$ Linux One Liners
Back to lessons

Cybersecurity Triage

List Users with Login Shells

You need to list accounts with shell-like login programs.

Command

awk -F: '$7 ~ /sh$/ {print $1, $7}' etc/passwd

What changed

Nothing changes. The command reads account records and prints shell users.

Danger

safe

When to use it

Use during account inventory, server handoff, or first-response checks.

When not to use it

Do not disable accounts from this output alone; confirm ownership and operational use first.

Undo or recovery

No undo needed because this command is read-only.

Expected output

Usernames and login shells for accounts ending in sh.

demo script

Disposable terminal steps

  1. cat etc/passwd
  2. awk -F: '$7 ~ /sh$/ {print $1, $7}' etc/passwd
Terminal transcript Demo JSON

simulated output

What it looks like

disposable vessel 
::fixture-ready::
$ cat etc/passwd
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alex:x:1000:1000:Alex:/home/alex:/bin/bash
deploy:x:1001:1001:Deploy:/home/deploy:/bin/bash
backup:x:1002:1002:Backup:/srv/backup:/usr/sbin/nologin
::exit-code::0
$ awk -F: '$7 ~ /sh$/ {print $1, $7}' etc/passwd
root /bin/bash
alex /bin/bash
deploy /bin/bash
::exit-code::0

YouTube Short

Which users can log in?

Read passwd records and print accounts with shell-like login programs during server inventory.

LinkedIn hook

Not every local account should be able to log in.

Question: Do you inventory login-capable users during VPS handoff?

experiments

A/B tests to run

Metric: save_rate

A: Who can log in?

B: Service accounts versus shell users.