Saltar al contenido

How to remove a user in Linux (and remove all traces)

How to move your Linux home directory to another drive

Deleting a user in Linux involves more than you think. If you are a system administrator, you will want to remove all traces of and access to your account from your systems. We show you the steps to follow.

If you just want to remove a user account from your system and are not concerned with completing running processes and other cleaning tasks, follow the steps in the «Removing the User Account» section below. You will need disappointingcommand on Debian-based distributions and userdelcommand on other Linux distributions.

User accounts in Linux

Since that the first timeshare systems appeared in the early 1960s and brought with it the possibility for multiple users to work on a single computer, there was a need to isolate and compartmentalize each user’s files and data from all other users. Therefore They were born user accounts and passwords.

User accounts have an administrative expense. These should be created when the user needs to access the computer. These should be removed when access is no longer required. On Linux, there is a sequence of steps that must be followed to correctly and methodically remove the user, files and his account from the computer.

If you are a system administrator, this is your responsibility. Here’s how to do it.

Our scene

There are several reasons why you may need to delete an account. A staff member may move to another team or leave the company altogether. The account may have been created for a short-term collaboration with a visitor from another company. Work teams are common in academia, where research projects can include different departments, universities and even commercial entities. At the end of the project, the system administrator should clean up and eliminate unnecessary accounts.

The worst case scenario is when someone goes under a cloud because of a crime. These events usually occur suddenly, with too few advance warnings. This gives the system administrator very little time for planning and an urgency to lock, close and delete the account, with a copy of the user’s files backed up if needed for any post-closure forensics.

In our scenario, we claim that a user, Eric, did something to justify his immediate removal from the premises. At this point he does not realize this, he is still working and connected. As soon as security frees you, you will be escorted out of the building.

Everything is ready. All eyes are on you.

Check the login details

Let’s see if you’re really connected and if you’re, how many sessions you work with. whocommand will list the active sessions.

OMS

Eric logged in once. Let’s see what processes you run.

Reviewing user processes

We can use psordered to lists the processes that this user is running. -orthe (user) option allows us to tell you pswhich limits its production to processes running under the ownership of that user account.

ps -u eric

ps -u eric in a terminal window

We can see the same processes with more information using topcommand. top also has a -OR(user) option to restrict output to processes owned by a single user. Note that this time it is a «U» capital.

arriba -U eric

up -U eric in a terminal window

We can see the memory and processor usage for each task and can quickly search for anything with suspicious activity. We’re about to forcibly kill all your processes, so it’s safer to take a moment to quickly review processes and check and make sure other users won’t be bothered when you cancel. ericprocesses user account .

Exit the top -U eric in a terminal window

I don’t seem to do much, just use it Lessto view a file. We are sure to continue. But before we kill his lawsuits, we’ll freeze your account by blocking your password.

Lock your account

We will lock the account before killing the processes, because when we kill the processes, it will log out of the user. If we have already changed your password, you will not be able to log in again.

Encrypted user passwords are stored in / etc / shadowfile. Normally you wouldn’t bother with these next steps, but that way you can see what’s going on / etc / shadow when you lock your account, we’ll take a short detour. We can use the following command to look at the first two fields of the entry eric user account.

sudo awk -F: '/ eric / {print $ 1, $ 2}' / etc / shadow

sudo awk -F: '/ eric / {print $ 1, $ 2}' / etc / shadow in a terminal window

Command awk parses the fields in the text files and optionally manipulates them. We use -Foption (field separator) to indicate awkthat the file uses a colon » :«To separate the fields. Let’s find a line with the «heather» pattern. For the right lines, we will print the first and second fields. These are the account name and encrypted password.

The Eric user account entry is printed for us.

To lock the account we use passwdcommand. We will use itoption (lock) and we will pass the name of the user account that we will block.

sudo passwd -l eric

sudo passwd-eric in a terminal window

If we check / etc / passwdrecord again, we’ll see what happened.

sudo awk -F: '/ eric / {print $ 1, $ 2}' / etc / shadow

sudo awk -F: '/ eric / {print $ 1, $ 2}' / etc / shadow in a terminal window

An exclamation point was added at the beginning of the encrypted password. Do not overwrite the first character, it is only added at the beginning of the password. This is all that is required to prevent a user from logging in to that account.

Now that we’ve prevented the user from logging back in, we can kill their processes and log out.

Kill the processes

There are different ways to kill a user’s processes, but the command shown here is widely available and a more modern implementation than some of the alternatives. pkillthe command will find and kill the processes. I passed the KILL sign and used it -oroption (user).

sudo pkill -KILL -u eric

sudo pkill -KILL -u eric in a terminal window

You will return to the command prompt in a decisive anticlimactic way. To make sure something happened, let’s check whoagain:

OMS

who in a terminal window

Your session is gone. He was disconnected and his trials stopped. This brought some of the urgency out of the situation. Now we can relax a bit and continue with the rest of the cleaning while security goes to Eric’s office.

Archive the user’s home directory

It is not excluded that in such a scenario, access to users’ files will be necessary in the future. Either as part of an investigation or simply because your replacement will have to refer to the work of your predecessor. We will use tarcommand to archive your entire home directory.

The options we use are:

  • c – Create an archive file.
  • F : Use the file name specified for the file name.
  • j : Use bzip2 compression.
  • V – Provides detailed output as the file is created.
sudo tar cfjv eric-20200820.tar.bz / home / eric

sudo tar cfjv eric-20200820.tar.bz / home / eric in a terminal window

A large amount of screen output will scroll in the terminal window. To check if the file was created, use the file I amcommand. We use choice it(long format) and -h(human readable).

ls -lh eric-20200802.tar.bz

sudo tar cfjv eric-20200820.tar.bz / home / eric in a terminal window

A 722 MB file has been created. This can be copied to a safe place for later review.

Delete cron jobs

We better check if it exists chronicallyscheduled jobs for the user account eric. A chronicallywork is a command that is activated at specific times or intervals. We can check if it exists chronicallyjobs scheduled for this user account using I am:

sudo ls -lh / var / spool / cron / crontabs / eric

sudo ls -lh / var / spool / cron / crontabs / eric in a terminal window

If there is something in this location, it means it exists chronicallyjobs queued for that user account. We can eliminate them with this crontabcommand. -r(delete) option will delete the works and the option -orthe (user) option indicates crontab what jobs to delete.

sudo crontab -r -u eric

sudo crontab -r -u eric in a terminal window

Jobs are quietly deleted. As far as we know, if Eric had suspected he would be evacuated, he could have scheduled a malicious job. This step is best practice.

Delete print jobs

Maybe the user had print jobs pending? Just to be safe, we can clean the print queue of any work that belongs to the user account eric. lprmcommand removes jobs from the print queue. -ORThe option (username) allows you to delete jobs belonging to the user account named:

lprm -U eric

lprm -U eric in a terminal window

The jobs are deleted and you return to the command line.

Delete user account

I have already backed up the files from / home / eric /directory so that we can continue and delete the user account and delete / home / eric /director at the same time.

The command to use depends on the Linux distribution you are using. For Debian-based Linux distributions, the command is disappointing, Y for the rest of the Linux world, It is userdel.

In fact, in Ubuntu both commands are available. I almost expected one to be an alias for the other, but they are different binaries.

tipo deluser
escriba userdel

type deluser in a terminal window

Although both are available, it is recommended that you use them disappointing on Debian-derived distributions:

» userdelIt is a low-level utility for deleting users. On Debian, administrators should use disappointing(8) instead «.

This is clear enough that the command to use on this Ubuntu computer is disappointing. Because we want your home directory to be removed, we use –move homeflag:

sudo deluser --remove-home eric

sudo deluser --remove-home eric in a terminal window

The command to use for non-Debian distributions is userdel, with –removeflag:

sudo userdel --remove eric

ericThey have been deleted all traces of the user account . We can check this / home / eric /has been removed director:

ls / home

Ls / home in a terminal window

ericthe group has also been removed since the user account ericit was the only entrance to it. We can check this quite easily by channeling the contents of a / etc / groupthrough grep:

sudo menos / etc / group | grep eric

sudo minus / etc / group |  grap eric in a terminal window

It is a foil

Eric, for his sins, is gone. Security is still taking you out of the building and they have already protected and archived your files, deleted your account and removed your system from anything else.

Accuracy always exceeds speed. Make sure you consider each step before doing so. You don’t want someone to come to your office and say, «No, the other Eric.»

.