Re: Seeing who has su-ed

From: Jason Kohles (jkohles@redhat.com)
Date: 03/21/03

  • Next message: Stephen Samuel: "Re: Seeing who has su-ed"
    Date: Fri, 21 Mar 2003 11:40:53 -0500
    From: Jason Kohles <jkohles@redhat.com>
    To: "Klotz, Brian" <Brian_Klotz@heald.edu>
    
    

    On Thu, Mar 20, 2003 at 02:25:42PM -0800, Klotz, Brian wrote:
    >
    > I teach a Linux basics course and each term I have the problem of students
    > who do an su to become root, then rather than exiting, they su again to go
    > back to their regular account. The trouble is identifying when someone has
    > done this (they usually don't remember). The "who" command only shows login
    > shells (AFAIK) so it does not reveal when someone has su-ed.
    >
    Just check the logs, if I su to root, /var/log/messages on my machine logs:

    traveller su(pam_unix)[3315]: session opened for user root by jason(uid=500)

    So you can see I went from uid 500 (my normal userid) to the root account, if
    I then su back to my own account I get:

    traveller su(pam_unix)[3504]: session opened for user jason by jason(uid=0)

    So user jason, running as root (uid=0) su'ed to user jason.

    Of course if you aren't using pam, then you'll have to try something else.

    -- 
    Jason Kohles                                 jkohles@redhat.com
    Senior Engineer                 Red Hat Professional Consulting
    

  • Next message: Stephen Samuel: "Re: Seeing who has su-ed"

    Relevant Pages

    • RE: Seeing who has su-ed
      ... | who do an su to become root, then rather than exiting, they su again ... | shells (AFAIK) so it does not reveal when someone has su-ed. ...
      (Focus-Linux)
    • Re: Seeing who has su-ed
      ... > I teach a Linux basics course and each term I have the problem of students ... Mar 21 12:45:18 xx su: Authentication failed for alvin ... and if i su - root ... ...
      (Focus-Linux)
    • Re: user privledges
      ... > redhat 7.2 i created a user account for myself to use on a daily basis. ... > fare i have just been su - and entering the root pass. ... it started but would not install because i did ... sofware to /opt/musicmatch as a normal user. ...
      (comp.security.unix)
    • Re: Alerting - Malicious software removal tool
      ... >needed to install an application that she could not install from ... >"Administrator" account. ... You failed to analyze the root cause and correct it ... use their computers to have fun. ...
      (microsoft.public.security.virus)
    • Re: hi all..
      ... And with sudo, I certainly wouldn't because they already have root. ... If you somehow had access to my account right now, ... install an effective key logger without root. ...
      (Fedora)