On Wed, 20 Sep 2000, Art Sackett wrote:
>On Tue, Sep 19, 2000 at 06:03:48PM -0500, email@example.com wrote:
>> Hey Guys,
>> Do any of you know what may have caused this message in my syslogs?
>> Unusual System Events
>> Sep 19 06:25:02 ghost su: + ??? root-nobody
>> Sep 19 06:25:02 ghost PAM_unix: (su) session opened for user nobody
>> by (uid=0)
>Likely, it's logrotate or somebody else who starts as nobody but
>has to get root to move things around.
You got that wrong. root-nobody means that some program running as root
executed "su nobody". Just to verify this I did a test with su and checked my
logs before posting this message.
>At least, that's the normal, non-threatening thing that probably
>happens every morning at about the same time, I'd guess.
Nobody suing to root is not non-threatening! Ideally you would have a group
wheel or root required for su to root to prevent this. Currently I haven't as
I haven't got the PAM setup for it going yet.
- From: <firstname.lastname@example.org>
- Re: logcheck
- From: Art Sackett <email@example.com>