DaemonForums  

#1
18th May 2008
anomie
Remove/disable a former system user

Sooner or later, one of your users will be let go, find employment elsewhere, or win the lottery. When that happens you'll need to remove her account and ensure that she doesn't continue to have access after the fact.

The purpose of this guide is to outline some simple steps to disable an account while leaving a reasonable audit trail in place. It is written specifically for FreeBSD 6.x and 7.0, but the general concepts should apply (with different command implementations, perhaps) across many *nix systems.

Please note that the steps below were inspired by advice found in two excellent books:
  1. Essential System Administration, by Æleen Frisch
  2. Linux Server Hacks, by Rob Flickenger

-----------------------------------------

[ We'll call the unwelcome user account starla for these examples. ]

Lock out future authentication attempts

First, we'll expire the account and give it a nologin shell.

Code:
# chpass -e 'Oct 01 06' starla
# chsh -s /usr/sbin/nologin starla

(For the first command, any Mmm dd yy in the past will do.)

Additional considerations:
  • Did the user have access to any other accounts? Those passwords will need to be changed as well.
  • While you're at it, it'd be a good idea to scan /etc/group and remove her account from any secondary groups.

Prevent other access methods and archive home

Next, we'll move her home directory, change its ownership, and restrict its permissions.

Code:
# mv /usr/home/starla /usr/home/starla.gone
# chown -R root /usr/home/starla.gone
# chmod -R go-rwx /usr/home/starla.gone

Keeping the home directory and its contents around may be needed as part of an audit trail. In some situations (depending on your rules and policies) it may be more appropriate to back it up and then delete it altogether.

Check for any running/automated processes

Here we'll look at any processes executing under her account.

Code:
# ps aux | grep '^starla'

Anything running? You'll need to look into it, determine what it is and why it's running, and ultimately kill it.

Next, we'll look for anything that may be scheduled to run using at or cron.

Code:
# atq
# crontab -u starla -l

Ditto here. Is anything that's automated necessary for normal business operation? If so, you'll need to get it moved to a more appropriate (service) account. If not, remove the entries.

Check for sudoer entries

If her account should not be accessed, then it most certainly should not be used to run commands via sudo. Verify and remove any entries containing the starla user account with the command:

Code:
# visudo

Check for any other files on the system owned by the account

A quick find invocation can provide us with this info.

Code:
# find / -user starla > starla-files

Anything turn up? Again, you'll need to investigate and change ownership (or remove) as needed.

If the user has a mailbox -- e.g. /var/mail/starla -- you may want to back it up and then delete it.

Check for other application-level access

What services did the user have access to? Did the user have a mail alias set up? It would be a good idea to carefully review each of these configurations for references to starla and remove them (or replace them with a new account, as appropriate).

-----------------------------------------

Hopefully this guide has provided a baseline for planning (or modifying) your user account removal procedures. Be diligent and thorough to make sure that when someone leaves, she is really gone.
__________________
Kill your t.v.

Last edited by anomie; 18th May 2008 at 04:15 AM. Reason: corrected book reference list.
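
The group, sudoers, mail-alias and login-shell checks from the guide above, as an added read-only example (not anomie's commands). The function names and the sample files are hypothetical and constructed here; matching is on the whole account name, so starla2 is not reported for starla.

```sh
#!/bin/sh
# Added example: read-only checks for leftover references to a departed account.
# Function names are hypothetical; files are passed as arguments.

# Groups that still list USER as a secondary member (4th field of group(5)).
groups_listing() {  # usage: groups_listing USER GROUPFILE
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }' "$2"
}

# Non-comment lines that name USER as a whole word (sudoers, mail aliases).
# Included sudoers files are not followed; pass them explicitly.
lines_naming() {  # usage: lines_naming USER FILE...
    user=$1; shift
    awk -v u="$user" '
        /^[ \t]*#/ { next }
        {
            line = $0
            gsub(/[^A-Za-z0-9_.-]/, " ", line)  # keep only name characters
            n = split(line, w, " ")
            for (i = 1; i <= n; i++) if (w[i] == u) { print FILENAME ": " $0; break }
        }' "$@"
}

# Login shell recorded for USER (7th field of passwd(5)).
login_shell() {  # usage: login_shell USER PASSWDFILE
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# Constructed sample files (not from the guide) so the checks run offline.
make_sample() {  # usage: make_sample DIR
    printf '%s\n' 'wheel:*:0:root,starla' 'staff:*:20:starla2' \
        'ops:*:1001:bob,starla' > "$1/group"
    printf '%s\n' '# starla removed 2008' 'starla ALL=(ALL) ALL' \
        'starla2 ALL=(ALL) ALL' '%wheel ALL=(ALL) ALL' > "$1/sudoers"
    printf '%s\n' 'postmaster: root' 'webteam: bob, starla' > "$1/aliases"
    printf '%s\n' 'starla:*:1001:1001:Starla:/usr/home/starla:/bin/tcsh' > "$1/passwd"
}

d=$(mktemp -d) && make_sample "$d"
groups_listing starla "$d/group"                  # wheel, ops (not staff)
lines_naming starla "$d/sudoers" "$d/aliases"     # one sudoers line, one alias line
login_shell starla "$d/passwd"                    # /bin/tcsh: chsh step not yet applied
rm -rf "$d"
```

On a stock FreeBSD system the inputs would typically be /etc/passwd, /etc/group, /usr/local/etc/sudoers and /etc/mail/aliases (assumed default paths). After the guide's chsh step, login_shell should print /usr/sbin/nologin.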

#2
18th May 2008
cajunman4life

Thanks for the guide! Luckily I haven't had to remove any users (yet) but this is good to know!
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!

#3
18th May 2008
scottro

As far as the find goes--if it's a mixed environment, you'll have to edit that find command--for example, a user who puts files, created on her Windows machine, on the samba server.
It's been awhile since I've had to do this but it's something like
find / -user starla -print0

(Too sleepy to make sure I have the correct syntax right now. I do remember the print0 part though.)

#4
18th May 2008
TerryP

Thanks, I never actually thought about the user having running processes left behind.

Good thing I'm the only user here :\
__________________
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.

#5
18th May 2008
scottro

Heh, I worked for a company where the boss of one department tended to drive people away. So, I even had a little script to run find on anyone's files and chown them to the replacement. The average time of a new employee was about 3 months.

Then, I'd get an email from that department. Such and such is leaving, please set up her computer for this person starting on Monday.

#6
18th May 2008
cajunman4life

Quote:
Originally Posted by scottro
Heh, I worked for a company where the boss of one department tended to drive people away. So, I even had a little script to run find on anyone's files and chown them to the replacement. The average time of a new employee was about 3 months.

Then, I'd get an email from that department. Such and such is leaving, please set up her computer for this person starting on Monday.

Now that's what I call efficiency!
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!

#7
19th May 2008
corey_james

Quote:
Originally Posted by scottro
Heh, I worked for a company where the boss of one department tended to drive people away. So, I even had a little script to run find on anyone's files and chown them to the replacement. The average time of a new employee was about 3 months.

Then, I'd get an email from that department. Such and such is leaving, please set up her computer for this person starting on Monday.

Sounds like one of my old workplaces!
Hmm ... I think they had an office in the US as well - who do you work for again?