Howto: Linux shell restricting access
By default when you add new user to system (/etc/passwd file) it grant shell access. If you are creating new users for POP3 or SMTP (mail server) or FTP then you do not need to grant shell access to a user. Remember as soon as you add a user he/she can login via telnet or ssh. The best way to put Linux shell access restriction is to use special shell called nologin, which politely refuse a login. It displays a message that an account is not available and exits non-zero. It is intended as a replacement shell field for accounts that have been disabled or have other user level access such as ftp, pop3, smtp etc. This is a very common practice followed by ISP or web hosting service provider's web, mail and FTP server(s).
/sbin/nologin Example
(a) First make sure nologin exists in /etc/shells file (else service such as ftp may not allow login)
# less /etc/shells
If nologin shell does not exist in above shell list, just add /sbin/nologin shell to it:
# echo "/sbin/nologin" >> /etc/shells
If you are using Debian then use following path:
# echo "/usr/sbin/nologin" >> /etc/shells
(b) Block shell access for user vivek (vivek user account must exits):
# usermod -s /sbin/nologin vivek
Debain Linux user modify above command as follows:
# usermod -s /usr/sbin/nologin vivek
Now user vivek's new login shell is /sbin/nologin. Vivek allowed to use other services such as ftp, pop3 but not shell access via ssh or telnet.
New user accounts
Add a new user called tony with no shell access:
# useradd -s /sbin/nologin tony
Debain / Ubuntu Linux user modify above command as follows:
# useradd -s /usr/sbin/nologin tony
Please note that above method is very easy to use but if you have a large setup. you need to take help of PAM (and may be OpenLDAP / MySQL). I will cover such setup some time later :).
You may also be interested in other helpful articles:
- Confessions of a Real-World Linux Admin: “I Always Login As Root.”
- Iptables for restricting access by time of day
- How do I secure and audit shell access with Enterprise Audit Shell?
- Ultimate Lighttpd webserver security
- Tutorial: Working with UNIX and Linux Shell
Leave a Reply
We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Thank you very much for stopping by our site!
Tags: add_new_user, etc_passwd_file, etc_shells_file, linux_shell, login_restriction, nologin_shell, usermod_command, web_hosting_service



Recent Comments
Today ~ 14 Comments
Today ~ 8 Comments
Yesterday ~ 4 Comments
Yesterday ~ 45 Comments
08/28/2008 05:52 pm (2 days ago) ~ 5 Comments