How to Delete a User and Avoiding Residual Security Implications of Doing So.

Welcome to WordPress. This is your first post. Edit or delete it, then start writing!

When running a Linux system it is always best practice to delete unnecessary users. If you have a user that no longer requires access to the system, they should be removed or disabled promptly. Deleting a user from the command line is a task every sysadmin will have to do eventually. In this Linux quick-tip we will demonstrate how to delete a user with the userdel command and show you some of it’s options. We will also cover some security implications of deleting users and how to secure the system.

The basic syntax of the userdel command:

userdel [options] [username]

Before you start deleting a user, it is always a good idea to note the users UID and GID. You can do this by using the id command.

$ id david
uid=1001(david) gid=1001(david) groups=1001(david)

Later in this article we will explain why this is important.

Delete a User and Preserve Files

To delete a user from the command line and preserve their files, simply run userdel without any options. For example, let’s say you wanted to delete David’s account.

sudo userdel david

This will delete the account named david, but leave the users home directory intact. The home directory will now show a user and group of the UID / GID of the old user.

 drwxr-xr-x  2   1001   1001 4096 Mar 16 10:04 david

It is not a good idea to leave the system in this state. You should set the permissions to that directory to a known user. More on this later.

Delete a User and Delete the Home Directory

You can use the -r (–remove) option to delete the users home directory and all the files it contains. This will also remove the users mail spool files.

sudo userdel -r david

This is a much cleaner way to leave the system. You might also consider backing up the data in the home directory before deleting it. You can use the tar command to create a compressed archive of the users home directory and securely store it in root.

sudo tar cvzf /root/david-home.tar.gz /home/david/*

Now you will have preserved the users data just in case it is needed in the future. You can now safely remove their home directory.

Force Delete a User

If you try to delete a user that is currently logged into the system you will receive the following error:

$ sudo userdel -r david
userdel: user david is currently used by process 8391

You can force delete a user even if they are still logged in by used the -f (–force) option.

$ sudo userdel -fr david
userdel: user david is currently used by process 8391
userdel: david mail spool (/var/mail/david) not found

Force deleting a user while they still have access to the system is a bad idea.

This option is dangerous and may leave your system in an inconsistent state.– userdel man page

It would be much cleaner to temporarily disable loginskick (disconnect) the user, then delete their account.

Remove SELinux User Assignments

If you want to remove the SELinux user assignment, you can use the (-Z) option.

userdel -Zr david

Find Files Left by the User After Deletion

When you delete a user, even if using the -r option, there may be left over files in the file system that now do not have an owner. If that user had elevated privileges, they could have created a file anywhere. It is a best practice to not leave files on the file system without a defined owner or group.

To find files owned by the user, you will need their UID and GID. If you did not gather the UID and GID before deleting the user, this would be a guessing game.

Since we did collect the users UID & GID we can use the find command to see if he left any files on the file system.

$ sudo find / -uid 1001
find: ‘/run/user/1000/gvfs’: Permission denied
/var/tmp/davesstuff
/mnt/daves-drive

find: ‘/proc/8806/task/8806/fd/5’: No such file or directory
find: ‘/proc/8806/task/8806/fdinfo/5’: No such file or directory
find: ‘/proc/8806/fd/6’: No such file or directory
find: ‘/proc/8806/fdinfo/6’: No such file or directory

There you have it, we found two files that David created on the file system. Since we deleted David’s account, these files are left with no owner or group assigned to them. Even worse, if we add a new user, the system would reuse the UID and assign these files to the new user.

$ ls -l /var/tmp/davesstuff 
-rw-rw-r-- 1 1001 1001 1510 Mar 16 10:40 /var/tmp/davesstuff

$ sudo useradd Stacy -m

$ id Stacy
uid=1001(Stacy) gid=1001(Stacy) groups=1001(Stacy)

$ ls -l /var/tmp/davesstuff
-rw-rw-r-- 1 Stacy Stacy 1510 Mar 16 10:40 /var/tmp/davesstuff

As you can see above, the system recycled the 1001 UID and GID and assigned it to our new user “Stacy”. This gave Stacy access to all of David’s left over files. You can see how this would be a security issue.

NOTE: You can use the same method above to find files group owned by a GID.

sudo find / -gid 1001

Conclusion

Deleting unnecessary users from a system is always best practice. But as we learned, it is not always as cut and dry as just deleting the user account. You must ensure you clean up their files or you will be creating more of a security headache for yourself.

Leave a Reply

Your email address will not be published. Required fields are marked *