Re: 'su by nobody' - should I be worried?
Matthijs <vanaalten@hotmail.com> writes:
> For a few days now, Logcheck has been reporting a lot of messages like this:
>
> ---------------------------------------------------------------------
> Security Violations for su
> =-=-=-=-=-=-=-=-=-=-=-=-=-
> Mar 30 06:25:02 MyMail su[13083]: (pam_unix) session opened for user
> nobody by (uid=0)
> ---------------------------------------------------------------------
>
> I've had similar messages for various users for cron and sshd.
>
> Should I be worried?
Probably not.
> The only way I can read these messages is that user 'nobody' has done a
> 'su' - become root.
No, it's the other way around: 'root' has used 'su' to become 'nobody'.
This is probably part of a script (run by a cronjob?).
Martin
--
,--. Martin Dickopp, Dresden, Germany ,= ,-_-. =.
/ ,- ) http://www.zero-based.org/ ((_/)o o(\_))
\ `-' `-'(. .)`-'
`-. Debian, a variant of the GNU operating system. \_/
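
Added example, not part of the original message: a small Python reader for pam_unix "session opened" lines that reports which side is the caller and which is the target account, the distinction the reply above turns on. The function name, the verdict strings and the second and third sample lines are assumptions made for illustration.

```python
import re

# "for user X" is the account the session runs as; "by (uid=N)" is the
# uid of the process that opened it (the caller), not the other way around.
SESSION_RE = re.compile(
    r"(?P<service>[\w.-]+)\[\d+\]: .*?session opened for user "
    r"(?P<target>[^\s(]+)\S* by [^\s(]*\(uid=(?P<uid>\d+)\)"
)


def read_session_line(line):
    """Return (service, caller_uid, target, verdict), or None if no match."""
    m = SESSION_RE.search(line)
    if m is None:
        return None
    uid, target = int(m.group("uid")), m.group("target")
    if uid == 0 and target != "root":
        # The case in the thread: root (cron job, daemon) drops to an account.
        verdict = "root opened a session as an unprivileged account"
    elif uid != 0 and target == "root":
        # The case the original poster was worried about.
        verdict = "non-root caller became root: review"
    else:
        verdict = "no change to or from root in this line"
    return m.group("service"), uid, target, verdict


# Constructed sample input: the first line is the one quoted in the message
# (unwrapped); the other two are made up for comparison.
SAMPLE = [
    "Mar 30 06:25:02 MyMail su[13083]: (pam_unix) session opened for user "
    "nobody by (uid=0)",
    "Mar 30 07:10:44 MyMail su[13412]: (pam_unix) session opened for user "
    "root by (uid=1000)",
    "Mar 30 07:12:09 MyMail sshd[13420]: (pam_unix) session opened for user "
    "alice by (uid=0)",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(read_session_line(entry))
```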