I have these sorts of entries in my /var/log/auth.log:
Apr 3 12:32:23 machine_name su[1521]: Successful su for user1 by root
Apr 3 12:32:23 machine_name su[1654]: Successful su for user2 by root
Apr 3 12:32:24 machine_name su[1772]: Successful su for user3 by root
Situation:
- All users are real accounts in /etc/passwd;
- None of the users has its own crontab;
- All of those users logged in to the machine some time ago via SSH or NoMachine - the time varies from a few minutes to a few hours;
- no cron jobs are scheduled to run at that time, anacron is removed;
- I can see similar entries for other days and other times. The common part is that the users are logged in when they appear. They do not appear during login, but some time afterwards.
This machine has a similar setup to a few others, but it is the only one where I see these entries.
What causes them? Thanks
Edit: I managed to narrow it down. I believe it is caused by cron @reboot. The funny part is - it runs "something" only for the users logged in right before the reboot. I checked /var/spool/cron, crontab -u <username> -l, grep -r @reboot /etc /var and can't see anything.
How could I run cron @reboot manually?
If you can't find the source of the su launches, auditd will track them for you. See here: https://superuser.com/a/222924
It says here that the login program is run by root. When a user opens a session it is opened by root, then root su-es to that user, which is consistent with the log entries you have (root becoming user through su).
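One way to read what auditd records once su is being watched, as an added example that is not part of the original question or answers. It assumes an execute watch on /bin/su with the made-up key name su_exec, and the audit records in it are constructed samples.

```shell
#!/bin/sh
# Added example. Assumes su is watched with a rule such as
#   auditctl -w /bin/su -p x -k su_exec
# ("su_exec" is a key name made up here; the su path may differ).

# Constructed records in the raw /var/log/audit/audit.log layout.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1364985143.101:812): arch=c000003e syscall=59 success=yes exit=0 a0=1f2c a1=1f40 a2=1f60 a3=0 items=2 ppid=1498 pid=1521 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="su" exe="/bin/su" key="su_exec"
type=PATH msg=audit(1364985143.101:812): item=0 name="/bin/su" inode=131 dev=08:01 mode=0104755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1364985999.412:901): arch=c000003e syscall=59 success=yes exit=0 a0=2a10 a1=2a30 a2=2a50 a3=0 items=2 ppid=2210 pid=2304 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="su" exe="/bin/su" key="su_exec"
type=SYSCALL msg=audit(1364986001.007:902): arch=c000003e syscall=59 success=yes exit=0 a0=3b00 a1=3b20 a2=3b40 a3=0 items=2 ppid=1 pid=2400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ls" exe="/bin/ls" key="other"'

# Print one line per su execution: its pid (the number in "su[1521]" in
# auth.log), the parent pid that launched it, its tty, and whether a login
# uid was attached (auid 4294967295 means the login uid is unset).
su_parents() {
    awk '
    $1 == "type=SYSCALL" && /key="su_exec"/ {
        pid = ppid = auid = tty = "?"
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "pid")  pid  = kv[2]
            if (kv[1] == "ppid") ppid = kv[2]
            if (kv[1] == "auid") auid = kv[2]
            if (kv[1] == "tty")  tty  = kv[2]
        }
        origin = (auid == "4294967295") ? "no-login-session" : "login-uid-" auid
        print "pid=" pid, "ppid=" ppid, "tty=" tty, origin
    }'
}

# Run over the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_AUDIT" | su_parents
```

On a live system the same records come from `ausearch -k su_exec`, and the reported ppid can be looked up with `ps -p <ppid>` while the parent is still running.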