Operating System - HP-UX

Re: how to understand su syslog msg

 
dom kris
Frequent Advisor

how to understand su syslog msg

Hi,

in the syslog, I saw the following message:
"
syslog: su : + tty?? root-oracle
"

what does this mean exactly?
That the 'root' user did an su to 'oracle', but why is the tty 'tty??'?

Is this because it was a script that did an su?

Any help much appreciated

Kris
Todd McDaniel_1
Honored Contributor

Re: how to understand su syslog msg

yes...

root su'ed to oracle and was on tty?? which AFAIK means it couldn't determine the tty.
Unix, the other white meat.
Todd McDaniel_1
Honored Contributor

Re: how to understand su syslog msg

Actually it means that someone logged on DIRECTLY as root...

I just tried this and it showed my user ID b/c I su'ed to root then su'ed to oracle ...

Sulog recorded my userId and not root as su'er...
Unix, the other white meat.
Jdamian
Respected Contributor

Re: how to understand su syslog msg

tty?? is the value to say 'su' command was not executed from a terminal.
dom kris
Frequent Advisor

Re: how to understand su syslog msg

So if I understand it correctly, somebody logged in via the physical console and then 'su' to oracle?

What about rsh? Somebody doing as root (rsh system 'su oracle')?
Jdamian
Respected Contributor

Re: how to understand su syslog msg

I don't agree with Todd.

I log in console as user 'pete'.
Then su to superuser
su -

then su to user 'mark'...
the sulog file contains:

SU 04/07 16:14 + console pete-root
SU 04/07 16:16 + console pete-mark

No 'tty??' is shown.

'tty??' is shown when su is executed with no session attached. For instance:

su - mark -c /home/mark/list.sh
Bill Hassell
Honored Contributor

Re: how to understand su syslog msg

The tty?? is a placeholder when su is run in batch mode (ie, a cron script). There is no tty associated with a batch job.


Bill Hassell, sysadmin
Todd McDaniel_1
Honored Contributor

Re: how to understand su syslog msg

they logged in via telnet as root... console uses "console" on my host...instead of tty

sulog shows this:

SU 04/07 09:26 + console root-oracle

so they used a telnet session which is dangerous... check your /etc/securetty.
Unix, the other white meat.
Gary L. Paveza, Jr.
Trusted Contributor

Re: how to understand su syslog msg

I see this one all the time when executing automatic startup scripts which start oracle.

Do you have dbstartup in your /sbin/init.d?
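
Added example (not part of any reply in this thread): a small sh/awk triage of sulog-format lines that separates su calls made from a terminal from the `tty??` entries the replies attribute to batch use (cron, startup scripts, `su - user -c ...`). The sample lines are constructed, with the first two copied from the entries quoted above; the `pts/2` terminal name, the class labels, and splitting `from-to` at the first hyphen are assumptions of this example.

```shell
#!/bin/sh
# Line layout, as in the sulog entries quoted in the thread:
#   SU MM/DD HH:MM <+|-> <tty> <from>-<to>      (+ = success, - = failure)

# Constructed sample input for offline use.
sample_sulog() {
cat <<'EOF'
SU 04/07 16:14 + console pete-root
SU 04/07 16:16 + console pete-mark
SU 04/07 02:00 + tty?? root-oracle
SU 04/07 09:31 - pts/2 mark-root
SU 04/08 02:00 + tty?? root-oracle
EOF
}

# Reads sulog lines on stdin and prints, per entry:
#   <class> <date> <time> <tty> <from> <to>
classify_sulog() {
  awk '
    $1 != "SU" || NF < 6 { next }        # skip lines not in sulog layout
    {
      n = index($6, "-")                  # split from-to at the first hyphen
      if (n == 0) next
      from = substr($6, 1, n - 1)
      to   = substr($6, n + 1)
      if ($4 == "-")          class = "FAILED"
      else if ($5 == "tty??") class = "NO_TTY"        # no terminal attached
      else                    class = "INTERACTIVE"   # console or a tty
      print class, $2, $3, $5, from, to
    }'
}

# Counts NO_TTY transitions per from->to pair, so a recurring job
# (same pair, regular times) stands out from a single unexpected entry.
no_tty_summary() {
  classify_sulog |
    awk '$1 == "NO_TTY" { c[$5 "->" $6]++ }
         END { for (k in c) print c[k], k }' |
    sort -rn
}

sample_sulog | classify_sulog
```

To run it against a live system, feed the su log file to `classify_sulog` on stdin instead of `sample_sulog`.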