Deleting an account is a bit more tricky than suspending it, because the script needs to check the entire file system for files owned by the user, and this must be done before the account information is removed from /etc/passwd and /etc/shadow.
#!/bin/sh

## deleteuser - Deletes a user account without a trace...
#  Not for use with Mac OS X

homedir="/home"
pwfile="/etc/passwd"
shadow="/etc/shadow"
newpwfile="/etc/passwd.new"
newshadow="/etc/shadow.new"
suspend="/usr/local/bin/suspenduser"
locker="/etc/passwd.lock"

# Quote "$1" and "$uid": an empty or odd value would otherwise make the
# tests fail with a syntax error instead of the intended usage message.
if [ -z "$1" ] ; then
  echo "Usage: $0 account" >&2; exit 1
elif [ "$(whoami)" != "root" ] ; then
  echo "Error: you must be 'root' to run this command." >&2; exit 1
fi

$suspend "$1"    # suspend their account while we do the dirty work

uid="$(grep -E "^${1}:" $pwfile | cut -d: -f3)"

if [ -z "$uid" ] ; then
  echo "Error: no account $1 found in $pwfile" >&2; exit 1
fi

# Remove from the password and shadow files
grep -vE "^${1}:" $pwfile > $newpwfile
grep -vE "^${1}:" $shadow > $newshadow

lockcmd="$(which lockfile)"    # find lockfile app in the path

if [ ! -z "$lockcmd" ] ; then  # let's use the system lockfile
  eval $lockcmd -r 15 $locker  # retry up to 15 times before giving up
else                           # ulp, let's do it ourselves
  # Note: this test-then-touch fallback is not atomic; two deleteuser
  # runs could both see no lock file and both proceed.
  while [ -e $locker ] ; do
    echo "waiting for the password file" ; sleep 1
  done
  touch $locker                # created a file-based lock
fi

mv $newpwfile $pwfile
mv $newshadow $shadow

rm -f $locker                  # click! unlocked again

chmod 644 $pwfile
chmod 400 $shadow

# Now remove home directory and list anything left...

rm -rf "$homedir/$1"

echo "Files still left to remove (if any):"
find / -uid "$uid" -print 2>/dev/null | sed 's/^/   /'
echo ""
echo "Account $1 (uid $uid) has been deleted, and their home directory "
echo "($homedir/$1) has been removed."

exit 0
To avoid any problems with things changing underfoot, notice that the very first task that deleteuser performs is to suspend the user account by calling suspenduser.
Before modifying the password file, this script locks it using the lockfile program, if it's available. If not, it drops back to a relatively primitive locking mechanism through the creation of the file /etc/passwd.lock. If the lock file already exists, this script will sit and wait for it to be deleted by another program; once it's gone, deleteuser immediately creates it and proceeds.
This script must be run as root (use sudo) and needs the name of the account to delete specified as the command argument.
Danger! Notice that this script is irreversible and causes lots of files to vanish, so do be careful if you want to experiment with it!
$ sudo deleteuser snowy
Please change account snowy password to something new.
Changing password for user snowy.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Account snowy has been suspended.
Files still left to remove (if any):
   /var/log/dogbone.avi

Account snowy (uid 502) has been deleted, and their home directory
(/home/snowy) has been removed.
That sneaky Snowy had hidden an AVI file (dogbone.avi) in /var/log. Lucky we noticed that — who knows what it could be?
This deleteuser script is deliberately not complete. Sysadmins will decide what additional steps to take, whether it is compressing and archiving a final copy of the account files, writing them to tape, burning them on a CD-ROM, or even mailing them directly to the FBI (hopefully I'm just kidding on that last one). In addition, the account needs to be removed from the /etc/group file. If there are stray files outside of the user's home directory, the find command identifies them, but it's still up to the admin to examine and delete each one, as appropriate.
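The /etc/group cleanup the text leaves to the admin, as an added example that is not from the book: it strips the account from every group's member list, drops the account's own private group if nothing else is left in it, and rewrites the file with the same write-a-new-file-then-mv pattern deleteuser uses, but takes the lock with mkdir, which is atomic where the touch fallback above is not. The group file path is a parameter so it can be exercised on a copy; make_sample_group and its entries are constructed for this demonstration, not taken from any real system.

```shell
#!/bin/sh
# Added example, not from the book: group-file cleanup for a deleted account.

# Print GROUPFILE with ACCOUNT removed from every member list (field 4,
# comma separated). A group whose name equals the account and which has
# no members left (the user's private group) is dropped entirely.
strip_group_member() {
  account="$1"; groupfile="$2"
  awk -F: -v user="$account" '
    BEGIN { OFS = ":" }
    {
      n = split($4, m, ",")
      out = ""
      for (i = 1; i <= n; i++)
        if (m[i] != user && m[i] != "")
          out = (out == "" ? m[i] : out "," m[i])
      if ($1 == user && out == "") next   # empty private group: drop it
      $4 = out
      print
    }' "$groupfile"
}

# mkdir either creates the lock directory or fails: no check-then-create
# window, unlike the "while [ -e ]; ... touch" fallback in deleteuser.
take_lock() { mkdir "$1" 2>/dev/null; }

# Rewrite GROUPFILE in place without ACCOUNT; returns 1 if the lock is busy.
remove_from_groups() {
  account="$1"; groupfile="$2"; lockdir="$groupfile.lock"
  take_lock "$lockdir" || return 1
  strip_group_member "$account" "$groupfile" > "$groupfile.new" &&
    mv "$groupfile.new" "$groupfile"
  status=$?
  rmdir "$lockdir"
  return $status
}

# Constructed sample group file so the example runs stand-alone.
make_sample_group() {
  printf '%s\n' 'root:x:0:' 'wheel:x:10:taylor,snowy' 'snowy:x:502:' \
    'audio:x:29:snowy' 'video:x:44:snowy,taylor' > "$1"
}
```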