On Wed, 31 Mar 2004 00:40:19 +0200, Martin Dickopp
<[EMAIL PROTECTED]> wrote:

> Matthijs <[EMAIL PROTECTED]> writes:
> 
> > For a few days now, Logcheck has been reporting a lot of messages like this:
> >
> > ---------------------------------------------------------------------
> > Security Violations for su
> > =-=-=-=-=-=-=-=-=-=-=-=-=-
> > Mar 30 06:25:02 MyMail su[13083]: (pam_unix) session opened for user
> > nobody by (uid=0)
> > ---------------------------------------------------------------------
> >
> > The only way I can read these messages is that user 'nobody' has done a
> > 'su' - become root.
> 
> No, it's the other way around: 'root' has used 'su' to become 'nobody'.
> This is probably part of a script (run by a cronjob?).

Ah, I interpreted the word 'for' in the report incorrectly! Indeed a
cronjob, something that is executed precisely at 06:25.

I sleep much better now - thanks!
-- 
Matthijs
[EMAIL PROTECTED]
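
An added example, not part of the original thread: a small parser that applies the reading given above, where "for user X" names the target account and "by NAME(uid=N)" names the caller. The second and third sample lines, the account name `alice`, and the verdict strings are constructed for illustration.

```python
import re

# Old-style pam_unix session line as written by su, e.g.
#   su[13083]: (pam_unix) session opened for user nobody by (uid=0)
# "for user X" is the TARGET account; "by NAME(uid=N)" is the CALLER.
SESSION_RE = re.compile(
    r"su\[(?P<pid>\d+)\]: \(pam_unix\) session opened "
    r"for user (?P<target>\S+) by (?P<caller>[^\s(]*)\(uid=(?P<uid>\d+)\)"
)

def classify(line):
    """Return (caller_uid, target, verdict) for a su session line, else None."""
    m = SESSION_RE.search(line)
    if m is None:
        return None
    uid, target = int(m.group("uid")), m.group("target")
    if uid == 0 and target != "root":
        verdict = "root dropped to unprivileged account"
    elif uid != 0 and target == "root":
        verdict = "non-root caller became root"
    elif uid == 0:
        verdict = "root to root"
    else:
        verdict = "user switched to another user"
    return uid, target, verdict

# Sample input: the first line is the one quoted in the thread (unwrapped);
# the other two are constructed for this example.
SAMPLE_LOG = """\
Mar 30 06:25:02 MyMail su[13083]: (pam_unix) session opened for user nobody by (uid=0)
Mar 30 09:14:37 MyMail su[14120]: (pam_unix) session opened for user root by alice(uid=1000)
Mar 30 09:20:01 MyMail CRON[14200]: (pam_unix) session opened for user root by (uid=0)
"""

def review(log_text):
    """Classify every su session line; lines from other programs are skipped."""
    results = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is not None:
            results.append(hit)
    return results

if __name__ == "__main__":
    for uid, target, verdict in review(SAMPLE_LOG):
        print(f"uid={uid} -> {target}: {verdict}")
```

Only the second sample line, a non-root caller opening a session for root, is the case the original poster was worried about.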

