
Re: Strange auth.log entry



Brian P. Flaherty [bxf4@psu.edu] wrote:
> 
> I found this in my auth.log yesterday and I am puzzled by it.
> 
> Nov  7 00:52:56 localhost PAM_unix[4704]: authentication failure; (uid=0) -> **unknown** for passwd service
> 
> I don't know how to interpret the (uid=0) -> **unknown** part.  I
> don't think I was working as root at the time (in fact, I don't think
> I was working at all at the time).  I know sometimes a root process
> switches over to nobody (for example, wwwoffle).  I searched through
> all my past auth.log* files and did not find any other examples of
> this, so I don't think it is a (daily) cron job.  Finally, I don't see
> any record of someone trying to access the machine in kern.log or the
> ippl log.
> 
> Also, how do I find out what PAM_unix[4704] refers to?  I assume 4704
> is some sort of message, but I don't know where to look.  I perused
> the libpam-doc in /usr/doc, but did not see any sections that looked
> like a code reference.
> 
The **unknown** appears when there is no correct uid (number) match to a 
username (your login name) in /etc/passwd.  I only know this because of a bug 
in the dialy server I use (connectd) which didn't for whatever reason collect 
the correct uid for the user 'nobody'.  Obviously something (maybe in your 
cron job or an application running as root) is trying to lower its privileges 
but failing.  It could be a normal application (such as apache) trying to 
change its userid to 'www-data' only to find it's not there.  Look out for 
these kinds of things.

As for the 4704, I think, if I'm correct, that is the PID (process id, use top 
or ps ax to find out) that tried to lower its privileges.  When you see this 
error again do a 'ps ax' and see if you can match up the 'upset' application.

good luck

Alex
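
An added example, not part of either message: Python that pulls the bracketed PID, the uid and the target out of entries in the format quoted above, picks out the ones logged as **unknown**, and looks the uid up in the passwd database. The function names and the two extra sample lines are constructed for illustration.

```python
import pwd
import re

# Syslog layout of the quoted entry: "Mon DD HH:MM:SS host tag[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>[^\[\s:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# PAM_unix failure message, worded as in the quoted entry.
FAIL_RE = re.compile(
    r"authentication failure; \(uid=(?P<uid>\d+)\) -> (?P<target>\S+) "
    r"for (?P<service>\S+) service")

# First line is the entry from the thread; the other two are constructed.
SAMPLE = [
    "Nov  7 00:52:56 localhost PAM_unix[4704]: authentication failure; "
    "(uid=0) -> **unknown** for passwd service",
    "Nov  7 01:10:03 localhost PAM_unix[4811]: authentication failure; "
    "(uid=0) -> alice for su service",
    "Nov  7 01:15:01 localhost cron[4830]: constructed non-PAM line",
]

def uid_name(uid):
    """Name for a uid in the passwd database, or None if it has no entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except (KeyError, OverflowError):
        return None

def parse_failure(line):
    """Return the fields of a PAM_unix authentication failure, else None."""
    m = LINE_RE.match(line)
    f = FAIL_RE.search(m.group("msg")) if m and m.group("tag") == "PAM_unix" else None
    if not f:
        return None
    return {"time": m.group("ts"), "pid": int(m.group("pid")),
            "uid": int(f.group("uid")), "target": f.group("target"),
            "service": f.group("service")}

def unknown_targets(lines):
    """Failures whose target is logged as **unknown**."""
    hits = [parse_failure(l) for l in lines]
    return [h for h in hits if h and h["target"] == "**unknown**"]

if __name__ == "__main__":
    for h in unknown_targets(SAMPLE):
        print(h["time"], "pid", h["pid"], "service", h["service"],
              "caller uid", h["uid"], "=", uid_name(h["uid"]))
```

The PID is only useful for matching against 'ps ax' while the process is still running, so the timestamp is kept alongside it.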
