Like any other operating system, Linux lets you create, delete, and list users. This post focuses on the last of these: how to list users on Linux. As a system administrator, you need to keep track of all the users on the system for security purposes. Most blackhat hackers create random user accounts after successfully penetrating a computer system to ensure persistence. Finding random user accounts on a computer is regarded as an Indicator of Compromise (IOC).
There are several ways to list users on your Linux system. All the methods we will look at in this post are command-line (Terminal) methods. Don't panic if you are not well versed with the Linux Terminal. All you need to do is copy and paste the commands and execute them on your end. That said, let's get started.
Method 1: View Contents of the /etc/passwd File
That is one of the most common ways to view users, and one you should be familiar with. The /etc/passwd file contains the user account information needed to log in to the system. This file has general read permission by default. Therefore, anyone logged into the system can view the contents of this file. However, writing to this file requires sudo/root privileges.
There are three main commands we can use to view the contents of this file. They are cat, less and more. Run any of the commands below on your Linux Terminal.
cat /etc/passwd
less /etc/passwd
more /etc/passwd
We will use the cat utility for this post.
You will get a long output of all users in the system listed line by line. However, this doesn't mean all these users are logged in right now. You will also notice something interesting about this output. As illustrated below, every user has several fields listed next to them, separated by colons.
root: x : 0 : 0 : root : /root : /bin/bash
daemon: x : 1 : 1 : daemon : /usr/sbin : /usr/sbin/nologin
Let's use the root entry above to discuss the various fields.
- root: This is the username used to log in to the system. It's always between 1 and 32 characters.
- x: This stands for the user's encrypted password, which can be found in the /etc/shadow file.
- 0: This refers to the User ID (UID). 0 (zero) is always reserved for root.
- 0: This is the Group ID (GID).
- root: It's commonly referred to as the Comment column. Here, you can add any additional information about the user, e.g., other names, phone numbers, etc.
- /root: The home directory.
- /bin/bash: This refers to the path of the command-line shell used by the user.
If you only want to see the usernames and not the other fields, you can use the awk or cut command as shown below.
awk -F: '{ print $1}' /etc/passwd
cut -d: -f1 /etc/passwd
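The same awk field splitting can review the other columns, not just print the first one. The script below is an added example, not part of the original post: it reads passwd-format lines and reports accounts other than root that hold UID 0, empty password fields, and accounts whose shell allows login. The sample records, including svc-backup and guest, are constructed.

```shell
#!/bin/sh
# Added example: audit passwd-format records (name:password:UID:GID:comment:home:shell).

# Constructed sample data; svc-backup and guest are invented for this example.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/usr/sbin/nologin
ubuntu-user:x:1000:1000:Ubuntu User:/home/ubuntu-user:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/bash
svc-backup:x:0:0::/var/tmp:/bin/sh
EOF
}

# Reads passwd-format lines on stdin and prints one finding per line:
#   MALFORMED n               line n does not have exactly 7 fields
#   UID0 name                 an account other than root holds UID 0
#   NOPASSWD name             the password field is empty instead of "x"
#   LOGIN name uid=N shell=S  the account has a shell that allows login
audit_passwd() {
    awk -F: '
        NF != 7                  { print "MALFORMED " NR; next }
        $3 == 0 && $1 != "root"  { print "UID0 " $1 }
        $2 == ""                 { print "NOPASSWD " $1 }
        $7 !~ /(nologin|false)$/ {
            # An empty shell field falls back to /bin/sh.
            shell = ($7 == "") ? "/bin/sh" : $7
            print "LOGIN " $1 " uid=" $3 " shell=" shell
        }
    '
}

# Demo on the constructed sample; on a real host use: getent passwd | audit_passwd
sample_passwd | audit_passwd
```
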
Method 2: Use the getent Command
Another easy way to list users on Linux is using the getent utility. This command reads users from the Name Service Switch (NSS) databases. The NSS allows information like hostnames, mail aliases, and user information to be resolved from different sources. To view all the sources, use the command below to display the contents of the nsswitch.conf file.
cat /etc/nsswitch.conf
Run the command below to list all system users with the getent utility.
getent passwd
The output is similar to the one from the /etc/passwd file in Method 1 above. Additionally, if you use Lightweight Directory Access Protocol (LDAP) to manage user login, getent will also list users in the LDAP database.
Similarly, we can combine the awk and cut commands with getent to get only a list of usernames. Execute any of the commands below.
getent passwd | awk -F: '{ print $1}'
getent passwd | cut -d: -f1
Check Whether a User Exists on the System
Up to this point, you have a clear understanding of how to list users on the system and even pipe the output to commands like awk and cut to get only the usernames and omit the other fields. However, there are situations where you only need to check whether a particular user exists on the system. In such a case, you don't need to dump all the users on the command line and then go through them line by line. Let's look at the various methods to verify whether a user exists on the system.
One method is piping the output and using the grep command to list the user, as shown below.
cat /etc/passwd | grep ubuntu-user
If the user doesn't exist on the system, the command will not output anything on the Terminal.
With getent, verifying whether a user exists on the system is even easier. Use the syntax below.
getent passwd <username>
e.g.
getent passwd games
Verify the Number of User Accounts on a System
Another tip you need to know when working with users is knowing the number of user accounts present on the computer. That is another security measure you can use to detect any suspicious activities on your system. If you woke up one day and found 53 user accounts, yet you only knew of 52, that would be a good IOC lead. We will use simple logic to get the number of user accounts on our system.
Since the users are listed line by line, we will pipe this output to the wc command, which will count the total number of lines.
getent passwd | wc -l
cat /etc/passwd | wc -l
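A line count only catches a change in the total. The script below is an added example, not part of the original post, and goes beyond the wc -l check: it compares usernames against a saved baseline, so one account removed and another added still shows up. The account names and file paths are constructed.

```shell
#!/bin/sh
# Added example: compare account names against a saved baseline.

# Usernames from passwd-format text on stdin, sorted for comm(1).
list_users() {
    cut -d: -f1 | LC_ALL=C sort -u
}

# diff_users BASELINE CURRENT: each file holds the output of list_users.
diff_users() {
    LC_ALL=C comm -13 "$1" "$2" | sed 's/^/ADDED /'
    LC_ALL=C comm -23 "$1" "$2" | sed 's/^/REMOVED /'
}

# Constructed data: both snapshots have 4 accounts, so wc -l reports no change.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
        'games:x:5:60:games:/usr/games:/usr/sbin/nologin' \
        'ubuntu-user:x:1000:1000::/home/ubuntu-user:/bin/bash' |
        list_users > "$tmp/baseline"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
        'support:x:1001:1001::/home/support:/bin/bash' \
        'ubuntu-user:x:1000:1000::/home/ubuntu-user:/bin/bash' |
        list_users > "$tmp/current"
    diff_users "$tmp/baseline" "$tmp/current"
    rm -rf "$tmp"
}

# On a real host (paths are placeholders):
#   getent passwd | list_users > /root/users.baseline   # once, on a known-good system
#   getent passwd | list_users > /tmp/users.now
#   diff_users /root/users.baseline /tmp/users.now
demo
```
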
Summary
This post has given you a detailed guide on listing users, checking if a user exists, and even getting the number of user accounts on your system. All the methods described here should work on most Linux distributions, including Debian, Ubuntu, RHEL, CentOS, Arch Linux, and more. Do you have any questions or comments regarding this topic? If yes, please feel free to hit the comments below.