There are different ways to disable a system user account on Linux:
- lock/disable the user
- expire the user
- assign an invalid shell
Lock user
The most straightforward way is to explicitly disable or lock the user with the
usermod -L
command.
Example:
usermod -L someuser
Locking the user this way means the user can no longer authenticate with their password.
Note, it will not prevent root from using su
to change to this user, because root is not asked for a password.
In practice, what this means is that a
!
is added to the beginning of the password column in
/etc/shadow
, so the stored hash no longer matches any password.
Only password authentication is affected. Other methods still work for a locked account; in particular, on a system where sshd runs with UsePAM yes (the default on most distributions) SSH public key logins continue to succeed, because the pam_unix account check does not reject a hash that merely starts with !. To close those as well, combine the lock with account expiry (see below).
To enable or unlock the user, use the usermod -U
command.
Example:
usermod -U someuser
Alternatively, the
passwd
command may be used to lock/unlock the user.
This has the same effect: it adds the same ! prefix to the hash in /etc/shadow.
To lock a user, run:
passwd -l someuser
To unlock the user, run:
passwd -u someuser
Expire user
Another option is to expire the user account.
This is done using the chage
command.
To expire a user, run:
chage -E 0 someuser
This sets the expiry date to day 0, i.e. the Unix epoch (Jan 1, 1970); any date in the past has the same effect. The value is stored in the eighth field of /etc/shadow as a number of days since the epoch.
Alternatively, the account can be set to expire at a specific date like this:
chage -E YYYY-MM-DD someuser
To see the current expiry date, run chage -l someuser; to remove the expiry again, run chage -E -1 someuser.
When the account is expired, it cannot authenticate. Unlike a locked password, this check happens in PAM's account stage rather than during password verification, so it also blocks logins that never present a password, such as SSH public key authentication.
For the same reason it is not possible to change to the user using su
, even as root, because su still runs the PAM account check.
If root
tries to su
to the expired account, they will get this error:
Your account has expired; please contact your system administrator.
su: Authentication failure
Set shell to nologin
Another option is to change the user's shell to nologin
.
This is done using either:
usermod -s /usr/sbin/nologin someuser
or
chsh -s /usr/sbin/nologin someuser
The path depends on the distribution: Debian and Ubuntu ship /usr/sbin/nologin, while Red Hat based systems traditionally use /sbin/nologin, so check which one exists before setting it. /bin/false can be used the same way, but it exits without printing a message.
Attempting to log in as a user with the nologin
shell still passes authentication; nologin is then started as the shell, prints this message and exits immediately:
This account is currently not available.
If root tries to su
to the user, no password is needed, so nologin runs, prints the same message and logs a warning to syslog:
Attempted login by root (UID: NNNNN) on /dev/pts/0
Because this method only replaces the shell, it does not stop anything that never needs one. Root can still run su -s /bin/bash someuser or sudo -u someuser some-command, and an SSH client that requests no shell (for example ssh -N with port forwarding) still authenticates as the user without nologin ever running. Treat the nologin shell as a convenience measure and combine it with a lock and an expiry date when the account must really be disabled.
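The three mechanisms above leave their marks in different places (the hash field and the expiry field of /etc/shadow, and the shell field of /etc/passwd), so auditing which of them is actually in effect for an account means reading all three. The script below is an added example and is not part of the original article: it classifies an account from copies of those two files, and also bundles the three commands into one disable_account function that applies all of them and then shows the result. The passwd and shadow lines it contains are constructed samples, not taken from a real host; the function and variable names are the author's own choices.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article.
# Classifies how an account is disabled by reading its /etc/passwd and
# /etc/shadow entries, so that all three mechanisms (locked password,
# expired account, nologin shell) can be audited in one place.
# The sample passwd/shadow content below is constructed, not from a real host.

# Days since the Unix epoch, the unit used by field 8 of /etc/shadow.
today_days() { echo $(( $(date +%s) / 86400 )); }

# is_locked SHADOW_LINE: true if the hash starts with '!' (usermod -L / passwd -l).
is_locked() {
    case "$(printf '%s\n' "$1" | cut -d: -f2)" in
        '!'*) return 0 ;;
        *)    return 1 ;;
    esac
}

# is_expired SHADOW_LINE TODAY_DAYS: true if field 8 is set and not after today.
is_expired() {
    local expire
    expire=$(printf '%s\n' "$1" | cut -d: -f8)
    [ -n "$expire" ] && [ "$expire" -le "$2" ]
}

# is_nologin PASSWD_LINE: true if the login shell is nologin or /bin/false.
is_nologin() {
    case "$(printf '%s\n' "$1" | cut -d: -f7)" in
        */nologin|/bin/false) return 0 ;;
        *)                    return 1 ;;
    esac
}

# account_status USER PASSWD_FILE SHADOW_FILE [TODAY_DAYS]
# Prints the mechanisms in effect as a comma-separated list, or "active".
account_status() {
    local user=$1 pwfile=$2 shfile=$3 today=${4:-$(today_days)}
    local pwline shline status=""
    pwline=$(grep "^$user:" "$pwfile") || { echo "no-such-user"; return 1; }
    shline=$(grep "^$user:" "$shfile") || { echo "no-shadow-entry"; return 1; }
    is_locked  "$shline"          && status="${status:+$status,}locked"
    is_expired "$shline" "$today" && status="${status:+$status,}expired"
    is_nologin "$pwline"          && status="${status:+$status,}nologin"
    echo "${status:-active}"
}

# disable_account USER (must run as root): apply all three mechanisms, then
# show the result. The lock alone still lets PAM-based key logins through
# when sshd uses PAM; the expiry closes those; nologin stops interactive
# shells, including root's su, unless root overrides the shell with su -s.
disable_account() {
    usermod -L "$1" &&
    chage -E 0 "$1" &&
    usermod -s /usr/sbin/nologin "$1" &&
    passwd -S "$1" && chage -l "$1"
}

# make_sample_files: write constructed passwd/shadow samples to a temp dir.
make_sample_files() {
    local dir
    dir=$(mktemp -d)
    cat >"$dir/passwd" <<'EOF'
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
dave:x:1004:1004::/home/dave:/usr/sbin/nologin
erin:x:1005:1005::/home/erin:/bin/bash
frank:x:1006:1006::/home/frank:/usr/sbin/nologin
EOF
    cat >"$dir/shadow" <<'EOF'
alice:$6$salt$hash:19700:0:99999:7:::
bob:!$6$salt$hash:19700:0:99999:7:::
carol:$6$salt$hash:19700:0:99999:7::0:
dave:$6$salt$hash:19700:0:99999:7:::
erin:!$6$salt$hash:19700:0:99999:7::30000:
frank:!$6$salt$hash:19700:0:99999:7::1:
EOF
    echo "$dir"
}

# Demo against the constructed samples with a fixed "today" of day 20000
# (October 2024) so that the expiry results are reproducible.
sample_dir=$(make_sample_files)
for u in alice bob carol dave erin frank ghost; do
    printf '%-6s %s\n' "$u" "$(account_status "$u" "$sample_dir/passwd" "$sample_dir/shadow" 20000)"
done
rm -rf "$sample_dir"
```

On a real host, run account_status someuser /etc/passwd /etc/shadow as root (only root can read /etc/shadow) and leave the fourth argument off so the current date is used. erin in the sample shows why the expiry field has to be compared against today rather than merely tested for presence: the account is locked but its expiry date (day 30000) is still in the future. A hash that starts with * rather than ! also never matches a password, but it is not reported as locked here because usermod -L and passwd -l do not produce it.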