@Trevor -
Not 100% sure about the question, so I'm answering based on how I'm interpreting it since you said services and I know you do a lot with RHCSA, so I'm interpreting the question as SystemD services and not just processes and commands running as root.
So, the systemctl command can list all SystemD units (specifically looking for services). So with this command, you can list all units, select the state of "running" and then search for and look for "root".
systemctl list-units --type=service --state=running --no-legend --plain | awk '{print $1}' | while read -r unit; do
    # -r keeps backslashes in escaped unit names (e.g. \x2d) intact
    user=$(systemctl show -p User --value "$unit")
    # If User is empty (implies default/root) or explicitly set to root
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "$unit"
    fi
done
I've taken a true example for you from our workstation VM ...
[root@workstation ~]# systemctl list-units --type=service --state=running --no-legend --plain | awk '{print $1}' | while read unit; do
user=$(systemctl show -p User --value "$unit")
# If User is empty (implies default/root) or explicitly set to root
if [ -z "$user" ] || [ "$user" = "root" ]; then
echo "$unit"
fi
done
accounts-daemon.service
atd.service
auditd.service
avahi-daemon.service
chronyd.service
crond.service
cups.service
dbus-broker.service
firewalld.service
fwupd.service
gdm.service
gssproxy.service
irqbalance.service
libstoragemgmt.service
mcelog.service
ModemManager.service
NetworkManager.service
polkit.service
power-profiles-daemon.service
rhsmcertd.service
rpcbind.service
rsyslog.service
rtkit-daemon.service
serial-getty@ttyS0.service
sshd.service
sssd-kcm.service
switcheroo-control.service
systemd-journald.service
systemd-logind.service
systemd-udevd.service
udisks2.service
upower.service
wpa_supplicant.service
[root@workstation ~]#
Hopefully this helps.
Another way it can be done with the ps command is not only looking for the user, but also the .service indicating it is the SystemD service.
[root@workstation ~]# ps -e -o user,unit | grep "^root" | awk '{print $2}' | grep "\.service" | sort -u
accounts-daemon.service
atd.service
auditd.service
crond.service
cups.service
firewalld.service
fwupd.service
gdm.service
gssproxy.service
irqbalance.service
mcelog.service
ModemManager.service
NetworkManager.service
power-profiles-daemon.service
rhsmcertd.service
rsyslog.service
serial-getty@ttyS0.service
sshd.service
sssd-kcm.service
switcheroo-control.service
systemd-journald.service
systemd-logind.service
systemd-udevd.service
udisks2.service
upower.service
user@0.service
wpa_supplicant.service
Keep in mind, these give only the currently running services as root and would not show a service that is "dead" or that has run at boot time and since completed. This only returns running services as the root user.
For any potential services that could run as the root user, you need to run a different query ...
systemctl show --type=service --all --property=Id,User | \
awk -F= '/^Id=/ {id=$2} /^User=/ {if ($2 == "" || $2 == "root") print id}'
This will look at all SystemD services in all states. It pulls from all defined SystemD service files (the .service) SystemD unit and returns the information.
[root@workstation ~]# systemctl show --type=service --all --property=Id,User | \
awk -F= '/^Id=/ {id=$2} /^User=/ {if ($2 == "" || $2 == "root") print id}'
accounts-daemon.service
alsa-restore.service
alsa-state.service
atd.service
auditd.service
auth-rpcgss-module.service
auto-cpufreq.service
autofs.service
avahi-daemon.service
blk-availability.service
chronyd.service
cloud-config.service
cloud-final.service
cloud-init-local.service
colord.service
cpupower.service
crond.service
cups.service
dbus-broker.service
dlerpm-upgrade.service
dm-event.service
dnf-makecache.service
dracut-cmdline.service
dracut-initqueue.service
dracut-mount.service
dracut-pre-mount.service
dracut-pre-pivot.service
dracut-pre-trigger.service
dracut-pre-udev.service
dracut-shutdown-onfailure.service
dracut-shutdown.service
ebtables.service
emergency.service
fcoe.service
firewalld.service
fwupd.service
gdm.service
getty@tty1.service
gssproxy.service
hv_kvp_daemon.service
initrd-cleanup.service
initrd-parse-etc.service
initrd-switch-root.service
initrd-udevadm-cleanup-db.service
insights-client-boot.service
ip6tables.service
ipset.service
iptables.service
irqbalance.service
iscsi-init.service
iscsi-onboot.service
iscsi-shutdown.service
iscsi-starter.service
iscsi.service
iscsid.service
iscsiuio.service
lab-service.service
ldconfig.service
libstoragemgmt.service
logrotate.service
low-memory-monitor.service
lvm2-activation-early.service
lvm2-lvmpolld.service
lvm2-monitor.service
mcelog.service
mdmonitor.service
microcode.service
mlocate-updatedb.service
ModemManager.service
modprobe@configfs.service
modprobe@drm.service
modprobe@fuse.service
multipathd.service
network.service
NetworkManager-wait-online.service
NetworkManager.service
nfs-idmapd.service
nfs-mountd.service
nfs-server.service
nfs-utils.service
nfsdcld.service
nftables.service
nis-domainname.service
nslcd.service
ntpd.service
ntpdate.service
nvmefc-boot-connections.service
ostree-readonly-sysroot-migration.service
ostree-remount.service
plymouth-quit-wait.service
plymouth-quit.service
plymouth-read-write.service
plymouth-start.service
plymouth-switch-root.service
polkit.service
power-profiles-daemon.service
rbdmap.service
rc-local.service
rescue.service
rhsmcertd.service
rpc-gssd.service
rpc-statd-notify.service
rpc-statd.service
rpc-svcgssd.service
rpcbind.service
rsyslog.service
rtkit-daemon.service
selinux-autorelabel-mark.service
serial-getty@ttyS0.service
smartd.service
snapd.seeded.service
sntp.service
sshd-keygen.service
sshd-keygen@ecdsa.service
sshd-keygen@ed25519.service
sshd-keygen@rsa.service
sshd.service
sssd-kcm.service
sssd.service
switcheroo-control.service
syslog.service
system76-power.service
systemd-ask-password-console.service
systemd-ask-password-plymouth.service
systemd-ask-password-wall.service
systemd-binfmt.service
systemd-boot-random-seed.service
systemd-boot-update.service
systemd-firstboot.service
systemd-fsck-root.service
systemd-fsck@dev-disk-by\x2duuid-7B77\x2d95E7.service
systemd-fsck@dev-sda2.service
systemd-hwdb-update.service
systemd-initctl.service
systemd-journal-catalog-update.service
systemd-journal-flush.service
systemd-journald.service
systemd-logind.service
systemd-machine-id-commit.service
systemd-modules-load.service
systemd-network-generator.service
systemd-networkd-wait-online.service
systemd-pcrmachine.service
systemd-pcrphase-initrd.service
systemd-pcrphase-sysinit.service
systemd-pcrphase.service
systemd-quotacheck.service
systemd-random-seed.service
systemd-remount-fs.service
systemd-repart.service
systemd-rfkill.service
systemd-sysctl.service
systemd-sysext.service
systemd-sysusers.service
systemd-timesyncd.service
systemd-tmpfiles-clean.service
systemd-tmpfiles-setup-dev.service
systemd-tmpfiles-setup.service
systemd-tmpfiles.service
systemd-udev-settle.service
systemd-udev-trigger.service
systemd-udevd.service
systemd-update-done.service
systemd-update-utmp-runlevel.service
systemd-update-utmp.service
systemd-user-sessions.service
systemd-vconsole-setup.service
tlp.service
tuned.service
udisks2.service
upower.service
user-runtime-dir@0.service
user@1000.service
vgauthd.service
webterminal.service
workstation-status.service
wpa_supplicant.service
ypbind.service
yppasswdd.service
ypserv.service
Again, these would be defined services on the system and they might never run because they aren't enabled. Why did I point this out ... because of the yp* services listed as I know that we aren't using YellowPages and NIS, but those services are still defined and present. So what we can do is just look at "enabled" services
This will look only for enabled services configured to run as the root user.
As you can see the list is much smaller. One other thing to keep in mind, some services can run on a scheduled timer and things like that so a service might not run when you've run a command to see what is currently running, but looking at enabled, you know services that could possibly run. Also keep in mind there are things like ".socket" UNIT files that can call and start a SystemD service to run.
Hope this helps and answers maybe the question you meant to ask or that I might have interpreted your question correctly.
In the event I misread or misunderstood your question ...
ps -U root -u root -f
This will get all running processes that have a real user of root and effective user of root.
If you want to filter out Kernel noise and only want userspace processes ...
ps -U root -u root -f | grep -v "\["
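An added example (not part of the original post) for the "enabled services that run as root" case described above: a parser for `systemctl show` property output that does not depend on the order of properties within a unit's record and can filter on `UnitFileState`. The function names, the extra `UnitFileState` property in the query, and the sample records (including the hypothetical `example-app.service`) are assumptions constructed for illustration.

```shell
#!/bin/sh
# root_services [STATE]
# Reads blank-line-separated KEY=VALUE records (systemctl show format) on
# stdin and prints the Id of every record whose User is empty or "root".
# If STATE is given (e.g. "enabled"), the record's UnitFileState must match.
root_services() {
    awk -v want="${1:-}" '
        # Decide once per record, after all of its properties were seen.
        function emit() {
            if (id != "" && (user == "" || user == "root") &&
                (want == "" || state == want))
                print id
            id = ""; user = ""; state = ""
        }
        /^$/ { emit(); next }          # blank line ends a unit record
        {
            eq = index($0, "=")         # split on the first "=" only
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            if (key == "Id") id = val
            else if (key == "User") user = val
            else if (key == "UnitFileState") state = val
        }
        END { emit() }                  # last record has no trailing blank
    '
}

# Constructed sample input; property order deliberately varies per record.
sample_show_output() {
    cat <<'EOF'
Id=sshd.service
User=
UnitFileState=enabled

User=
UnitFileState=disabled
Id=ypserv.service

Id=example-app.service
User=appuser
UnitFileState=enabled

UnitFileState=enabled
User=root
Id=crond.service

Id=systemd-fsck@dev-disk-by\x2duuid-7B77\x2d95E7.service
UnitFileState=static
User=
EOF
}

# On a live host, feed it the query from the post with one more property:
#   systemctl show --type=service --all --property=Id,User,UnitFileState \
#       | root_services enabled
sample_show_output | root_services enabled
```

Units in the `static` state have no install section and are pulled in by other units, so an `enabled` filter alone leaves them out; running `root_services` without an argument lists them as well.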
Hello,
ps -elf | grep root
Travis, in addition to your technical prowess, you're a mind reader!! Services that were intended to be launched by systemd were exactly the ones that I was referring to. Shame on me for not being explicit. I was doing some work with systemd, and it was as though I just assumed that everyone was looking over my shoulder at what I was doing, and would know that I was asking about services in a systemd context.
I know it wasn't heavy lifting for you to provide a solution that involved looping and conditional constructs, so thanks for going that extra mile. Again, I should have been more specific with my query, by asking for a single command - without having to bring in extra tools like awk, looping, and conditionals. Certainly nothing wrong with taking that route, if that aids in getting the job done. I'm still learning how to articulate questions
With your mentioning .socket unit files, potentially starting a systemd configured service, you were intent on covering all the bases!
Thank you for closing out your lesson, with those 2 renditions, involving the "ps" command. It was what I consider low-hanging fruit. However, this will be of benefit to that RHCSA-level learner.
You answered the query that I had in mind!
Thank you!!!
Wonderful answer by @Travis! Not sure what to add - in a nutshell:
To get a clear picture of high-privilege activity, you can start by using #ps -U root -u root u (or a filtered ps aux | grep root) to capture a full snapshot of every process currently owned by the root user. To complement this, running #systemctl list-units --type=service --state=running provides a clean list of all active services managed by systemd. By cross-matching these two outputs, you can quickly isolate which specific background services are running with root privileges. This filtered list serves as a high-priority audit trail, allowing you to focus your inspection on the attack surface, specifically checking their configurations, file permissions, and overall security posture to ensure they aren't introducing unnecessary risk.