The Hidden Danger of Old Users: Why I Regularly Audit /etc/passwd on My Linux Servers
Intro: Think your server is secure because it has no root logins and a strong firewall? You might be forgetting something silent but dangerous: stale user accounts. Over time, forgotten system users, leftover developers, or unrevoked test accounts pile up — and they’re a goldmine for attackers. Here’s why I audit /etc/passwd regularly, and how you can do it too.
1. Why Old User Accounts Are a Real Risk
- Unused accounts are often ignored in patching or permission reviews.
- Some may still have sudo access or weak passwords.
- If one is compromised, it could provide lateral movement inside your environment.
2. My Quick Script to List Human Users
System accounts are usually below UID 1000. I use this to find real users:
awk -F: '$3 >= 1000 && $1 != "nobody" { print $1 }' /etc/passwd
Want more detail?
getent passwd | awk -F: '$3 >= 1000 && $7 != "/usr/sbin/nologin" && $7 != "/bin/false"' | cut -d: -f1,6,7
This lists:
- Username
- Home directory
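
The two one-liners above can be combined with the sudo concern from section 1. The script below is an added example, not the author's: it applies the same UID and shell filter, then flags the human accounts that still belong to an admin group. The function names, the sample data, and the assumption that admin rights come from the `sudo` or `wheel` group are mine.

```shell
#!/bin/sh
# Added example (not the author's script). Files are passed as arguments so the
# audit can run against constructed samples as well as /etc/passwd and /etc/group.

# Print "user:home:shell" for accounts with UID >= 1000 and a login shell.
# Matching on the basename also covers /sbin/nologin and /usr/bin/false.
human_users() {
    awk -F: '$3 >= 1000 && $1 != "nobody" && $7 !~ /\/(nologin|false)$/ {
        print $1 ":" $6 ":" $7 }' "$1"
}

# Print human users (same filter) that belong to the sudo or wheel group,
# either as supplementary members or through their primary GID.
# Assumption: admin rights come from those groups, not per-user sudoers rules.
admin_humans() {
    awk -F: '
        FILENAME == ARGV[1] {            # first file: group database
            if ($1 == "sudo" || $1 == "wheel") {
                admin_gid[$3] = 1
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) member[m[i]] = 1
            }
            next
        }
        $3 >= 1000 && $1 != "nobody" && $7 !~ /\/(nologin|false)$/ &&
        (($1 in member) || ($4 in admin_gid)) { print $1 }
    ' "$2" "$1"
}

# Constructed sample data: alice is current, olddev is a leftover account.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
olddev:x:1001:1001:Former contractor:/home/olddev:/bin/zsh
testsvc:x:1002:1002:Test account:/home/testsvc:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
sudo:x:27:olddev,testsvc
alice:x:1000:
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
human_users "$tmp/passwd"
admin_humans "$tmp/passwd" "$tmp/group"
rm -rf "$tmp"
```

On a live host, call `admin_humans /etc/passwd /etc/group` and review every name it prints.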