قالب وردپرس درنا توس
Home / Tips and Tricks / How to delete a user on Linux (and remove any trace)

How to delete a user on Linux (and remove any trace)

  A shell prompt in a terminal window on a Linux computer.
Fatmawati Achmad Zaenuri / Shutterstock

Deleting a user on Linux does more than you think. If you are a system administrator, you want to delete all traces of the account and its access from your systems. We'll show you the steps you need to take.

If you only want to delete one user account from your system and do not want to end any running processes and other cleanup tasks, follow the steps in the "Deleting the User Account" section below. You need the deluser command for Debian-based distributions and the userdel command for other Linux distributions.

Linux User Accounts

Since the first sharing systems were introduced in the early 1

960s, there was the possibility that multiple users could work on a single computer. There was a need to isolate and separate each user's files and data from all other users. And so user accounts – and passwords – were born.

User accounts have an administrative burden. They must be created when the user first needs to access the computer. They must be removed when this access is no longer required. Linux has a number of steps that should be followed to correctly and methodically remove the user, their files, and their account from the computer.

If you are the system administrator, this responsibility is yours. Here's how:

Our Scenario

There are a number of reasons why an account may need to be deleted. An employee may switch to a different team or may leave the company altogether. The account may have been set up for short-term collaboration with a visitor to another company. Team-ups are common in science, where research projects can span departments, various universities, and even commercial entities. At the end of the project, the system administrator must perform the administration and remove unnecessary accounts.

The worst scenario is when someone leaves under a cloud for an offense. Such events usually occur suddenly and without warning. This gives the system administrator very little time to plan and the urgency to lock, close and delete the account. A copy of the user files is backed up if they are required for post-close forensics.

In our scenario, we pretend that a user, Eric, has done something that justifies his immediate removal from the premises. At this moment he is not aware of it, he is still working and is logged on. As soon as you nod to security, he will be led out of the building.

Everything is done. All eyes are on you.

Check the login.

Let's see if he's really signed in and how many sessions he's working with. The command who lists active sessions.


  who in a terminal window

Eric is logged on once. Let's see what processes he does.

Checking User Processes

Use the ps command to list the processes this user is running. With the option -u (user) we can instruct ps to limit the output to the processes that are owned by this user account.

  ps -u eric 

  ps -u eric in a terminal window

With the command top we can display the same processes with further information. top also has a -U (user) option to restrict output to the processes owned by a single user. Note that this time it is a capital letter “U”.

  top -U eric 

  top -U eric in a terminal window

We can see the memory and CPU usage of each task and can quickly search for suspicious activity. We will violently end all of its processes, so it is safest to take a moment to quickly review the processes and ensure that other users will not be bothered if you terminate the user account. eric [Theprocessesof.

 Issue of top -U eric in a terminal window.

It doesn't look like he'll do much, just use less to display a file. We can safely continue. However, before we end its processes, we lock the account by locking the password.

CONNECTION: Using the ps command to monitor Linux processes

Locking the account

We lock the account before we end the processes as the user is logged off when the processes are terminated. If we have already changed his password, he cannot log in again.

The encrypted user passwords are stored in the file / etc / shadow . You wouldn't normally care about these next steps, but so that you can see what happens in the / etc / shadow file when you lock the account, we'll take a little detour. You can use the following command to display the first two fields of the entry for the user account eric .

  sudo awk -F: & # 39; / eric / {print $ 1, $ 2} & # 39; / etc / shadow 

  sudo awk -F: & # 39; / eric / {print $ 1, $ 2} & # 39; / etc / shadow in a terminal window

The command awk analyzes fields from text files and processes them optionally. We use the -F (field separator) option to notify awk that the file uses a colon ": " to separate the fields. We will look for a line with the pattern "eric". For lines that match, we print the first and second fields. These are the account name and the encrypted password.

The entry for the eric user account is printed for us.

To lock the account, we use the command passwd . We use the option -l (lock) and pass the name of the user account for locking.

  sudo passwd -l eric 

  sudo passwd -l eric in a terminal window

If we check the file / etc / passwd again, we will see what happened.

  sudo awk -F: & # 39; / eric / {print $ 1, $ 2} & # 39; / etc. / shadow 

  sudo awk -F: & # 39; / eric / {print $ 1, $ 2} & # 39; / etc / shadow in a terminal window

An exclamation point was inserted at the beginning of the encrypted password. The first character is not overwritten, but only added at the beginning of the password. This is all that is required to prevent a user from being able to log in to this account.

After preventing the user from logging on again, we can end their processes and log them off.

Ending Processes

There are several ways to end a user's processes, but the command shown here is common and a more modern implementation than some of the alternatives. The command pkill finds and ends processes. We pass the KILL signal and use the option -u (user).

  sudo pkill -KILL -u eric 

  sudo pkill -KILL -u eric in a terminal window

You return to the command prompt in a decidedly anti-climactic way. To make sure that something happened, we check who again:


 who in a terminal window

His session has ended. He was logged out and his processes were stopped. That made the situation a little more urgent. Now we can relax a little and continue with the rest of the wiping as security goes to Eric's desk.

CONNECTION: How to terminate processes from the Linux terminal

Archiving the user's home directory

There is no question that in such a scenario, in Future access to the user's files will be required. Either as part of an investigation or simply because its replacement may have to fall back on the work of the predecessor. We use the command tar to archive the entire home directory.

We use the following options:

  • c : Create an archive file.
  • f : Use the given file name for the name of the archive.
  • j : Use bzip2 compression.
  • v : Please provide detailed output when creating the archive.
  sudo tar cfjv eric- 20200820.tar.bz / home / eric 

  sudo tar cfjv eric-20200820.tar.bz / home / eric in a terminal window

Many screen outputs are scrolled in the terminal window. Use the command ls to check whether the archive has been created. We use the options -l (long format) and -h (readable).

  ls -lh eric-20200802.tar.bz 

  sudo tar cfjv eric-20200820.tar.bz / home / eric in a terminal window

A file with 722 MB was created. This can be copied to a safe place for later review.

Removing Cron Jobs

We'd better check if Cron Jobs are scheduled for the eric user account. A cron job is a command that is triggered at specific times or intervals. With ls we can check whether jobs are planned for this user account cron :

  sudo ls -lh / var / spool / cron / crontabs / eric 

  sudo ls - lh / var / spool / cron / crontabs / eric in a terminal window

If something is available here, it means that cron jobs are queued for this user account. We can delete them with this command crontab . The -r (remove) option removes the jobs, and the -u (user) option tells crontab whose jobs are to be removed.

  sudo crontab -r -u eric 

  sudo crontab -r -u eric in a terminal window

The jobs are deleted silently. From what we know, if he suspected he would be driven out, Eric might have planned a malicious job. This step is a proven method.

Removing Print Jobs

Maybe the user had pending print jobs? To be sure, we can clear the print queue from all jobs belonging to the eric user account. The lprm command removes jobs from the print queue. With the option -U (user name) you can remove jobs that belong to the named user account:

  lprm -U eric 

  lprm -U eric in a terminal window

The jobs will be removed and you will be returned to the command line.

Deleting the user account

We have already backed up the files from the directory / home / eric / so that we can continue. Delete the user account and at the same time delete the directory / home / eric / .

The command to use depends on which Linux distribution you are using. The command deluser is for Debian-based Linux distributions and userdel for the rest of the Linux world .

In fact, both commands are available on Ubuntu. I half expected one to be an alias of the other, but they are different binary files.

  Deluser type 
  Userdel type 

  Deluser type in a terminal window

Although both are available, it is recommended to use deluser for distributions derived from Debian:

userdel is a low-level user removal utility. On Debian, administrators should normally use the deluser (8). “

This is clear enough, so the command to use on this Ubuntu computer is deluser . Since we also want your home directory to be removed, we use the flag - remove-home :

  sudo deluser --remove-home eric 

  sudo deluser --remove-home eric in a terminal window

The command for non-Debian distributions is userdel with the flag - remove :

  sudo userdel --remove eric 

All Traces of the user account eric were deleted. We can check if the directory / home / eric / has been removed:

  ls / home 

 ls / home in a terminal window

Das Die Group eric was also removed because the user account eric was the only entry in it. We can easily check this by passing the contents of / etc / group to grep :

  sudo less / etc / group | grep eric 

 sudo less / etc / group | Grep eric in a terminal window

It's a wrap

Eric has disappeared because of his sins. Security is still leading him out of the building, and you've already backed up and archived his files, deleted his account, and freed the system of remnants.

Accuracy always exceeds speed. Make sure you consider each step before you do it. You don't want someone to go to your desk and say "No, the other Eric".

Source link