Previously I wrote a post about login and non-login shells. Note that this is a different concept from the nologin user discussed here.
Take the envoy image as an example. Pull it and launch a container (the container is named test so it can be referenced below):

```sh
docker pull envoyproxy/envoy-dev:latest
docker run -d --name test envoyproxy/envoy-dev:latest
```
Get a shell inside the container (note that this is not a login operation; see the question below):

```sh
docker exec -it test bash
```
Check the /etc/passwd file: envoy is a nologin user.

```text
envoy:x:101:101::/home/envoy:/usr/sbin/nologin
```
If you run `su - envoy` as any other user (root is not asked for a password; anyone else is, and a correct password does not help), you get an error, because su authenticates you and then executes the account's shell, which is nologin:

```text
# su - envoy
This account is currently not available.
```
The nologin man page describes it clearly: nologin displays a message that an account is not available and exits non-zero. It is intended as a replacement shell field to deny login access to an account. If the file /etc/nologin.txt exists, nologin displays its contents to the user instead of the default message. The exit code returned by nologin is always 1.
Sometimes you will also see /bin/false used instead:

```text
syslog:x:101:104::/home/syslog:/bin/false
```
Both serve the same purpose, but nologin is preferred because it prints a friendly (and customisable, via /etc/nologin.txt) message instead of silently exiting. Any service that authenticates the user and then runs the login shell fails the same way: login, su, ssh, and scp (which is started through the remote user's shell) all end as soon as the shell exits 1. Keep in mind what is actually being checked, though. Nothing stops root from running `su -s /bin/bash envoy`, and sshd only refuses a session that needs a shell or command; if the account still has a usable password or authorized key, `ssh -N` port forwarding can succeed unless forwarding is disabled for that user. A nologin shell is a convention honoured by the login path, not a lock on the account.
You can also still execute commands as a nologin user, because sudo runs the given command directly and never reads the shell field:

```sh
sudo -u <nologin user name> bash -c "ls -ltr /tmp"
```
That raises the question: why can docker exec launch a shell as a nologin user? Because docker exec is not a login either. It enters the container's namespaces and executes the requested binary directly, as the image's configured user or the one given with `-u`; no login(1) or su(1) runs, so the shell field in /etc/passwd is never consulted. The new process is not a child of the container's PID 1: its parent is the container runtime, which lives outside the container's PID namespace.
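To make the two code paths concrete, here is an added shell script (not from the original post or from Envoy) that simulates them against a constructed /etc/passwd sample. `login_as` does what login, su and sshd do after authentication: it looks up the account's shell and runs it, using a stand-in for nologin(8) with the same contract (message from a NOLOGIN_TXT file if present, otherwise the default, exit status 1). `exec_as` does what `sudo -u` and `docker exec -u` do: it runs the command directly and never reads the shell field. The passwd lines, the `NOLOGIN_TXT` variable and the function names are all assumptions made for the demo.

```sh
#!/bin/sh
# Added example. Simulates the login path (login/su/sshd: look up the
# shell field and exec it) versus a direct exec (sudo -u, docker exec -u),
# which never consults the shell field. The passwd content below is
# constructed for the demo, not copied from a real system.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/sh
envoy:x:101:101::/home/envoy:/usr/sbin/nologin
syslog:x:102:104::/home/syslog:/bin/false
alice:x:1000:1000::/home/alice:/bin/sh'

# nologin(8) reads /etc/nologin.txt; the demo makes the path overridable
# so it never depends on (or touches) the real file.
NOLOGIN_TXT="${NOLOGIN_TXT:-/etc/nologin.txt}"

# shell_for USER: print the 7th passwd field (login shell) of USER,
# empty if the account does not exist.
shell_for() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# fake_nologin: same contract as nologin(8): print the contents of
# $NOLOGIN_TXT if it exists, otherwise the default message, and return 1.
fake_nologin() {
    if [ -f "$NOLOGIN_TXT" ]; then
        cat "$NOLOGIN_TXT"
    else
        echo "This account is currently not available."
    fi
    return 1
}

# login_as USER: what login(1)/su(1) do after authentication: execute the
# account's login shell. Returns the shell's exit status, so 1 for
# nologin and /bin/false accounts, 2 for an unknown user.
login_as() {
    shell=$(shell_for "$1")
    [ -n "$shell" ] || { echo "no such user: $1" >&2; return 2; }
    case "$shell" in
        */nologin) fake_nologin ;;   # stand-in, so the demo runs without the real binary
        */false)   false ;;
        *)         "$shell" -c 'echo "interactive shell for $0 started"' "$1" ;;
    esac
}

# exec_as USER CMD...: what sudo -u / docker exec -u do: run CMD directly.
# The shell field is never read, so a nologin account still runs it.
exec_as() {
    user=$1; shift
    [ -n "$(shell_for "$user")" ] || { echo "no such user: $user" >&2; return 2; }
    "$@"
}

# interactive_users: accounts whose shell is neither nologin nor false,
# i.e. the ones a login service would actually give a shell to.
interactive_users() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Demo: the same account is refused by the login path and served by exec.
login_as envoy || echo "login as envoy denied (exit $?)"
exec_as envoy sh -c 'echo "command ran even though the shell is nologin"'
echo "interactive accounts: $(interactive_users | tr '\n' ' ')"
```

`interactive_users` is the audit half of the story: when reviewing a host or image, the accounts it lists are the ones whose password or authorized keys matter for login, while every other account can still be reached through sudo rules, cron entries, or docker exec.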
References
Does /usr/sbin/nologin as a login shell serve a security purpose?
https://serverfault.com/questions/519215/what-is-the-difference-between-sbin-nologin-and-bin-false
https://serverfault.com/questions/333321/executing-a-command-as-a-nologin-user
Don't sshd your container: an old post from the early days of Docker, before docker exec existed, that uses nsenter to get a shell into the container's namespaces.