Re: logcheck

On Wed, 20 Sep 2000, Art Sackett wrote:
>On Tue, Sep 19, 2000 at 06:03:48PM -0500, debian-isp@ghost.net.cfw.com wrote:
>> Hey Guys,
>> Do any of you know what may have caused this message in my syslogs?
>> Unusual System Events
>> =-=-=-=-=-=-=-=-=-=-=
>> Sep 19 06:25:02 ghost su[322]: + ??? root-nobody
>> Sep 19 06:25:02 ghost PAM_unix[322]: (su) session opened for user nobody by (uid=0)
>Likely, it's logrotate or somebody else who starts as nobody but
>has to get root to move things around.

You got that wrong.  root-nobody means that some program running as root 
executed "su nobody".  Just to verify this I did a test with su and checked my 
logs before posting this message.

>At least, that's the normal, non-threatening thing that probably
>happens every morning at about the same time, I'd guess.

Nobody su-ing to root is not non-threatening!  Ideally you would have a group 
wheel or root required for su to root to prevent this.  Currently I haven't as 
I haven't got the PAM setup for it going yet.

Russell Coker
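
The reading of the su line discussed in this thread can be turned into a small log triage check. This is an added example, not part of the original message: `classify`, the verdict names and the constructed sample lines are hypothetical, and it assumes a leading "-" marks a failed su attempt.

```python
import re

# su line format as quoted in the thread:
#   Sep 19 06:25:02 ghost su[322]: + ??? root-nobody
SU_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssu\[(?P<pid>\d+)\]:\s"
    r"(?P<result>[+-])\s(?P<tty>\S+)\s(?P<users>\S+)$"
)

def classify(line):
    """Return a dict describing one su log line, or None if it is not one."""
    m = SU_LINE.match(line.strip())
    if m is None:
        return None
    ok = m.group("result") == "+"    # assumption: "-" marks a failed attempt
    users = m.group("users")
    if users.count("-") != 1:
        # A hyphen inside a user name makes "from-to" ambiguous: ask a human.
        src, dst, verdict = users, None, "review"
    else:
        src, dst = users.split("-")
        if not ok:
            verdict = "alert"        # failed su attempt
        elif dst == "root" and src != "root":
            verdict = "alert"        # unprivileged account became root
        elif src == "root":
            verdict = "routine"      # root switching to another account
        else:
            verdict = "review"       # user-to-user switch
    return {"host": m.group("host"), "pid": int(m.group("pid")),
            "tty": m.group("tty"), "from": src, "to": dst,
            "success": ok, "verdict": verdict}

SAMPLE = [
    "Sep 19 06:25:02 ghost su[322]: + ??? root-nobody",       # from the thread
    "Sep 19 06:25:02 ghost PAM_unix[322]: (su) session opened for user nobody by (uid=0)",
    "Sep 19 07:10:44 ghost su[911]: + pts/0 nobody-root",     # constructed
    "Sep 19 07:11:03 ghost su[915]: - pts/0 nobody-root",     # constructed
    "Sep 19 07:12:30 ghost su[920]: + pts/1 www-data-root",   # constructed
]

if __name__ == "__main__":
    for line in SAMPLE:
        info = classify(line)
        if info:
            print(info["verdict"], info["from"], "->", info["to"])
```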

