Re: Seeing who has su-ed
From: Jason Kohles (jkohles@redhat.com)
Date: 03/21/03
- Previous message: Cameron Simpson: "Re: Seeing who has su-ed"
- In reply to: Klotz, Brian: "Seeing who has su-ed"
- Next in thread: Stephen Samuel: "Re: Seeing who has su-ed"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 21 Mar 2003 11:40:53 -0500 From: Jason Kohles <jkohles@redhat.com> To: "Klotz, Brian" <Brian_Klotz@heald.edu>
On Thu, Mar 20, 2003 at 02:25:42PM -0800, Klotz, Brian wrote:
>
> I teach a Linux basics course and each term I have the problem of students
> who do an su to become root, then rather than exiting, they su again to go
> back to their regular account. The trouble is identifying when someone has
> done this (they usually don't remember). The "who" command only shows login
> shells (AFAIK) so it does not reveal when someone has su-ed.
>
Just check the logs, if I su to root, /var/log/messages on my machine logs:
traveller su(pam_unix)[3315]: session opened for user root by jason(uid=500)
So you can see I went from uid 500 (my normal userid) to the root account, if
I then su back to my own account I get:
traveller su(pam_unix)[3504]: session opened for user jason by jason(uid=0)
So user jason, running as root (uid=0) su'ed to user jason.
Of course if you aren't using pam, then you'll have to try something else.
-- Jason Kohles jkohles@redhat.com Senior Engineer Red Hat Professional Consulting
- Previous message: Cameron Simpson: "Re: Seeing who has su-ed"
- In reply to: Klotz, Brian: "Seeing who has su-ed"
- Next in thread: Stephen Samuel: "Re: Seeing who has su-ed"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
