How to delete a user on Linux (and remove any trace)

There is more to deleting a user on Linux than you think. If you are a system administrator, you should remove all traces of the account and its access from your systems. We’ll show you the steps.

If you only want to delete one user account from your system and are not concerned about ending running processes and other cleanup tasks, follow the steps in the “Delete the user account” section below. You will need the deluser command on Debian-based distributions and the userdel command on other Linux distributions.

Linux user accounts

Since the first time-sharing systems appeared in the early 1960s and introduced the ability for multiple users to work on a single computer, there has been a need to isolate and separate each user’s files and data from all other users. So user accounts, and passwords, were born.

User accounts have an administrative burden. They must be created the first time the user needs access to the computer. They must be removed when this access is no longer required. In Linux, there are a number of steps that should be followed in order to correctly and methodically remove the user, their files, and their account from the computer.

If you are the system administrator, that responsibility is yours. So go ahead.

Our scenario

There are a number of reasons an account might need to be deleted. An employee can move to another team or leave the company entirely. The account may have been set up for a short-term collaboration with a visitor from another company. Team-ups are common in the academic world, where research projects can involve departments, various universities, and even commercial institutions. At the end of the project, the system administrator needs to do housekeeping and remove unnecessary accounts.


The worst-case scenario is when someone disappears under a cloud because of an offense. Such events usually happen suddenly and without warning. This gives the system administrator very little time to plan, and there is an urgent need to lock, close and delete the account, with a copy of the user’s files secured in case they are needed for forensics after the closure.

In our scenario, let’s assume that a user, Eric, did something that justified his immediate removal from the premises. He doesn’t know about it yet; he is still working and is logged in. As soon as you nod to security, he will be escorted out of the building.

Everything is set. All eyes are on you.

Check the login

Let’s see if he’s really logged in and, if so, how many sessions he’s working with. The who command lists active sessions.

who

Eric is logged in once. Let’s see what processes he’s running.

Review of the user’s processes

We can use the ps command to list the processes this user is running. The -u (user) option tells ps to limit its output to the processes executing under the ownership of that user account.

ps -u eric


We can see the same processes with more information by looking at the top command. top also has a -U (user) option to limit the output to the processes owned by a single user. Notice that this time it’s a capital “U”.

top -U eric

We can see the memory and CPU usage of each task and quickly check for any suspicious activity. We are about to forcibly kill all of his processes, so it is worth taking a moment to review them and ensure that other users will not be affected when you terminate the eric account’s processes.

It doesn’t look like he’s doing much, just using less to view a file. We can safely proceed. But before we terminate his processes, we will freeze the account by locking the password.


Lock the account

We lock the account before we kill the processes because killing the processes will log the user out. If we have already locked his password, he will not be able to log in again.

The encrypted user passwords are stored in the /etc/shadow file. You wouldn’t normally bother with these next few steps, but so that you can see what happens in /etc/shadow when you lock the account, we’ll make a small detour. With the following command we can look at the first two fields of the entry for the eric user account.

sudo awk -F: '/eric/ {print $1,$2}' /etc/shadow

The awk command parses fields from text files and optionally manipulates them. We use the -F (field separator) option to tell awk that the file uses a colon “:” to separate the fields. We’re looking for a line matching the pattern “eric”. For matching lines, we print the first and second fields. These are the account name and the encrypted password. Note that /eric/ is a substring match, so it would also print an entry for a user such as “derick”; on a busy system use an exact comparison on the first field ($1 == "eric") instead.


The entry for the user account eric will be printed for us.

To lock the account we use the passwd command. We’ll use the -l (lock) option and give the name of the user account to be locked.

sudo passwd -l eric

When we check the /etc/shadow file once more, we’ll see what happened.

sudo awk -F: '/eric/ {print $1,$2}' /etc/shadow

An exclamation mark has been added to the beginning of the encrypted password. It does not overwrite the first character; it is only prepended to the hash, so the lock can be reversed with passwd -u. That is all that is required to prevent the user from logging into this account with a password. Bear in mind that this only disables password authentication: if the account has SSH authorized keys or another login method, those still work, which is one more reason to kill the processes and delete the account rather than stop at locking it.
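As an added example that is not part of the original article, the function below reports an account’s lock state from a shadow-format file using an exact match on the user name field rather than the loose /eric/ pattern. The sample shadow file is constructed here with placeholder hashes; the function name and the state labels are this example’s own choices.

```shell
#!/bin/sh
# Added example, not from the original article. Classify the password field of
# one account in a shadow-format file. Arguments: user name, then the path to
# a shadow-format file (defaults to /etc/shadow, which requires root to read).
shadow_lock_state() {
    user=$1
    file=${2:-/etc/shadow}
    awk -F: -v u="$user" '
        $1 == u {                     # exact match, so "derick" never matches "eric"
            found = 1
            if ($2 ~ /^!/)       print "locked"   # passwd -l prepends "!"
            else if ($2 ~ /^\*/) print "nologin"  # no password was ever set
            else if ($2 == "")   print "empty"    # passwordless login may be possible
            else                 print "active"
            exit
        }
        END { if (!found) print "absent" }
    ' "$file"
}

# Constructed sample in /etc/shadow format; the hashes are placeholders, not real.
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$PLACEHOLDERHASH:18800:0:99999:7:::
eric:!$6$PLACEHOLDERHASH:18800:0:99999:7:::
derick:$6$PLACEHOLDERHASH:18800:0:99999:7:::
daemon:*:18800:0:99999:7:::
EOF

shadow_lock_state eric "$SAMPLE_SHADOW"    # locked
shadow_lock_state derick "$SAMPLE_SHADOW"  # active
```

Run it against the real file with `sudo sh -c '. ./check.sh; shadow_lock_state eric'` (assumed script name) to confirm the lock took effect after passwd -l.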

After preventing the user from logging back in, we can kill their processes and log them off.

Killing the processes

There are several ways to kill a user’s processes, but the command shown here is widely used and a more modern implementation than some of the alternatives. The pkill command finds and terminates processes. We pass it the KILL signal and use the -u (user) option.

sudo pkill -KILL -u eric


You return to the command prompt in a decidedly anticlimactic fashion. To make sure something happened, let’s take a look with who again:

who

His session is gone. He has been logged off and his processes have stopped. That made the situation less urgent. Now we can relax a little and continue with the rest of the tidying up while security goes to Eric’s desk.


Archive the user’s home directory

It cannot be ruled out that such a scenario may require future access to the user’s files, either as part of an investigation or simply because his successor may have to fall back on the work of their predecessor. We’ll use the tar command to archive his entire home directory.

The options we use are:

  • c: Create an archive file.
  • f: Use the specified file name for the name of the archive.
  • j: Use bzip2 compression.
  • v: Provide verbose output while the archive is being built.

sudo tar cfjv eric-20200820.tar.bz /home/eric

A lot of output scrolls past in the terminal window. To check that the archive was created, use the ls command. We use the -l (long format) and -h (human readable) options.

ls -lh eric-20200802.tar.bz

A file of 722 MB was created. This can be copied to a safe place for later review.

Remove cron jobs

We’d better check whether there are any cron jobs scheduled for the eric user account. A cron job is a command that is triggered at specific times or intervals. We can check if there are any cron jobs scheduled for this user account with ls:

sudo ls -lh /var/spool/cron/crontabs/eric


If something exists at that location, there are cron jobs queued for this user account. We can delete them with the crontab command. The -r (remove) option removes the jobs and the -u (user) option tells crontab whose jobs should be removed.

sudo crontab -r -u eric

The jobs are silently deleted. For all we know, if Eric suspected he was about to be removed, he might have scheduled a malicious job. This step is best practice.

Remove print jobs

Maybe the user had pending print jobs? To be on the safe side, we can clear the print queue of all jobs belonging to the eric user account. The lprm command removes jobs from the print queue. The -U (username) option lets you remove the jobs owned by the named user account:

lprm -U eric

The jobs are removed and you are returned to the command line.

Delete the user account

We already have the files from the /home/eric/ directory, so we can go ahead and delete the user account and the /home/eric/ directory at the same time.

The command to use depends on which Linux distribution you are using. For Debian-based Linux distributions, the command is deluser, and for the rest of the Linux world, it is userdel.


In fact, both commands are available on Ubuntu. I half expected one to be an alias of the other, but they are different binaries.

type deluser
type userdel

Although both are available, it is recommended that you use deluser on Debian-derived distributions. The userdel man page says:

“userdel is a low-level user removal utility. Under Debian, administrators should normally use deluser(8) instead.”

That’s clear enough, so the command to use on this Ubuntu computer is deluser. Since we also want his home directory removed, we’ll use the --remove-home flag:

sudo deluser --remove-home eric

The command to use for non-Debian distributions is userdel, with the --remove flag:

sudo userdel --remove eric

All traces of the user account eric have been deleted. We can check that the /home/eric/ directory was removed:

ls /home


The eric group was also removed, because the user account eric was the only member of it. We can easily check this by searching the contents of /etc/group with grep (the file is world-readable, so no sudo or pager is needed):

grep eric /etc/group
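As an added example that is not part of the original article, the function below checks for leftover references to a deleted account by exact field match, which a plain grep for “eric” does not do (it would also match “derick” or “america”). It also looks for a stray crontab file in the spool directory. The fixture files are constructed here; the paths are parameters so the function can be pointed at the real /etc files or at copies.

```shell
#!/bin/sh
# Added example, not from the original article. Report remaining references to
# an account after deluser/userdel. Arguments: user name, then optional paths
# to passwd-, group- and crontab-spool-style locations (defaults are the real
# system files; the spool directory needs root to read).
residual_account_refs() {
    user=$1; passwd=${2:-/etc/passwd}; group=${3:-/etc/group}
    crondir=${4:-/var/spool/cron/crontabs}
    # Account entry still present in passwd (exact match on field 1).
    awk -F: -v u="$user" '$1 == u { print FILENAME ": account entry " $0 }' "$passwd"
    # Field 1 of group is the group name; field 4 is the comma-separated member list.
    awk -F: -v u="$user" '
        $1 == u { print FILENAME ": group " $1 " still exists" }
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) print FILENAME ": member of " $1 }
    ' "$group"
    [ -e "$crondir/$user" ] && echo "$crondir/$user: crontab still present"
    return 0
}

# Constructed fixtures standing in for /etc/passwd, /etc/group and the cron spool.
FIX=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\nderick:x:1002:1002::/home/derick:/bin/bash\n' > "$FIX/passwd"
printf 'sudo:x:27:derick,eric\namerica:x:1005:\nderick:x:1002:\n' > "$FIX/group"
mkdir "$FIX/crontabs"; : > "$FIX/crontabs/eric"

# Two findings for eric: sudo membership and a leftover crontab; none for derick
# beyond his own valid entries, and none at all for an unknown name.
residual_account_refs eric "$FIX/passwd" "$FIX/group" "$FIX/crontabs"
```

An empty result means nothing was found; on a real system you would also run `find / -xdev -nouser` to catch files outside /home that were owned by the deleted UID.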

It’s a wrap

Eric is gone for his sins. The security guards are still leading him out of the building, and you’ve already backed up and archived his files, deleted his account and cleared the system of any remnants.

Accuracy always comes before speed. Make sure you consider each step before doing it. You don’t want anyone to go to your desk and say, “No, the other Eric”.
