This post on reddit made me go through my logs. That's when I discovered the following entries which appeared on two non-subsequent days. "user" is my user account.
Aug 4 22:50:37 UbuntuSystem sudo: pam_unix(sudo:session): session opened for user root by user(uid=1000)
Aug 4 22:50:39 UbuntuSystem sudo: pam_unix(sudo:session): session closed for user root
Aug 4 22:51:16 UbuntuSystem su[10710]: Successful su for user by root
Aug 4 22:51:16 UbuntuSystem su[10710]: + ??? root:user
Aug 4 22:51:16 UbuntuSystem su[10710]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10710]: pam_unix(su:session): session closed for user user
Aug 4 22:51:17 UbuntuSystem su[10720]: Successful su for user by root
Aug 4 22:51:17 UbuntuSystem su[10720]: + ??? root:user
Aug 4 22:51:17 UbuntuSystem su[10720]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10720]: pam_unix(su:session): session closed for user user
Aug 4 22:51:17 UbuntuSystem su[10735]: Successful su for user by root
Aug 4 22:51:17 UbuntuSystem su[10735]: + ??? root:user
Aug 4 22:51:17 UbuntuSystem su[10735]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10735]: pam_unix(su:session): session closed for user user
Aug 4 22:51:17 UbuntuSystem su[10763]: Successful su for user by root
Aug 4 22:51:17 UbuntuSystem su[10763]: + ??? root:user
Aug 4 22:51:17 UbuntuSystem su[10763]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10763]: pam_unix(su:session): session closed for user user
Aug 4 22:51:17 UbuntuSystem su[10773]: Successful su for user by root
Aug 4 22:51:17 UbuntuSystem su[10773]: + ??? root:user
Aug 4 22:51:17 UbuntuSystem su[10773]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10773]: pam_unix(su:session): session closed for user user
Aug 4 22:51:17 UbuntuSystem su[10788]: Successful su for user by root
Aug 4 22:51:17 UbuntuSystem su[10788]: + ??? root:user
Aug 4 22:51:17 UbuntuSystem su[10788]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10788]: pam_unix(su:session): session closed for user user
Aug 4 22:51:17 UbuntuSystem su[10801]: Successful su for user by root
Aug 4 22:51:17 UbuntuSystem su[10801]: + ??? root:user
Aug 4 22:51:17 UbuntuSystem su[10801]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10801]: pam_unix(su:session): session closed for user user
Aug 4 22:51:17 UbuntuSystem su[10814]: Successful su for user by root
Aug 4 22:51:17 UbuntuSystem su[10814]: + ??? root:user
Aug 4 22:51:17 UbuntuSystem su[10814]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10814]: pam_unix(su:session): session closed for user user
Aug 4 22:51:17 UbuntuSystem su[10829]: Successful su for user by root
Aug 4 22:51:17 UbuntuSystem su[10829]: + ??? root:user
Aug 4 22:51:17 UbuntuSystem su[10829]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10829]: pam_unix(su:session): session closed for user user
Aug 4 22:51:17 UbuntuSystem su[10842]: Successful su for user by root
Aug 4 22:51:17 UbuntuSystem su[10842]: + ??? root:user
Aug 4 22:51:17 UbuntuSystem su[10842]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10842]: pam_unix(su:session): session closed for user user
Aug 4 22:51:17 UbuntuSystem su[10855]: Successful su for user by root
Aug 4 22:51:17 UbuntuSystem su[10855]: + ??? root:user
Aug 4 22:51:17 UbuntuSystem su[10855]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10855]: pam_unix(su:session): session closed for user user
Aug 4 23:41:39 UbuntuSystem su[11153]: Successful su for user by root
Aug 4 23:41:39 UbuntuSystem su[11153]: + ??? root:user
Aug 4 23:41:39 UbuntuSystem su[11153]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 23:41:39 UbuntuSystem su[11153]: pam_unix(su:session): session closed for user user
Aug 4 23:41:39 UbuntuSystem su[11166]: Successful su for user by root
Aug 4 23:41:39 UbuntuSystem su[11166]: + ??? root:user
Aug 4 23:41:39 UbuntuSystem su[11166]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 23:41:39 UbuntuSystem su[11166]: pam_unix(su:session): session closed for user user
Aug 4 23:41:39 UbuntuSystem su[11181]: Successful su for user by root
Aug 4 23:41:39 UbuntuSystem su[11181]: + ??? root:user
Aug 4 23:41:39 UbuntuSystem su[11181]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 23:41:39 UbuntuSystem su[11181]: pam_unix(su:session): session closed for user user
Aug 4 23:41:39 UbuntuSystem su[11193]: Successful su for user by root
Aug 4 23:41:39 UbuntuSystem su[11193]: + ??? root:user
Aug 4 23:41:39 UbuntuSystem su[11193]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 23:41:39 UbuntuSystem su[11193]: pam_unix(su:session): session closed for user user
Aug 4 23:41:39 UbuntuSystem su[11211]: Successful su for user by root
Aug 4 23:41:39 UbuntuSystem su[11211]: + ??? root:user
Aug 4 23:41:39 UbuntuSystem su[11211]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 23:41:39 UbuntuSystem su[11211]: pam_unix(su:session): session closed for user user
Aug 4 23:41:39 UbuntuSystem su[11226]: Successful su for user by root
Aug 4 23:41:39 UbuntuSystem su[11226]: + ??? root:user
Aug 4 23:41:39 UbuntuSystem su[11226]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 23:41:39 UbuntuSystem su[11226]: pam_unix(su:session): session closed for user user
Aug 4 23:41:39 UbuntuSystem su[11241]: Successful su for user by root
Aug 4 23:41:39 UbuntuSystem su[11241]: + ??? root:user
Aug 4 23:41:39 UbuntuSystem su[11241]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 23:41:39 UbuntuSystem su[11241]: pam_unix(su:session): session closed for user user
Aug 4 23:41:39 UbuntuSystem su[11253]: Successful su for user by root
Aug 4 23:41:39 UbuntuSystem su[11253]: + ??? root:user
Aug 4 23:41:39 UbuntuSystem su[11253]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 23:41:39 UbuntuSystem su[11253]: pam_unix(su:session): session closed for user user
Aug 4 23:42:18 UbuntuSystem gnome-screensaver-dialog: gkr-pam: unlocked login keyring
Aug 4 23:42:33 UbuntuSystem polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.48, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Aug 15 20:17:01 UbuntuSystem CRON[26579]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 15 20:17:01 UbuntuSystem CRON[26579]: pam_unix(cron:session): session closed for user root
Aug 15 21:15:15 UbuntuSystem su[27098]: Successful su for user by root
Aug 15 21:15:15 UbuntuSystem su[27098]: + ??? root:user
Aug 15 21:15:15 UbuntuSystem su[27098]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 15 21:15:15 UbuntuSystem su[27098]: pam_unix(su:session): session closed for user user
Aug 15 21:17:01 UbuntuSystem CRON[27141]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 15 21:17:01 UbuntuSystem CRON[27141]: pam_unix(cron:session): session closed for user root
Apart from these iterations, the only other time I found similar output was when I tried out the guest account:
Aug 11 22:38:49 UbuntuSystem lightdm: pam_unix(lightdm:session): session closed for user lightdm
Aug 11 22:38:49 UbuntuSystem groupadd[2918]: group added to /etc/group: name=guest-4Eflre, GID=125
Aug 11 22:38:49 UbuntuSystem groupadd[2918]: group added to /etc/gshadow: name=guest-4Eflre
Aug 11 22:38:49 UbuntuSystem groupadd[2918]: new group: name=guest-4Eflre, GID=125
Aug 11 22:38:50 UbuntuSystem useradd[2922]: new user: name=guest-4Eflre, UID=115, GID=125, home=/, shell=/bin/bash
Aug 11 22:38:50 UbuntuSystem usermod[2927]: change user 'guest-4Eflre' password
Aug 11 22:38:50 UbuntuSystem chage[2932]: changed password expiry for guest-4Eflre
Aug 11 22:38:50 UbuntuSystem chfn[2935]: changed user 'guest-4Eflre' information
Aug 11 22:38:50 UbuntuSystem usermod[2943]: change user 'guest-4Eflre' home from '/' to '/tmp/guest-4Eflre'
Aug 11 22:38:50 UbuntuSystem su[2948]: Successful su for guest-4Eflre by root
Aug 11 22:38:50 UbuntuSystem su[2948]: + ??? root:guest-4Eflre
Aug 11 22:38:50 UbuntuSystem su[2948]: pam_unix(su:session): session opened for user guest-4Eflre by (uid=0)
Aug 11 22:38:50 UbuntuSystem su[2948]: pam_unix(su:session): session closed for user guest-4Eflre
Aug 11 22:38:50 UbuntuSystem lightdm: pam_unix(lightdm-autologin:session): session opened for user guest-4Eflre by (uid=0)
Aug 11 22:38:50 UbuntuSystem lightdm: pam_ck_connector(lightdm-autologin:session): nox11 mode, ignoring PAM_TTY :0
I might have to add that I set up my system only fairly recently (Aug 4).
Is this behaviour normal? What exactly is going on with all the su commands? Do I have to be worried that my system might be compromised?
Many thanks in advance.
Those warnings are when you switch from root to your user.
It doesn't appear that you have any problem.
These are not from when you run sudo. But they are not a problem, either. The messages say:
This happens whenever you log in. Whether you're logging in as a real user or as a guest user, the login screen runs as root, so it must change user identity from root to a non-root user as part of the login process.
This isn't user becoming root. This is root becoming user.
I think I may have found at least one of the culprits:
In this case the entries were connected to Jupiter power applet and specifically appeared when changing the CPU power mode. As there was no mention of Jupiter in any of the other instances, I cannot be sure whether they can be attributed to the same process.
I will keep monitoring my logs and post any further results here.
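The distinction the answers draw (root dropping to an unprivileged user, as the login screen and system services do, versus a user becoming root) can be checked mechanically rather than by eye. The following is an added example, not code from the question or the answers: it parses su and sudo lines in the exact shape shown above, joins su's two log lines by PID, and counts each direction, using a constructed sample that adds one made-up interactive su to root so that both directions occur.

```python
import re

# Patterns for the su(1) and sudo lines that su/pam_unix write to auth.log, in the shapes the question shows.
SU_OK = re.compile(r"su\[(?P<pid>\d+)\]: Successful su for (?P<target>\S+) by (?P<source>\S+)$")
SU_TTY = re.compile(r"su\[(?P<pid>\d+)\]: \+ (?P<tty>\S+) (?P<source>[^:]+):(?P<target>\S+)$")
SUDO = re.compile(r"sudo: pam_unix\(sudo:session\): session opened for user (?P<target>\S+) by (?P<source>\S*?)\(uid=\d+\)$")

def parse(lines):
    """One dict per identity change: tool, source, target, tty. su's two lines are joined by PID."""
    by_pid, out = {}, []
    for line in (l.rstrip() for l in lines):
        if m := SU_OK.search(line):
            # tty is filled in from the following "+ tty src:dst" line; "???" means no controlling terminal.
            by_pid[m["pid"]] = {"tool": "su", "source": m["source"], "target": m["target"], "tty": "?"}
            out.append(by_pid[m["pid"]])
        elif (m := SU_TTY.search(line)) and m["pid"] in by_pid:
            by_pid[m["pid"]]["tty"] = m["tty"]
        elif m := SUDO.search(line):
            out.append({"tool": "sudo", "source": m["source"], "target": m["target"], "tty": "n/a"})
    return out

def classify(sw):
    """'drop' is root becoming a user (what the answers describe); 'escalation' is anyone becoming root."""
    if sw["source"] == "root" and sw["target"] != "root":
        return "drop"
    if sw["target"] == "root":
        return "escalation"
    return "lateral"

def summarize(lines):
    """Count each kind and list the escalations, which are the entries worth a second look."""
    counts, escalations = {"drop": 0, "escalation": 0, "lateral": 0}, []
    for sw in parse(lines):
        kind = classify(sw)
        counts[kind] += 1
        if kind == "escalation":
            escalations.append((sw["tool"], sw["source"], sw["tty"]))
    return counts, escalations

# Constructed sample: lines copied from the question plus one made-up interactive su to root from a
# terminal (PID 10900), so that both directions occur.
SAMPLE = """\
Aug 4 22:50:37 UbuntuSystem sudo: pam_unix(sudo:session): session opened for user root by user(uid=1000)
Aug 4 22:51:16 UbuntuSystem su[10710]: Successful su for user by root
Aug 4 22:51:16 UbuntuSystem su[10710]: + ??? root:user
Aug 4 22:51:17 UbuntuSystem su[10720]: Successful su for user by root
Aug 4 22:51:17 UbuntuSystem su[10720]: + ??? root:user
Aug 4 22:55:02 UbuntuSystem su[10900]: Successful su for root by user
Aug 4 22:55:02 UbuntuSystem su[10900]: + /dev/pts/0 user:root
""".splitlines()
```

Running summarize over the real auth.log (for example `summarize(open("/var/log/auth.log"))`) reports only the entries where someone became root; the root-to-user bursts from the question land in the "drop" count, and their "???" tty confirms they came from a process without a terminal rather than from someone at a shell.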