What is the nobody user in Unix/Linux systems?

1. A Windows system automatically creates some user accounts during installation. A Linux system likewise has some user accounts that exist once the system is installed, just like the built-in accounts in Windows.

2. These accounts are used to complete specific tasks; nobody and ftp are examples. When we visit the web program of LinuxSir.Org, the server of the official website allows visitors to log in as 'nobody' (equivalent to the anonymous account in Windows). When we access FTP anonymously, we use the user ftp or nobody.

3. First of all, nobody is an ordinary user, not a privileged user. The purpose of the nobody username is to allow anyone to log in to the system, but its UID and GID do not provide any privileges; that is, this UID and GID can only access files that are readable and writable by everyone.

4. Secondly, many systems conventionally create a nobody account by default and try to "limit its permissions to the minimum". When the server provides external services, it may allow the client to log in as nobody.

5. nobody is an ordinary account. Because its default login shell is '/sbin/nologin', this user cannot log in to the system directly, which makes it difficult for hackers to connect to your server through vulnerabilities and cause damage. In addition, the permissions of this user are configured very low, so it is more secure. Everything is given minimum permissions. This is the reason nobody exists.

What does it mean when the user shell is /sbin/nologin in Unix/Linux systems?

If a user's default shell is set to /sbin/nologin, this user is prohibited from logging in to the system. The function of nologin is to restrict certain users from logging in to a shell via ssh.
For example, you can set the default shell of the users of applications such as nginx, mysql and php-fpm to /sbin/nologin, mainly to improve system security. A system account whose shell is /sbin/nologin cannot log in to the system even if you give it a password.

"Unable to log in" here only means that the user cannot use bash or another shell to log in to the system; it does not mean that the account cannot use system resources. For example, among the various system accounts, print jobs are managed by the account lp, and the www server is managed by the account apache. They can all run system programs, but they cannot log in to the host. Some services, such as mail services, are mostly used to receive mail on the host and do not require logging in. If such an account tries to connect to the host to get a shell, it can be rejected.

Sometimes you can use the /etc/nologin file to temporarily prohibit other users from logging in. To do so, create a file named nologin in the /etc/ directory. For example:

    # touch /etc/nologin

This will prevent subsequent users from logging in to the system. You can also put a message in the /etc/nologin file, for example:

    # vi /etc/nologin
    disable login by admin temporarily!

When a user tries to log in, the message "disable login by admin temporarily!" is displayed to the user. After system maintenance is complete, delete the /etc/nologin file and other users can log in again.

This only applies to users who can log in to a shell. It has no effect on users whose login shell is /sbin/nologin, because they cannot log in to a shell in the first place.

In addition, to let a user whose shell is /sbin/nologin know why they cannot log in to the host, you can create a new file /etc/nologin.txt and write the reason in it. When the user tries to log in, the contents of this file appear on the screen.
For example:

    # vi /etc/nologin.txt
    This account is a system account or mail account.

    # su - mail

This prompts "This account is a system account or mail account."

Supplement:

The functions of the two files /etc/nologin and /etc/nologin.txt are not the same. When the /etc/nologin file exists, any ordinary account that tries to log in only gets the content of /etc/nologin and cannot log in to the host. That is, when /etc/nologin is created and its content is set to "This Linux server is maintaining....", anyone who tries to log in sees this prompt and cannot log in to the system. Only after the /etc/nologin file is deleted can ordinary users log in normally.

Summary:

nobody is an anonymous user in Linux/Unix systems and can only access public content on the server.

/sbin/nologin is a shell setting in Linux/Unix systems. Users whose login shell is /sbin/nologin are not allowed to log in to the system.

/etc/nologin.txt applies only to users whose shell is /sbin/nologin.

/etc/nologin can be understood as targeting all ordinary users.
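The following is an added example, not part of the original article: a shell function that reads /etc/passwd-format data and lists service accounts (such as apache or nginx) that still have an interactive shell instead of /sbin/nologin, plus a check for the /etc/nologin maintenance file. The sample passwd entries are constructed, and treating UIDs below 1000 as system accounts is an assumption that varies by distribution.

```shell
#!/bin/sh
# Added example: find service accounts that can still get a login shell.

# Constructed sample in /etc/passwd format: name:pw:uid:gid:gecos:home:shell
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/bin/bash
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
nginx:x:990:985:Nginx web server:/var/lib/nginx:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

# Reads passwd-format lines on stdin and prints "name:uid:shell" for each
# system account (UID below UID_MIN, assumed 1000, or the nobody account)
# whose shell is not nologin or false.
service_accounts_with_login_shell() {
    awk -F: -v uid_min="${UID_MIN:-1000}" '
        $3 == 0 { next }                          # root keeps its shell
        $3 >= uid_min && $1 != "nobody" { next }  # ordinary users may log in
        $7 ~ /\/(nologin|false)$/ { next }        # already denied a shell
        { print $1 ":" $3 ":" $7 }
    '
}

# Succeeds when the maintenance lock file exists, which means ordinary
# users are currently refused at login. Defaults to /etc/nologin.
maintenance_lock_active() {
    [ -e "${1:-/etc/nologin}" ]
}

# Demo on the constructed sample; on a real host run:
#   service_accounts_with_login_shell < /etc/passwd
echo "Service accounts with a login shell:"
sample_passwd | service_accounts_with_login_shell

if maintenance_lock_active; then
    echo "/etc/nologin exists: ordinary user logins are blocked"
else
    echo "/etc/nologin absent: ordinary user logins are allowed"
fi
```

Each account reported can be switched to the non-login shell with usermod -s /sbin/nologin followed by the account name, after confirming that no one needs to log in as that account.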