Howto remove an user and improve security

by Tom Adelstein

Employee turnover in most organizations runs high. So unless you run a small shop with a stable user base, you need to learn how to clean up after an employee leaves. Too many so-called system administrators do not understand the stakes involved when they manage users. Disgruntled former employees can often cause significant trouble for a company by gaining access to the network.

To remove a user, you need to learn to manage all of his or her files, mailboxes, mail aliases, print jobs, recurring -(automatic) personal processes such as the backing up of data or remote syncing of directories, and other references to the user. It is a good idea at first to disable the account in

/etc/passwd

after which you can search for the user's files and other references. Once all traces of the user have been cleaned up, you can remove the user completely--but if you remove the entry from

/etc/passwd

while these other references exist, you have a harder time referring to them.

When you remove a user, it's a good idea to follow a pre-determined course of action so you don't forget any important steps; it may even be a good idea to make a checklist so that you have a routine. Following, you will find several items requiring attention.

The first task is to disable the user's password, effectively locking him out. For example:

#passwd -l bwilson

Sometimes it's necessary to temporarily disable an account without removing it. For example, the user might go on maternity leave or take a post for 90 days in another country. You may also discover from your system logs that someone has gained unauthorized control of an account by guessing the password.

The passwd -l command is useful for these situations.

Next, you have to decide what to do with the user's files.

Remember that users may have files outside their home directory. The find command can find them:

find / -user bwilson

You can then decided whether to delete these files or keep them. If you decide to delete them, back them up in case you need data from them later. As extra security, you can change the user's login shell to a dummy value. Simply change the last line in the passwd file to something like *.

If your organization uses Secure Shell (SSH, usually provided on Linux by OpenSSH) and you allowremote RSA or DSA key authentication, a user can get access to the system even if the password is disabled. This is because SSH uses separate keys. For instance, even after you have locked Brian Wilson out of your system using the steps shown up to now, he could get on another computer somewhere and run a commandsuch as:


bwilson:~$ ssh -f -N -L8000:intranet.yourcompany.com:80 my.domain.com

This forwards traffic to port 80 (the port on which a web server usually listens) on your internal servert.

Obviously, if your system offers SSH, you should remove authorized keys from ~bwilson/.ssh

or .~bwilson/.ssh2

directories in order to stop a user from regaining access to his account this way..

Likewise, look for shosts and rhost files in the user's home directory: ~bwilson/.shosts
and ~bwilson/.rhosts.

Also, check to see if the user still has any processes running on the system. Such processes might act as a backdoor to allow a user into a network The following command will tell you if any are running currently.

# ps aux |grep -i ^bwilson

Some other questions a system administrator might ask about a personal user who has left the company include:

Could bwilson execute Common Gate Interface (CGI) scripts from his home directory or on one of the company's web servers?

Do any email forwarding files such as ~bwilson/.forward exist? Users can utilize forwarders to send mail to their accounts and cause programs to be executed on the system where they supposedly do not have access.

Sealing the home directory

You will often find that management wants to retain the information in the directory of an employee who leaves. All the email and other documents in a personal user's account belong to the company. In the event a disgruntled former employee becomes litigious, the company's legal counsel may want these files. Many analysts consider the keeping such directories as good practice. You can save the contents of a user's home directory by renaming it. Simply execute a move command:

# mv /home/bwilson /home/bwilson.locked

In this way, the former employee cannot log in or make any use of configuration files such as the .forward file discussed in the previous section. The contents remain intact if needed later.

1 Comments

Austin
2006-05-12 20:43:16
Hi Tom ,A Nice checklist for Sysadmin's, will come in handy ,Thanks for that wonderful writeup.