SarahS93 l33t
Joined: 21 Nov 2013 Posts: 730
Posted: Mon Mar 02, 2020 9:05 am Post subject: Successful su for man by root
Never seen something like this before....
Code:
Mar 2 03:10:01 deruse su[10649]: Successful su for man by root
Mar 2 03:10:01 pc1 su[10649]: + ??? root:man
Mar 2 03:10:01 pc1 su[10649]: pam_unix(su:session): session opened for user man by (uid=0)
Mar 2 03:10:02 pc1 su[10649]: pam_unix(su:session): session closed for user man
What happened?!?!?
Ionen Developer
Joined: 06 Dec 2018 Posts: 2892
Posted: Mon Mar 02, 2020 9:07 am Post subject:
From /etc/cron.daily/man-db:
Code:
exec su man -s /bin/sh -c 'nice mandb --quiet' 2>/dev/null
(Edit: I'd argue su coming from root shouldn't even be logged; if compromised, being root is a bigger problem -- there are alternate options to change the running user from a script, but I think su is used for availability safety without relying on setuid; "runuser" is notably not available on a typical non-PAM system)
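Added example, not part of any post in this thread: a small Python triage of su log entries in the format quoted above, which separates root-initiated switches with no terminal (the pattern the man-db cron job produces) from entries that deserve a look. It reads the `???` in `+ ??? root:man` as su's placeholder for "no tty"; the sample lines, the `alice` session, the function names and the default year (syslog lines carry none) are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the syslog format quoted in the thread (not real logs).
SAMPLE = """\
Mar 2 03:10:01 pc1 su[10649]: Successful su for man by root
Mar 2 03:10:01 pc1 su[10649]: + ??? root:man
Mar 2 03:10:01 pc1 su[10649]: pam_unix(su:session): session opened for user man by (uid=0)
Mar 2 03:10:02 pc1 su[10649]: pam_unix(su:session): session closed for user man
Mar 2 14:22:10 pc1 su[20811]: Successful su for root by alice
Mar 2 14:22:10 pc1 su[20811]: + pts/0 alice:root
Mar 2 14:22:10 pc1 su[20811]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Mar 2 14:31:45 pc1 su[20811]: pam_unix(su:session): session closed for user root
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ su\[(\d+)\]: (.*)$")
SWITCH = re.compile(r"^\+ (\S+) (\S+):(\S+)$")  # "+ <tty> <caller>:<target>"

def su_sessions(text, year):
    """Group su lines by PID (PID reuse in a long log would merge records)."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an su line
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        s = sessions.setdefault(m.group(2), {})
        sw = SWITCH.match(m.group(3))
        if sw:
            s["tty"], s["caller"], s["target"] = sw.groups()
        elif "session opened" in m.group(3):
            s["opened"] = when
        elif "session closed" in m.group(3):
            s["closed"] = when
    return sessions

def triage(text, year=2020):
    """Return (pid, caller, target, tty, seconds, verdict) per su invocation."""
    out = []
    for pid, s in su_sessions(text, year).items():
        if not {"tty", "opened", "closed"} <= s.keys():
            out.append((pid, s.get("caller"), s.get("target"), s.get("tty"), None, "incomplete"))
            continue
        secs = (s["closed"] - s["opened"]).total_seconds()
        scripted = s["caller"] == "root" and s["tty"] == "???"
        out.append((pid, s["caller"], s["target"], s["tty"], secs, "scripted-by-root" if scripted else "review"))
    return out

if __name__ == "__main__": print(*triage(SAMPLE), sep="\n")
```

A `scripted-by-root` verdict only says the entry has the shape of a root script calling su; confirming the source still means finding the matching line, such as the one in /etc/cron.daily/man-db.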
ChrisJumper Advocate
Joined: 12 Mar 2005 Posts: 2403 Location: Germany
Posted: Tue Mar 03, 2020 11:23 pm Post subject: Re: Successful su for man by root
SarahS93 wrote:
Never seen something like this before....
Code:
Mar 2 03:10:01 deruse su[10649]: Successful su for man by root
Mar 2 03:10:01 pc1 su[10649]: + ??? root:man
Mar 2 03:10:01 pc1 su[10649]: pam_unix(su:session): session opened for user man by (uid=0)
Mar 2 03:10:02 pc1 su[10649]: pam_unix(su:session): session closed for user man
What happened?!?!?

I have zero strings in my logs like "user man".