1) /sbin/nologin does display a nice message upon login, while /bin/false
does not.
2) /sbin/nologin displays the message upon login regardless of whether it
is in /etc/shells or not.
These two sentences ^^ describe two independent properties. Nobody loses
the "message upon login" feature of nologin by nologin being removed from

Let's look at the history of /sbin/nologin. According to the OpenBSD man
pages nologin was introduced in 4.4BSD.

4.4BSD has both /sbin/nologin [1] and /etc/shells [2]. /sbin/nologin is not
in /etc/shells. (I tried to search for the string "nologin" to see whether
there is a setup script that adds /sbin/nologin to /etc/shells and found
nothing [6].) So, we might think the makers of nologin either didn't want
to include it or made a mistake. Since the current OpenBSD still doesn't
include /sbin/nologin in /etc/shells, I'd guess it has been intentional all

The behavior of su in 4.4BSD is to disallow a change to a shell not listed
in /etc/shells. su in 4.4BSD doesn't have the -s switch but does have the
-m switch and it uses getusershell() [3]. getusershell() reads /etc/shells
[4]. Internally, su has a function that changes the user shell (with -m) if
it is in /etc/shells [5].

The original source code of su [5] is short and quite readable. It's clear
that adding /sbin/nologin to /etc/shells in 4.4BSD would break the
assumptions laid down by the man pages, the source code, and by the
apparent meaning of nologin's name. The current man pages in Fedora do not
suggest a change in the philosophy of /etc/shells, su, or nologin.

[1] https://github.com/sergev/4.4BSD-Lite2/tree/master/usr/src/sbin/nologin
[2] https://github.com/sergev/4.4BSD-Lite2/blob/master/etc/shells
[3] http://man.openbsd.org/4.4BSD-Lite2/man1/su.1
[4] http://man.openbsd.org/4.4BSD-Lite2/getusershell.3

Jakub Svoboda / Red Hat Product Security
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org

Reply via email to