3

I'm running a webserver at Slicehost and decided to delete unused/unnecessary users. But I really don't know which ones are necessary for the system to work.

I use it as an Apache webserver with MySQL, PHP, memcached, SSH and ProFTPD.

This is the list of users in /etc/passwd.
How can I decide which ones to delete?

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
MYUSER:x:1000:1000:,,,:/home/MYUSER:/bin/bash
mysql:x:102:105:MySQL Server,,,:/var/lib/mysql:/bin/false
Debian-exim:x:103:106::/var/spool/exim4:/bin/false
ftp:x:104:65534::/home/ftp:/bin/false
logcheck:x:105:107:logcheck system account,,,:/var/lib/logcheck:/bin/false
proftpd:x:107:65534::/var/run/proftpd:/bin/false

The Disintegrator

3 Answers

5

Here's what an older version of the Debian documentation has to say about the matter: https://web.archive.org/web/20200415045431/https://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html#s12.1.12.1

That section has been removed from a newer manual. Looking at the users present in getent passwd, almost all of them have /usr/sbin/nologin as the shell. Some users only exist so that files can be owned by them. I don't think you need to remove users anymore.

ptman
2

Manually created users end up with a uid just above 1000 (unless you specified the uid). Just don't touch any other users than those in the 1000+ range manually.

Some accounts in the 100+ range are users linked to the programs you're running (Apache, MySQL, ProFTPd). In general, you should let packages deal with these users and not try to manage them manually.

raphink
1

It's hard to say; all the users are there because daemons and cron jobs need them.

But I can tell you which ones you can't delete.

Run top, ps -aux or something like that, and check the users; if there's a process started by the "nobody" user, you can't delete it. If you feel that those processes shouldn't be there, then stop the daemons and uninstall their packages, and then delete the users.

Also check crontab and cron.d; if you delete a user needed to start a cron job, that job will never work again.

For other users used as administrative users, you can set their shell to /bin/false if you are unsure about deleting them. The user will remain there but nobody will get a shell from it.

theist
  • Let's say I set the shell to /bin/false for every user BUT the one I actually use. Will I break everything? – The Disintegrator Aug 28 '10 at 09:25
  • Always leave a shell for your user and the root user. For other users, again, it depends on your configuration. There's no rule of thumb. The other users may need it or not. For example, www-data in most cases does not need a shell, but some CGI could need it. Historically all users under id 99 had /bin/sh as login shells; these are historic or legacy users. All "modern" Linux services already come configured with "/bin/false" (mysql, ftpd ...). In general, as pointed out by Raphink, it's safe to trust the package maintainers; if you can't, you should dig into your system to find out what each user does there. – theist Aug 30 '10 at 06:21
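
The checks suggested in the answers above (UID range, login shell, ownership of processes or cron jobs) can be combined into one read-only pass over a passwd-format file. This is an added example, not code from the thread; the function names, the in-use list file, the verdict wording and the sample entries are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Read-only: prints verdicts, changes nothing.
# Usage: audit_passwd PASSWD_FILE [IN_USE_FILE]
#   IN_USE_FILE (assumption of this example): one account name per line, for
#   accounts seen owning processes or cron jobs.
audit_passwd() {
    awk -F: -v inuse_file="${2:-/dev/null}" '
        BEGIN {
            OFS = "\t"
            while ((getline name < inuse_file) > 0) if (name != "") inuse[name] = 1
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        NF != 7 || $3 !~ /^[0-9]+$/ { print "line " NR, "-", "-", "malformed"; next }
        {
            uid = $3 + 0
            shell = ($7 == "") ? "/bin/sh" : $7      # an empty shell field means /bin/sh
            login = (shell !~ /\/(nologin|false|sync)$/)
            if (uid == 0)                         verdict = "root: keep"
            else if (uid >= 1000 && uid != 65534) verdict = "regular user: manage by hand"
            else if ($1 in inuse)                 verdict = "system, in use: keep"
            else if (login)                       verdict = "system, login shell: review shell"
            else                                  verdict = "system, no login shell: leave to packages"
            print $1, uid, shell, verdict
        }
    ' "$1"
}

# Constructed sample: a few entries in the format of the listing in the question.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
games:x:5:60:games:/usr/games:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:102:105:MySQL Server,,,:/var/lib/mysql:/bin/false
MYUSER:x:1000:1000:,,,:/home/MYUSER:/bin/bash
EOF
}

# Demo on the constructed sample only (no in-use list supplied).
tmp=$(mktemp) && sample_passwd > "$tmp" && audit_passwd "$tmp"; rm -f "$tmp"
```

On a live host, the in-use list can be built from `ps -eo user= | sort -u` plus the owners of the crontab entries.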