
How To Delete/Remove Users in Linux (userdel, deluser & Manually)


As a system administrator, a time will come when you’ll need to delete or remove users in your organization’s Linux system. It could be due to security reasons, routine account management, or organizational changes that require you to remove inactive accounts or offboard employees. Whatever the reason, it's important to do this properly to avoid problems like broken processes, orphaned files, and security vulnerabilities.

Understanding Linux User Accounts

User accounts on Linux fall into four categories: root, system, service, and regular. When you create users (regular and system), Linux systems usually list or store them in a system file called /etc/passwd. Password data for these users is stored in the /etc/shadow file in encrypted formats.

3 Methods To Delete/Remove Users in Linux

There are three main ways to safely remove Linux users:

1. Using the userdel Command

userdel is a standard Linux utility that lets you delete users and, if necessary, associated or related account files, such as the home directory. It does so by modifying the system account files and deleting entries associated with the username LOGIN. 

The basic syntax for this command is:

userdel <options> username

Where:

  • <options>: These are additional flags that customize the deletion action.
  • username: This is the unique name of the user account. 

There are several options you can use with the userdel command, including:

  • -r: This deletes the user account along with its home directory and mail spool. 
  • -f: This forcefully deletes a user account even if it’s logged in. 

It’s best to first confirm the existence of the users before deleting them:

cat users_to_delete.txt | xargs -I {} id {}

  • cat users_to_delete.txt: Reads the list of users.
  • xargs -I {}: Passes each username to the id command, so you only act on valid accounts.

Once you’ve verified the users, you can run the userdel command. 

Note: userdel -r does not remove files outside the home directory (e.g. files owned by the user in /var or /tmp). If you need to remove such files, you can use find / -user <username> to locate them.
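The existence check above, extended into a dry-run preflight for the whole list. This is an added example, not code from the original article. It assumes local accounts only (it reads a passwd-format file rather than calling id), and MIN_UID, classify_user, preflight and demo_preflight are hypothetical names introduced here.

```bash
#!/usr/bin/env bash
# Added example: dry-run preflight for a batch of account removals.
# MIN_UID is an assumption: 1000 is the first regular UID on many
# distributions (check UID_MIN in /etc/login.defs on your system).
MIN_UID="${MIN_UID:-1000}"

# classify_user NAME [PASSWD_FILE] -> prints ok, missing or protected
classify_user() {
    # Exact match on the login field, so "bob" never matches "bobby".
    cu_uid=$(awk -F: -v u="$1" '$1 == u { print $3; exit }' "${2:-/etc/passwd}")
    if [ -z "$cu_uid" ]; then
        echo missing
    elif [ "$cu_uid" -lt "$MIN_UID" ]; then
        echo protected              # root, system and service accounts
    else
        echo ok
    fi
}

# preflight LIST_FILE [PASSWD_FILE] -> prints what would be run, runs nothing
preflight() {
    while IFS= read -r pf_name || [ -n "$pf_name" ]; do
        case "$pf_name" in ''|'#'*) continue ;; esac   # blank lines, comments
        case "$(classify_user "$pf_name" "${2:-/etc/passwd}")" in
            ok)        echo "userdel -r $pf_name" ;;
            missing)   echo "# skip $pf_name: no such account" ;;
            protected) echo "# skip $pf_name: UID below $MIN_UID" ;;
        esac
    done < "$1"
}

# Constructed sample data, so the demo never touches real accounts.
demo_preflight() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'www-data:x:33:33::/var/www:/usr/sbin/nologin' \
                  'bobby:x:1001:1001::/home/bobby:/bin/bash' > "$d/passwd"
    printf '%s\n' 'bob' 'bobby' 'www-data' > "$d/users_to_delete.txt"
    preflight "$d/users_to_delete.txt" "$d/passwd"
    rm -rf "$d"
}
```

Review the printed commands before running any of them; names that are missing or that belong to system accounts are reported as comments instead of being passed to userdel.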

2. Using deluser (Debian-based Systems)

In Debian Linux-based systems, the deluser command is preferred because of its user-friendliness. It removes a user account and all its user-to-group connections. 

The basic syntax for this command is:

sudo deluser username

You can incorporate options into the deluser command, such as:

  • --remove-home: This flag removes the user’s associated home directory and mail spool. 
  • --remove-all-files: This deletes all files the user owns. However, this only works if you remove the user before deleting the home directory. If you remove the home directory first, this option may fail to locate orphaned files.

3. Manually Removing a User

This method gives you complete control over the deletion process, especially in cases where there are system inconsistencies or corrupted accounts. Here are the steps:

1. Terminate all user processes

Before deleting the user account you want to remove, you may need to stop all the activities or processes it may be running. Use the following command:

sudo pkill -u <username>

Where:

  • pkill terminates all the processes at once.
  • -u tells pkill to target all processes owned by the user.

2. Remove user from system files

First, you need to open the files. To do so for each, you can use these commands: 

  • sudo nano /etc/passwd: This opens the file that contains the user’s account information, such as username, UID, GID, default shell, and home directory.
  • sudo nano /etc/shadow: This opens the file containing the user account’s encrypted password data and expiration settings. 

Once the file is open, find the line containing the user and remove it. 

Note: You should replace nano with the text editor you’re using, like vim or vi.

Additionally, directly editing these files can lead to system inconsistencies. It’s recommended to use vipw and vigr instead, as they lock the files to prevent corruption.

3. Delete home directory

If you also want to delete the user’s home directory, you can use this command:

sudo rm -rf /home/<username>

Where:

  • rm is the command that removes files.
  • -r is the recursive deletion flag, which tells the command to delete the directory and its contents.
  • -f is the force deletion flag, which tells the command to skip confirmation prompts and ignore errors.
  • /home/<username> is the path of the user’s home directory. (Replace <username> with the name of the user.)

4. Check and remove user-owned files

Next, you may need to delete all files owned by the user. If you do, you can use this command:

find / -user <username> -exec rm -rf {} \;

Where:

  • find / tells the command to start searching files from the root directory.
  • -user <username> filters the results to only the files owned by that user.
  • -exec runs the command that follows it (here, rm -rf) on each search result.
  • rm is the remove command.
  • -r is the recursive delete flag.
  • -f is the force delete flag.
  • {} is a placeholder that gets replaced with each found file.
  • \; lets find know that the -exec command has ended.

While powerful, this command can cause inconsistencies in your system if executed incorrectly. Therefore, it’s best to run find / -user <username> first without -exec rm -rf {} \; to review what you want to delete.

How To Remove a User While Retaining Files

It’s possible to delete a user but keep the files they owned, especially if you need them for reassignment or archival purposes. To do so, you can either:

  • Back Up the Files

First, ensure the backup directory exists:

sudo mkdir -p /backup

Then back up the user's files:

sudo tar -cvzf /backup/<username>_backup.tar.gz /home/<username>

  • Change Ownership Before Deletion

sudo chown -R newuser:newuser /home/<username>

Checking If a User Has Been Successfully Deleted

After deleting a user, you may need to verify that you’ve done so successfully. You can either:

  • Run the id <username> command. If the account was deleted, this command will return "no such user." However, orphaned processes may still reference the UID. In this case, you can use ps -u <username> to check for lingering processes.
  • Check system files by running grep <username> /etc/passwd and grep <username> /etc/shadow.

For each, replace <username> with the actual name of the user account.

If you also need to verify that you’ve deleted the user account’s home directory, you can run the following command:

ls -ld /home/<username>
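The system-file check above, written as an exact-match test so that a short name such as "al" does not also match "alice" the way a plain grep would. This is an added example, not code from the original article. The leftovers and demo_leftovers functions and the optional directory argument are hypothetical, and the /etc/group check goes beyond the two files the article lists.

```bash
#!/usr/bin/env bash
# Added example: exact-match check for leftovers of a removed account.
# The second argument is an assumption so the check can run against a
# copy of the files instead of the live /etc.

# leftovers NAME [ETC_DIR] -> prints one line per remaining reference
leftovers() {
    lo_name="$1"
    lo_etc="${2:-/etc}"
    for lo_f in passwd shadow; do
        # Compare the whole login field; grep al would also match "alice".
        awk -F: -v u="$lo_name" -v f="$lo_f" '$1 == u { print f }' "$lo_etc/$lo_f"
    done
    awk -F: -v u="$lo_name" '
        $1 == u { print "group:" $1; next }          # group named after the user
        {
            n = split($4, members, ",")               # supplementary members
            for (i = 1; i <= n; i++)
                if (members[i] == u) { print "group:" $1; break }
        }' "$lo_etc/group"
}

# Constructed sample: "al" was cut from passwd by hand, but shadow and group
# were forgotten. "alice" is a different, still valid account.
demo_leftovers() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'alice:x:1001:1001::/home/alice:/bin/bash' > "$d/passwd"
    printf '%s\n' 'alice:!:19000:0:99999:7:::' \
                  'al:!:19000:0:99999:7:::' > "$d/shadow"
    printf '%s\n' 'sudo:x:27:alice,al' 'al:x:1002:' 'alice:x:1001:' > "$d/group"
    leftovers al "$d"
    rm -rf "$d"
}
```

Empty output means no exact references remain in the three files; reading the live /etc/shadow requires root.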

Common Errors and Troubleshooting

You may experience errors while deleting users in Linux, including:

“User is Currently Logged In”

This will usually occur if you try to remove a user actively doing something in the system. You can solve this by terminating their processes using the command below:

sudo killall -u <username>

“User Still Exists”

If you get this error after you delete a user and check whether you were successful, you can force-delete the user by running this command:

sudo userdel -f <username>

Note: -f does not remove user-owned files; it only removes the account entry. Use find / -user <username> to locate and clean up files after deletion.

“Userdel: Cannot Remove Home Directory”

This error can occur if the home directory is immutable. If this is the case, you cannot modify or delete it. To counter this:

  • First, run sudo chattr -i /home/<username> to allow for modifications and deletion on the home directory. chattr -i removes the immutable flag, allowing directory deletion.
  • Next, run sudo rm -rf /home/<username> to forcefully delete it. 

Best Practices for Secure User Removal

  • Confirm the user isn’t currently running any processes before deleting by using ps aux | grep <username>.
  • Check what the user accessed and did using lastlog -u <username>.
  • Check for any active SSH keys associated with the user to prevent disruptions to other systems: ls -la /home/<username>/.ssh/. In some cases, users may have SSH keys stored outside their home directories. To check outside of this scope, you can use /etc/ssh/authorized_keys.
  • Maintain logs of all user access to meet compliance requirements. For instance, logs are typically stored in /var/log/auth.log for Ubuntu and /var/log/secure for RHEL. You can filter logs using grep <username> /var/log/auth.log.
  • Automate the removal process of inactive users using scripts to save time and resources. 

How StrongDM Helps With Secure User Management

User management is a time-consuming and sensitive process. One mistake can introduce vulnerabilities into your system and even impact system stability. You can avoid these risks by leveraging tools like StrongDM, which provide:

  • Automated Offboarding Workflows: You can prevent lingering and inactive users by granting and revoking access automatically.
  • Role-based Access Control (RBAC): You can prevent manual user deletion errors by assigning and revoking access permissions based on user roles and responsibilities. 

Ready to easily and securely manage users in Linux? Book a StrongDM demo today


About the Author

The StrongDM team is building and delivering a Zero Trust Privileged Access Management (PAM), which delivers unparalleled precision in dynamic privileged action control for any type of infrastructure. The frustration-free access stops unsanctioned actions while ensuring continuous compliance.
