topic Re: su: + tty?? root-root in Operating System - HP-UX

su: + tty?? root-root

N.D — Fri, 28 Dec 2007 12:39:42 GMT

I've found several entries in the syslog, but unable to pinpoint where the jobs are coming from. They are being run twice every 20mins. There is nothing running in the cron.

Syslog:
Dec 28 12:01:25 ch*** su: + tty?? root-root
Dec 28 12:13:55 ch*** su: + tty?? root-root
Dec 28 12:14:03 ch*** above message repeats 50 times
Dec 28 12:14:09 ch*** su: + tty?? root-root
Dec 28 12:33:54 ch*** su: + tty?? root-root
Dec 28 12:34:03 ch*** above message repeats 79 times
Dec 28 12:34:10 ch*** su: + tty?? root-root

Sulog:

ch***:/usr/lib/sa: tail /var/adm/sulog
SU 12/28 12:36 + tty?? root-root
SU 12/28 12:36 + tty?? root-root
SU 12/28 12:36 + tty?? root-root
SU 12/28 12:37 + tty?? root-root
SU 12/28 12:37 + tty?? root-root
SU 12/28 12:37 + tty?? root-root
SU 12/28 12:37 + tty?? root-root
SU 12/28 12:38 + tty?? root-root
SU 12/28 12:38 + tty?? root-root
SU 12/28 12:38 + tty?? root-root

Not sure to look. Need to know where these are coming from

Re: su: + tty?? root-root

Dennis Handly — Fri, 28 Dec 2007 12:57:10 GMT

>They are being run twice every 20mins

What is run twice?
I see 3 - 4 messages a minute in sulog.
And about 4 per minute for syslog.
The "+" indicates each su(1) is successful.
Perhaps that "tty???" means there is no tty.
I'm not sure what "root-root" means??
You might try su from root to some other user and then see what is logged.

Re: su: + tty?? root-root

N.D — Fri, 28 Dec 2007 13:09:05 GMT

Actually they are running many times.

Basically it looks like a script/job already run as root is then trying to su to root,

For example I am looged on as root and I tried su-ing to root and the following showed up in the syslog:

Dec 28 13:04:51 ch*** su: + ttyrc nd-root

So I need to find the script/job that is trying to 'su'. We are using powerbroker so we shouldnt be 'su-ing'.

Previuosly this has caused the accounts to be locked out.

Re: su: + tty?? root-root

Eric SAUBIGNAC — Fri, 28 Dec 2007 13:17:19 GMT

Bonjour ND,

I will be rather hard to find wich process is doing su, as tty?? probably means that a it comes from a daemon.

If by chance the daemon issue "su - root" you could modify root's profile to log some environments values like PPID. That could help you to find the responsible process ...

Eric

Re: su: + tty?? root-root

Eric SAUBIGNAC — Fri, 28 Dec 2007 13:40:59 GMT

And if it doesn't work you can try to write a small wrapper. Example :

cd /usr/bin

create a file named su_my with following lines :

echo "=======" >>/tmp/su.log
echo "this process is $$" >>/tmp/su.log
echo "calling processe is $PPID" >>/tmp/su.log
exec /usr/bin/su_ok "$@"

then modify owner and permissions :

chown root:bin su_my
chmod 4555 su_my

then change names :

mv su su_ok
mv su_my su

As soon as you have trapped valuable informations in /tmp/su.log, don't forget to return to a "normal" situation :

mv su su_my
mv su_ok su

Hope this will help

Eric

Re: su: + tty?? root-root

Eric SAUBIGNAC — Wed, 02 Jan 2008 12:24:00 GMT

Hi N.D.,

What news ? Did you finally trap the process or script responsible of those su: + tty?? root-root ... ?

Eric