How to tell if account is used anymore for anything
First, let me apologize, as I know this is a vague question.
Looking in /etc/passwd on a vsftp server, I noticed an account toward the top of that file that doesn't have a shell listed and the home folder for it is no longer valid. I did a su to that account and there's no crontab and if i hit up/down i dont get any recent commands. What else would you suggest I check before I can feel fairly confident this account is no longer used for anything and can be deleted? |
Change the password, sure, but delete? not so much. ;)
Or give the user a false or nologin shell? Just my advice, |
probably solid advice as a first step :-)
but if the account is somehow used for some process local to the server, would doing that give me a hint in either direction? |
you could always check "last" to see if the user has logged in any time recently...
|
Code:
last username |
or grep the auth.log under /var/log
|
a last username just returns the following, so i'm guessing that means it had to have been before that timestamp.
wtmp begins Mon May 13 13:57:46 2013 I don't see an auth.log in /var/log either. |
Please check whether any process is owned by that user by 'ps aux | grep username'
|
Code:
last <user> -f /var/log/btmp |
nothing from the ps aux
that last command returns this btmp begins Fri Aug 16 06:37:30 2013 |
Same reasoning applies, change password, wait, oh say [69]0 days, delete account...
|
Yeah, I think that's about the only option right now. Thanks for the help.
|
no worries.
Glad to be of help. |
Would writing a shell that logs the event someplace handy and then exec's the real login shell work for you?
|
I don't understand what that would do in this case, can you explain?
|
All times are GMT -5. The time now is 11:23 AM. |