Re: Seeing who has su-ed
From: Jason Kohles (firstname.lastname@example.org)
Date: Fri, 21 Mar 2003 11:40:53 -0500
From: Jason Kohles <email@example.com>
To: "Klotz, Brian" <Brian_Klotz@heald.edu>

On Thu, Mar 20, 2003 at 02:25:42PM -0800, Klotz, Brian wrote:
> I teach a Linux basics course and each term I have the problem of students
> who do an su to become root, then rather than exiting, they su again to go
> back to their regular account. The trouble is identifying when someone has
> done this (they usually don't remember). The "who" command only shows login
> shells (AFAIK) so it does not reveal when someone has su-ed.

Just check the logs. If I su to root, /var/log/messages on my machine logs:

traveller su(pam_unix): session opened for user root by jason(uid=500)

So you can see I went from uid 500 (my normal userid) to the root account. If
I then su back to my own account, I get:

traveller su(pam_unix): session opened for user jason by jason(uid=0)

So user jason, running as root (uid=0), su'ed to user jason.

Of course, if you aren't using PAM, then you'll have to try something else.

--
Jason Kohles
firstname.lastname@example.org
Senior Engineer
Red Hat Professional Consulting
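
The log check described in the reply above, as an added example that is not part of the original message: it scans pam_unix su lines and reports every case where a uid=0 shell su'ed to a non-root account. The function names, the optional timestamp and "[pid]" handling, and the sample log lines are assumptions constructed for illustration.

```python
import re

# The pam_unix line format quoted in the message above. Assumption: a syslog
# timestamp may precede the hostname and a "[pid]" may follow the tag.
SU_OPEN = re.compile(
    r"(?P<host>\S+) su\(pam_unix\)(?:\[\d+\])?: session opened for user "
    r"(?P<target>\S+) by (?P<login>[^\s(]*)\(uid=(?P<uid>\d+)\)"
)

def parse_su_events(lines):
    """Return one dict per 'session opened' line logged by su."""
    events = []
    for line in lines:
        m = SU_OPEN.search(line)
        if m:
            event = m.groupdict()
            event["uid"] = int(event["uid"])
            events.append(event)
    return events

def su_from_root(events):
    """Events where a uid=0 shell su'ed to a non-root account.

    As in the second log line of the message, 'login' still carries the
    original login name even though the caller's uid is 0 at that point.
    """
    return [e for e in events if e["uid"] == 0 and e["target"] != "root"]

# Constructed sample input (not real logs).
SAMPLE_LOG = """\
Mar 21 11:38:02 traveller su(pam_unix)[2041]: session opened for user root by jason(uid=500)
Mar 21 11:39:10 traveller su(pam_unix)[2077]: session opened for user jason by jason(uid=0)
Mar 21 11:45:31 traveller su(pam_unix)[2102]: session opened for user root by alice(uid=501)
Mar 21 11:50:12 traveller su(pam_unix)[2102]: session closed for user root
Mar 21 11:52:00 traveller sshd(pam_unix)[2150]: session opened for user bob by (uid=0)
"""

if __name__ == "__main__":
    for e in su_from_root(parse_su_events(SAMPLE_LOG.splitlines())):
        print(f"{e['host']}: {e['login']} (uid=0) su'ed to {e['target']}")
```

Run it over /var/log/messages by passing the open file in place of the sample lines; lines from other services and "session closed" lines are ignored.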