Ubuntu – Two root accounts, what to do


I'm on Ubuntu 15.04 and today I've been reading an article about Linux security from this link.

Everything went well until the part about UID 0 accounts:

"Only root should have the UID 0. Another account with that UID is often synonymous to backdoor."

When running the command they gave me, I found out there was another root account. Just after that I disabled the account as the article does, but I'm sort of afraid of this account. I can find it in /etc/passwd:

rootk:x:0:500::/:/bin/false

And in /etc/shadow

rootk:!$6$loVamV9N$TorjQ2i4UATqZs0WUneMGRCDFGgrRA8OoJqoO3CCLzbeQm5eLx.VaJHeVXUgAV7E5hgvDTM4BAe7XonW6xmup1:16795:0:99999:7::1:

I tried to delete this account using userdel rootk but got this error:

userdel: user rootk is currently used by process 1

Process 1 is systemd. Could anyone give me some advice, please? Should I userdel -f? Is this account a normal root account?

Best Answer

Processes and files are actually owned by user ID numbers, not user names. rootk and root have the same UID, so everything owned by one is also owned by the other. Based on your description, it sounds like userdel saw every root process (UID 0) as belonging to the rootk user.

According to this man page, userdel has an option -f to force removal of the account even if it has active processes. And userdel would probably just delete rootk's passwd entry and home directory, without affecting the actual root account.

To be safer, I might be inclined to hand-edit the password file to remove the entry for rootk, then hand-remove rootk's home directory. You may have a command on your system named vipw, which lets you safely edit /etc/passwd in a text editor.
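
Added example (not from the answer above or the linked article): a read-only check that lists every account sharing UID 0 with root, with its login shell and whether its shadow password is locked. The function names and the sample files are constructed for illustration, and the hash from the question is replaced by a placeholder.

```shell
#!/bin/sh
# Audit passwd/shadow-format files for extra UID 0 accounts (read-only).
# File paths are parameters so the check can run on copies or backups.

# Print every account whose UID field (3rd) is 0, other than "root".
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Classify the shadow password field (2nd) of one account:
# locked = starts with "!" or "*", empty = no password, active = usable hash.
shadow_state() {
    awk -F: -v u="$1" '
        $1 == u { found = 1
                  if ($2 == "") print "empty"
                  else if ($2 ~ /^[!*]/) print "locked"
                  else print "active" }
        END { if (!found) print "missing" }' "${2:-/etc/shadow}"
}

# One report line per extra UID 0 account.
audit_uid0() {
    passwd_file="${1:-/etc/passwd}"; shadow_file="${2:-/etc/shadow}"
    for name in $(extra_uid0 "$passwd_file"); do
        shell=$(awk -F: -v u="$name" '$1 == u { print $7 }' "$passwd_file")
        printf '%s uid=0 shell=%s password=%s\n' \
            "$name" "$shell" "$(shadow_state "$name" "$shadow_file")"
    done
}

# Constructed sample files modelled on the entries quoted in the question.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
rootk:x:0:500::/:/bin/false
alice:x:1000:1000::/home/alice:/bin/bash
EOF
cat > "$demo_dir/shadow" <<'EOF'
root:*:16795:0:99999:7:::
rootk:!$6$PLACEHOLDER:16795:0:99999:7::1:
alice:$6$PLACEHOLDER:16795:0:99999:7:::
EOF
audit_uid0 "$demo_dir/passwd" "$demo_dir/shadow"
```

Run against the live files, `audit_uid0` with no arguments needs root to read /etc/shadow. A locked password only blocks password logins, so an unexpected UID 0 entry still warrants checking how it got there.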