
1 webjuan September 23, 2009 at 3:57 pm

If possible, I would also consider changing the ownerships of all the files owned by the old employee to another valid system user.

You can use find while logged in as the root user:

# find /home/fireduser -user fireduser -exec chown newuser.newgroup {} \;

Your mileage will vary depending on OS.

2 @OlhoNaTV September 23, 2009 at 5:39 pm

It’s so Linux!

3 Reck September 23, 2009 at 11:58 pm

Just change the start up shell from /bin/sh to /bin/false in the /etc/passwd file for those specific accounts. Their shell won’t start.

4 athmoss September 24, 2009 at 10:29 pm

Nice article. I have one question: why use passwd -l (in the case mentioned in the article) instead of passwd -d?

5 CM September 29, 2009 at 5:20 pm

passwd -d just deletes the user password. This means that no password is required for that account.

passwd -l acts on /etc/shadow by adding a ! to the user’s password. Since encryption methods in use never produce a !, this password will never be matched!

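The two states CM describes (a "!"-prefixed hash from passwd -l versus an empty field from passwd -d) and the non-login shell Reck mentions can be checked mechanically. The following is an added example, not code from the thread or from the article it comments on: it parses constructed passwd/shadow-format files rather than the live /etc files, so it runs unprivileged, and the names write_samples, classify_account and unlocked_interactive are chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: audit account state in the terms used
# above (passwd -l vs passwd -d, and a non-login shell). It reads constructed
# passwd/shadow-format files written by write_samples, never the live /etc
# files, so it runs as an unprivileged user.

# write_samples DIR: constructed sample data in /etc/passwd and /etc/shadow format.
write_samples() {
    cat > "$1/passwd" <<'EOF'
alice:x:1001:1001::/home/alice:/bin/bash
fireduser:x:1002:1002::/home/fireduser:/sbin/nologin
bob:x:1003:1003::/home/bob:/bin/bash
svc:x:1004:1004::/var/lib/svc:/bin/false
carol:x:1005:1005::/home/carol:/bin/bash
EOF
    # Second field: "!"-prefixed hash = passwd -l; empty = passwd -d; "*" = never set.
    # The hashes are constructed placeholders, not real password hashes.
    cat > "$1/shadow" <<'EOF'
alice:$6$constructed$notarealhash:18000:0:99999:7:::
fireduser:!$6$constructed$notarealhash:18000:0:99999:7:::
bob::18000:0:99999:7:::
svc:*:18000:0:99999:7:::
EOF
}

# classify_account USER PASSWD_FILE SHADOW_FILE
# Prints "USER STATE SHELL" where STATE is LOCKED, NOPASSWD, ACTIVE or UNKNOWN.
classify_account() {
    user=$1; passwd_file=$2; shadow_file=$3
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd_file")
    entry=$(grep "^$user:" "$shadow_file" | head -n 1)
    if [ -z "$entry" ]; then
        state=UNKNOWN                       # no shadow entry at all
    else
        hash=$(printf '%s\n' "$entry" | cut -d: -f2)
        case $hash in
            '')        state=NOPASSWD ;;    # passwd -d: empty field, no password asked
            '!'*|'*'*) state=LOCKED ;;      # passwd -l: no hash can ever match "!..."
            *)         state=ACTIVE ;;
        esac
    fi
    printf '%s %s %s\n' "$user" "$state" "${shell:--}"
}

# unlocked_interactive PASSWD_FILE SHADOW_FILE
# Lists every account that is neither locked nor parked on a non-login shell:
# the ones a departed employee could still use to log in.
unlocked_interactive() {
    pf=$1; sf=$2
    cut -d: -f1 "$pf" | while IFS= read -r u; do
        classify_account "$u" "$pf" "$sf"
    done | while read -r name state sh; do
        case "$state:$sh" in
            LOCKED:*|*:/bin/false|*:/sbin/nologin|*:/usr/sbin/nologin) ;;
            *) printf '%s %s %s\n' "$name" "$state" "$sh" ;;
        esac
    done
}

demo=$(mktemp -d)
write_samples "$demo"
echo "Accounts still usable for login:"
unlocked_interactive "$demo/passwd" "$demo/shadow"
rm -rf "$demo"
```

On the sample data the report lists alice (active password), bob (passwd -d left an empty field, so no password is asked) and carol (no shadow entry, flagged because its state is not known to be locked); fireduser and svc are both locked and on non-login shells, which is the combination Reck and CM are describing.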

6 Jonas Björklund October 2, 2009 at 2:50 pm

I personally would recommend not to delete a user’s account using userdel, since it is possible that the same UID may be used again for a newly added employee. Even if you have searched and changed ownership of all files owned by the user, there still could be files you have missed, leaving a potential security risk.

7 prr.suresh May 18, 2013 at 4:51 am

@Jonas Björklund
Then how can I overcome the problem?
By explicitly setting the UID or anything else?

8 Colin October 3, 2014 at 11:50 am

Deleting a user’s account is asking for problems.

What of reporting and legacy programs that look for that UID? Or any daemon starting itself as that user; especially if that person is a DBA, you can suddenly discover cron jobs stop running because the user does not exist.

Honestly I would change their password and set their shell to /bin/false. From there interrogate any web service and look for old accounts.

9 Pandu POLUAN October 3, 2014 at 12:56 am

If you redirect the stdout of find to a file, you really shouldn’t use -print0, so that the resulting file would be easily parseable by a shell script. And easier to parse by humans.

The -print0 switch is useful mostly only for feeding to xargs, which will ‘flatten’ the list into one line to feed to commands that accept multiple files as parameters.

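The points raised across the thread fit one small procedure: inventory the departing user’s files before anything is deleted (webjuan’s find -user), keep a newline list for the human-readable report and a NUL list for xargs -0 (Pandu’s distinction), and look for files whose owning UID no longer exists, which is the leftover that UID reuse after userdel would silently hand to a new hire (Jonas’s and Colin’s concern). The following is an added example, not code from the thread: it runs against a constructed tree owned by the current UID, prints the chown commands as a dry run instead of executing them, and the names make_sample_tree, inventory_owned, count_nul, reassign_dry_run and orphaned are chosen here. It uses the newuser:newgroup form of chown rather than the older dotted form in webjuan’s comment.

```shell
#!/bin/sh
# Added example, not from the thread: inventory files owned by a departing
# account before the account is touched, in both the newline format (for the
# human-readable report) and the NUL format (for xargs -0), then show the
# reassignment as a dry run and list orphaned files (-nouser) left behind by
# earlier deletions. Runs against a constructed tree owned by the current UID.

# make_sample_tree DIR: constructed home directory with names containing spaces.
make_sample_tree() {
    mkdir -p "$1/home/fireduser/reports with spaces"
    : > "$1/home/fireduser/.bash_history"
    : > "$1/home/fireduser/notes.txt"
    : > "$1/home/fireduser/reports with spaces/q3 summary.csv"
}

# count_nul FILE: number of NUL terminators, i.e. entries, however odd the names.
count_nul() {
    tr -dc '\000' < "$1" | wc -c | tr -d ' '
}

# inventory_owned UID TREE OUTDIR: writes OUTDIR/owned.txt (one path per line,
# for people and reports) and OUTDIR/owned.nul (NUL-terminated, for xargs -0),
# then prints the number of entries found.
inventory_owned() {
    owner=$1; tree=$2; out=$3
    mkdir -p "$out"
    find "$tree" -user "$owner" -print  > "$out/owned.txt"
    find "$tree" -user "$owner" -print0 > "$out/owned.nul"
    count_nul "$out/owned.nul"
}

# reassign_dry_run NULFILE NEWOWNER: the chown lines that xargs -0 would run,
# one per file; drop the "echo" to perform the reassignment (needs root).
reassign_dry_run() {
    xargs -0 -n 1 echo chown "$2" -- < "$1"
}

# orphaned TREE: files whose owning UID has no passwd entry any more.
# Run over the whole filesystem before a freed UID is ever handed out again.
orphaned() {
    find "$1" -nouser -print
}

demo=$(mktemp -d)
make_sample_tree "$demo"
n=$(inventory_owned "$(id -u)" "$demo/home/fireduser" "$demo/out")
echo "$n entries owned by uid $(id -u) under $demo/home/fireduser"
reassign_dry_run "$demo/out/owned.nul" newuser:newgroup
echo "orphaned files: $(orphaned "$demo/home/fireduser" | wc -l | tr -d ' ')"
rm -rf "$demo"
```

Counting NUL terminators rather than lines is what makes the NUL list the reliable one for automation: a path containing a space or a newline is still exactly one entry there, while the newline list is the one to hand to a person.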
