I'm running a webserver at Slicehost and decided to delete unused/unnecessary users. But I really don't know which ones are necessary for the system to work.

I use it as an Apache webserver with MySQL, PHP, memcached, SSH and ProFTPD.

This is the list of users in /etc/passwd.
How can I decide which ones to delete?

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
MYUSER:x:1000:1000:,,,:/home/MYUSER:/bin/bash
mysql:x:102:105:MySQL Server,,,:/var/lib/mysql:/bin/false
Debian-exim:x:103:106::/var/spool/exim4:/bin/false
ftp:x:104:65534::/home/ftp:/bin/false
logcheck:x:105:107:logcheck system account,,,:/var/lib/logcheck:/bin/false
proftpd:x:107:65534::/var/run/proftpd:/bin/false

Here's what an older version of the Debian documentation has to say about the matter: https://web.archive.org/web/20200415045431/https://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html#s12.1.12.1

That section has been removed from a newer manual. Looking at the users present in getent passwd, almost all of them have /usr/sbin/nologin as the shell. Some users only exist so that files can be owned by them. I don't think you need to remove users anymore.


Manually created users end up with a uid just above 1000 (unless you specified the uid). Just don't touch any other users than those in the 1000+ range manually.

Some accounts in the 100+ range are users linked to the programs you're running (Apache, MySQL, ProFTPd). In general, you should let packages deal with these users and not try to manage them manually.


It's hard to say; all the users are there because daemons and cron jobs need them.

But I can tell you which ones you can't delete.

Run top, ps -aux or something like that, and check the users; if there's a process started by the "nobody" user, you can't delete it. If you feel that those processes shouldn't be there, then stop the daemons and uninstall their packages, and then delete the users.

Also check crontab and cron.d; if you delete a user needed to start a cron job, that job will never work again.

For other users used as administrative users, you can set their shell to /bin/false if you are unsure about deleting them. The user will remain there, but nobody will get a shell from it.
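
The checks suggested in the answers above (UID range, running processes, cron jobs, login shell) can be combined into one audit pass over the passwd file. This is an added example, not part of the original posts; the function names, verdict labels and the process and cron lists in the demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the posts. Labels each passwd entry using the
# answers' checks: UID range, running processes, cron jobs, login shell.
# usage: audit_accounts PASSWD_FILE RUNNING_UIDS_FILE CRON_USERS_FILE
#   RUNNING_UIDS_FILE: one UID per line, e.g. `ps -eo uid= | sort -u` (procps)
#   CRON_USERS_FILE:   one user name per line (crontab owners, user column
#                      of /etc/crontab and /etc/cron.d/*); /dev/null if none
audit_accounts() {
    awk -F: -v uids="$2" -v cron="$3" '
        BEGIN {
            while ((getline l < uids) > 0) { gsub(/[ \t]/, "", l); running[l] = 1 }
            while ((getline l < cron) > 0) { gsub(/[ \t]/, "", l); hascron[l] = 1 }
        }
        /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
        {
            uid = $3 + 0
            # nologin/false refuse logins; /bin/sync only runs sync(1)
            login = ($7 !~ /(nologin|false|sync)$/)
            if (uid == 0)                          v = "keep:root"
            else if (uid in running)               v = "keep:process"
            else if ($1 in hascron)                v = "keep:cron"
            else if (uid >= 1000 && uid != 65534)  v = "review:manual-account"
            else if (login)                        v = "system:login-shell"
            else                                   v = "system:no-login"
            printf "%s\t%d\t%s\t%s\n", $1, uid, $7, v
        }' "$1"
}

# Constructed sample (subset of the listing in the question; the process
# and cron lists are invented for the demonstration).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
games:x:5:60:games:/usr/games:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
MYUSER:x:1000:1000:,,,:/home/MYUSER:/bin/bash
logcheck:x:105:107:logcheck system account,,,:/var/lib/logcheck:/bin/false
EOF
    printf '0\n33\n 101\n' > "$d/uids"     # UIDs with running processes
    printf 'logcheck\n' > "$d/cron"        # users owning cron jobs
    audit_accounts "$d/passwd" "$d/uids" "$d/cron"
    rm -rf "$d"
}
demo
```

Matching processes by UID rather than name avoids ps truncating long account names such as Debian-exim. Accounts labelled system:login-shell are the ones where the last answer's /bin/false suggestion applies.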