Cybersecurity Triage

List Accounts with Login Shells

You need to separate human or interactive accounts from service accounts in a passwd-style file.

Command

awk -F: '$7 ~ /(bash|sh|zsh)$/ {printf "%s %s\n", $1, $7}' fixtures/user-access-audit/etc/passwd

What changed

Nothing changes. The command reads a fixture-local passwd stub and prints accounts with shell-like login programs.

Danger

safe

When to use it

Use during server handoff, user access reviews, and first-response checks before changing accounts.

When not to use it

Do not disable accounts from this list alone; confirm ownership, automation, and operational purpose first.

Undo or recovery

No undo needed because this command is read-only.

Expected output

Usernames and login shells for accounts whose login program is an interactive shell.

demo script

Disposable terminal steps

  1. sed -n '1,8p' fixtures/user-access-audit/etc/passwd
  2. awk -F: '$7 ~ /(bash|sh|zsh)$/ {printf "%s %s\n", $1, $7}' fixtures/user-access-audit/etc/passwd

simulated output

What it looks like

disposable vessel
::fixture-ready::
$ sed -n '1,8p' fixtures/user-access-audit/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alex:x:1000:1000:Alex Admin:/home/alex:/bin/bash
deploy:x:1001:1001:Deploy Bot:/home/deploy:/bin/bash
reports:x:1002:1002:Reports Service:/home/reports:/usr/sbin/nologin
breakglass:x:1003:1003:Break Glass:/home/breakglass:/bin/bash
backup:x:1004:1004:Backup Service:/srv/backup:/usr/sbin/nologin
::exit-code::0
$ awk -F: '$7 ~ /(bash|sh|zsh)$/ {printf "%s %s\n", $1, $7}' fixtures/user-access-audit/etc/passwd
root /bin/bash
alex /bin/bash
deploy /bin/bash
breakglass /bin/bash
::exit-code::0
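
The pattern above keys on field 7 ending in `sh`, so it skips an account whose shell field is empty (passwd(5) defaults that to /bin/sh) and any login program whose name does not end in `sh`. The script below is an added example, not part of the original lesson: it also checks field 7 against an /etc/shells-style list. The function names, note labels and sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. The passwd and shells data below are constructed samples.

# list_login_capable PASSWD SHELLS -> "user shell note" per login-capable account
# note: listed = shell is in SHELLS; pattern = ends in "sh" but is not listed;
#       empty-field = field 7 is empty, which passwd(5) defines as /bin/sh
list_login_capable() {
    awk -F: -v shells="$2" '
        BEGIN {
            # Load the valid-shell list, skipping comments and blank lines.
            while ((getline line < shells) > 0)
                if (line != "" && line !~ /^#/) listed[line] = 1
            close(shells)
        }
        {
            shell = $7; note = "pattern"
            if (shell == "") { shell = "/bin/sh"; note = "empty-field" }
            if (shell ~ /\/(nologin|false)$/) next      # explicit no-login stubs
            if (shell in listed) { if (note == "pattern") note = "listed" }
            else if (shell !~ /sh$/) next               # not a shell by either test
            printf "%s %s %s\n", $1, shell, note
        }
    ' "$1"
}

# make_fixture DIR: write constructed passwd and shells files into DIR
make_fixture() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alex:x:1000:1000:Alex Admin:/home/alex:/bin/bash
legacy:x:1005:1005:Legacy App:/home/legacy:
ops:x:1006:1006:Ops Console:/home/ops:/usr/bin/tmux
build:x:1007:1007:Build Agent:/home/build:/opt/tools/bin/fish
EOF
    cat > "$1/shells" <<'EOF'
# constructed /etc/shells-style list
/bin/sh
/bin/bash
/usr/bin/tmux
EOF
}

demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
list_login_capable "$demo_dir/passwd" "$demo_dir/shells"
rm -rf "$demo_dir"
```

Rows marked `empty-field` or `pattern` are the ones to look at first in a review: the first is invisible to the original one-liner, and the second names a shell the system's list does not recognise.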

YouTube Short

Who can get a shell?

Start an access review by listing accounts with shell-like login programs, then verify whether each one still has a reason to exist.

LinkedIn hook

Login shells are the first account inventory to review.

Question: Do you inventory login-capable accounts before changing server access?