...

#!/usr/bin/bash -eu

if [ $UID -ne 0 ]; then
    echo "WARNING: This script needs to run as root to be effective"
    exit 1
fi

export SYSTEMD_NSS_BYPASS_SYNTHETIC=1

if [ "${1:-}" = "--ignore-journal" ]; then
    shift
    ignore_journal=1
else
    ignore_journal=0
fi

echo "Checking processes..."
if ps h -u 99 | grep .; then
    echo "ERROR: ps reports processes with UID 99!"
    exit 2
fi
echo "... not found"

echo "Checking UTMP..."
if w -h 199 | grep . ; then
    echo "ERROR: w reports UID 99 as active!"
    exit 2
fi
if w -h nobody | grep . ; then
    echo "ERROR: w reports user nobody as active!"
    exit 2
fi
echo "... not found"

echo "Checking the journal..."
if [ "$ignore_journal" = 0 ] && journalctl -q -b -n10 _UID=99 | grep . ; then
    echo "ERROR: journalctl reports messages from UID 99 in current boot!"
    exit 2
fi
echo "... not found"

echo "Looking for files in /etc, /run, /tmp, and /var..."
if find /etc /run /tmp /var -uid 99 -print | grep -m 10 . ; then
    echo "ERROR: found files belonging to UID 99"
    exit 2
fi
echo "... not found"

echo "Checking if nobody is defined correctly..."
if getent passwd nobody |
	grep '^nobody:[x*]:65534:65534:.*:/:/sbin/nologin';
then
    echo "OK, nothing to do."
    exit 0
else
    echo "NOTICE: User nobody is not defined correctly"
fi

echo "Checking if nfsnobody or something else is using the uid..."
if getent passwd 65534 | grep . ; then
    echo "NOTICE: will have to remove this user"
else
    echo "... not found"
fi

if [ "${1:-}" = "-x" ]; then
    if getent passwd nobody >/dev/null; then
	# this will remove both the user and the group.
	( set -x
   	  userdel nobody
	)
    fi

if getent passwd 65534 >/dev/null; then
	# Make sure the uid is unused. This should free gid too.
	name="$(getent passwd 65534 | cut -d: -f1)"
	( set -x
	  userdel "$name"
	)
    fi

if grep -qE '^(passwd|group):.*\bsss\b' /etc/nsswitch.conf; then
	echo "Sleeping, so sss can catch up"
	sleep 3
    fi

if getent group 65534; then
	# Make sure the gid is unused, even if uid wasn't.
	name="$(getent group 65534 | cut -d: -f1)"
	( set -x
	  groupdel "$name"
	)
    fi

# systemd-sysusers uses the same gid and uid
    ( set -x
      systemd-sysusers --inline 'u nobody 65534 "Kernel Overflow User" / /sbin/nologin'
    )
else
    echo "Pass '-x' to perform changes"
fi

.	Edit
..	Edit
boot	Edit
catalog	Edit
journald@netdata.conf.d	Edit
libsystemd-shared.abignore	Edit
network	Edit
ntp-units.d	Edit
purge-nobody-user	Edit
resolv.conf	Edit
system	Edit
system-generators	Edit
system-preset	Edit
system-shutdown	Edit
system-sleep	Edit
systemd	Edit
systemd-ac-power	Edit
systemd-backlight	Edit
systemd-binfmt	Edit
systemd-bless-boot	Edit
systemd-boot-check-no-failures	Edit
systemd-cgroups-agent	Edit
systemd-coredump	Edit
systemd-cryptsetup	Edit
systemd-export	Edit
systemd-fsck	Edit
systemd-growfs	Edit
systemd-hibernate-resume	Edit
systemd-hostnamed	Edit
systemd-initctl	Edit
systemd-integritysetup	Edit
systemd-journald	Edit
systemd-localed	Edit
systemd-logind	Edit
systemd-makefs	Edit
systemd-measure	Edit
systemd-modules-load	Edit
systemd-network-generator	Edit
systemd-pcrphase	Edit
systemd-pstore	Edit
systemd-quotacheck	Edit
systemd-random-seed	Edit
systemd-remount-fs	Edit
systemd-reply-password	Edit
systemd-rfkill	Edit
systemd-shutdown	Edit
systemd-sleep	Edit
systemd-socket-proxyd	Edit
systemd-sulogin-shell	Edit
systemd-sysctl	Edit
systemd-sysroot-fstab-check	Edit
systemd-sysupdate	Edit
systemd-sysv-install	Edit
systemd-timedated	Edit
systemd-udevd	Edit
systemd-update-done	Edit
systemd-update-helper	Edit
systemd-update-utmp	Edit
systemd-user-runtime-dir	Edit
systemd-user-sessions	Edit
systemd-vconsole-setup	Edit
systemd-veritysetup	Edit
systemd-volatile-root	Edit
systemd-xdg-autostart-condition	Edit
user	Edit
user-environment-generators	Edit
user-generators	Edit
user-preset	Edit