[Discuss] redhat user question

[invalid at pizzashack.org (Derek Martin)]

On Tue, Aug 06, 2013 at 03:35:03PM -0400, Eric Chadbourne wrote:
> I'm updating a couple of RedHat boxes for a client and see some most
> likely legacy users.  My first thoughts are, who are these users, do
> they still need access, and what do they have access to?

You can ask the client...  If they don't know who the users are,
disable the accounts and see who complains.

> How do you check for users in such a situation?  I like to do:

You can use tools like last, who, and w to see who's logged in
recently or right now...  For example, 

  last $username

will tell you about the recent logins of $username, assuming that the
user actually logs in via something that updates the utmp/wtmp database,
going as far back as the last time your wtmp was rotated.

> cat /etc/passwd |grep "/home" |cut -d: -f1
> 
> But I know this doesn't show everybody.  I've created users with no
> home before.  

Or users who have a home, but it's not in /home.

> Also how can I tell if a user has root permissions or
> able to access other stuff such as /var/www?

Heavy handed, but something like:

find / -uid $USERS_UID -o -gid $USERS_GID

You probably really would want something that considers perms on the
file, as just because it has group ownership for the user's group
doesn't mean it is group readable/writable... but I leave that as an
exercise for you.

This will also search pseudo file systems like /proc, which you may
want to avoid (as it's basically useless but potentially
time-consuming).

Note also that the user has group associations BOTH in /etc/passwd AND
in /etc/group.  You'd need to check them all.

This is time-consuming work, if you want to be thorough...

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.