Re: Seeing who has su-ed

From: Jason Kohles (
Date: 03/21/03

  • Next message: Stephen Samuel: "Re: Seeing who has su-ed"
    Date: Fri, 21 Mar 2003 11:40:53 -0500
    From: Jason Kohles <>
    To: "Klotz, Brian" <>

    On Thu, Mar 20, 2003 at 02:25:42PM -0800, Klotz, Brian wrote:
    > I teach a Linux basics course and each term I have the problem of students
    > who do an su to become root, then rather than exiting, they su again to go
    > back to their regular account. The trouble is identifying when someone has
    > done this (they usually don't remember). The "who" command only shows login
    > shells (AFAIK) so it does not reveal when someone has su-ed.
    Just check the logs, if I su to root, /var/log/messages on my machine logs:

    traveller su(pam_unix)[3315]: session opened for user root by jason(uid=500)

    So you can see I went from uid 500 (my normal userid) to the root account, if
    I then su back to my own account I get:

    traveller su(pam_unix)[3504]: session opened for user jason by jason(uid=0)

    So user jason, running as root (uid=0) su'ed to user jason.

    Of course if you aren't using pam, then you'll have to try something else.

    Jason Kohles                       
    Senior Engineer                 Red Hat Professional Consulting

  • Next message: Stephen Samuel: "Re: Seeing who has su-ed"