Operating System - HP-UX

Re: su: + tty?? root-root

 
N.D
Occasional Advisor

su: + tty?? root-root

I've found several entries in the syslog, but I am unable to pinpoint where the jobs are coming from. They are being run twice every 20 mins. There is nothing running in the cron.

Syslog:
Dec 28 12:01:25 ch*** su: + tty?? root-root
Dec 28 12:13:55 ch*** su: + tty?? root-root
Dec 28 12:14:03 ch*** above message repeats 50 times
Dec 28 12:14:09 ch*** su: + tty?? root-root
Dec 28 12:33:54 ch*** su: + tty?? root-root
Dec 28 12:34:03 ch*** above message repeats 79 times
Dec 28 12:34:10 ch*** su: + tty?? root-root


Sulog:

ch***:/usr/lib/sa: tail /var/adm/sulog
SU 12/28 12:36 + tty?? root-root
SU 12/28 12:36 + tty?? root-root
SU 12/28 12:36 + tty?? root-root
SU 12/28 12:37 + tty?? root-root
SU 12/28 12:37 + tty?? root-root
SU 12/28 12:37 + tty?? root-root
SU 12/28 12:37 + tty?? root-root
SU 12/28 12:38 + tty?? root-root
SU 12/28 12:38 + tty?? root-root
SU 12/28 12:38 + tty?? root-root

Not sure where to look. Need to know where these are coming from.
5 REPLIES
Dennis Handly
Acclaimed Contributor

Re: su: + tty?? root-root

>They are being run twice every 20mins

What is run twice?
I see 3 - 4 messages a minute in sulog.
And about 4 per minute for syslog.
The "+" indicates each su(1) is successful.
Perhaps that "tty???" means there is no tty.
I'm not sure what "root-root" means??
You might try su from root to some other user and then see what is logged.
N.D
Occasional Advisor

Re: su: + tty?? root-root

Actually they are running many times.

Basically it looks like a script/job already run as root is then trying to su to root,

For example, I am logged on as root and I tried su-ing to root and the following showed up in the syslog:

Dec 28 13:04:51 ch*** su: + ttyrc nd-root

So I need to find the script/job that is trying to 'su'. We are using powerbroker so we shouldn't be 'su-ing'.

Previously this has caused the accounts to be locked out.
Eric SAUBIGNAC
Honored Contributor

Re: su: + tty?? root-root

Bonjour ND,

It will be rather hard to find which process is doing su, as tty?? probably means that it comes from a daemon.

If by chance the daemon issues "su - root" you could modify root's profile to log some environment values like PPID. That could help you to find the responsible process ...

Eric
Eric SAUBIGNAC
Honored Contributor

Re: su: + tty?? root-root

And if it doesn't work you can try to write a small wrapper. Example :

cd /usr/bin

create a file named su_my with following lines :

#!/usr/bin/sh
# Record the wrapper's PID and its caller's PID, then run the real su
echo "=======" >>/tmp/su.log
echo "this process is $$" >>/tmp/su.log
echo "calling process is $PPID" >>/tmp/su.log
exec /usr/bin/su_ok "$@"

then modify owner and permissions :

chown root:bin su_my
chmod 4555 su_my

then change names :

mv su su_ok
mv su_my su

As soon as you have trapped valuable information in /tmp/su.log, don't forget to return to a "normal" situation :

mv su su_my
mv su_ok su

Hope this will help

Eric
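
A fuller version of the wrapper idea above, as an added example that is not part of the original post: it records the command line of the calling process and of that process's parent, since a bare PPID is useless once a short-lived caller has exited. It assumes the real binary was renamed to /usr/bin/su_ok as in the post; the log path is a hypothetical choice in a root-only directory instead of /tmp, and the wrapper is installed mode 555 without the setuid bit because the real su it execs keeps its own.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical default: the log path below;
# create its directory beforehand as root with mode 700 (not /tmp).
REAL_SU="${REAL_SU:-/usr/bin/su_ok}"            # the renamed real su binary
SU_TRACE_LOG="${SU_TRACE_LOG:-/var/adm/su_trace/su.log}"

# Command line of a PID, or "unknown" if it has exited or ps cannot report it.
# UNIX95 is set for this one command: HP-UX ps accepts -o only in XPG4 mode.
proc_args() {
    out=$(UNIX95=1 ps -o args= -p "$1" 2>/dev/null) || out=""
    [ -n "$out" ] && printf '%s\n' "$out" || echo unknown
}

# Parent PID of a PID, or "?" if it cannot be determined.
proc_ppid() {
    out=$(UNIX95=1 ps -o ppid= -p "$1" 2>/dev/null | tr -d ' ') || out=""
    [ -n "$out" ] && echo "$out" || echo "?"
}

# Append one record for caller PID $1; remaining arguments are su's arguments.
# Returns 1 if the log cannot be written (for example when a non-root user runs su).
log_su_caller() {
    caller=$1; shift
    gp=$(proc_ppid "$caller")
    (
        umask 077
        {
            echo "======= $(date '+%Y-%m-%d %H:%M:%S')"
            echo "wrapper pid=$$ uid=$(id -u) su_args=$*"
            echo "caller pid=$caller cmd=$(proc_args "$caller")"
            echo "grandparent pid=$gp cmd=$(proc_args "$gp")"
        } >>"$SU_TRACE_LOG"
    ) 2>/dev/null || return 1
}

# Act only when installed under the name "su"; a logging failure never blocks su.
case "${0##*/}" in
    su) log_su_caller "$PPID" "$@" || :
        exec "$REAL_SU" "$@" ;;
esac
```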


Eric SAUBIGNAC
Honored Contributor

Re: su: + tty?? root-root

Hi N.D.,

What news? Did you finally trap the process or script responsible for those su: + tty?? root-root ... ?

Eric