Managing user accounts is a crucial aspect of system administration, especially when ensuring the security and integrity of a Linux environment. Disabling user accounts that are no longer in use or potentially compromised is a standard practice among IT professionals and managed service providers (MSPs).
This blog post explores a comprehensive script designed to disable user accounts in Linux, providing an in-depth understanding of its functionality, use cases, and best practices.
Understanding the Importance of User Account Management
In any IT infrastructure, user account management is paramount for maintaining security and operational efficiency. Unauthorized access or misuse of user accounts can lead to data breaches, loss of sensitive information, and potential system downtime. Hence, disabling inactive or compromised user accounts is a proactive measure to safeguard the system.
Background of the Script
The script we’re examining is designed to disable a specified user account by changing its login shell to /sbin/nologinand locking the account. This process prevents the user from logging in while preserving the account for potential reactivation or audit purposes. This approach is favored over outright deletion as it maintains the account’s history and related files intact.
The Script:
#!/usr/bin/env bash
# Description: Disables a user account by changing its shell to /sbin/nologin and locking the account.
#
# Release Notes: Initial Release
# By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
# Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
# Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
# Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider.
# Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
# Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
# Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
# EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
#
# Below are all the valid parameters for this script.
#
# Preset Parameter: "ReplaceMeWithUsernameToDisable"
# Username of the user you would like to disable.
#
# Help text function for when invalid input is encountered
print_help() {
printf '\n### Below are all the valid parameters for this script. ###\n'
printf '\nPreset Parameter: "ReplaceMeWithUsernameToDisable" \n'
printf '\t%s\n' "Username of the user you would like to disable."
}
# Determines whether or not help text is nessessary and routes the output to stderr
die() {
local _ret="${2:-1}"
echo "$1" >&2
test "${_PRINT_HELP:-no}" = yes && print_help >&2
exit "${_ret}"
}
_arg_userToDisable=
# Grabbing the parameters and parsing through them.
parse_commandline() {
while test $# -gt 0; do
_key="$1"
case "$_key" in
--help | -h)
_PRINT_HELP=yes die 0
;;
--*)
_PRINT_HELP=yes die "FATAL ERROR: Got an unexpected argument '$1'" 1
;;
*)
if [[ -z $_arg_userToDisable ]]; then
_arg_userToDisable=$1
else
_PRINT_HELP=yes die "FATAL ERROR: Got an unexpected argument '$1' but user '$_arg_userToDisable' was already specified!" 1
fi
;;
esac
shift
done
}
# Parse the command-line arguments passed to the script.
parse_commandline "$@"
if [[ -n $usernameToDisable ]]; then
_arg_userToDisable="$usernameToDisable"
fi
# Check if the username to disable is empty and display an error if it is.
if [[ -z $_arg_userToDisable ]]; then
_PRINT_HELP=yes die "[Error] The username of the user you would like to disable is required!'" 1
fi
# Validate the username to ensure it only contains lowercase letters, digits, hyphens, and underscores.
if [[ ! $_arg_userToDisable =~ ^[a-z0-9_-]+$ ]]; then
_PRINT_HELP=no die "[Error] Invalid characters detected in '$_arg_userToDisable' usernames can only have a-z, 0-9 or -, _ characters!" 1
fi
# Search for the user in the /etc/passwd file and ensure the user account is not already set to 'nologin'.
passwdEntry=$(grep -w "$_arg_userToDisable" /etc/passwd)
if [[ -z $passwdEntry ]]; then
_PRINT_HELP=no die "[Error] User '$_arg_userToDisable' does not exist." 1
fi
unlockedaccount=$(passwd -S "$_arg_userToDisable" | cut -f2 -d " " | grep -v "L")
nologin=$(grep -w "$_arg_userToDisable" /etc/passwd | cut -d ":" -f7 | grep "nologin")
if [[ -z $unlockedaccount && -n $nologin ]]; then
_PRINT_HELP=no die "[Error] User '$_arg_userToDisable' is already disabled. $nologin" 1
fi
# Check if the 'sudo' command is available on the system.
sudoAvailable=$(command -v sudo)
# If 'sudo' is available, check if the specified user has sudo privileges and is not explicitly forbidden from using sudo.
if [[ -n $sudoAvailable ]]; then
sudoAccess=$(sudo -l -U "$_arg_userToDisable" | grep -v "is not allowed to run sudo")
fi
# Initialize a flag to check for the availability of another administrative user.
anotherAdminAvaliable=false
# If the user to disable is 'root' or if they have sudo access, proceed to check for other admin users.
if [[ "$_arg_userToDisable" == "root" || -n $sudoAccess ]]; then
# Fetch all user accounts with UID >= 1000 (typically regular users) and exclude the specified user and 'nobody'.
allAccounts=$(cut -d ":" -f1,3 /etc/passwd | grep -v -w "$_arg_userToDisable" | grep -v "nobody" | awk -F ':' '$2 >= 1000 {print $1}')
# If the user to disable is not 'root', add 'root' to the list of all accounts if it is enabled and not set to 'nologin'.
if [[ ! "$_arg_userToDisable" == "root" ]]; then
enabled=$(grep -w "root" /etc/passwd | grep -v "nologin")
if [[ -n $enabled ]]; then
allAccounts=$(echo "$allAccounts"; echo "root")
fi
fi
# Iterate over each account to check if there are other admin users available.
for account in $allAccounts; do
# Skip checking accounts if 'sudo' is not available.
if [[ -z $sudoAvailable ]]; then
continue
fi
# Check if the current account has sudo access.
sudoAccess=$(sudo -l -U "$account" | grep -v "is not allowed to run sudo")
if [[ -z $sudoAccess ]]; then
continue
fi
# Check if the current account is enabled (i.e., not set to 'nologin').
accountEnabled=$(grep -w "$account" /etc/passwd | grep -v "nologin")
if [[ -z $accountEnabled ]]; then
continue
fi
# If an admin account is available and enabled, set the flag to true.
anotherAdminAvaliable="true"
done
# If no other admin users are available, output an error and suggest creating another admin account.
if [[ $anotherAdminAvaliable == "false" ]]; then
_PRINT_HELP=no die "[Error] No other admins available. Please create another account to administer the system." 1
fi
fi
# Attempt to change the shell of the user to /sbin/nologin to disable login capabilities.
if ! usermod "$_arg_userToDisable" -s /sbin/nologin; then
_PRINT_HELP=no die "[Error] Failed to change the shell for '$_arg_userToDisable' to /sbin/nologin." 1
fi
# Attempt to lock the user account using usermod.
if ! usermod -L "$_arg_userToDisable"; then
_PRINT_HELP=no die "[Error] Failed to lock '$_arg_userToDisable' using usermod." 1
fi
# Check if the user has been successfully disabled by confirming 'nologin' is set.
disabledUser=$(grep -w "$_arg_userToDisable" /etc/passwd | grep "nologin")
if [[ -n $disabledUser ]]; then
echo "Successfully disabled '$_arg_userToDisable'."
else
_PRINT_HELP=no die "[Error] Failed to disable '$_arg_userToDisable'." 1
fi
Access over 300+ scripts in the NinjaOne Dojo
Detailed Breakdown
Initial Setup and Parameter Parsing
The script begins with defining a help text function (print_help) and a die function (die) to handle errors and display relevant messages. The parse_commandline function processes command-line arguments to identify the username of the account to be disabled.
Validating the User Account
The script then checks if the specified username is valid and exists in the system. It ensures the username contains only allowed characters (lowercase letters, digits, hyphens, and underscores) and verifies its existence in the /etc/passwd file.
Ensuring No Conflicts with Admin Accounts
The script further checks if the user to be disabled has administrative privileges. It verifies if there are other available admin accounts to prevent locking out essential administrative access.
Disabling the User Account
Finally, the script disables the user account by changing the shell to /sbin/nologin and locking the account. It verifies the success of these operations and provides feedback.
Potential Use Cases
Consider a scenario where an IT professional needs to disable an account for an employee who has left the company. The script provides a streamlined and efficient method to ensure the account is disabled without deleting it. This allows the IT team to retain the user’s data and account history for compliance and audit purposes.
Comparisons to Other Methods
The traditional approach to disabling a user account might involve manually editing the /etc/passwd file or running multiple commands. This script automates the process, reducing the risk of human error and ensuring consistency across different systems.
FAQs
Q: Can this script delete a user account?
A: No, the script only disables the account by changing the shell and locking it. Deleting an account would require additional commands.
Q: Is it safe to disable the root account?
A: Disabling the root account can render the system unmanageable. The script includes checks to ensure another admin account is available before proceeding.
Q: What if the user account is already disabled?
A: The script checks the account status and notifies if the account is already disabled, avoiding redundant operations.
Implications for IT Security
Disabling inactive or compromised user accounts is a critical security measure. It reduces the attack surface and prevents unauthorized access, thereby enhancing the overall security posture of the organization.
Recommendations
When using this script, ensure:
- You have another administrative account available.
- Regularly review and update your user account management policies.
- Test the script in a non-production environment before deploying it in a live setting.
Final Thoughts
User account management is a fundamental aspect of system administration. This script simplifies the process of disabling user accounts in Linux, offering a robust and automated solution. Tools like NinjaOne can further streamline IT operations, providing comprehensive management and monitoring capabilities to ensure your systems remain secure and efficient.
By following best practices and leveraging automated scripts, IT professionals can maintain a secure and well-managed Linux environment, safeguarding their infrastructure against potential threats and ensuring smooth operational continuity.
