Quote:
Originally Posted by tjallen
It seems that the root process su-ing to my username is looking to mount filesystems via fuse. Now I need to find it.
My guess would be that the fuse-mounting-thing is some feature from some desktop environment. Maybe it would go away if you switched to some other rather full-featured desktop environment like KDE or XFCE. It would most likely go away if you switched to some less featured window manager like fvwm.
But those are only my guesses, with some audit logging it might be possible to track down exactly what is going on. I did some quick testing to get an easy cookbook recipe:
Code:
/etc/rc.d/rc.auditd start
auditctl -w /bin/su -p x -k test
su henca
exit
auditctl -W /bin/su -p x -k test
ausearch --start recent -k test -m syscall
After starting audit logging of su I did try to su as root to my own username. The interesting lines in the log output looked like this:
Code:
type=EXECVE msg=audit(1672483564.552:4): argc=2 a0="su" a1="henca"
type=SYSCALL msg=audit(1672483564.552:4): arch=c000003e syscall=59 success=yes exit=0 a0=1558f68 a1=1558708 a2=1555008 a3=598 items=2 ppid=28654 pid=29027 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts21 ses=4294967295 comm="su" exe="/bin/su" key="test"
The pid 29027 was the pid of su and that pid was gone after I had exit. However, the ppid process was still the bash process which I was running as root.
Once I had successfully done this test I stopped auditd with:
Code:
/etc/rc.d/rc.auditd stop
regards Henrik
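The two log lines quoted above are easier to read once the EXECVE and SYSCALL records that share one audit event id are joined. The script below is an added example, not part of Henrik's post or of the audit package: it parses `ausearch` output of that shape, pairs the records by event id, and prints who executed su, as which target user, and from which parent pid. The sample log embedded in it is constructed from the two records in the post; field names (`pid`, `ppid`, `auid`, `uid`, `exe`, `a0`..`aN`) are the standard audit record fields.

```python
"""Correlate Linux audit EXECVE/SYSCALL records for su into one summary.

Added example (not from the original thread). Input is the text that
`ausearch --start recent -k test -m syscall` prints; records belonging to
the same event share the id in msg=audit(<time>:<id>).
"""
import re
from collections import defaultdict

# Constructed sample: the two records quoted in the forum post.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1672483564.552:4): argc=2 a0="su" a1="henca"
type=SYSCALL msg=audit(1672483564.552:4): arch=c000003e syscall=59 success=yes exit=0 a0=1558f68 a1=1558708 a2=1555008 a3=598 items=2 ppid=28654 pid=29027 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts21 ses=4294967295 comm="su" exe="/bin/su" key="test"
"""

# key=value pairs; values are either "quoted" or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')

# auditd writes the "unset" login uid as (unsigned)-1
AUID_UNSET = 4294967295


def parse_record(line):
    """Return (event_id, timestamp, {field: value}) for one audit line, or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    ts, event_id = m.group(1), int(m.group(2))
    fields = {key: raw.strip('"') for key, raw in FIELD_RE.findall(line)}
    return event_id, ts, fields


def argv_from_execve(fields):
    """Rebuild argv from a0..aN of an EXECVE record, in order."""
    argc = int(fields.get("argc", 0))
    return [fields.get(f"a{i}", "") for i in range(argc)]


def correlate(log_text):
    """Group records by event id and return one summary per su execution."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        event_id, ts, fields = parsed
        events[event_id]["ts"] = ts
        # EXECVE and SYSCALL both carry a0..aN, so keep them under their type
        events[event_id][fields["type"]] = fields

    summaries = []
    for event_id, rec in sorted(events.items()):
        sc, ex = rec.get("SYSCALL"), rec.get("EXECVE")
        if sc is None or ex is None:
            continue  # incomplete event, nothing to correlate
        argv = argv_from_execve(ex)
        summaries.append({
            "event": event_id,
            "time": rec["ts"],
            "pid": int(sc["pid"]),
            "ppid": int(sc["ppid"]),
            "uid": int(sc["uid"]),
            # an unset auid means the caller never went through a login session
            "auid_unset": int(sc["auid"]) == AUID_UNSET,
            "tty": sc.get("tty"),
            "exe": sc.get("exe"),
            "argv": argv,
            # `su` with no user argument switches to root
            "target_user": argv[1] if len(argv) > 1 else "root",
            "success": sc.get("success") == "yes",
        })
    return summaries


if __name__ == "__main__":
    for s in correlate(SAMPLE_LOG):
        print(f"event {s['event']} at {s['time']}: uid {s['uid']} ran {s['exe']} "
              f"{' '.join(s['argv'])} (pid {s['pid']}, parent pid {s['ppid']}, "
              f"tty {s['tty']}, login session: {'none' if s['auid_unset'] else 'yes'})")
```

The interesting value is the parent pid: while the parent is still alive, `ps -o pid,ppid,user,comm -p <ppid>` (or `cat /proc/<ppid>/cmdline`) shows what started su, which in the post turned out to be Henrik's own root bash.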