list all system users, eg. _x11

Luke Small
Is there a way to determine all users on a system that the users command
doesn't seem to show? like _x11 and _ntpd

Re: list all system users, eg. _x11

Solene Rapenne
On 2017-05-06 20:27, Luke Small wrote:
> Is there a way to determine all users on a system that the users command
> doesn't seem to show? like _x11 and _ntpd

Hello,
System users have a uid < 1000; you can retrieve them by parsing
/etc/passwd like this:

awk -F ':' '{ if ($3 < 1000) { print $1 } }' /etc/passwd

You can replace $1 with $0 if you want the whole line instead of only the
login.


Re: list all system users, eg. _x11

STeve Andre'
In reply to this post by Luke Small


On 05/06/17 14:27, Luke Small wrote:
> Is there a way to determine all users on a system that the users command
> doesn't seem to show? like _x11 and _ntpd

What's a user?

Maybe you want to look at /etc/passwd.  The first four lines are

root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
operator:*:2:5:System &:/operator:/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin

You can parse that with awk and do stuff.  Read about passwd(5) to
understand the format.  A login shell of /sbin/nologin means
it isn't interactive.  That might get you started?

--STeve Andre'


Re: list all system users, eg. _x11

Marcus MERIGHI
[hidden email] (STeve Andre'), 2017.05.06 (Sat) 20:37 (CEST):
> On 05/06/17 14:27, Luke Small wrote:
> > Is there a way to determine all users on a system that the users command
> > doesn't seem to show? like _x11 and _ntpd

users(1) - list current users

I'd try ps(1) and get all active users from there.

If you are after *all* users (inactive ones as well) you could use
"getent(1) passwd" and parse from there.

Marcus

> What's a user?
>
> Maybe you want to look at /etc/passwd.  The first four lines are
>
> root:*:0:0:Charlie &:/root:/bin/ksh
> daemon:*:1:1:The devil himself:/root:/sbin/nologin
> operator:*:2:5:System &:/operator:/sbin/nologin
> bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
>
> You can parse that with awk and do stuff.  Read about passwd(5) to
> understand the format.  A login shell of /sbin/nologin means
> it isn't interactive.  That might get you started?
>
> --STeve Andre'


Re: list all system users, eg. _x11

andrew fabbro
Listing all users is trivial - I don't think that's what he's asking.

He's asking "how do I list all *system* users", presumably in a way that
differentiates them from user accounts in some kind of authoritative way.

I don't think there is a way.  You could:

- Assume all users < uid 1000 are system users, but that is not hard
enforced to my knowledge.  IIRC the OS will start with 1001 but an admin
could override that at user creation time.

- Use your preferred programming language or utility to parse out entries
that begin with _ in /etc/passwd.  That won't get non-service-account
entries like root, bin, etc.  Also, I don't think there's a technical
prohibition to creating a new user account that starts with an underscore.

- Differentiate by groups.  i.e., if all your users are in one group, then
you know who isn't.

I think if your admins don't do stupid things (create user accounts under
1000, create accounts starting with _, etc.) then just parsing /etc/passwd
would likely be the simplest way.

As practical experience, that's what I've done when migrating systems,
etc.  I assume that people play by the rules, so if I need to identify all
the user accounts (to recreate them on a new system or something), I
exclude uids under 1000 as a starting point.


On Mon, May 8, 2017 at 4:51 AM, Marcus MERIGHI <[hidden email]> wrote:

> [hidden email] (STeve Andre'), 2017.05.06 (Sat) 20:37 (CEST):
> > On 05/06/17 14:27, Luke Small wrote:
> > > Is there a way to determine all users on a system that the users command
> > > doesn't seem to show? like _x11 and _ntpd
>
> users(1) - list current users
>
> I'd try ps(1) and get all active users from there.
>
> If you are after *all* users (inactive ones as well) you could use
> "getent(1) passwd" and parse from there.
>
> Marcus
>
> > What's a user?
> >
> > Maybe you want to look at /etc/passwd.  The first four lines are
> >
> > root:*:0:0:Charlie &:/root:/bin/ksh
> > daemon:*:1:1:The devil himself:/root:/sbin/nologin
> > operator:*:2:5:System &:/operator:/sbin/nologin
> > bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
> >
> > You can parse that with awk and do stuff.  Read about passwd(5) to
> > understand the format.  A login shell of /sbin/nologin means
> > it isn't interactive.  That might get you started?
> >
> > --STeve Andre'
>
>


--
andrew fabbro
[hidden email]
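
An added example, not part of any post in this thread: it applies the uid-under-1000 and leading-underscore heuristics from the message above, plus the /sbin/nologin shell check mentioned earlier in the thread, to passwd(5) records and marks the accounts on which they disagree. The function names, the uids of the _ accounts and the last three sample records are constructed for illustration; the group-based heuristic is not covered.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# classify_passwd [FILE]: read passwd(5) records from FILE (or stdin) and print
#   login  uid  uid-below-1000  underscore-prefix  nologin-shell  verdict
classify_passwd() {
    awk -F ':' '
        /^#/ || NF != 7   { next }   # skip comments and malformed records
        $3 !~ /^[0-9]+$/  { next }   # the uid field must be numeric
        {
            low   = ($3 + 0 < 1000)         ? "yes" : "no"
            under = ($1 ~ /^_/)             ? "yes" : "no"
            nolog = ($7 == "/sbin/nologin") ? "yes" : "no"
            votes = (low == "yes") + (under == "yes") + (nolog == "yes")
            # All three agree -> system or regular; anything else needs a look.
            verdict = (votes == 3) ? "system" : ((votes == 0) ? "regular" : "mixed")
            printf "%-10s %5d %-3s %-3s %-3s %s\n", $1, $3, low, under, nolog, verdict
        }
    ' "${1:--}"
}

# Constructed sample input: the first four records are the ones quoted in the
# thread; every other record (including the uids) is made up for this example.
sample_passwd() {
    cat <<'EOF'
root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
operator:*:2:5:System &:/operator:/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
_x11:*:35:35:X Server:/var/empty:/sbin/nologin
_ntpd:*:83:83:NTP Daemon:/var/empty:/sbin/nologin
_unbound:*:53:53:Unbound Daemon:/var/unbound:/sbin/nologin
alice:*:1000:1000:Alice:/home/alice:/bin/ksh
_oddball:*:1005:1005:Underscore login, regular uid:/home/_oddball:/bin/ksh
broken:*:notanumber
EOF
}

# Print the comparison table for the sample; pass /etc/passwd as the file
# argument to classify_passwd to check a real system.
sample_passwd | classify_passwd
```

Accounts reported as "mixed" (root, daemon, and the constructed _oddball) are exactly the cases where no single rule is authoritative.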

Re: list all system users, eg. _x11

Luke Small
Well, actually I like to play with firewall configurations and I set up
unbound and dnscrypt-proxy and I wanted to limit the users that are able to
receive dns requests on localhost port 53. I was trying to figure out what
user was listening. I haven't tried it yet, but I figure it is _dhcp and
_unbound. It didn't work when I limited it to _unbound alone. Maybe I
should have said that, but I wanted to generally know where the list was.

On Tue, May 9, 2017 at 1:57 PM andrew fabbro <[hidden email]> wrote:

> Listing all users is trivial - I don't think that's what he's asking.
>
> He's asking "how do I list all *system* users", presumably in a way
> that differentiates them from user accounts in some kind of authoritative
> way.
>
> I don't think there is a way.  You could:
>
> - Assume all users < uid 1000 are system users, but that is not hard
> enforced to my knowledge.  IIRC the OS will start with 1001 but an admin
> could override that at user creation time.
>
> - Use your preferred programming language or utility to parse out entries
> that begin with _ in /etc/passwd.  That won't get non-service-account
> entries like root, bin, etc.  Also, I don't think there's a technical
> prohibition to creating a new user account that starts with an underscore.
>
> - Differentiate by groups.  i.e., if all your users are in one group, then
> you know who isn't.
>
> I think if your admins don't do stupid things (create user accounts under
> 1000, create accounts starting with _, etc.) then just parsing /etc/passwd
> would likely be the simplest way.
>
> As practical experience, that's what I've done when migrating systems,
> etc.  I assume that people play by the rules, so if I need to identify all
> the user accounts (to recreate them on a new system or something), I
> exclude uids under 1000 as a starting point.
>
>
> On Mon, May 8, 2017 at 4:51 AM, Marcus MERIGHI <[hidden email]>
> wrote:
>
>> [hidden email] (STeve Andre'), 2017.05.06 (Sat) 20:37 (CEST):
>> > On 05/06/17 14:27, Luke Small wrote:
>> > > Is there a way to determine all users on a system that the users command
>> > > doesn't seem to show? like _x11 and _ntpd
>>
>> users(1) - list current users
>>
>> I'd try ps(1) and get all active users from there.
>>
>> If you are after *all* users (inactive ones as well) you could use
>> "getent(1) passwd" and parse from there.
>>
>> Marcus
>>
>> > What's a user?
>> >
>> > Maybe you want to look at /etc/passwd.  The first four lines are
>> >
>> > root:*:0:0:Charlie &:/root:/bin/ksh
>> > daemon:*:1:1:The devil himself:/root:/sbin/nologin
>> > operator:*:2:5:System &:/operator:/sbin/nologin
>> > bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
>> >
>> > You can parse that with awk and do stuff.  Read about passwd(5) to
>> > understand the format.  A login shell of /sbin/nologin means
>> > it isn't interactive.  That might get you started?
>> >
>> > --STeve Andre'
>>
>>
>
>
> --
> andrew fabbro
> [hidden email]
>
>