
Re: 'su by nobody' - should I be worried?



Matthijs <vanaalten@hotmail.com> writes:

> Since a few days, Logcheck reports a lot of messages like this:
>
> ---------------------------------------------------------------------
> Security Violations for su
> =-=-=-=-=-=-=-=-=-=-=-=-=-
> Mar 30 06:25:02 MyMail su[13083]: (pam_unix) session opened for user
> nobody by (uid=0)
> ---------------------------------------------------------------------
>
> I've had similar messages for various users for cron and sshd.
>
> Should I be worried?

Probably not.

> The only way I can read these messages is that user 'nobody' has done a
> 'su' - become root.

No, it's the other way around: 'root' has used 'su' to become 'nobody'.
This is probably part of a script (run by a cronjob?).

Martin


-- 
   ,--.    Martin Dickopp, Dresden, Germany                 ,= ,-_-. =.
  / ,- )   http://www.zero-based.org/                      ((_/)o o(\_))
  \ `-'                                                     `-'(. .)`-'
   `-.     Debian, a variant of the GNU operating system.       \_/
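
Added example, not part of the original message: a small parser that reads the pam_unix session line in the direction described in the reply, where the name after "for user" is the account being entered and the uid after "by" is the caller. The function names, the newer `pam_unix(su:session)` line format, and the second sample line are assumptions of this example; the first sample line is the one quoted in the thread, unwrapped.

```python
import re

# Old "(pam_unix)" form from the thread and the later "pam_unix(svc:session):" form.
SESSION_RE = re.compile(
    r"(?P<service>[\w.-]+)\[(?P<pid>\d+)\]:\s+"
    r"(?:\(pam_unix\)|pam_unix\([^)]*\):)\s+"
    r"session opened for user (?P<target>[^\s(]+)(?:\(uid=\d+\))?"
    r" by (?P<by_name>[^\s(]*)\(uid=(?P<by_uid>\d+)\)"
)

SAMPLE = [
    # Line quoted in the thread, joined back onto one line.
    "Mar 30 06:25:02 MyMail su[13083]: (pam_unix) session opened for user nobody by (uid=0)",
    # Constructed line: the opposite direction, a normal user becoming root.
    "Mar 30 07:10:11 MyMail su[14001]: pam_unix(su:session): session opened for user root by alice(uid=1000)",
    # Constructed line: not a session-open record, must be skipped.
    "Mar 30 06:25:02 MyMail su[13083]: (pam_unix) session closed for user nobody",
]


def parse_session(line):
    """Return service, target account and caller uid, or None if no match."""
    m = SESSION_RE.search(line)
    if m is None:
        return None
    return {
        "service": m.group("service"),
        "target": m.group("target"),        # account the session runs as
        "invoker_uid": int(m.group("by_uid")),  # uid of the process that asked
    }


def classify(rec):
    """Describe the direction of the identity change in one parsed record."""
    if rec["invoker_uid"] == 0 and rec["target"] != "root":
        return "root process opened session as " + rec["target"]
    if rec["invoker_uid"] != 0 and rec["target"] == "root":
        return "uid %d opened session as root" % rec["invoker_uid"]
    return "other"


def summarize(lines):
    """Classify every session-open line, ignoring everything else."""
    return [classify(r) for r in map(parse_session, lines) if r is not None]


if __name__ == "__main__":
    for label in summarize(SAMPLE):
        print(label)
```
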


