Shulou(Shulou.com)06/02 Report--

What is the nobody user under Unix/Linux system?

1. After the Windows system is installed, some user accounts will be established automatically, and there are also some user accounts in the Linux system.

It is available after the system is installed, just like the built-in account in the Windows system.

2. They are used to accomplish specific tasks, such as nobody and ftp. When we visit the web program of LinuxSir.Org, the server on the official website allows customers to log in as' nobody''(equivalent to an anonymous account in the Windows system).

When we visit ftp anonymously, we use the user ftp or nobody.

3. First of all, nobody is an ordinary user, not a privileged user. The "purpose" of using the nobody user name is to enable anyone to log in to the system, but its UID and GID do not provide any privileges, that is, the uid and gid can only access files that everyone can read and write.

4. Second, many systems routinely create a nobody by default, trying to "limit its permissions to a minimum". When the server is serving outward, it is possible to let client log in as nobody.

5. Nobody is an ordinary account, because the default login shell is'/ sbin/nologin', so this user cannot log in directly to the system, that is, it is difficult for hackers to connect to your server through vulnerabilities to do damage. In addition, the permissions of this user are also very low. Therefore, it has relatively high security. Everything is given minimum access. That's what nobody is all about.

What does it mean that the user shell is / sbin/nologin under the Unix/Linux system?

If a user's default shell is set to / sbin/nologin, the user is prohibited from logging in to the system.

The purpose of this nologin is to restrict certain users from logging in to shell through ssh.

For example, the default shell for users of nginx mysql php-fpm applications can be set to / sbin/nologin.

Mainly to improve the security of the system.

The shell of the system account uses / sbin/nologin, so you can't log in to the system at this time, even if you give a password.

The so-called "unable to log in" means that the user is unable to log in to the system using bash or other shell. It does not mean that the account cannot use the system resources. For example, in each system account, the print job is managed by lp, and the www server is managed by apache. They can all work as system programs, but they just can't log in to the host.

Sometimes some services, such as mail services, are mostly used to receive mail from the host and do not need to log in. If an account tries to connect to my host to get shell, we can refuse.

Sometimes you can temporarily disable other users from logging in using the / etc/nologin file by creating a file called nologin in the / etc/ directory.

For example:

# touch / etc/nologin

This will prevent subsequent users from logging in to the system.

When a user is prohibited from logging in, the contents of the / etc/nologin file will be displayed to the user and will flash by.

For example, add the following to the / etc/nologin file:

# vi / etc/nologindisable login by admin temperarily!

When the user tries to log in, "disable login by admin temperarily!" will be displayed to the user. When the maintenance of the system is over, delete the / etc/nologin file, and other users will be able to log in again. This is only for users who can log in to shell.

It doesn't matter for those users who log in to shell / sbin/nologin, because they can't log in to shell themselves.

In addition, if I want a user with / sbin/nologin to know that when they can't log in to the host, they can create a new / etc/nologin.txt file and write down the reason why they can't log in. When the user logs in, the contents of this file will appear on the screen.

For example:

# vi / etc/nologin.txt This account is system account or mail account. # su-mail

Will prompt "This account is system account or mail account."

Add:

The functions of / etc/nologin and / etc/nologin.txt are not the same.

When the / etc/nologin file exists, any general identity account will only get the contents of / etc/nologin when trying to log in, but cannot log in directly to the host.

That is, when / etc/nologin is created and the content is set to "This Linux server is maintaining....", anyone who tries to log in will see these prompts and cannot log in to the system.

Normal users will not be able to log in normally until the / etc/nologin file is deleted.

Summary:

Nobody is an anonymous user under the linux/unix system and can only access public content on the server.

/ sbin/nologin is a shell setting item in the linux/unix system. Users who log in with shell / sbin/nologin are not allowed to log in to the system.

/ etc/nologin.txt is only for users whose shell is / sbin/nologin

/ etc/nologin can be understood as aimed at all ordinary users

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.