
/bin/false as loginshell for splunkforwarder

Path Finder


Is it possible to use /bin/false as a login shell for the user running splunkforwarder?

The splunkforwarder process seems to work with /bin/false, but running enable boot-start as root doesn't seem to work:

# /opt/splunkforwarder/bin/splunk enable boot-start -user splunk
This account is currently not available.
First-time-run has not finished.  Ignore this error when previewing migration - exiting.

Can someone confirm this behaviour?


0 Karma

Splunk Employee

The issue will be different depending on the version of Splunk.

Prior to 6.1, "/splunks/splunkforwarder/bin/splunk" start --no-prompt --answer-yes would create a line in init.d/splunk like

/bin/su - shaky -c "\"/splunks/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"

At 6.1 things changed a lot. splunk enable boot-start -user shaky now creates a script like
"/splunks/splunkforwarder/bin/splunk" start --no-prompt --answer-yes
Note there is no "su" here. The user name is taken from SPLUNK_OS_USER in launch.conf.

Using the pre-6.1 method with a user that has a /bin/false shell will be problematic, as /bin/sh - shaky -c is interpreted as $SHELL -c after "su" is run, and /bin/false -c will fail.

0 Karma
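
The check described in the answer above, as an added example that is not part of the original thread and not Splunk's own code: it scans an init script for a "su - USER -c" wrapper, looks up that user's login shell, and reports when the shell cannot run "-c" commands. The function names (login_shell, su_users, launch_user, audit) are hypothetical and the passwd, init script and splunk-launch.conf contents are constructed samples modelled on the lines quoted above.

```sh
#!/bin/sh
# Added example. All sample data below is constructed for illustration.

# Print the login shell (7th passwd field) of user $1 from passwd file $2.
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# Print each USER found in a "su - USER -c ..." line of init script $1.
su_users() {
    sed -n 's/.*su[[:space:]][[:space:]]*-[[:space:]][[:space:]]*\([^[:space:]][^[:space:]]*\)[[:space:]][[:space:]]*-c.*/\1/p' "$1" | sort -u
}

# Print the SPLUNK_OS_USER value from splunk-launch.conf $1 (empty if unset).
launch_user() {
    sed -n 's/^[[:space:]]*SPLUNK_OS_USER[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# audit INIT PASSWD LAUNCH_CONF: return 1 if a su wrapper would end up
# running "$SHELL -c" with a shell such as /bin/false, 0 otherwise.
audit() {
    rc=0
    for u in $(su_users "$1"); do
        sh=$(login_shell "$u" "$2")
        case "$sh" in
            */false|*/nologin) echo "FAIL: su - $u -c runs $sh -c"; rc=1 ;;
            *) echo "ok: su - $u -c runs ${sh:-default shell} -c" ;;
        esac
    done
    # No su wrapper at all: the 6.1-style script, user comes from the conf file.
    [ -n "$(su_users "$1")" ] || echo "no su wrapper; SPLUNK_OS_USER=$(launch_user "$3")"
    return $rc
}

# Constructed sample input: one pre-6.1 style init line, one 6.1 style line.
d=$(mktemp -d)
printf '%s\n' 'shaky:x:1001:1001::/splunks:/bin/false' > "$d/passwd"
printf '%s\n' '/bin/su - shaky -c "\"/splunks/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"' > "$d/init_pre61"
printf '%s\n' '"/splunks/splunkforwarder/bin/splunk" start --no-prompt --answer-yes' > "$d/init_61"
printf '%s\n' 'SPLUNK_OS_USER = shaky' > "$d/splunk-launch.conf"

audit "$d/init_pre61" "$d/passwd" "$d/splunk-launch.conf" || true
audit "$d/init_61" "$d/passwd" "$d/splunk-launch.conf" || true
```

On a real host the three arguments would be the generated init script, /etc/passwd and the forwarder's splunk-launch.conf.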


Hi HansWurscht,

When you run the enable boot-start, splunk creates the file splunk-launch.conf in /opt/splunkforwarder/etc. The problem seems to be that splunk needs a shell to create this file, so it has the privileges of the splunk user. I can't say whether this is a bug in splunk.

Apart from temporarily enabling a login shell to the splunk user and disabling it immediately after, you can also run the enable command without the -user option and manually edit splunk-launch.conf.

  1. # /opt/splunkforwarder/bin/splunk enable boot-start
  2. edit /opt/splunkforwarder/etc/splunk-launch.conf
  3. make sure it has the line: SPLUNK_OS_USER = splunk
  4. possibly chown splunk:splunk /opt/splunkforwarder/etc/splunk-launch.conf
  5. At least, make sure the splunk user can read the file

Out of curiosity, which OS are you using? This seems to affect at least Debian-based systems.

0 Karma

Path Finder

Have you tried to enable boot start while splunk user still has a valid shell, and then changing it back to /bin/false? Does it start at reboot (or "service start splunk")?

0 Karma

Path Finder

No. For a clean install process, this should not be needed.

0 Karma