Do I have hidden users on my system?

In following another thread, I ran the command below:

“inxi -F”

At the end of the output from that command, there was an info section, shown below:

  **Processes:** 396  
  **Uptime:** 07:39:40  up 4 days 17:19,  3 users,  load average: 2.36, 4.32, 4.56  
  **Memory:** 31.27 GiB **used:** 12.47 GiB (39.9%) **Shell:** bash **inxi:** 3.1.00

The info section says there are 3 users. I have only one user as confirmed in yast, User and Group Management. Also. /home directory shows only 1 user.

Is it possible that somehow hidden users got installed on my system? I sure hope not.

Thanks for any insights into this query, tom kosvic

From the terminal your running inxi also run the command who.

(base) tom@mydesktop:~> who
(base) tom@mydesktop:~>

who command shows 1 user who I know.

I always found this amusing - everyone on this forum requests inxi output and apparently no one actually knows how to interpret it.

Is not this a question to inxi support forum - what exactly “users” means and how this program computes this number? Besides if these users are counted, they are not hidden, right? Anyway

$ ps --no-headers -eo user | sort -u | wc -l

I am the single user on this system, yet there are processes belonging to 12 other users here. Which are various system services. Check the list of processes to see if there is some unexpected user, check loginctl to see if there are some other login sessions. But again - unless you know exactly what inxi reports, any further steps are pretty pointless.

OK, it looks like the straight “uptime” output in which case it comes from utmp. Can you post “utmpdump /run/utmp”?

The users configured in your system are as such in /etc/passwd. A text file with one line per user. Thus counting the lines gives you the number of users:

wc -l /etc/passwd

But when you are curious you can of course also look inside /etc/passwd, :wink:

I have no idea what you mean with “hidden”, but I am not aware of any configuration parameter in /etc/passwd that makes a difference between “hidden” and “not hidden”.

you can see what “users” are on you system with this command (ignore the UID - it is part of the ps -ef command output).

ney@VM1:~> ps -ef | awk '{print $1}' | sort | uniq 

When I run that “inxi” command here, it does not show a count of users. However, this is Leap 15.4 Beta.

If I run the “uptime” command, it shows 5 users. They are all me (as shown by the “who” command):

% who
rickert  :            2022-05-12 18:33 (:)
rickert  :0           2022-05-12 18:33 (:0)
rickert  pts/0        2022-05-12 18:33 (:0)
rickert  pts/1        2022-05-12 18:33 (:0)
rickert  pts/2        2022-05-12 18:35 (:0)

The user at “pts/1” is because I have a xterm open (to run that “inxi” command, for example).
The user at “pts/2” is my Yakuake drop down terminal.
The remaining 3 users seem to be associated with my X11 session. As mentioned by arvidjaar, they are the entries from the utmp database.

The last command will show more detail, in your case last -n 5.

**erlangen:~ #** who -m 
karl     pts/2        May 15 08:22 (:0) 
**erlangen:~ #**
**erlangen:~ #** who -l 
LOGIN    tty1         May 15 06:36              1014 id=tty1 
LOGIN    tty2         May 15 16:54             13465 id=tty2 
**erlangen:~ #**
**erlangen:~ #** who -d 
         pts/1        May 15 08:22              1630 id=ts/1  term=0 exit=0 
         pts/1        May 15 14:05             21697 id=/1    term=0 exit=0 
**erlangen:~ #**
**erlangen:~ #** who -T 
karl     + tty7         May 15 06:36 (:0) 
karl     + pts/0        May 15 06:36 (:0) 
karl     - pts/2        May 15 08:22 (:0) 
karl     - pts/3        May 15 08:23 (:0) 
root     + pts/4        May 15 15:03 (xxxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx:xxx) 
**erlangen:~ #**
**erlangen:~ #** who -q 
karl karl karl karl 
# users=4 
**erlangen:~ #** 

**erlangen:~ #** ps --no-headers -eo user | sort -u 
**erlangen:~ #**


By hidden, I mean users not seen by yast

As requested, I ran utmpdump /run/utmp. See below:

(base) tom@mydesktop:~> utmpdump /run/utmp
Utmp dump of /run/utmp
[2] [00000] ~~  ] [reboot  ] ~           ] [5.3.18-150300.59.63-default] [  
      ] [2022-05-10T14:20:39,881353+00:00]
[1] [00053] ~~  ] [runlevel] ~           ] [5.3.18-150300.59.63-default] [  
      ] [2022-05-10T19:21:21,836755+00:00]
[6] [02567] [tty1] [LOGIN   ] [tty1        ]                     ] [        ]
[7] [02669] :   ] [tom     ] :           ] :                   ] [        ]
[7] [02708]     ] [tom     ] :1          ] :1                  ] [        ]
[7] [03603] [ts/2] [tom     ] [pts/2       ] :1                  ] [        ]
[8] [03585] [ts/1] [tom     ] [pts/1       ]                     ] [        ]
(base) tom@mydesktop:~> 

Those are utmp records that are counted as “user” by uptime. They belong to the same signle user. And “who” should have shown the same. The output you provided

is not from “who” but from “whoami”. So either “who” is aliased to different command or you have some very peculiar version.

I suggested to do

wc -l /etc/passwd

You did not report you did.

When in YaST > Security and Users > User and Group Managemnt, there is somewhere top right a menu Set Filter (or similar wording). The default there is Local Users, but you can also choose System Users. It is not the case that they are “not seen by YaST”. it is that you did not ask them to be shown.

You seem to have a strange Leap 15.3 inxi version – I’m seeing only the following –

 # inxi --admin -xx --info
Info:      Processes: 347 Uptime: 3h 53m Memory: 13.57 GiB used: 3.27 GiB (24.1%) Init: systemd v: 246 runlevel: 5 
           target: Compilers: gcc: 7.5.0 alt: 7 clang: 11.0.1 Shell: bash (su) v: 4.4.23 running in: konsole 
           inxi: 3.1.00 
 # LANG=C uptime
 12:09:31  up   3:53,  7 users,  load average: 0.17, 0.20, 0.22

But, the “uptime” command is showing something similar to your worry.

  • The number of users indicated include, the system users
    – users who are running system processes → «The user “root” doesn’t run EVERYTHING in the system» …

 > ps -ef | awk '{print $1}' | sort | uniq

  • xxx
    ” is my logged in username on this system.

Further –

 > grep -E 'avahi|chrony|colord|xxx|message|nscd|polkitd|postfix|root|rpc|rtkit|statd|tss|UID|wwwrun' /etc/passwd
avahi:x:466:468:User for Avahi:/run/avahi-daemon:/bin/false
chrony:x:468:469:Chrony Daemon:/var/lib/chrony:/bin/false
colord:x:452:450:user for colord:/var/lib/colord:/sbin/nologin
messagebus:x:499:498:User for D-Bus:/run/dbus:/usr/bin/false
nscd:x:474:474:User for nscd:/run/nscd:/sbin/nologin
polkitd:x:493:481:User for polkitd:/var/lib/polkit:/sbin/nologin
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
rpc:x:473:65534:user for rpcbind:/var/lib/empty:/sbin/nologin
statd:x:471:65533:NFS statd daemon:/var/lib/nfs:/sbin/nologin
tss:x:98:98:TSS daemon:/var/lib/tpm:/bin/false
wwwrun:x:459:459:WWW daemon apache:/var/lib/wwwrun:/sbin/nologin

It’s perfectly normal that, the system users have either ‘/sbin/nologin’ or ‘/bin/false’ as their login shell – these users shall never, ever, support a login via a terminal – they only run their system processes as system daemon processes …

  • The user “UID” ain’t a user – it’s the 1st word of the “ps -ef” header –
  • The user “message+” is a little bit more tricky –

 > ps -f 1175
message+  1175     1  0 08:15 ?        Ss     0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
 > ps -o pid,user,args,euid,luid 1175
  PID USER     COMMAND                      EUID  LUID
 1175 message+ /usr/bin/dbus-daemon --syst   499     -

The “effective user ID” (euid) is the value “499” which is the UID of the user “messagebus” – the command “ps” shortened it to “message+”.

  • BTW, “ps -eo pid,user,args --sort user” is a useful command to view all the processes running on a system.
    Or, if the DE is KDE Plasma, run “ksysguard” …

[HR][/HR]Bottom line:

  • There ain’t no “hidden users
    ” but, there are “system users” …

Yet another nonsense.

To reply to multiple tips provided, see below:

I ran inxi -F, not inxi --admin -xx --info as other contributor did. That command as published by @dcurisfra showed 7 users. That command suggested when run on my machine shows 3 users again.

(base) tom@mydesktop:~> inxi --admin -xx --info
  **Processes:** 393  
  **Uptime:** 08:25:18  up 5 days 18:04,  3 users,  load average: 5.52, 5.43, 4.97  
  **Memory:** 31.27 GiB **used:** 12.63 GiB (40.4%) **Init:** systemd **v:** 246 **runlevel:** 5  
  **target:** **Compilers:****gcc:** 7.5.0 **alt:** 10/7/8/9 **clang:** 11.0.1  
  **Shell:** bash **v:** 4.4.23 **running in:** konsole **inxi:** 3.1.00  
(base) tom@mydesktop:~> 

With respect to yast, User and Group Management, the filter command is at default “local users”. Showing “system users” presents about 50 available groups. Not 3.

With respect to suggrstion to run wc -l /etc/passwd, that yields (run both as user and root):

(base) tom@mydesktop:~> wc -l /etc/passwd
52 /etc/passwd
(base) tom@mydesktop:~>

I still do not know what are the three users that inxi gives (or the 7 that anothers inxi gave).
The man page for inxi gives no clarification of what it defines as a user. I will try to look more into inxi docs if i can find some.

thanks all, tom kosvic

It is not quite clear to me what you want information on.

Your main question (see the title of the thread) is: Do I have hidden users on my system. Apart from a failing definition of “hidden users” in the begin, you said that you see YaST only displays one user. You later confirm that you mean with “hidden users” those users that are configured on the system, but you do not see in the YaST display.

My answer to this was

  • In the first place, users are configured in /etc/passwd, so please look there. And when you want to know the number of users defined, which is equal to thenumber of lines in /etc/passwd, count the l;ines (with the wc tool). Which you did and which shows that there are 52 users defined in your system. And I still encourage you to take a look there. And yes, that file can be read by everyone, so there is not difference between any user and root when counting the lines.
  • Then you wonder why you do not see all those 52 users in your YaST display. That is because, for convenience, they are split up in several views ands you only looked at the Local Users view, apparently not seeing that there is a button top right. Now you have used that and you have seen all the other users (not groups
    as you say in the quote above).

I can add the information that the split between Local Users and System Users is an artificial one, and used by convention. All users with a UID below 1000 (Years ago 500 was considered to be the boundary) are seen as System users: users that are installed/configured for special tasks belonging to specific products. And that includes user with UID=0, better known as root.
The UIDs of 1000 and above are, according to this convention, used for “normal users”, the poor fellows that log in in the system (either CLI or GUI) to to their daily score of work.

This has of course all nothing to do with inxi, but that wasn’t your question. IMHO inxi was only the trigger that made you aware of other isers in your system then root and tom.

Ooops – yes indeed – the 7 users are the TTY and pseudo terminals I’m using – the X11 session and the Konsole sessions … :shame:

I have looked at a half dozen doc articles on inxi and none discuss “users” output.

The discussion on looks to be the most elaborate. It does not go over the output. It has no discussion on users.

I think this should be reported as a bug in inxi regarding lack of documentation on what it defines as a user.

tom kosvic