-2

UPDATE: So far no one has been able to answer the question, the responses i have gotten were what i predicted which i asked people not to reply with. When i ask them to provide support (proof) of their answer... crickets. And then i get down voted for it? Seriously? Any of you down votes care to explain why you down voted?

Before one more person tells me ALL users installed by the distro are REQUIRED please explain which services or features will break or error for removing any of the following users: adm games operator?

I want to know how to determine which users and groups can be safely removed. Is it as simple as if there are no processes running as them and no filed owned by them?

I am using CentOS8. Is there an official documentation on each user / group out of the box, what they are for and which ones are just there for the heck of it vs having a purpose?

I found one Redhat article that listed "Optional Users". I assumed that meant not required and they could be removed. One of them was user nobody. Sadly, after removing it i discovered it was actually needed by the kernel and i had to put it back. So much for optional.

There are many groups that do not have any users assigned to them out of the box like sys mem kmem wheel man. Can those simply be removed?

Some groups like disk tape floppy video cdrom are for giving a user access to hardware. If i never plan on assigning a user to any of those groups can i remove them or are they tied to hardware and would break things if removed?

I also found some groups like utmp utempter ssh_keys slocate postdrop that do not have any users but have files with those group's ownership. How is that possible for a file to be given a group that no user can use?

I have read as much as i could find online about this topic and the number one answer I've seen given is, don't worry about them and leave them alone. That is not an answer to what im asking. Im not asking people's opinions if i should remove a user or group that the system wont miss. Im asking to learn how to determine which users and groups are in use and which ones can be removed without breaking anything.

Private_Citizen
  • 104
  • 1
  • 2
  • 8
  • 1
    Perhaps you should listen to what you are being told. Whether or not a user or group is needed isn't determined by whether they have processes running or members assigned to them. You aren't going to get anything out of removing them and it's a waste of time trying to determine whether or not you can. You are trying to fix something that isn't broken. Your system functions with the users and groups there. Leave them be. – Nasir Riley Apr 11 '20 at 04:51
  • 1
    If you install a fresh system, and all of those users and groups are present, they are necessary. – cutrightjm Apr 11 '20 at 04:51
  • @cutrightjm I reject this statement. Please explain how (out of the box) users games and ftp are necessary to the system working. What services (out of the box) would fail by removing these two users? What error in what log would manifest by removing these two users? If the answer is none then your statement "they are necessary" is false. – Private_Citizen Apr 11 '20 at 20:19
  • @NasirRiley I am not interested in herd mentality. I said i didn't need opinion on if im "getting anything out of removing them" or if its a "waste of time". Im trying to learn. Yes i know its not hurting anything. I didn't ask if its hurting anything. I asked how to figure out whats safe to remove. If you don't know then just say you don't know how either. I would expect this kind of answer from those Windows users who still have every icon put on their desktop from every program ever installed on their PC. Ewww. – Private_Citizen Apr 11 '20 at 20:29
  • What do you hope to achieve by removing users from the system? – Kusalananda Apr 13 '20 at 16:18
  • @Kusalananda I hope to achieve removing users that are not used. Sorry if it was not clear in my question in asking how to remove users that are not needed. – Private_Citizen Apr 14 '20 at 00:46

1 Answers1

1

I want to know how to determine which users and groups can be safely removed. Is it as simple as if there are no processes running as them and no filed owned by them?

On a static system, pretty much — you should also check that no service or udev rule refers to them, and that no cron job or timer-based job needs them.

On Fedora-based systems, including RHEL and CentOS, you can check reserved users/groups by running

cat /usr/share/doc/setup*/uidgid

This will give you some idea of what a given user and/or group are intended for, at least in some cases. In particular, it will list many users’ and groups’ “owner” packages; if you don’t use the corresponding package, and the user and/or group is nevertheless present on your system, feel free to remove it.

There are many groups that do not have any users assigned to them out of the box like sys mem kmem wheel man. Can those simply be removed?

Some of those are used for devices, e.g. /dev/kmem, and shouldn’t be removed. Others are largely historical artifacts nowadays, and preserved in order to avoid breaking anything; if you know you don’t need them, you can remove them (but see below).

Some groups like disk tape floppy video cdrom are for giving a user access to hardware. If I never plan on assigning a user to any of those groups can I remove them or are they tied to hardware and would break things if removed?

Again, some of those are used for devices, so check that first.

I also found some groups like utmp utempter ssh_keys slocate postdrop that do not have any users but have files with those group's ownership. How is that possible for a file to be given a group that no user can use?

This is for scenarios where the system administrator may want to grant access to those files to users, with finer granularity than making them system administrators themselves, or possibly for daemons or periodically-running commands which will assume the corresponding group at runtime.

Again, on a static system, feel free to remove users and groups. After all, if it breaks your system, you know how to fix it; and since you’re not running a system with a support contract, you don’t risk affecting your supportability by doing this.

The main issue you’re liable to run into is with future installation of packages: you might install a package which assumes that a well-known user and/or group is present, and fails to install if it’s not. I’m not sure such a package would be policy-compliant, or even if there are still any such packages, but it’s a possibility, and the main reason to avoid removing users and groups.

Stephen Kitt
  • 434,908