Dead users, living processes: Deleting users on Linux and Windows
On Linux, trying to delete a user with `userdel <username>` fails with the message `user <username> is currently used by process <pid>` if there's a running process under that user. You can override that with `userdel -f <username>`, which will result in a deleted entry in `/etc/passwd` (and related files), but the process is still running with the original UID and GID and able to modify the filesystem.
A fun part here is that Linux aggressively reuses UIDs, so when another user is created, it will likely use the same UID as the already running process:
```
# terminal 1
root> useradd user1
root> su user1
user1> whoami
user1
# ...meanwhile in terminal 2...
root> userdel -f user1
root> useradd user2
# ...terminal 1 again
user1> whoami
user2   # identity crisis much?
```
`user2` inherits all files previously owned by `user1`, which is a more serious issue, with no warnings provided by default. If you are deleting a user on Linux, ensure that there are no sensitive leftover files in the home directory (easy) or anywhere else (hard).
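A pre-deletion audit covering both leftovers described above (processes still running under the UID, and files owned by the UID outside the home directory) is the check I would run before `userdel`. The script below is an added example, not code from the original post; it assumes the Linux `/proc` layout, takes the account name as its only argument, and walks the filesystem roots it is given (`/` by default, which is slow but is exactly the "anywhere else" case).

```python
"""Pre-deletion audit for a Linux account: list processes still running
under the account's UID and files it owns outside its home directory, so
nothing is silently inherited by the next account that receives the UID."""
import os
import pwd
import sys


def parse_proc_status_uid(status_text):
    """Return the real UID from the contents of /proc/<pid>/status, or None.
    The 'Uid:' line carries real, effective, saved and filesystem UIDs."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[1])
    return None


def processes_for_uid(uid, proc="/proc"):
    """PIDs whose real UID matches (assumes the Linux /proc layout)."""
    pids = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "status")) as fh:
                if parse_proc_status_uid(fh.read()) == uid:
                    pids.append(int(entry))
        except OSError:
            continue  # the process exited between listdir() and open()
    return sorted(pids)


def _is_excluded(path, exclude):
    """True if path is one of the excluded prefixes or lies beneath one."""
    return any(path == e or path.startswith(e.rstrip("/") + "/") for e in exclude)


def files_owned_by_uid(uid, roots, exclude=()):
    """Paths under roots owned by uid, skipping the excluded prefixes.
    lstat() is used so a symlink is reported by its own owner and never
    followed; unreadable entries are skipped instead of aborting the walk."""
    found = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            if _is_excluded(dirpath, exclude):
                dirnames[:] = []  # do not descend into an excluded tree
                continue
            # prune excluded children in place so os.walk never enters them
            dirnames[:] = [d for d in dirnames
                           if not _is_excluded(os.path.join(dirpath, d), exclude)]
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                try:
                    if os.lstat(path).st_uid == uid:
                        found.append(path)
                except OSError:
                    continue
    return sorted(found)


def audit_account(username, roots=("/",)):
    """Everything `userdel -f` would leave behind for this account:
    running processes and files it owns outside its home directory."""
    entry = pwd.getpwnam(username)
    return {
        "uid": entry.pw_uid,
        "processes": processes_for_uid(entry.pw_uid),
        "files_outside_home": files_owned_by_uid(
            entry.pw_uid, roots, exclude=(entry.pw_dir,)),
    }


if __name__ == "__main__":
    report = audit_account(sys.argv[1])
    print(f"uid {report['uid']}: {len(report['processes'])} running process(es), "
          f"{len(report['files_outside_home'])} file(s) outside home")
    for path in report["files_outside_home"]:
        print("  ", path)
```

Run it as root before `userdel` (`python3 audit.py user1`); an empty report means the UID can be freed without anything for the next `useradd` to inherit, and a non-empty one tells you what to `chown`, archive or kill first. The walk deliberately does not stop at filesystem boundaries, so point `roots` at specific mounts if a full scan is too slow.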
On Windows, there is neither a warning nor an error when deleting a user with running processes (which is somewhat surprising, given how Windows behaves when it comes to deleting files in use), so you can also delete a user and leave its processes running.
However, since Windows users are identified by SIDs (“security identifiers”), which are guaranteed to never get reused for another security principal, this does not open up any security issues, other than a possible confusion of users when a leftover file or folder is owned by an unknown user (where only the raw SID is displayed instead of a username). Yet another reason for using UUIDs over sequential IDs for identification.