user nobody performed su?

twlilinux · 06-25-2008, 09:07 AM

Hi guys, I have some /var/log/auth.log entries that I don't understand well.

First, there's pam_unix session getting opened and closed by root. What's all this opennings and closings?

Second, the user nobody performed su. What could this be?

There isn't an IP associated with any of this, so I probably shouldn't be worried. But, I just want to be aware.

I appreciate your advice!

Jun 25 06:09:01 mydomain CRON[16326]: (pam_unix) session opened for user root by (uid=0)
Jun 25 06:09:01 mydomain CRON[16328]: (pam_unix) session opened for user root by (uid=0)
Jun 25 06:09:01 mydomain CRON[16326]: (pam_unix) session closed for user root
Jun 25 06:09:01 mydomain CRON[16328]: (pam_unix) session closed for user root
Jun 25 06:17:01 mydomain CRON[16347]: (pam_unix) session opened for user root by (uid=0)
Jun 25 06:17:01 mydomain CRON[16347]: (pam_unix) session closed for user root
Jun 25 06:25:01 mydomain CRON[16350]: (pam_unix) session opened for user root by (uid=0)
Jun 25 06:25:02 mydomain su[16390]: Successful su for nobody by root
Jun 25 06:25:02 mydomain su[16390]: + ??? root:nobody
Jun 25 06:25:02 mydomain su[16390]: (pam_unix) session opened for user nobody by (uid=0)
Jun 25 06:25:02 mydomain su[16390]: (pam_unix) session closed for user nobody
Jun 25 06:25:02 mydomain su[16394]: Successful su for nobody by root
Jun 25 06:25:02 mydomain su[16394]: + ??? root:nobody
Jun 25 06:25:02 mydomain su[16394]: (pam_unix) session opened for user nobody by (uid=0)
Jun 25 06:25:02 mydomain su[16394]: (pam_unix) session closed for user nobody
Jun 25 06:25:02 mydomain su[16396]: Successful su for nobody by root
Jun 25 06:25:02 mydomain su[16396]: + ??? root:nobody
Jun 25 06:25:02 mydomain su[16396]: (pam_unix) session opened for user nobody by (uid=0)
Jun 25 06:25:02 mydomain su[16396]: (pam_unix) session closed for user nobody
Jun 25 06:25:03 mydomain CRON[16350]: (pam_unix) session closed for user root
Jun 25 06:39:01 mydomain CRON[16470]: (pam_unix) session opened for user root by (uid=0)

-------
My favorite websites:
Buy and sell class notes, old exams, papers, lab reports, admission essays.
Ask and answer Linux questions.
Read free books without walking to the library.

Hangdog42 · 06-25-2008, 11:26 AM

I don't know about the pam stuff, but the su looks pretty innocuous. It is root becoming nobody, not nobody becoming root.

twlilinux · 06-25-2008, 12:27 PM

thanks for clearing this up! So, is there anyway I can find out what the pam_sessions are doing?

-------
My favorite websites:
Buy and sell class notes, old exams, papers, lab reports, admission essays.
Ask and answer Linux questions.
Read free books without walking to the library.

bsdunix · 06-25-2008, 12:49 PM

Look at your system/root cron jobs and grep for nobody.

There were three process that su'd from root to nobody all within 1 second, Jun 25 06:25:02.

twlilinux · 06-25-2008, 07:29 PM

hmm I think this is how you look at system/cron jobs:

mydomain:/etc/cron.daily# ls -l
total 40
-rwxr-xr-x 1 root root 5041 2007-02-26 16:21 apt
-rwxr-xr-x 1 root root 314 2007-03-14 10:11 aptitude
-rwxr-xr-x 1 root root 502 2007-01-02 12:26 bsdmainutils
-rwxr-xr-x 1 root root 3961 2007-01-20 04:46 exim4-base
-rwxr-xr-x 1 root root 419 2007-07-30 13:24 find
-rwxr-xr-x 1 root root 89 2006-04-08 18:16 logrotate
-rwxr-xr-x 1 root root 946 2007-01-29 07:20 man-db
-rwxr-xr-x 1 root root 3283 2006-12-19 19:02 standard
-rwxr-xr-x 1 root root 1307 2006-05-25 05:38 sysklogd

so which ones are the culprits..

-------
My favorite websites:
Buy and sell class notes, old exams, papers, lab reports, admission essays.
Ask and answer Linux questions.
Read free books without walking to the library.

bsdunix · 06-26-2008, 02:18 PM

Code:

grep nobody *

If any of the files contain "nobody", then they will be listed with the matching line(s).

Howto use grep command in Linux - UNIX
http://www.cyberciti.biz/faq/howto-u...in-linux-unix/

jamesapnic · 07-08-2008, 11:50 AM

I think you will find thats most likely the locatedb being updated, for when you type updatedb
It su's to nobody to prevent any malicious files placed by users from compromising super user access.

twlilinux · 07-09-2008, 12:23 PM

Yeah, I didn't think this is likely a security breach either. But I'm still curious. I typed grep -R nobody ./ and just as bsdunix said, it returned:

./find:LOCALUSER="nobody"

I googled linux cron.daily find and many results showed up that the find process is run by user nobody. I have no idea what "find" is, but I'm sure it's harmless

-------
My favorite websites:
Buy and sell class notes, old exams, papers, lab reports, admission essays.
Ask and answer Linux questions.
Read free books without walking to the library.