8

I am having a problem on the server (CentOS 6, Plesk 11.5) where a particular user is using a mass mailer and is blacklisting our IP address. I have tried to delete this user using:

/usr/sbin/userdel test

but it returns a message saying that the user is currently logged in. I thought ok, kill the process. So I tried:

pkill -u test

and also locked the account using:

passwd -l test

which will hopefully stop him logging into the system in future.

Still saying user is logged in. How can I log this user out to enable me to delete him off the system?

Gilles 'SO- stop being evil'
user1532468

5 Answers

8

First, grep all of the 'test' user's processes, kill -9 all the PIDs, then delete the user.

pgrep -u test
ps -fp $(pgrep -u test)
killall -KILL -u test
userdel -r test
msnfreaky
2

passwd -l <user>

doesn't stop all possible means of logging in. For example, if they log in using ssh with public keys they can still log in, as they won't need a password.

To stop the user logging in again, edit the /etc/passwd file and remove the user or change the 7th column to /sbin/nologin.

Run:

ps -u <user>

to see what processes the user is still using and kill all of them. You may have to use:

kill -s 9 <pid>

to force the process to stop.

garethTheRed
  • ps -u returns 21398 ? 00:00:01 sshd 21408 ? 00:00:08 sshd 21412 ? 00:00:03 sshd 21416 ? 00:00:00 sshd 21418 ? 00:00:00 sshd 21422 ? 00:00:01 sshd 21424 ? 00:00:03 sshd 21426 ? 00:00:03 sshd Do I just kill each process? Thanks – user1532468 Jul 21 '14 at 12:02
  • Yes. Kill them all. Also ps -AF | grep may show a few more as it will show processes with the username in their arguments. – garethTheRed Jul 21 '14 at 12:27
  • For those of us scared to touch `/etc/passwd` directly, `sudo /usr/bin/chsh -s /sbin/nologin baduser` also works (`chsh`: change shell). – Ulrich Schwarz Jul 21 '14 at 13:14
2

passwd -l <user> does not disable the account. As gareth said, the user may still be able to log in using another authentication token such as an SSH key. To disable this account you should use usermod --expiredate 1 <user>; this sets the account expiry date to 1970. Now you should kill all processes the user has started. Running:

$ pgrep -u Foo

will print all processes that the user Foo has started. Running:

$ kill -9 <pid>

will send the SIGKILL signal, which kills that process. Now run:

$ pgrep -u Foo | xargs kill -9

This will get all process IDs of user Foo and kill them all.

OR:

$ pkill -9 -u Foo

amir jj
  • The usermod worked for me. I had an account that was passwordless that I initially couldn't delete. I added a password and I still couldn't delete it. Whenever I killed the user's process, a new one showed up and it seemed endless. After using usermod and expiredate, that seemed to stop it from creating a new process and so I could delete the account. – linstar Aug 13 '16 at 03:27
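
The answers above name three separate controls: the password lock left by passwd -l, the expiry date set by usermod --expiredate 1, and a /sbin/nologin shell. The following is an added example, not code from any answer: it reads passwd- and shadow-format files and reports which of those controls is in place for an account. The function names, sample accounts and hashes are constructed, and the verdict rule only encodes what the answers state (a password lock alone still leaves key-based login).

```shell
#!/bin/sh
# Added example: sample files below are constructed, in passwd(5)/shadow(5) layout.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
alice:x:1001:1001::/home/alice:/bin/bash
test:x:1002:1002::/home/test:/bin/bash
baduser:x:1003:1003::/home/baduser:/sbin/nologin
Foo:x:1004:1004::/home/Foo:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
alice:$6$constructed$hash:19000:0:99999:7:::
test:!!$6$constructed$hash:19000:0:99999:7:::
baduser:$6$constructed$hash:19000:0:99999:7:::
Foo:$6$constructed$hash:19000:0:99999:7::1:
EOF

# field FILE USER N -> prints field N of USER's line (empty if no such line)
field() { awk -F: -v u="$2" -v n="$3" '$1 == u { print $n }' "$1"; }

# audit_account USER PASSWD_FILE SHADOW_FILE
# Prints "password=... expiry=... shell=... verdict=..."; returns 1 if USER is absent.
audit_account() {
    a_user=$1; a_passwd=$2; a_shadow=$3
    if [ -z "$(field "$a_passwd" "$a_user" 1)" ]; then
        echo "no-such-user"; return 1
    fi
    a_today=$(( $(date +%s) / 86400 ))      # shadow(5) dates are days since 1970-01-01

    case $(field "$a_shadow" "$a_user" 2) in
        '!'*|'*'*) a_pw=locked ;;           # passwd -l prefixes the hash with '!'
        *)         a_pw=usable ;;
    esac
    a_exp=$(field "$a_shadow" "$a_user" 8)  # set to 1 by usermod --expiredate 1
    if [ -n "$a_exp" ] && [ "$a_exp" -le "$a_today" ]; then a_expiry=expired; else a_expiry=active; fi
    case $(field "$a_passwd" "$a_user" 7) in
        */nologin|*/false) a_shell=nologin ;;
        *)                 a_shell=login ;;
    esac

    if [ "$a_expiry" = expired ] || [ "$a_shell" = nologin ]; then a_verdict=blocked
    elif [ "$a_pw" = locked ]; then a_verdict=key-login-possible
    else a_verdict=open
    fi
    echo "password=$a_pw expiry=$a_expiry shell=$a_shell verdict=$a_verdict"
}

for u in alice test baduser Foo; do
    printf '%-8s %s\n' "$u" "$(audit_account "$u" "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow")"
done
```

On a real host the same function can be pointed at /etc/passwd and /etc/shadow as root before running userdel.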
1

Have you tried killing all the user's processes with SIGKILL?

pkill -KILL -u username
numeral
0

userdel -rf username 

An error will pop up but this will delete the user permanently. You can check it in /etc/passwd.

Eliah Kagan