how to determine what is causing su entries in the auth log

Hello,

On a Debian 4 server running VirtualMin, I find a lot of entries in the auth log of this type:

Jun 12 05:46:05 lvi-mailer su[20022]: Successful su for anton by root
Jun 12 05:46:05 lvi-mailer su[20022]: + ??? root:anton
Jun 12 05:46:05 lvi-mailer su[20022]: (pam_unix) session opened for user anton by (uid=0)
Jun 12 05:46:05 lvi-mailer su[20022]: (pam_unix) session closed for user anton

and some of them get highlighted especially by the logcheck utility.

Since these occur at regular times every day, they must originate from cron jobs set up by Virtualmin, so I would like to learn how to track down what job they correspond to. Is there some way of looking it up by the number in brackets?

And why do any of these routine jobs need su privileges?

My apologies for putting what probably amounts to a newbie question, and many thanks in advance for any insights!
Robert

Hi Robert,

Yeah, those are all pretty typical.

They don’t actually need root privileges – it’s the other way around.

The message is:

“Successful su for anton by root”

That is, since Cron runs as root – it’s decreasing its privileges from root to the user anton prior to executing any commands.

To determine what is being run, you could always look in /etc/cron.d/ and /var/spool/cron/crontabs/ for entries starting with the number “46” (meaning, they run when the minute reaches 46, such as yours does above).

To do that, you could run:

grep '^46' /etc/cron.d/* /var/spool/cron/crontabs/*

Feel free to yell if you have any other questions!
-Eric
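As an added example (not code from this thread or from Virtualmin), the same correlation done programmatically: it parses the "Successful su ... by root" lines from the auth log, matches their hour and minute against /etc/cron.d-style entries (minute hour dom mon dow user command; the user-crontab format in /var/spool/cron/crontabs has no user column and is not handled here), and reports su events that no scheduled job accounts for. The log lines and cron entries below are constructed, and the script paths are placeholders.

```python
import re
# Auth-log line "... su[PID]: Successful su for TARGET by BY" and a cron.d entry.
SU_RE = re.compile(r'^\w{3} +\d+ (?P<hh>\d\d):(?P<mm>\d\d):\d\d \S+ su\[(?P<pid>\d+)\]: '
                   r'Successful su for (?P<target>\S+) by (?P<by>\S+)$')
CRON_RE = re.compile(r'^\s*(?P<min>[\d*,/]+)\s+(?P<hour>[\d*,/]+)\s+\S+\s+\S+\s+\S+\s+'
                     r'(?P<user>\S+)\s+(?P<cmd>.+?)\s*$')

def field_matches(field, value):
    """Match one cron field ('*', '*/n', a number, or a comma list of those) against value."""
    for part in field.split(','):
        if part == '*':
            return True
        if part.startswith('*/') and value % int(part[2:]) == 0:
            return True
        if part.isdigit() and int(part) == value:
            return True
    return False

def parse_su_events(log_lines):
    """Yield (pid, target, hour, minute) for each successful-su line; other lines are skipped."""
    for m in filter(None, map(SU_RE.match, log_lines)):
        yield m['pid'], m['target'], int(m['hh']), int(m['mm'])

def parse_cron(cron_text):
    """Yield (minute_field, hour_field, user, command); comment lines never match CRON_RE."""
    for line in cron_text.splitlines():
        m = CRON_RE.match(line)
        if m:
            yield m['min'], m['hour'], m['user'], m['cmd']

def candidate_jobs(hour, minute, entries):
    """Commands scheduled at hour:minute, i.e. the jobs that could have issued the su."""
    return [cmd for mn, hr, _user, cmd in entries
            if field_matches(mn, minute) and field_matches(hr, hour)]

def unexplained_su(log_lines, cron_text):
    """(pid, target, 'HH:MM') for every su event whose time matches no cron schedule."""
    entries = list(parse_cron(cron_text))
    return [(pid, target, f'{hh:02d}:{mm:02d}')
            for pid, target, hh, mm in parse_su_events(log_lines)
            if not candidate_jobs(hh, mm, entries)]

# Constructed sample input: the first two lines echo the thread, the 03:17 event is invented.
SAMPLE_LOG = """Jun 12 05:46:05 lvi-mailer su[20022]: Successful su for anton by root
Jun 13 02:11:01 lvi-mailer su[10538]: Successful su for sam by root
Jun 13 03:17:40 lvi-mailer su[31201]: Successful su for sam by root""".splitlines()
SAMPLE_CRON = """# m h dom mon dow user command (constructed; placeholder script paths)
46 5 * * * root /usr/local/bin/nightly-report.sh
11 2 * * * root /usr/local/bin/awstats-all-domains.sh
*/10 * * * * root /usr/local/bin/queue-check.sh"""
```

An su-by-root event left in the unexplained list is one that cron cannot account for and is worth following up by hand; events that do match still identify the candidate job by its command line.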

Hi Eric,

thanks a million! That reveals it to be the awstats reporting cron job.

This leads to another oddity: on some days, several of these awstats cron jobs run multiple times in successive seconds:

Jun 13 02:11:01 lvi-mailer su[10538]: Successful su for sam by root
Jun 13 02:11:01 lvi-mailer su[10538]: (pam_unix) session opened for user sam by (uid=0)
Jun 13 02:11:02 lvi-mailer su[10538]: (pam_unix) session closed for user sam

Jun 13 02:11:02 lvi-mailer su[10542]: Successful su for sam by root
Jun 13 02:11:02 lvi-mailer su[10542]: (pam_unix) session opened for user sam by (uid=0)
Jun 13 02:11:03 lvi-mailer su[10542]: (pam_unix) session closed for user sam

Jun 13 02:11:04 lvi-mailer su[10546]: Successful su for sam by root
Jun 13 02:11:04 lvi-mailer su[10546]: (pam_unix) session opened for user sam by (uid=0)
Jun 13 02:11:05 lvi-mailer su[10546]: (pam_unix) session closed for user sam

Jun 13 02:11:05 lvi-mailer su[10550]: Successful su for sam by root
Jun 13 02:11:05 lvi-mailer su[10550]: (pam_unix) session opened for user sam by (uid=0)
Jun 13 02:11:06 lvi-mailer su[10550]: (pam_unix) session closed for user sam

Is that because they don’t succeed on the first round? But why could that be?!

I’m honestly not sure :)

In general, if a cron job fails, you typically would get an email (from cron) regarding that.

I personally wouldn’t be too concerned about those messages.

If you’re concerned that they may not be running correctly, you could always try running it manually to see what, if anything, it reports.
-Eric

Hi Eric – many thanks again!
You are right: running the awstats routine manually also produces these multiple su calls, so it must just be the way awstats operates.
best regards, Robert