A strange user appears in my quotas and I can't find it in my system

lzcool · January 27, 2009, 1:25pm

Hello, I am running a Solaris 8 system.
I Have encountered that each time I ask the system to report to me the users who have or are about to exceed their quota limit for disk usage, a strange number appears in a user name, it does not appear in my /etc/group or in my /etc/passwd files

The user appears as #833 and as you can see in the report, the number appears as a user, with the # symbol before it
I use: repquota -a | grep EXPIRED

juanma +- 225378 200000 250000 EXPIRED 0 0 0
#883 +- 365479 10000 15000 EXPIRED 11 0 0
felila +- 15007 15000 17000 EXPIRED 0 0 0
aidadia +- 5320 5000 6000 EXPIRED 0 0 0

I've been trying to solve it in several ways, however I can't seem to get it removed.
This is what I've done so far:

I've searched my /etc/passwd for a user called #883, as I've told you, there was no user

I've searched for the user with id 883 in my passwd file, so far, no user has that id number

I've used the command "finger 883" and it returns a bunch of users in the system, however, all of them have their own quotas and none has the id number 883

I've used the command find / -name "833" but it doesn't return any matches.

I've googled the user with and without the # simbol, along with keywords like solaris 8, however, it doesn't return any relevant information sources.

I would really appreciate help, since after all ,as you can see, the user's usage of HD space is growing and it'll be really troublesome.
Any aditional information I'm missing, feel free to tell me, so we can solve this problem. I hope I'm not the first person with this thig.
We think it might be a security breach, so if anyone knows about that, information is welcomed too

Thanks in advance
LZ

jim_mcnamara · January 27, 2009, 1:41pm

Did you have a user id = 833 in the past? That would be my answer.

File information utilities, like quota, use existing system files like passwd to display user id's. If the user has been completely removed, you get the user number in the display.

lzcool · January 27, 2009, 2:11pm

I think in the past the Another thing, I've several I've used:
repquota -a | grep '#'
and it returnes:
#484 #883 #889 #212 #222 #227 #231 #233 #301 #310 #311 #344 #354 #356 #440 #455 #484 #485 #486 #492 #622 #1069 #1075 user might have existed (I'm not the all life administrator :P), however, if the user was removed, why would it be growing his disk usage :-S??
users that quota displays as #number
-- 49 5000 6000 10 0 0
+- 365479 10000 15000 EXPIRED 11 0 0
-- 1543 40000 45000 8 0 0
-- 1 10000 15000 1 0 0
-- 1 20000 25000 0 0 0
-- 1 20000 25000 1 0 0
-- 7 20000 25000 1 0 0
-- 1 10000 15000 1 0 0
-- 1 20000 25000 1 0 0
-- 5 20000 25000 1 0 0
-- 1 20000 25000 1 0 0
-- 937 20000 25000 0 0 0
-- 9 20000 25000 1 0 0
-- 1 20000 25000 1 0 0
-- 1 20000 25000 1 0 0
-- 1 20000 25000 1 0 0
-- 1 20000 25000 0 0 0
-- 1 20000 25000 1 0 0
-- 1 20000 25000 1 0 0
-- 1 20000 25000 1 0 0
-- 1 20000 25000 1 0 0
-- 78 25000 30000 0 0 0
-- 19344 20000 25000 0 0 0

I'm concerned right now only with #883 because it's the only one growing in size =(

jlliagre · January 27, 2009, 2:13pm

That should be:

find / -user 883

lzcool · January 27, 2009, 2:57pm

ok, Thanks man!!!
You've help me solve a problem that had my head spinning quite a lot!!!
It's weird, how can a user have dissapeared from /etc/passwd and still have his files growing in size...
I believe, a previous administrator must've tried to delete the user, but quite stupidly...
Thanks a lot man!!
as root I used the command
find / -user 883
and all files from that user appeared, so I could erase them.
Now I'll try to investigate, why was it still growing...

jlliagre · January 27, 2009, 3:56pm

Erasing the files might not fix the problem. You should first check if the files are not still open by some processes.

incredible · January 28, 2009, 12:59am

True, deleting might not help. You will need to find where the process get spawned from.

lzcool · January 29, 2009, 12:45pm

Ok, thanks for that hint =). You're right. I'm searching the process list right now, I solved the immediate problem, however, I've to find what process was writing in those files.
I'll try to find anything useful in my server.

jlliagre · January 29, 2009, 1:39pm

What I meant is erasing the file doesn't even solve the immediate problem if the file is still open by the writing process.

otheus · January 30, 2009, 5:23am

Reminder: Extracting a tar as root will create files with the archived user id. This is probably not, but could be the source of your problem.

Do a ps -ef and grep for 833.

houston · January 31, 2009, 8:22pm

Is there any trace of the user in /etc/passwd?
I have seen some administrator just commenting(#) the user line with # in /etc/passwd.
In /etc/passwd, if you preceed the user line with #, the user is not disabled instead a user caller "#uname" is created with the same uid.

lzcool · February 3, 2009, 11:20am

There was no trace of the user in /etc/passwd :S
What I believe happened, was that a previous administrator deleted him from there, and the user had a process in his /export/home directory that was increasing a file size, maybe a log.
After I searched each process, we (the other administrator and me) found a process that seemed to be owned by him.
We killed it and the other administrator deleted all his home files without giving me the chance to know what file was increasing it's size.
However, so far we've not had any more trouble concerning this user, there were other cases of similar users not being deleted correctly, but due your nice help, we've handled them.
Thanks a lot =)

quirkasaurus · February 3, 2009, 1:58pm

just kill all this user's processes.....

kill -9 `ps -U 833 | grep -v PID | awk '{print $1}'`

BTW -- files owned by him, if they are group or world writable could be
getting bigger legimitately by someone actually doing work.

jlliagre · February 3, 2009, 4:11pm

or simpler:

pkill -9 -u 833