On Wed, 20 Sep 2000, Art Sackett wrote: >On Tue, Sep 19, 2000 at 06:03:48PM -0500, [EMAIL PROTECTED] wrote: >> Hey Guys, >> Do any of you know what may have caused this message in my syslogs? >> >> Unusual System Events >> =-=-=-=-=-=-=-=-=-=-= >> Sep 19 06:25:02 ghost su[322]: + ??? root-nobody >> Sep 19 06:25:02 ghost PAM_unix[322]: (su) session opened for user nobody >> by (uid=0) > >Likely, it's logrotate or somebody else who starts as nobody but >has to get root to move things around.
You got that wrong. root-nobody means that some program running as root executed "su nobody". Just to verify this I did a test with su and checked my logs before posting this message. >At least, that's the normal, non-threatening thing that probably >happens every morning at about the same time, I'd guess. Nobody suing to root is not non-threatening! Ideally you would have a group wheel or root required for su to root to prevent this. Currently I haven't as I haven't got the PAM setup for it going yet. Russell Coker
