Re: logcheck

To: Art Sackett <asackett@artsackett.com>
Cc: debian-isp <debian-isp@lists.debian.org>
Subject: Re: logcheck
From: Russell Coker <russell@coker.com.au>
Date: Wed, 20 Sep 2000 08:34:51 +0200
Message-id: <[🔎] 00092008345100.00880@lyta>
Reply-to: Russell Coker <russell@coker.com.au>
In-reply-to: <[🔎] 20000919160254.I4755@artsackett.com>
References: <[🔎] Pine.LNX.4.21.0009191802200.1482-100000@ghost.net.cfw.com> <[🔎] 20000919160254.I4755@artsackett.com>

On Wed, 20 Sep 2000, Art Sackett wrote:
>On Tue, Sep 19, 2000 at 06:03:48PM -0500, debian-isp@ghost.net.cfw.com wrote:
>> Hey Guys,
>> Do any of you know what may have caused this message in my syslogs?
>>
>> Unusual System Events
>> =-=-=-=-=-=-=-=-=-=-=
>> Sep 19 06:25:02 ghost su[322]: + ??? root-nobody
>> Sep 19 06:25:02 ghost PAM_unix[322]: (su) session opened for user nobody
>> by (uid=0)
>
>Likely, it's logrotate or somebody else who starts as nobody but
>has to get root to move things around.

You got that wrong.  root-nobody means that some program running as root 
executed "su nobody".  Just to verify this I did a test with su and checked my 
logs before posting this message.

>At least, that's the normal, non-threatening thing that probably
>happens every morning at about the same time, I'd guess.

Nobody suing to root is not non-threatening!  Ideally you would have a group 
wheel or root required for su to root to prevent this.  Currently I haven't as 
I haven't got the PAM setup for it going yet.

Russell Coker

Reply to:

Follow-Ups:
- Re: logcheck
  - From: <debian-isp@ghost.net.cfw.com>

References:
- logcheck
  - From: <debian-isp@ghost.net.cfw.com>
- Re: logcheck
  - From: Art Sackett <asackett@artsackett.com>

Prev by Date: Re: your mail
Next by Date: Configuring KDE- Dial Up PPP
Previous by thread: Re: logcheck
Next by thread: Re: logcheck
Index(es):
- Date
- Thread