Why do the system accounts shutdown, halt and sync have login shells?

Solution Verified

Environment

  • Red Hat Enterprise Linux (RHEL) all versions

Issue

  • Why do the following system accounts have login shells?

    # awk -F: '($1!="root" && $3<500 && $7!="/sbin/nologin") {print}' /etc/passwd
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/hal
    

NOTE: The UID range reserved for system accounts depends on the RHEL version, so adjust the $3<500 test in the awk command above accordingly:

  • RHEL 6 and earlier: system accounts have UID < 500
  • RHEL 7 and later: system accounts have UID < 1000

Resolution

  • These accounts exist so that the command can be run by logging in as the account: the login shell is not an interactive shell but the command itself (/sbin/shutdown for "shutdown", /sbin/halt for "halt", /bin/sync for "sync"). Instead of logging in as a regular user and then issuing 'sudo shutdown', an operator would log in as the user "shutdown", and the login itself runs the shutdown command immediately.

    # grep shutdown /etc/passwd
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    # grep shutdown /etc/shadow
    shutdown:*:14784:0:99999:7:::
    
  • If login as this user were possible, the system would run shutdown. On a default system it is not: the second field of the /etc/shadow entry is "*", which is not a valid password hash, so password authentication for the account always fails and nobody can trigger the shutdown this way. Note that the "*" only locks password authentication; keep these accounts out of any SSH-key, PAM or directory-based login path as well, and re-check /etc/shadow after any password or authentication changes so the field does not end up holding a real hash.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

4 Comments

And the sync account....?

The Resolution doesn't really make any sense. The first bullet says that by logging in as "shutdown" the login process shuts down immediately. However, the second bullet says that login as "shutdown" is not possible (because of the asterisk). So, which is it? And regardless, why does shutdown require a user account?

So the '*' in /etc/passwd for these accounts prevents these commands from being run from the login prompt?

  • brianjbrady

    • "man sync" - it forces the OS to flush all pending writes to the hard disk.
  • Ryan Morgan The /etc/shadow file contains a hashed version of the password. If the "shutdown" user had a real password, that * would be replaced with the hashed version of the password. If the "shutdown" user had a password, there would not be an asterisk, just a long hash string. Then, the shutdown user could be used to authenticate.

  • Rakesh Ram Replacing the second field (hash) with an asterisk (or any other character, like ! or !!) has long been used to lock people's accounts out. However, you can't rely on that trick anymore because there are ways to log in that don't use that field to control access (e.g. ssh keys, ldap servers). Check man usermod to be sure, but I think usermod -e 1 username should lock people out effectively regardless of how they authenticate.