
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

0 votes
2 answers
4253 views
Account locked after adding line on /etc/passwd file
I have installed this version of Ubuntu on my laptop.
└─ $ ▶ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial
Because of my limited knowledge regarding Linux, I have added a line manually to /etc/passwd. My user which I login to the laptop is gofoboso with a password. This user has sudo rights. After adding the second line into the contents following, I do not have sudo rights.
root:x:0:0:root:/root:/usr/bin/zsh
gofoboso:x:0:0:gofoboso:/gofoboso:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
I understand that the passwords are encrypted on the /etc/shadow file, and now this has the exact attributes as the root user has (??)
─ $ ▶ sudo cat /etc/shadow
[sudo] password for gofoboso:
Sorry, try again.
[sudo] password for gofoboso:
sudo: account validation failure, is your account locked
This is the company's laptop and I do not have the root password. I've tried some commands I found online but all of them required sudo. Anyone knows how can I revert this ? Most importantly I cannot restart the laptop or shut it down, because it will ask the password of the user gofoboso, which probably it's the same as root's now ??
If it cannot be fixed without becoming root, If someone knows the root password, and deletes that line the gofoboso user will be enabled again? Thanks.
g0f0b0s0 (11 rep)
Feb 2, 2018, 10:18 PM • Last activity: Aug 3, 2025, 02:04 AM
14 votes
1 answers
5015 views
How can I make a device available inside a systemd-nspawn container with user namespacing?
I would like to mount an encrypted image file using cryptsetup inside a systemd-nspawn container. However, I get this error message:
[root@container ~]# echo $key | cryptsetup -d - open luks.img luks
Cannot initialize device-mapper. Is dm_mod kernel module loaded?
Cannot use device luks, name is invalid or still in use.
The dm_mod kernel module is loaded on the host system, although things look a bit weird inside the container:
[root@host ~]# grep dm_mod /proc/modules
dm_mod 159744 2 dm_crypt, Live 0xffffffffc12c6000
[root@container ~]# grep dm_mod /proc/modules
dm_mod 159744 2 dm_crypt, Live 0x0000000000000000
strace indicates that cryptsetup is unable to create /dev/mapper/control:
[root@etrial ~]# echo $key | strace cryptsetup -d - open luks.img luks 2>&1 | grep mknod
mknod("/dev/mapper/control", S_IFCHR|0600, makedev(0xa, 0xec)) = -1 EPERM (Operation not permitted)
I am not too sure why this is happening. I am starting the container with the systemd-nspawn@.service template unit, which seems like it should allow access to the device mapper:
# nspawn can set up LUKS encrypted loopback files, in which case it needs
# access to /dev/mapper/control and the block devices /dev/mapper/*.
DeviceAllow=/dev/mapper/control rw
DeviceAllow=block-device-mapper rw
Reading this comment on a related question about USB devices, I wondered whether the solution was to add a bind mount for /dev/mapper. However, cryptsetup gives me the same error message inside the container. When I strace it, it looks like there's still a permissions issue:
# echo $key | strace cryptsetup open luks.img luks --key-file - 2>&1 | grep "/dev/mapper"
stat("/dev/mapper/control", {st_mode=S_IFCHR|0600, st_rdev=makedev(0xa, 0xec), ...}) = 0
openat(AT_FDCWD, "/dev/mapper/control", O_RDWR) = -1 EACCES (Permission denied)
# ls -la /dev/mapper
total 0
drwxr-xr-x 2 nobody nobody 60 Dec 13 14:33 .
drwxr-xr-x 8 root root 460 Dec 15 14:54 ..
crw------- 1 nobody nobody 10, 236 Dec 13 14:33 control
Apparently, this is happening because the template unit enables user namespacing, which I want anyway for security reasons. As explained in the documentation:
>In most cases, using --private-users=pick is the recommended option as it enhances container security massively and operates fully automatically in most cases ... [this] is the default if the systemd-nspawn@.service template unit file is used ...
>
>Note that when [the --bind option] is used in combination with --private-users, the resulting mount points will be owned by the nobody user. That's because the mount and its files and directories continue to be owned by the relevant host users and groups, which do not exist in the container, and thus show up under the wildcard UID 65534 (nobody). If such bind mounts are created, it is recommended to make them read-only, using --bind-ro=.

Presumably I won't be able to do anything with read-only permissions to /dev/mapper. So, is there any way I can get cryptsetup to work inside the container, so that my application can create and mount arbitrary encrypted volumes at runtime, without disabling user namespacing?
## Related questions
* systemd-nspawn: file-system permissions for a bound folder relates to files rather than devices, and the only answer just says that "-U is mostly incompatible with rw --bind."
* systemd-nspawn: how to allow access to all devices doesn't deal with user namespacing and there are no answers.
sjy (956 rep)
Dec 15, 2019, 02:53 AM • Last activity: Jul 31, 2025, 03:10 AM
12 votes
1 answers
17861 views
What are the groups 'users' and 'other' for?
There is a proprietary document about system hardening/security standard stating that group users, nogroup, other, and some other groups should not contain any user except system administrators. I've found an explanation about nogroup group [here](https://unix.stackexchange.com/questions/22520/what-is-nogroup-groups-purpose) . What about the users and other groups and what are they for? Why regular (non-administrator) users should not be member of these groups? Distro is, RHEL (Red Hat Enterprise Linux)
fikr4n (1001 rep)
Nov 29, 2016, 07:21 AM • Last activity: Jul 22, 2025, 03:01 PM
1 votes
1 answers
2820 views
Why is there a libvirt-qemu user (showing on the login screen) and how to remove it?
I didn't create this user - I think it was added by installing the "Virtual Machine manager" (virt-manager) on Debian10/KDE.
grep -E 'libvirt|qemu' /etc/passwd
returns
libvirt-qemu:x:6xxxx:1xx:Libvirt Qemu,,,:/var/lib/libvirt:/usr/sbin/nologin
KDE's User Manager doesn't show the account but it's displayed on the login screen on the left of the actual user account. I don't have a file /var/lib/AccountsService/users/libvirt-qemu like described in a solution to the 2017 question here and could not find a bug report if it's due to a bug in accountsservice (why does the bug occur / why hasn't it been fixed since?).
**Why is this user created and how to remove it but still be able to use virt-manager?**
If the solution is to not remove the user but to hide it by creating the /users/libvirt-qemu file why isn't that done when the user is set up already? If the user is necessary I'd find it strange that iirc it was only added after installing virt-manager but not after installing and using aqemu.
mYnDstrEAm (4708 rep)
Aug 8, 2021, 03:23 PM • Last activity: Jul 14, 2025, 11:05 PM
2 votes
1 answers
8544 views
How to enable xhost access from second user when display:0 is on first user?
Here is my situation: I have two (sudo) users on a machine:
1. userA (created first on the machine. This is also where display :0 is attached)
2. userB (created later)
Being on userA I do:
export DISPLAY=:0.0
xclock
And the clock opens on DISPLAY:0 as intended. Now, I want the same steps to work on userB. But unfortunately, it shows:
No protocol specified
xhost:  unable to open display ":0.0"
What I tried:
1. Creating a trusted xauth key using: xauth generate :0.0 . trusted which again shows unable to open display ":0.0"
2. Copying the /home/userA/.Xauthority to /home/userB/.Xauthority. (Note: I did not see any key pertaining to display :0 in the userA xauth list, even though it works.)
3. Creating trusted xauth key for :0 on userA and copying that key to userB.
None of these worked.
**What worked:**
1. I log-in to userA. I export DISPLAY=:0.0 and then xhost + to enable access from all clients.
2. I log back in to userB. I export DISPLAY=:0.0 and then xclock.
I want to eliminate Step 1. I do NOT want to log-in to userA each time. And I did try to xhost + from userB, which shows error already shown above. How can I run xhost + from userB, while also making it think it has the DISPLAY:0 access?
**Edit**: As mentioned by @user414777, I was able to:
# On userA
$ xhost +si:localuser:userB

# On userB
$ export DISPLAY=:0.0 ; xclock
And make it work. But these changes don't stay post-reboot.
# After rebooting, on userB
$ export DISPLAY=:0.0 ; xclock
Invalid MIT-MAGIC-COOKIE-1 keyError: Can't open display: :0.0
I'm running Ubuntu 18.04 LTS, 4.18.0-15-generic
**SOLVED** I eventually went with a slightly insecure and modified suggestion by @user414777. Instead of adding the change in ~/.xsession or Xsession.d, I added that line in /etc/profile, which applies the change for all users.
Karan Shah (121 rep)
Oct 8, 2020, 05:27 AM • Last activity: Jul 10, 2025, 01:08 PM
1 votes
1 answers
2487 views
lxsession-logout vs lxde-logout
I'm new with lxde, I installed it on ubuntu 14.04 using sudo apt-get install lxde. But the problem I have is that I want to logout without a prompt. I've read some articles about this and they suggested one of these: lxsession-logout or lxde-logout. But they cannot be used to logout without a prompt. The question is what are the main differences between them? Is it possible to logout without a prompt on lxde? thanks.
user180394 (21 rep)
Jul 19, 2016, 01:02 PM • Last activity: Jul 9, 2025, 09:08 PM
5 votes
2 answers
4746 views
How to run gui app as another user on wayland
With Xorg, I could just do
xhost +si:localuser:foxy
to run GUI app as foxy user. But can I do this on Wayland ? I tried following:-
chmod o+rw /run/user/1000/wayland-0
but it still gives Permission denied
[foxy@titan levi]$ QT_QPA_PLATFORM=wayland XDG_RUNTIME_DIR=/run/user/1000 konsole
Failed to create wl_display (Permission denied)
qt.qpa.plugin: Could not load the Qt platform plugin "wayland" in "" even though it was found.
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.
Available platform plugins are: wayland-org.kde.kwin.qpa, eglfs, linuxfb, minimal, minimalegl, offscreen, vnc, wayland-egl, wayland, wayland-xcomposite-egl, wayland-xcomposite-glx, webgl, xcb.
Aborted (core dumped)
I'm using kwin_wayland 5.20.2
EDIT: I don't want to use root
voldimot (145 rep)
Nov 8, 2020, 05:43 AM • Last activity: Jul 5, 2025, 11:23 AM
1 votes
1 answers
2727 views
Disable local user PAM, enable root user with LDAP
I am trying to set up a Linux machine with LDAP authentication and root account enabled. There is no issue with the LDAP server and everything works fine. I wanted to disable local users, so I tried editing PAM. I tried using pam-auth-update and unticking the "Unix authentication". Local users are successfully denied, but so is the root account. I am now trying different things at the pam.d files, but it seems I screwed up multiple times and don't know what am I doing. Editing the /etc/pam.d/common-auth file:
auth		sufficient	pam_rootok.so
After I added this line, there is no password prompt and it logs in directly.
auth     pam_succeed_if.so    uid = 0 quiet
I added this line and it does nothing. I am now reading the PAM configuration.  Could anyone help me understand and solve my problem?
chiajw1 (11 rep)
Mar 17, 2020, 08:29 AM • Last activity: Jul 1, 2025, 08:01 PM
2 votes
1 answers
2035 views
modify user login screen details (gdm)
I have a single linux desktop at home, with every member of the family having their own user name / login combo (shared external drive for sharing pics, docs etc). I have realised that the GDM login screen shows the username for some and the 'full name' for others. e.g. for me it shows 'David Myers' (my full name, obviously), for my wife it shows helenm (her log in). In the most part this is not a problem, but I would like for it to be consistent between all users. I've clearly done something different when creating the users (which I did via the command line). Using sudo users-admin the application refuses to open up, but on the basic version (non root) all the details seem the same (obviously I can't view the advanced details). What I would like, is for it to display the login name in a larger bold font, followed by the full name in a smaller font in parenthesis. Is this possible (I'm sure it is)?
Pertinent details:
- OS : Debian - jessy.
- desktop : XFCE
- login screen : GDM (to allow user switching, and I can confirm that the system takes much longer to boot up to GDM rather than the native XFCE version).
DaveM (131 rep)
Apr 6, 2017, 05:33 AM • Last activity: Jun 28, 2025, 08:07 AM
2 votes
2 answers
56 views
Unable to write to self in graphical terminal session?
Essentially, I noticed I am unable to write to my user who is using gnome-terminal. tty returns /dev/pts/1, but I am unable to write there as root. Instead, it returns as follows:
myuser@pegasus:/$ tty
/dev/pts/1
root@pegasus:/# write myuser pts/1
write: myuser is not logged in on pts/1
I have also tried write myuser tty2, and tried not specifying the terminal, but nothing happens. How can I write to my session? The inverse works fine:
myuser@pegasus:/$ write root pts/0
hi!
please respond
root@pegasus:/# 
Message from myuser@pegasus on pts/1 at 22:05 ...
hi!
please respond
EOF
Here is what the logins look like.
root@pegasus:/# who -aT
           system boot  2025-06-19 21:34
           run-level 5  2025-06-19 21:34
myuser ? seat0        2025-06-19 21:34   ?          2982 (login screen)
myuser + tty2         2025-06-19 21:34 00:37        2982 (tty2)
           pts/1        2025-06-19 21:41             25698 id=ts/1  term=0 exit=0

myuser@pegasus:/$ loginctl
SESSION  UID USER      SEAT  LEADER CLASS         TTY   IDLE SINCE
     11    0 root      -     79869  manager-early -     no   -    
      2 1000 myuser seat0 2891   user          tty2  no   -    
      3 1000 myuser -     2911   manager       -     no   -    
    c11    0 root      -     79732  user-early    pts/0 no   -    

4 sessions listed.
Vesta Tian (81 rep)
Jun 19, 2025, 02:10 PM • Last activity: Jun 21, 2025, 01:20 PM
0 votes
0 answers
38 views
Automatic backup on a second internal hidden disk when files are moved to a first disk
Summary: I need to automatically backup files on a hidden hard disk whenever the user copy files on a specific hard disk.
Long explanation:
Context: My father (70 years old) is very bad at computers. He barely knows how to copy and paste with a graphical interface, nothing more. I have installed him a linux mint distro which I have tailored so he doesn't crash it and understand easily. He use his computer mostly to save his photographies: around 2TB now...
I plan to install him an extra hard disk called "photos" so he can discharge his photos on it. I also plan to put another disk ("photocopie") as a backup so in case the first hard disk crash, he will not lost his photographies. I will make this second hard disk hidden so my dad doesn't fuss with it.
I would like to know how to automatically copy the new photos he adds on the hard disk "photos" to the second one "photocopies"; he only do how to do this using caja (Mate file manager). I had first read about using raid 1 but it doesn't seems to be the proper solution. Some suggested using rsync with cron, however cron work at specific times, and since my dad doesn't use his computer often, it may not work properly. I was trying to find an app that would start at a specific event such as "if files are written on hard disk photos, then run rsync as incremental on the hard disk photocopie", but I couldn't find an app detecting events. I have read about inotifywait, could it be the solution? How to implement that?
PS: the photo sources could be anything than can be plugged by USB: a camera, an smartphone (Apple). My dad usually run caja and copy paste from the phone to the proper directory/hard disk.
Some old geek (1 rep)
Jun 18, 2025, 02:59 PM
0 votes
2 answers
2845 views
delete multiple users
I am the root user and I am setting up a menu for another user to use. This other user will only get this menu. There are two options that are interlinked: the first option is to search users. The code I got is:
last | awk '{print $1,$4,$5,$6,$7} '
I have checked this code and it works, it shows me the usernames and the day they last logged on. For the second option: I want to be able to set a date, and then delete users who haven't been active since that date, using the output of the above command. I am using Linux Mint and Vim text editor.
user93524
Dec 5, 2014, 12:26 PM • Last activity: Jun 16, 2025, 05:06 PM
2 votes
1 answers
195 views
Disabling local accounts SSH in all Linux servers
We are in the process of disabling local accounts SSH completely in our environment for all Linux servers. We are able to disable this with a combination of DSC & Azure Policy, which is all working fine. Now the problem is that we are disabling UIDs from 1000 and above, assuming those below 1000 will be used for system accounts (e.g. Apache, Nginx, Postgres). Users can also create user accounts with a UID less than 1000 and bypass our policy. Please suggest any workarounds here to target all local accounts without disturbing any running services. We asked teams to replace local accounts with service principals if there is any legitimate requirement for the use of local users.
There are multiple ways to deny local users access. I'd like to understand which is the most effective or recommended approach among the following options:
1) Add denyusers list on /etc/ssh/sshd_config
2) Add denyusers list on Access.conf
3) Set /Nologin for all local accounts in /etc/passwd
We are disabling local accounts by adding the lines below, and users will log in via Azure RBAC with Entra using the extension "AADSSHLoginForLinux":
#added by guestconfiguration
Match User *
DenyUsers user1 user2 ...
#end of match by guestconfiguration
I am not a great expert in the Linux environment, so any suggestions here will be much appreciated.
Thanks,
Kal
Dev Reddy (21 rep)
Jun 15, 2025, 02:46 AM • Last activity: Jun 16, 2025, 01:44 PM
15 votes
3 answers
28357 views
How to add "system" local user like mysql or tomcat?
My system has many users, I've never created, like mysql or tomcat. These users have no home directories inside /home Obviously, a daemon program runs under these users. What is the term for such users? How to create such a user of my own? For example, I wish to create a user for deluged, but I don't want to create and remember a password for it and also don't want to allow somebody to login with this user from console. How to accomplish this?
Dims (3425 rep)
Sep 30, 2015, 05:30 PM • Last activity: Jun 11, 2025, 09:23 AM
2 votes
2 answers
2672 views
How to load apparmor profile for a service that runs in systemd's user space
I have been trying to load apparmor profile for a service that runs in systemd's user instance. I have two service files sample.service, for the process and another sample-profile-loader.service which loads its app armor profile usr.bin.Sample. The apparmor profile is placed in /lib/systemd/system and the process's service file is placed in /usr/lib/systemd/user. Both services are enabled.
[Unit]
# sample-profile-loader.service
Before=sample.service
[Service]
Type=oneshot
ExecStart=/use/bin/apparmor-loader.sh /etc/apparmor.d/usr.bin.sample
[Install]
Wanted by=multi-user.target

[Unit]
# sample.service
Requires=sample-profile-loader.service
After=sample-profile-loader.service
[Service]
Type=simple
ExecStart=/usr/bin/sample
[Install]
WantedBy=multi-user.target

After first boot, when I check aa-status the profile is loaded. But when I do a systemctl restart sample.service --user, I get an error message.
"Failed to start sample.service. Unit sample-profile-loader.service failed to load. No such file or directory"
I have been going through Google for a solution to this. But haven't found one yet. It would be really good if you can give me any suggestion.
delver (21 rep)
Aug 22, 2019, 01:32 PM • Last activity: May 31, 2025, 11:03 AM
30 votes
4 answers
63450 views
View list of users
I would like to see how many users are on my system. How could I view a list of all the users on the system?
ayy lmao (801 rep)
Jan 27, 2015, 10:56 AM • Last activity: May 30, 2025, 05:42 PM
1 votes
1 answers
46 views
Excluding processes by one user in Solaris "top"
Host machine: SunOS 5.11 11.3 sun4v sparc sun4v
As an Informix DBA monitoring a system I am trying to see the top users of CPU. In an Informix environment, that slot is hogged by a gazillion instances of and the engine, being run as user informix. I have seen a few suggestions of excluding a given user but none of them work. Examples:
- Press the "o" key exclude the user by entering !USER=informix. No, when I press the o key it prompts me for a sort column.
- On the command line: top -u='!informix' (or something similar). It ignores that, though it does not complain about the command line option. Or maybe it does but that flashes by too quickly as the interactive screen comes on.
Hey, I'm open to suggestions here. Ideas? A fool's quest? Thanks for help here.
-- JS
Jacob Salomon (111 rep)
May 26, 2025, 11:25 PM • Last activity: May 27, 2025, 07:37 AM
0 votes
1 answers
4894 views
how to list authorized AD group and users on CentOS 8
We have one CentOS 8 server where it's integrated with Windows AD so users access it with their Windows credentials. I have a request and need to check out which users and groups are allowed to access it (not all the AD users were authorized). I can check on sudoers file to see who has the rights to run commands, but is there any other place we can check who can ssh to the server? /etc/passwd seems not storing the AD user info. Many thanks.
Eaven Huang (1 rep)
Dec 13, 2021, 07:04 AM • Last activity: May 18, 2025, 07:03 AM
47 votes
2 answers
148814 views
How do I set the user of php-fpm to be php-user instead of www-data?
I am using php-fpm on debian with nginx for php5 support. I would like to have php-fpm to be under the user&group php-user instead of www-data. I thought the init.d script would have the user mentioned or uses a file which has www-data written in it. Yet I don't see it. How do I spawn this process to be under user php-user:php-user? Here is the php5-fpm init.d script on my server. I tried looking at start-stop-daemon man pages but didn't see it. I'm sure this is simple but I don't know how to do it.
#!/bin/sh
### BEGIN INIT INFO
# Provides: php-fpm php5-fpm
# Required-Start: $remote_fs $network
# Required-Stop: $remote_fs $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts php5-fpm
# Description: Starts PHP5 FastCGI Process Manager Daemon
### END INIT INFO

# Author: Ondrej Sury

PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="PHP5 FastCGI Process Manager"
NAME=php5-fpm
DAEMON=/usr/sbin/$NAME
DAEMON_ARGS="--fpm-config /etc/php5/fpm/php-fpm.conf"
PIDFILE=/var/run/php5-fpm.pid
TIMEOUT=30
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions

#
# Function to check the correctness of the config file
#
do_check()
{
    [ "$1" != "no" ] && $DAEMON $DAEMON_ARGS -t 2>&1 | grep -v "\[ERROR\]"
    FPM_ERROR=$($DAEMON $DAEMON_ARGS -t 2>&1 | grep "\[ERROR\]")

    if [ -n "${FPM_ERROR}" ]; then
        echo "Please fix your configuration file..."
        $DAEMON $DAEMON_ARGS -t 2>&1 | grep "\[ERROR\]"
        return 1
    fi
    return 0
}

#
# Function that starts the daemon/service
#
do_start()
{
    # Return
    #   0 if daemon has been started
    #   1 if daemon was already running
    #   2 if daemon could not be started
    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
        || return 1
    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
        $DAEMON_ARGS 2>/dev/null \
        || return 2
    # Add code here, if necessary, that waits for the process to be ready
    # to handle requests from services started subsequently which depend
    # on this one. As a last resort, sleep for some time.
}

#
# Function that stops the daemon/service
#
do_stop()
{
    # Return
    #   0 if daemon has been stopped
    #   1 if daemon was already stopped
    #   2 if daemon could not be stopped
    #   other if a failure occurred
    start-stop-daemon --stop --quiet --retry=TERM/$TIMEOUT/KILL/5 --pidfile $PIDFILE --name $NAME
    RETVAL="$?"
    [ "$RETVAL" = 2 ] && return 2
    # Wait for children to finish too if this is a daemon that forks
    # and if the daemon is only ever run from this initscript.
    # If the above conditions are not satisfied then add some other code
    # that waits for the process to drop all resources that could be
    # needed by services started subsequently. A last resort is to
    # sleep for some time.
    start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
    [ "$?" = 2 ] && return 2
    # Many daemons don't delete their pidfiles when they exit.
    rm -f $PIDFILE
    return "$RETVAL"
}

#
# Function that sends a SIGHUP to the daemon/service
#
do_reload()
{
    #
    # If the daemon can reload its configuration without
    # restarting (for example, when it is sent a SIGHUP),
    # then implement that here.
    #
    start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
    return 0
}

case "$1" in
    start)
        [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
        do_check $VERBOSE
        case "$?" in
            0)
                do_start
                case "$?" in
                    0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
                    2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
                esac
                ;;
            1) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
    stop)
        [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
        do_stop
        case "$?" in
            0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
            2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
    status)
        status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
        ;;
    check)
        do_check yes
        ;;
    reload|force-reload)
        log_daemon_msg "Reloading $DESC" "$NAME"
        do_reload
        log_end_msg $?
        ;;
    restart)
        log_daemon_msg "Restarting $DESC" "$NAME"
        do_stop
        case "$?" in
            0|1)
                do_start
                case "$?" in
                    0) log_end_msg 0 ;;
                    1) log_end_msg 1 ;; # Old process is still running
                    *) log_end_msg 1 ;; # Failed to start
                esac
                ;;
            *)
                # Failed to stop
                log_end_msg 1
                ;;
        esac
        ;;
    *)
        echo "Usage: $SCRIPTNAME {start|stop|status|restart|reload|force-reload}" >&2
        exit 1
        ;;
esac

:
user4069
Jan 27, 2012, 07:32 PM • Last activity: May 16, 2025, 12:11 PM
9 votes
3 answers
27093 views
How can I list all currently logged-in users?
I have a system I'm managing (running RHEL 8) that has multiple users in our small office, who log into it in various ways -- locally at the console, remotely via SSH and NoMachine Workstation. When I do updates that include a new kernel, or for some other reason I need to reboot the machine, I'd like to make sure there are no currently logged-in users, so I'm not interrupting users who are running software on the machine. So what I'd like to have is a command that lists all currently logged in users.
I've done quite a bit of searching on this topic, and the methods I've found in response to this question are simply wrong, in the sense that they provably do not work. The commands who, w, and users do **NOT** list **all logged-in users**. As I'm writing this there are three users currently logged in to the computer in question, including myself. These commands list only one of these three (incidentally, I'm not one of them). The one user who is listed by these commands is logged in via SSH and has an open terminal. Another user who has no TTY but has several GUI applications open with their X displays piped to his laptop through SSH does not appear, and neither do I (I have a graphical login via NoMachine). In fact, who -m returns no output when I run it. I can use ps -ef to list all processes and find processes currently running for all these users. The command last | grep 'still logged in' (suggested here) results in the same incomplete list as above (it's getting its information from the same source).
So, repeating the question -- what is the definitive method to get a list of all logged in users (users who have authenticated via the normal mechanisms, and have interactive processes currently running under their user IDs)? I'd like to do this without searching through the output of ps.
EDIT -- The users on this workstation are all authenticating via LDAP, however I've verified that this is not related to the question. I have created a local user account, which also does not show up in response to who or users when logged in by the same means as described above.
Chris Robison (193 rep)
Nov 2, 2020, 04:19 PM • Last activity: May 13, 2025, 08:10 PM
Showing page 1 of 20 total questions