9 comments

  1. If possible, I would also consider changing the ownerships of all the files owned by the old employee to another valid system user.

    You can use find while logged in as the root user:

    # find /home/fireduser -user fireduser -exec chown newuser.newgroup {} \;

    Your mileage will vary depending on OS.

  2. Just change the startup shell from /bin/sh to /bin/false in the /etc/passwd file for those specific accounts. Their shell won’t start.

  3. passwd -d just deletes the user password. This means that no password is required for that account.

    passwd -l acts on /etc/shadow by adding a ! to the user’s password. Since the encryption methods in use never produce a !, this password will never be matched!

  4. I personally would recommend not to delete a user’s account using userdel, since it is possible that the same UID may be used again for a newly added employee. Even if you have searched and changed ownership of all files owned by the user, there still could be files you have missed, leaving a potential security risk.

      1. Deleting a user’s account is asking for problems.

        What of reporting and legacy programs that look for that UID? Or any daemon starting itself as that user; especially if that person is a DBA, you can suddenly discover cron jobs stop running because the user does not exist.

        Honestly I would change their password and set their shell to /bin/false. From there interrogate any web service and look for old accounts.
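As an added example (not code from any of the commenters), the following POSIX sh audit distinguishes the three account states discussed in comments 2, 3 and the reply above: a ! prefixed hash from passwd -l, an empty hash from passwd -d (no password required), and a login shell of /bin/false or nologin. The user names, UIDs and hashes are constructed sample data standing in for /etc/passwd and /etc/shadow, which need root to read on a real host.

```sh
#!/bin/sh
# Field layout: passwd  name:x:uid:gid:gecos:home:shell
#               shadow  name:hash:lastchg:min:max:warn:inactive:expire:flag
# Constructed sample records (not real users or hashes).
SAMPLE_PASSWD='alice:x:1001:1001::/home/alice:/bin/sh
bob:x:1002:1002::/home/bob:/bin/false
carol:x:1003:1003::/home/carol:/bin/sh
dave:x:1004:1004::/home/dave:/usr/sbin/nologin'
SAMPLE_SHADOW='alice:$6$salt$hashhashhash:19000:0:99999:7:::
bob:!$6$salt$hashhashhash:19000:0:99999:7:::
carol::19000:0:99999:7:::
dave:*:19000:0:99999:7:::'

# Print the shadow hash field for a user (empty if absent or passwd -d was run).
shadow_hash() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" '$1 == u { print $2 }'
}

# Print the login shell recorded in the passwd record for a user.
login_shell() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# Classify the password state of one account:
#   nopassword  empty hash (passwd -d): login succeeds with no password at all
#   locked      hash begins with "!" (passwd -l) or is "*": nothing can match it
#   active      a usable hash is present
account_state() {
    h=$(shadow_hash "$1")
    case "$h" in
        '')        echo nopassword ;;
        '!'*|'*')  echo locked ;;
        *)         echo active ;;
    esac
}

# Return 0 when the shell denies interactive logins (the /bin/false approach).
shell_disabled() {
    case "$(login_shell "$1")" in
        /bin/false|/usr/sbin/nologin|/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Offboarding check: the account must be locked AND have a disabled shell.
# A nopassword state is a finding by itself, since passwd -d opens the account.
offboarded_ok() {
    [ "$(account_state "$1")" = locked ] && shell_disabled "$1"
}
```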

  5. If you redirect the stdout of find to a file, you really shouldn’t use -print0, so that the resulting file would be easily parseable by a shell script. And easier to parse by humans.

    The -print0 switch is useful mostly only for feeding to xargs, which will ‘flatten’ the list into one line to feed to commands that accept multiple files as parameters.
