Re: what's that?

To: Kirill Zverev <kirill@cmss.ru>
Cc: debian security <debian-security@lists.debian.org>
Subject: Re: what's that?
From: tony mancill <tony@mancill.com>
Date: Thu, 4 Apr 2002 21:47:02 -0800 (PST)
Message-id: <[🔎] Pine.LNX.4.44.0204042142190.15392-100000@bach>
In-reply-to: <[🔎] 105041569.20020405112139@cmss.ru>

On Fri, 5 Apr 2002, Kirill Zverev wrote:

> I found that in my logs:
>
> Apr  4 06:25:01 cmss su[30315]: + ??? root-nobody
> Apr  4 06:25:01 cmss PAM_unix[30315]: (su) session opened for user nobody by (uid=0)
>
> who could use su at six o'clock in the morning?

from /etc/crontab:

	# m h dom mon dow user  command
	25 6    * * *   root    test -e /usr/sbin/anacron || run-parts --report /etc/cron.daily

which then in turn invokes:

	/etc/cron.daily/find

which contains the line:

	cd / && updatedb --localuser=nobody 2>/dev/null

and from the manpage for updatedb, you'll see that --localuser invokes su.
:)

In short, this appears to be normal daily processing on your system.

tony
--
All parts should go together without forcing.  You must remember that
the parts you are reassembling were disassembled by you.  Therefore,
if you can't get them together again, there must be a reason.  By all
means, do not use a hammer.    -- IBM maintenance manual, 1925


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

References:
- what's that?
  - From: Kirill Zverev <kirill@cmss.ru>

Prev by Date: Re: what's that?
Next by Date: Re: what's that?
Previous by thread: Re: what's that?
Next by thread: Re: what's that?
Index(es):
- Date
- Thread