
Delete a user on Linux (and delete every trace)


Removing a user on Linux involves more than you might think. If you are a system administrator, you want to remove all traces of the account and its access from your systems. We show you the steps to take.

If you only want to delete a user account from your system and are not concerned about terminating running processes and other cleanup tasks, follow the steps in the "Delete the user account" section below. You need the deluser command for Debian-based distributions and the userdel command for other Linux distributions.

User Accounts on Linux

Ever since the first time-sharing systems appeared in the early 1960s and brought with them the possibility of multiple users working on a single computer, there has been a need to isolate and compartmentalize each user's files and data from all other users. And so user accounts – and passwords – were born.

User accounts have administrative overhead. They must be created when the user first needs access to the computer. They must be deleted when that access is no longer required. On Linux, there is a series of steps that must be followed to correctly and methodically remove the user, their files, and their account from the computer.

If you are the system administrator, that responsibility falls to you. Here's how to do this.

Our scenario

There are a number of reasons why an account may need to be deleted. An employee may move to a different team or leave the company altogether. The account may have been set up for a short-term collaboration with a visitor from another company. Team-ups are common in academia, where research projects can span departments, different universities, and even commercial entities. At the end of the project, the system administrator must do the housekeeping and delete unnecessary accounts.

The worst case is when someone leaves under a cloud because of a crime. Such events usually happen suddenly, with little prior warning. That gives the system administrator very little time to plan, and an urgent need to lock, close, and delete the account – keeping a copy of the user's files in case they are needed for forensics after the account is closed.

For our scenario, we will pretend that a user, Eric, has done something that justifies his immediate removal from the site. He is currently unaware of this; he is still working and logged in. As soon as you give the nod to security, he will be led out of the building.

Everything is ready. All eyes are on you.

Check the login

Let's see if he is really logged in and, if he is, how many sessions he has open. The command who shows active sessions.

  who

Eric is logged in once. Let's see what processes he is running.

Viewing the processes of the user

We can use the command ps to display the processes that this user is running. With the option -u (user) we tell ps to limit the output to the processes that are running under the ownership of that user account.

  ps -u eric

We can see the same processes with more information using the command top . top also has a -U (user) option to limit output to processes that are owned by a single user. Note that this time it is a capital "U".

  top -U eric 


We can see the memory and CPU usage of each task and can quickly look for anything with suspicious activity. We are about to forcibly kill all of his processes, so it is safest to take a moment to review the processes quickly and make sure that other users will not be inconvenienced when you terminate user account eric's processes.


It doesn't look like he is doing much, just using less to view a file. We are safe to continue. But before we kill his processes, we'll freeze the account by locking the password.


Locking the Account

We will lock the account before we kill the processes, because killing the processes logs the user off. If we have already changed his password, he cannot log in again.

The encrypted (hashed) user passwords are stored in the file /etc/shadow. Normally you would not be concerned with these next steps, but so that you can see what happens in the file /etc/shadow when you lock the account, we take a little detour. We can use the following command to look at the first two fields of the entry for the eric user account.

  sudo awk -F: '/eric/ {print $1, $2}' /etc/shadow


The awk command parses fields from text files and optionally manipulates them. We use the option -F (field separator) to tell awk that the file uses a colon ":" to separate the fields. We look for a line with the "eric" pattern in it. For matching lines, we print the first and second fields. These are the account name and the encrypted password.

The entry for user account eric is printed for us.

To lock the account, we use the command passwd . We use the option -l (lock) and pass the user account name to lock.

  sudo passwd -l eric 


If we re-check the file /etc/shadow we see what happened.

  sudo awk -F: '/eric/ {print $1, $2}' /etc/shadow


An exclamation mark has been added at the beginning of the encrypted password. It does not overwrite the first character; it is only added to the beginning of the password. That is all that is needed to prevent a user from logging in to that account with the password.

Now that we have prevented the user from logging in again, we can kill his processes and log him off.

Killing the processes

There are several ways to kill a user's processes, but the command shown here is available everywhere and is a more modern implementation than some of the alternatives. The command pkill will find and kill processes. We pass on the KILL signal and use the option -u (user).

  sudo pkill -KILL -u eric 


You are returned to the command prompt in a decidedly anti-climactic manner. To make sure that something happened, we look again at who:

  who

His session has disappeared. He has been logged out and his processes have stopped. That has taken some of the urgency out of the situation. Now we can relax a bit and continue mopping up while security takes a walk to Eric's desk.


Archiving the user's home folder

It is not out of the question that, in a scenario like this, access to the user's files will be required in the future, either as part of an investigation or simply because their replacement may have to refer to the work of their predecessor. We use the command tar to archive their entire home folder.

The options that we use are:

  • c: create an archive file.
  • f: use the specified file name for the name of the archive.
  • j: use bzip2 compression.
  • v: provide verbose output while the archive is being created.

  sudo tar cfjv eric-20200820.tar.bz /home/eric


A lot of output scrolls by in the terminal window. Use the command ls to check whether the archive has been created. We use the options -l (long format) and -h (human-readable).

  ls -lh eric-20200820.tar.bz


A 722 MB file was created. This can be safely copied somewhere for later investigation.

Deleting Cron Tasks

We had better check whether there are cron tasks scheduled for user account eric. A cron task is a command that is triggered at specific times or intervals. We can check if any cron tasks are scheduled for this user account using ls:

  sudo ls -lh /var/spool/cron/crontabs/eric


If something exists at this location, it means that cron jobs are queued for that user account. We can remove them with this crontab command. The -r (remove) option deletes the tasks and the -u (user) option tells crontab whose tasks are to be deleted.

  sudo crontab -r -u eric 


The tasks are silently deleted. For all we know, if Eric had suspected he was about to be removed, he might have scheduled a malicious task. This step is best practice.

Delete print jobs

Perhaps the user had pending print jobs? To be sure, we can purge the print queue of jobs that belong to user account eric. The lprm command deletes jobs from the print queue. With the option -U (username) you can delete jobs that belong to the named user account:

  lprm -U eric 


The jobs are deleted and you return to the command line.

Delete the user account

We have already backed up the files from the /home/eric/ folder, so we can continue and delete the user account and the /home/eric/ folder at the same time.

The command to use depends on the Linux distribution that you use. For Debian-based Linux distributions, the command is deluser and for the rest of the Linux world it is userdel .

In fact, both commands are available on Ubuntu. I half expected that one would be an alias of the other, but they are different binary files.

  type deluser 
  type userdel 


Although they are both available, the recommendation is to use deluser for Debian-derived distributions: “userdel is a low-level user removal tool. On Debian, administrators usually have to use deluser(8) instead.”

That is clear enough, so the command to use on this Ubuntu computer is deluser. Because we also want their home folder to be deleted, we use the flag --remove-home:

  sudo deluser --remove-home eric 


The command to use for non-Debian distributions is userdel with the --remove flag:

  sudo userdel --remove eric 

All traces of user account eric have been deleted. We can check that the /home/eric/ folder has been deleted:

  ls /home


The eric group has also been deleted because the user account eric was the only entry in it. We can check this quite easily by piping the contents of /etc/group through grep:

  sudo less /etc/group | grep eric


It's a Wrap

Eric, for his sins, has disappeared. Security is still leading him out of the building, and you have already secured and archived his files, deleted his account, and cleaned the system of any remnants.

Accuracy always trumps speed. Make sure you consider each step before you take it. You don't want anyone walking up to your desk and saying, "No, the other Eric."
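
The awk pattern /eric/ used in the locking step matches every shadow entry that merely contains "eric", and passwd -l blocks only password logins, not SSH key logins. The sketch below is an added example, not code from the original article: the function names, the temporary paths and the shadow entries are constructed, and it reads a sample file rather than the real /etc/shadow.

```shell
#!/usr/bin/env bash
# Added example. All data below is constructed for illustration.

# Account names that a loose /PATTERN/ match (as in the article) would hit.
loose_matches() {   # usage: loose_matches FILE PATTERN
    awk -F: -v p="$2" '$0 ~ p { print $1 }' "$1"
}

# Lock state of exactly one account: locked | unlocked | missing.
# "locked" means field 2 starts with "!", which is what passwd -l adds.
shadow_state() {    # usage: shadow_state FILE USER
    awk -F: -v u="$2" '
        $1 == u { found = 1; print (($2 ~ /^!/) ? "locked" : "unlocked") }
        END     { if (!found) print "missing" }' "$1"
}

# A locked password does not stop SSH key logins. Returns 0 when the
# home folder still holds a non-empty authorized_keys file.
has_ssh_keys() {    # usage: has_ssh_keys HOMEDIR
    [ -s "$1/.ssh/authorized_keys" ]
}

# Constructed sample data: fake hashes and a fake key in a temp directory.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/shadow" <<'EOF'
erica:$6$FAKE$aaaa:18494:0:99999:7:::
eric:!$6$FAKE$bbbb:18494:0:99999:7:::
frederic:$6$FAKE$cccc:18494:0:99999:7:::
EOF
mkdir -p "$demo/home/eric/.ssh"
echo "ssh-ed25519 AAAAFAKEKEY eric@example" > "$demo/home/eric/.ssh/authorized_keys"

echo "loose /eric/ hits: $(loose_matches "$demo/shadow" eric | tr '\n' ' ')"
echo "eric:  $(shadow_state "$demo/shadow" eric)"
echo "erica: $(shadow_state "$demo/shadow" erica)"
if has_ssh_keys "$demo/home/eric"; then
    echo "eric still has SSH keys installed"
fi
```

On a real system the same checks would be run with sudo against /etc/shadow and the user's actual home folder before the account is deleted.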
