LinuxQuestions.org
Old 04-18-2017, 04:03 PM   #1
rockyx
LQ Newbie
 
Registered: Apr 2017
Posts: 1

Change uid of user who had uid=0 (but is not root)


Hi friends,

I have a Linux server: Red Hat Enterprise Linux Server release 6.7 (Santiago)

I found a user who had uid=0, like the root user. I want to restore its old UID (which is 500), but I get the following error:

[root@SERVER /]# usermod -u 500 -o userav
usermod: user userav is currently used by process 1

[root@SERVER /]# cat /etc/passwd | grep userav
userav:x:0:0:userav:/home/userav:/bin/bash

I don't know what I can do.

Best regards,

Rockyx.
 
Old 04-18-2017, 07:44 PM   #2
rigor
Member
 
Registered: Sep 2003
Location: 19th moon ................. ................Planet Covid ................Another Galaxy;............. ................Not Yours
Posts: 705

Hi rockyx,

I'm not aware of, nor have I been able to find, any special significance to "userav".

So it would seem most likely that the usermod command is just checking to see if the user ID is in use, which since that's also root's user ID, naturally it is.

If it were me, I'd bring the system down to the single user state, then manually edit the associated file(s) to restore the ID. Finally, reboot.

HOWEVER, PLEASE NOTE, if I were administering that system, I would want to know how the ID got changed in the first place, and what might be associated with it. Whether it's related to a so-called "root kit", or something legitimate running on the system. Naturally if it's a "root kit" I'd "lock down" the system and check it thoroughly. If it's something legitimate, I'd be concerned that something might need to be done before changing it back.

IF AND ONLY IF, it's just a matter of getting past the usermod command's objections, then the manual edit and reboot should do it.

Last edited by rigor; 04-18-2017 at 07:45 PM.
 
Old 04-18-2017, 08:21 PM   #3
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: Slackware (15 current), Slack15, Ubuntu studio, MX Linux, FreeBSD 13.1, WIn10
Posts: 10,342

I agree with @rigor, not that I know anything about server-side Linux. Though I know if it is being used when you're running, you've got to get it like he said. Or me with dual boot: I just boot my other Linux and mount the one I need to do something with, so whatever process will not be running and I can change it.

Perhaps that is why I never really learned the single-user-mode way of doing things.

But definitely a need to know how it got that way has raised its head, so whoever or however it happened can hopefully be prevented from happening again.

Last edited by BW-userx; 04-18-2017 at 08:24 PM.
 
Old 04-19-2017, 01:25 AM   #4
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

I suspect a tip-of-the-iceberg sort of problem.
 
Old 04-20-2017, 08:17 AM   #5
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Indeed, if that user had uid=0, that user was root!

I would therefore speculate that your system has been thoroughly compromised. I can think of no legitimate reason for any other user to have uid=0, and plenty of illegitimate ones.
 
1 members found this post helpful.
Old 04-24-2017, 05:13 PM   #6
MadeInGermany
Senior Member
 
Registered: Dec 2011
Location: Simplicity
Posts: 2,794

A shortcoming of usermod.
You can change the user's uid in /etc/passwd by means of vi.
You don't need single-user mode for that.
 
2 members found this post helpful.
Old 04-25-2017, 09:30 PM   #7
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Quote:
Originally Posted by MadeInGermany
A shortcoming of usermod.
You can change the users uid in /etc/passwd by means of vi.
You don't need single-user mode for that.
Except that, in most systems, /etc/passwd is not the actual file.

Normally, a "shadow file" in /etc/shadow is the actual file that is consulted. And you cannot touch it.
 
Old 04-26-2017, 03:50 AM   #8
MadeInGermany
Senior Member
 
Registered: Dec 2011
Location: Simplicity
Posts: 2,794

No, in most systems /etc/passwd is the actual file, and the uid is in the 3rd field.
 
Old 04-26-2017, 08:54 PM   #9
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Quote:
Originally Posted by MadeInGermany
No, in most systems /etc/passwd is the actual file, and the uid is in the 3rd field.
/etc/passwd is maintained, to be a "well-known data source for compatibility purposes," but it does not contain actual authentication information.

In a "simple standard Linux" setup these days, authentication data is in /etc/shadow, which is protected. So far as I know, it is the true authority. (As it should be.)

In other possible configurations, there might well be no shadow-file: the authority could well be an LDAP (Microsoft OpenDirectory®) server, or Kerberos®, maintained by the corporate security team.

Nevertheless, /etc/passwd and /etc/group are often "maintained" for the benefit of all those existing scripts and other programs that expect to be able to pore through them.

Last edited by sundialsvcs; 04-26-2017 at 08:58 PM.
 
Old 04-26-2017, 09:42 PM   #10
Laserbeak
Member
 
Registered: Jan 2017
Location: Manhattan, NYC NY
Distribution: Mac OS X, iOS, Solaris
Posts: 508

Quote:
Originally Posted by sundialsvcs
Indeed, if that user had uid=0, that user was root!

I would therefore speculate that your system has been thoroughly compromised. I can think of no legitimate reason for any other user to have uid=0, and plenty of illegitimate ones.
I would agree. I've been a UNIX administrator before and any user, whatever the name, whose id is 0 has root powers. You have a MAJOR problem on your hands.
 
Old 04-27-2017, 01:49 PM   #11
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,779

Quote:
Originally Posted by sundialsvcs
/etc/passwd is maintained, to be a "well-known data source for compatibility purposes," but it does not contain actual authentication information.

In a "simple standard Linux" setup these days, authentication data is in /etc/shadow, which is protected. So far as I know, it is the true authority. (As it should be.)
There are no numeric UIDs or GIDs in /etc/shadow. That information is in /etc/passwd only. The /etc/shadow file contains just the user names and their associated password and account expiration information.
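
The check this thread turns on (the numeric UID is the third field of /etc/passwd, and every account whose UID is 0 has root's powers), written out as an added example that is not part of any post above. The function names and all sample entries except the userav line are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for accounts sharing UID 0.
# passwd(5) layout: name:password:UID:GID:GECOS:home:shell

# Write a constructed sample file; only the userav line comes from the thread.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample data
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
userav:x:0:0:userav:/home/userav:/bin/bash
svc:x:00:0:leading zeros still mean UID 0:/:/bin/sh
alice:x:501:501::/home/alice:/bin/bash
EOF
}

# Print "name:shell" for every account whose UID field is numerically 0.
uid0_accounts() {
    awk -F: '
        /^[ \t]*#/  { next }              # skip comments
        NF < 7      { next }              # skip blank or malformed entries
        $3 ~ /^0+$/ { print $1 ":" $7 }   # matches 0, 00, 000, ...
    ' "${1:-/etc/passwd}"
}

# Print only the UID-0 accounts that are not named "root".
extra_uid0_accounts() {
    uid0_accounts "$1" | awk -F: '$1 != "root" { print $1 }'
}

# Print "uid name1,name2,..." for every UID assigned to more than one account.
shared_uids() {
    awk -F: '
        /^[ \t]*#/ || NF < 7 || $3 !~ /^[0-9]+$/ { next }
        { uid = $3 + 0; n[uid]++
          names[uid] = (n[uid] > 1 ? names[uid] "," : "") $1 }
        END { for (u in n) if (n[u] > 1) print u, names[u] }
    ' "${1:-/etc/passwd}" | sort -n
}

sample=$(mktemp)
make_sample "$sample"
echo "UID 0 accounts other than root:"; extra_uid0_accounts "$sample"
echo "UIDs shared by several accounts:"; shared_uids "$sample"
rm -f "$sample"
```

Called without an argument, each function reads /etc/passwd on the running system.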
 
  


All times are GMT -5.