postgres queries

Hey all,

Who or what would be querying postgres when the anything I can find to do with it is turned off? I’m not using it but evey five minutes something tries to open a session.

Mar 1 17:45:05 hosta su(pam_unix)[[21784]]: session opened for user postgres by (uid=0)
Mar 1 17:45:05 hosta su(pam_unix)[[21784]]: session closed for user postgres
Mar 1 17:50:03 hosta su(pam_unix)[[21871]]: session opened for user postgres by (uid=0)
Mar 1 17:50:03 hosta su(pam_unix)[[21871]]: session closed for user postgres
Mar 1 17:55:02 hosta su(pam_unix)[[21951]]: session opened for user postgres by (uid=0)
Mar 1 17:55:02 hosta su(pam_unix)[[21951]]: session closed for user postgres

Hey Dan,

That would be Webmin’s System and Server Status module. You can just delete the PostgreSQL monitor if you don’t like those to show up…but then again, Webmin won’t be able to email you if PostgreSQL goes down.

There are other ways to see if postgres is running (checking for the process, looking for the pid, asking /etc/init.d/postgresql, etc.), but they won’t necessarily tell you if it is responding to queries, while the standard Webmin monitor does.

This one got me too.

When I searched on google I found a number of references to hackers using the postgres user as way to hide themselves on a server …

Anyways its good to know what causes this message to show up in the log, but I still don’t understand why the Webmin monitoring module would cause root to su to postgres?

Other services that are being monitored and that are turned off don’t exhibit the same behaviour. What’s up?

see webmin/Others/System and Server Status

but I still don’t understand why the Webmin monitoring module would cause root to su to postgres?

Because Webmin runs as root. If it wants to do something as another user, it has to su. Your system happens to be configured to log that action, and logwatch happens to be configured to note it in the log summary for the day. It’s nothing suspicious or undesirable.