nologin is specifically designed to replace a shell and produces output complaining you can’t log-in. Before it existed, it was common to use /bin/false for dummy users, but could be confusing since the user doesn’t know why they’re kicked off.

Answered By: penguin359

They could be the same program, but they have different meanings. The program name tells it all.

  • /bin/false is intended to return a false value. It is run as program.
  • /bin/nologin is intended to indicate to the user that no login is permitted for an account. (It is used a login shell.)
Answered By: BillThor

On linux, /sbin/nologin comes from the util-linux project, while /bin/false is part of GNU Coreutils. They serve different roles, and nologin has the option of printing a message for people who have it as their shell who are logging in. The linux commands come from BSD, where they seem to have a long history of being different. The FreeBSD false simply returns 1, while the nologin checks to make sure it’s running on a TTY and sends a message to syslog during login attempts. The linux versions are a bit more complicated (false doing all sorts of fun stuff with internationalization for the output of –help, I assume) but essentially perform the same way.

Answered By: jsbillings

Both does more or less the same job but /bin/false is useful for non-privileged users . On the other hand, /sbin/nologin is for privileged users.

Answered By: pythondetective
Categories: Answers Tags: , ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.