قالب وردپرس درنا توس
Home / Tips and Tricks / How to delete a user on Linux (and delete all tracks)

How to delete a user on Linux (and delete all tracks)

  A shell prompt in a terminal window on a Linux computer.
Fatmawati Achmad Zaenuri / Shutterstock

Deleting a user on Linux means more than you think. If you are a system administrator, you want to clear all traces of the account and its access from your systems. We'll show you the steps to take.

If you just want to delete a user account from your system and are not worried about terminating any running processes and other cleanup tasks, follow the steps in the "Delete User Account" section below. You need the deluser command about Debian- based distributions and the userd part command on other Linux distributions.

Linux user accounts

Ever since the first time-sharing system appeared in the early 1

960s and brought with it the opportunity for multiple users to work on a single computer, there has been a need to isolate and file the files and data for each user from all other users, and so user accounts – and passwords – were born.

User accounts have an administrative cost, they must be created when the user first need access to the computer, they must be removed when that access is no longer required. On Linux, there is a sequence of steps that should follow as to correctly and methodically delete the user, their files and their account from the computer.

If you are the system administrator, it is your responsibility. This is how it works.

Our Scenario

There are a few reasons why an account may need to be deleted. An employee may move to another team or leave the company entirely. The account may have been created for a short-term collaboration with a visitor from another company. Team-ups are common in the academy, where research projects can range from institutions, different universities and even commercial units. When the project ends, the system administrator must perform the household and remove unnecessary accounts.

The worst case is when someone leaves under a cloud due to wrongdoing. Such events usually occur suddenly, with little warning. It gives the system administrator very little time to plan, and a rush to get the account locked, closed and deleted – with a copy of the user's files backed up in case they are needed for any forensic forensics.

scenario, we pretend that a user, Eric, has done something to motivate his immediate removal from the premises. Right now he is not aware of this, he is still working and logged in. As soon as you put the nude to safety he will be escorted from the building.

Everything is set up. All eyes are on you.

Check Login

Let's see if he is actually logged in and if he is, how many sessions he is working on. which will display active sessions.


  as in a terminal window

Eric is logged in once. Let's see what processes he runs.

Review user processes

We can use the command ps to list the processes this user is running. The -u (user) option lets us say ps to limit its output to the processes running under that user account.

  ps -u eric 

  ps -u eric in a terminal window

We can see the same processes with more information with the command top . top also has a -U (user) to limit the output to the processes owned by a single user. Note that this time is a large version "U."

  top -U eric 

  top -U eric in a terminal window

We can see the memory and CPU usage of each task, and can quickly look for anything with suspicious activity. We are in the process of killing all his processes with vigor, so it is safest to take a moment to quickly review the processes and check and ensure that other users will not be cumbersome when you terminate user account eric : s processes.

 Output from top-U eric in a terminal window

It doesn't look like he does much, just use less to see a file. We are sure to continue. But before we kill his processes, we freeze the account by locking the password.

RELATED: How to use the ps command to monitor Linux processes

Locking Account

We lock the account before we kill the processes because when we kill the processes it will log out the user. If we have already changed his password, he will not be able to log in again.

The encrypted user passwords are stored in the file / etc / shadow . You wouldn't normally care about these next steps, but so that you can see what happens in the file / etc / shadow when you lock the account, we take a little detour. We can use the following command to look at the first two fields in the entry for eric user account.

  sudo awk -F: & # 39; / eric / {print $ 1, $ 2} & # 39; / etc / shadow 

  sudo awk -F: & # 39; / eric / {print $ 1, $ 2} & # 39; / etc / shadow in a terminal window

The awk command analyzes fields from text files and manipulates them optionally. We use the option -F (field separator) to tell awk that the file uses a colon ": " to separate the fields. We will search for a line with the pattern "eric" in it. For matching rows, we will print the first and second fields. These are the account name and the encrypted password.

The information for the user account eric is printed for us.

To lock the account, we use the command passwd . We use the option -l (lock) and pass in the user account to lock.

  sudo passwd -l eric 

  sudo passwd-l eric in a terminal window

If we check the file / etc / passwd again, we see what happened.

  sudo awk -F: & # 39; / eric / {print $ 1, $ 2} & # 39; / etc / shadow 

  sudo awk -F: & # 39; / eric / {print $ 1, $ 2} & # 39; / etc / shadow in a terminal window

An exclamation point has been added at the beginning of the encrypted password. It does not overwrite the first character, it has only been added at the beginning of the password. This is all that is required to prevent a user from logging in to that account.

Now that we have prevented the user from logging in again, we can kill his processes and log him out.

Killing the processes

There are different ways to kill a user's processes, but the command shown here is widely available and is a more modern implementation than some of the options. The command pkill will find and kill processes. We pass the KILL signal and use the option -u (user).

  sudo pkill -KILL -u eric 

  sudo pkill -KILL -u eric in a terminal window

You return to the command prompt in a decidedly anti-climactic manner. To make sure something happened let's check who again:


  who in a terminal window

His session is gone. He has been logged off and his processes have been stopped. This has removed some of the urgency from the situation. Now we can relax a bit and continue with the rest of the moping as security takes a walk to Eric's desk.

RELATED: How to kill processes from the Linux terminal

Archiving the user's home directory

In a scenario like this, access to the user's files will not be required in the future. Either as part of an investigation or simply because their replacement may need to refer back to his predecessor's work. We use the command takes to archive the entire home directory.

The options we use are:

  • c : Create an archive file.
  • f : Use the specified filename for the archive name.
  • j : Use bzip2 compression.
  • v : Provide proper output when the archive is created.
  sudo takes cfjv eric- 20200820.tar.bz / home / eric 

  sudo takes cfjv eric-20200820.tar.bz / home / eric in a terminal window

Much screen output will scroll through the terminal window . To verify that the archive has been created, use the command ls . We use the options -l (long format) and -h (human readable).

  ls -lh eric-20200802.tar.bz 

  sudo takes cfjv eric-20200820.tar.bz / home / eric in one terminal window

A 722 MB file has been created. This can be copied somewhere secure for later review.

Delete cron jobs

We would better check if there are any cron jobs scheduled for user account eric . A cron job is a command that is triggered at specified times or intervals. We can check if there are any cron jobs scheduled for this user account with ls :

  sudo ls -lh / var / spool / cron / crontabs / eric 

  sudo ls -lh / var / spool / cron / crontabs / eric in a terminal window

If there is something in this location, it means that there are cron jobs in the queue for that user account. We can remove them with this crontab command. The -r (delete) option will delete jobs, and -u (users) will tell crontab whose job to remove.

  sudo crontab -r -u eric 

  sudo crontab -r -u eric in a terminal window

The job is silently deleted. For all we know, if Eric had suspected he was about to be thrown out, maybe he had planned a damaging job. This step is best practice.

Delete print job

Maybe the user was expecting a print job? Just to be sure, we can clear the print queue for all jobs that belong to the user account eric . The command lprm removes jobs from the print queue. The option -U (username) lets you delete jobs owned by the named user account:

  lprm-U eric 

  lprm-U eric in a terminal window

The job is removed and you return to the command line.

Delete user account

We have already backed up the files from directory / home / eric / so we can go ahead and delete user account and delete directory / home / eric / at the same time.

The command to use depends on the distribution of Linux you are using. For Debian-based Linux distributions, the command is deluser and for the rest of the Linux world it is userd part .

In fact, both commands on Ubuntu are available. I expected one of them to be an alias for the other, but they are distinct binary.

  type deluser 
  type user part 

  type deluser in a terminal window

Although both are available, the recommendation is to use deluser on Debian-derived distributions: [19659004] “ userdel is a low-level tool for removing users. On Debian, administrators should usually use deluser (8) instead. "

It's clear enough, so the command to use on this Ubuntu computer is deluser . Since we also want their home directory removed, we use - remove-home flag:

  sudo deluser - remove-home eric 

  sudo deluser - remove-home eric in a terminal window

The command to use for distributions without Debian is userdel with - remove flag:

  sudo userdel - remove eric 

All traces of user account eric has been deleted. We can verify that the / home / eric / directory has been deleted:

  ls / home 

 ls / home in a terminal window

The eric [The group has also been deleted because the user account eric was the only record in it. We can control this quite easily by directing the contents of / etc / group to grip :

  sudo less / etc / group | grep eric 

 sudo less / etc / group | grabbed eric in a terminal window

It's a Wrap

Eric, for his sins, is gone. The security is still running out of the building and you have already secured and archived his files, deleted his account and cleaned up the system of any leftovers.

Accuracy always drums speed. Make sure you consider each step before taking it. You don't want anyone to go up to your desk and say "No, the other Eric."

Source link