I wonder if this is a bug or a feature The command `select f

Question

I wonder if this is a bug or a feature The command `select from users` only comes up with local users as the documentation states Thus anything I join it to like `shell history` is similarly only local users However if you put in a where clause that calls out a specific username or uid it ll grab information about non local users like myself so easy to test Is there some way to enumerate all the users

HarlanF · Answer

If it matters I m seeing this in v5 2 2 on CentOS Stream release 8

Stefano Bonicatti · Answer

What do you mean non local users in the context of Linux How are you connecting to that machine

Stefano Bonicatti · Answer

oh sorry you mean users through ldap for instance

Stefano Bonicatti · Answer

So this is a side effect of the underlying system APIs the osquery uses There s currently no way to list non local users domain users the API used by osquery loops through users that are defined in ` etc passwd` `getpwent r` But when you provide a uid that uses `getpwuid r` which also passes through the various translation layers if defined like NIS or LDAP

Stefano Bonicatti · Answer

And no there s currently no way to list all users Although I wonder what all means All the ones that the client knows because they interacted in some way or all the users that could interact with it possibly thousands of domain users