Actually.fyi

Dead users, living processes: Deleting users on Linux and Windows


2023-07-27, nulya


Linux

On Linux, trying to delete a user with userdel <username> fails with the message user <username> is currently used by process <pid> if there's a running process under that user. You can override that with userdel -f <username>, which will result in a deleted entry in /etc/passwd (and related files), but the process is still running with the original UID and GID and able to modify the filesystem.

A fun part here is that Linux aggressively reuses UIDs, so when another user is created, it will likely use the same UID as the already running process:

# terminal 1
root> useradd user1
root> su user1
user1> whoami
user1

# ...meanwhile in terminal 2...
root> userdel -f user1
root> useradd user2

# ...terminal 1 again
user1> whoami
user2 # identity crisis much?

Additionally, user2 inherits all files previously owned by user1, which is a more serious issue, with no warnings provided by default. If you are deleting a user on Linux, ensure that there are no sensitive leftover files in the home directory (easy) or anywhere else (hard).

Windows

On Windows, there's no warning nor error while deleting a user with running processes (which is somewhat surprising, given how Windows behaves when it comes to deleting files in use), thus you can also delete a user and leave his processes running.

However, since Windows users are identified by SIDs ("security identifiers"), which are guaranteed to never get reused for another security principal, this does not open up any security issues, other than a possible confusion of users when a leftover file or folder is owned by an unknown user (where only the raw SID is displayed instead of a username). Yet another reason for using UUIDs over sequential IDs for identification.