Detailed introduction to nobody user and nologin in Unix/Linux system


What is the nobody user in Unix/Linux systems?

1. A Windows system automatically creates a number of user accounts during installation. A Linux system likewise has user accounts that exist as soon as the system is installed, much like the built-in accounts on Windows.

2. These accounts exist to carry out specific tasks; nobody and ftp are two examples. When you visit the web application on LinuxSir.Org, the site's server lets clients log in as 'nobody' (the equivalent of the anonymous account on Windows);

when we access ftp anonymously, the account used is ftp or nobody.

3. First of all, nobody is an ordinary user, not a privileged one. The 'purpose' of the nobody username is to let anyone use the system, but its UID and GID carry no privileges at all: with that uid and gid it can only access files that are readable and writable by everyone.

4. Secondly, many systems create nobody by default and, by convention, try to "restrict its permissions to the minimum". When a server provides services to the outside, it may let clients log in as nobody.

5. Nobody is an ordinary account. Because its default login shell is '/sbin/nologin', this user cannot log in to the system directly, which makes it hard for an attacker who exploits a vulnerability to connect to your server and cause damage. In addition, the account's permissions are set very low. It is therefore relatively secure: everything is granted the minimum permissions, and that is the whole point of nobody's existence.

What does it mean when the user shell is /sbin/nologin in Unix/Linux systems?

If a user's default shell is set to /sbin/nologin, that user is prohibited from logging in to the system.

The function of nologin is to stop particular users from obtaining a shell when they log in via ssh.

For example, you can set the default shell of service accounts such as nginx, mysql and php-fpm to /sbin/nologin.

This is done mainly to improve system security.

Because a system account's shell is /sbin/nologin, it cannot log in to the system even if it is given a password.

The so-called "unable to log in" only means that the user cannot use bash or another shell to log in to the system; it does not mean that the account cannot use system resources. For example, among the various system accounts, print jobs are managed by the account lp and the www server by the account apache. They can all run system programs, but they cannot log in to the host.
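The two checks the sections above describe, that service accounts carry a nologin shell and that nobody has a non-zero UID and no interactive shell, can be made into a small audit. The script below is an added example, not code from the original article: it reads a passwd-format file given as its first argument (so it can be pointed at the real /etc/passwd) and runs here against a constructed sample embedded in the script. It treats /sbin/nologin, /usr/sbin/nologin and /bin/false alike, since all three refuse an interactive login.

```shell
#!/bin/sh
# Added example (not from the original article): audit which accounts in a
# passwd file can still obtain a shell, and check that 'nobody' is locked down.
# Each function takes the path of a passwd-format file as $1.

# Print "user:uid:shell" for every account whose shell permits interactive login,
# i.e. anything other than a nologin/false shell.
login_capable_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }' "$1"
}

# Print the names of accounts whose shell refuses logins.
nologin_accounts() {
    awk -F: '$7 ~ /(nologin|false)$/ { print $1 }' "$1"
}

# Return 0 only if 'nobody' exists, has a non-zero UID and a nologin shell.
nobody_is_locked_down() {
    awk -F: '$1 == "nobody" && $3 != 0 && $7 ~ /(nologin|false)$/ { found = 1 }
             END { if (found) exit 0; else exit 1 }' "$1"
}

# Constructed sample passwd content (not copied from any real system).
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

echo "Accounts that can get a shell (review each one):"
login_capable_accounts "$SAMPLE_PASSWD"
echo "Accounts with a nologin shell:"
nologin_accounts "$SAMPLE_PASSWD" | tr '\n' ' '; echo
if nobody_is_locked_down "$SAMPLE_PASSWD"; then
    echo "nobody: OK (non-zero UID, nologin shell)"
else
    echo "nobody: WARNING, missing, UID 0, or has an interactive shell"
fi
```

Run it as `sh audit.sh` to see the sample report, or call `login_capable_accounts /etc/passwd` on a live system; the list of shell-capable accounts is what an administrator should be able to explain account by account.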

Some services, such as a mail service, mostly just receive mail for the host and never need to log in. If such an account tries to connect to my host to get a shell, we can reject it.

You can also use the /etc/nologin file to temporarily prohibit other users from logging in. The method is simply to create a file named nologin in the /etc directory.

For example:

 # touch /etc/nologin

From then on, users are prevented from logging in to the system.
When a user is refused in this way, the contents of the /etc/nologin file are displayed to them, flashing by briefly before the session is closed.

For example, put the following content in the /etc/nologin file:

 # vi /etc/nologin
 disable login by admin temporarily!

When a user tries to log in, the message "disable login by admin temporarily!" is displayed to them. Once system maintenance is finished, the /etc/nologin file is deleted and other users can log in again. This only affects users who are able to log in to a shell.

It has no effect on users whose login shell is /sbin/nologin, because they cannot log in to a shell in the first place.

In addition, if I want a user whose shell is /sbin/nologin to know that they cannot log in to the host, I can create the file /etc/nologin.txt and write the reason there. When that user tries to log in, the contents of this file appear on the screen.

For example:

 # vi /etc/nologin.txt
 This account is a system account or mail account.
 # su - mail

It prints "This account is a system account or mail account."

Supplement:

The two files /etc/nologin and /etc/nologin.txt do not serve the same purpose.

While the /etc/nologin file exists, any ordinary account that tries to log in is only shown the content of /etc/nologin and cannot log in to the host at all.

That is, once /etc/nologin has been created with the content "This Linux server is under maintenance....", anyone who tries to log in sees that message and is unable to log in to the system.

Only after the /etc/nologin file is deleted can ordinary users log in normally again.
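The maintenance procedure above (create /etc/nologin with a message, do the work, delete the file) has one practical failure mode: if the maintenance script aborts before the delete step, ordinary users stay locked out. The script below is an added example, not code from the original article; it wraps the work in a lock whose removal is guaranteed by a trap. The directory prefix argument is an assumption added for the example, so it can run in a scratch directory; passing an empty prefix as root operates on the real /etc/nologin, which login(1), pam_nologin and sshd all honour while still admitting root.

```shell
#!/bin/sh
# Added example (not from the original article): hold a maintenance lock by
# creating <prefix>/etc/nologin with a message, and guarantee it is removed
# afterwards even if the maintenance steps fail.
# The <prefix> argument is an example-only assumption: "" means the real /etc.

NOLOGIN_MSG="This Linux server is under maintenance, please try again later."

# Block ordinary logins: while this file exists, login refuses non-root users
# and shows them the file's content.
enable_maintenance_lock() {
    prefix="$1"; msg="$2"
    mkdir -p "$prefix/etc"
    printf '%s\n' "$msg" > "$prefix/etc/nologin"
}

# Allow logins again by removing the file.
disable_maintenance_lock() {
    rm -f "$1/etc/nologin"
}

# Return 0 when logins are currently blocked under the given prefix.
logins_blocked() {
    [ -f "$1/etc/nologin" ]
}

# Print the message a refused user would see (nothing when no lock is held).
lock_message() {
    if [ -f "$1/etc/nologin" ]; then cat "$1/etc/nologin"; fi
}

# Run the given command with the lock held. The EXIT/INT/TERM trap removes the
# lock on every exit path, including a failing step or an interrupted session.
run_with_lock() {
    prefix="$1"; shift
    enable_maintenance_lock "$prefix" "$NOLOGIN_MSG"
    trap 'disable_maintenance_lock "$prefix"' EXIT INT TERM
    "$@"
    status=$?
    disable_maintenance_lock "$prefix"
    trap - EXIT INT TERM
    return $status
}

# Demonstration against a scratch directory instead of the real /etc.
SCRATCH="$(mktemp -d)"
maintenance_steps() {
    echo "lock in place, users would see: $(lock_message "$SCRATCH")"
    # ... package upgrades, service restarts, etc. would go here ...
}
run_with_lock "$SCRATCH" maintenance_steps
if logins_blocked "$SCRATCH"; then
    echo "lock still present!"
else
    echo "lock removed, ordinary logins allowed again"
fi
```

The message is written with printf rather than touch so that users see why they are refused; keeping the removal in a trap rather than at the end of the script is what turns "remember to delete /etc/nologin" into something that cannot be forgotten.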

Summary:

Nobody is the anonymous user of a Linux/Unix system and can only access public content on the server.

/sbin/nologin is a shell setting item in Linux/Unix system. Users whose login shell is /sbin/nologin are not allowed to log in to the system.

/etc/nologin.txt applies only to users whose shell is /sbin/nologin.

/etc/nologin can be understood as applying to all ordinary users.
