Diffstat (limited to 'purge-nobody-user')
-rw-r--r--purge-nobody-user101
1 files changed, 101 insertions, 0 deletions
diff --git a/purge-nobody-user b/purge-nobody-user
new file mode 100644
index 0000000..66404fe
--- /dev/null
+++ b/purge-nobody-user
@@ -0,0 +1,101 @@
+#!/bin/bash -eu
+
+if [ $UID -ne 0 ]; then
+ echo "WARNING: This script needs to run as root to be effective"
+ exit 1
+fi
+
+export SYSTEMD_NSS_BYPASS_SYNTHETIC=1
+
+if [ "${1:-}" = "--ignore-journal" ]; then
+ shift
+ ignore_journal=1
+else
+ ignore_journal=0
+fi
+
+echo "Checking processes..."
+if ps h -u 99 | grep .; then
+ echo "ERROR: ps reports processes with UID 99!"
+ exit 2
+fi
+echo "... not found"
+
+echo "Checking UTMP..."
+if w -h 199 | grep . ; then
+ echo "ERROR: w reports UID 99 as active!"
+ exit 2
+fi
+if w -h nobody | grep . ; then
+ echo "ERROR: w reports user nobody as active!"
+ exit 2
+fi
+echo "... not found"
+
+echo "Checking the journal..."
+if [ "$ignore_journal" = 0 ] && journalctl -q -b -n10 _UID=99 | grep . ; then
+ echo "ERROR: journalctl reports messages from UID 99 in current boot!"
+ exit 2
+fi
+echo "... not found"
+
+echo "Looking for files in /etc, /run, /tmp, and /var..."
+if find /etc /run /tmp /var -uid 99 -print | grep -m 10 . ; then
+ echo "ERROR: found files belonging to UID 99"
+ exit 2
+fi
+echo "... not found"
+
+echo "Checking if nobody is defined correctly..."
+if getent passwd nobody |
+ grep '^nobody:[x*]:65534:65534:.*:/:/sbin/nologin';
+then
+ echo "OK, nothing to do."
+ exit 0
+else
+ echo "NOTICE: User nobody is not defined correctly"
+fi
+
+echo "Checking if nfsnobody or something else is using the uid..."
+if getent passwd 65534 | grep . ; then
+ echo "NOTICE: will have to remove this user"
+else
+ echo "... not found"
+fi
+
+if [ "${1:-}" = "-x" ]; then
+ if getent passwd nobody >/dev/null; then
+ # this will remove both the user and the group.
+ ( set -x
+ userdel nobody
+ )
+ fi
+
+ if getent passwd 65534 >/dev/null; then
+ # Make sure the uid is unused. This should free gid too.
+ name="$(getent passwd 65534 | cut -d: -f1)"
+ ( set -x
+ userdel "$name"
+ )
+ fi
+
+ if grep -qE '^(passwd|group):.*\bsss\b' /etc/nsswitch.conf; then
+ echo "Sleeping, so sss can catch up"
+ sleep 3
+ fi
+
+ if getent group 65534; then
+ # Make sure the gid is unused, even if uid wasn't.
+ name="$(getent group 65534 | cut -d: -f1)"
+ ( set -x
+ groupdel "$name"
+ )
+ fi
+
+ # systemd-sysusers uses the same gid and uid
+ ( set -x
+ systemd-sysusers --inline 'u nobody 65534 "Kernel Overflow User" / /sbin/nologin'
+ )
+else
+ echo "Pass '-x' to perform changes"
+fi
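Review bot: The UTMP check at `w -h 199` queries "199" while the error message on the following line reports UID 99, so the numeric check is looking at the wrong value and would never catch the id this script is purging; it should read `if w -h 99 | grep . ; then`. Even when corrected, `w` appears to filter by login name rather than numeric UID, so the `w -h nobody` check a few lines later is likely the one doing the real work here — worth a comment such as `# w matches by login name; the numeric form only catches a user literally named "99"`. The `-eu` in the shebang is also lost when the script is invoked as `bash purge-nobody-user`; a `set -eu` as the first statement keeps the strict mode in both invocation styles. Finally, `if getent group 65534; then` differs from the sibling `getent passwd … >/dev/null` guards and leaks the group entry to stdout; redirecting it the same way keeps the output consistent.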