HPE Community
Operating System - HP-UX
1834272 Members
70009 Online
110066 Solutions
New Discussion

sudo user entry in syslog...

 
SOLVED
Go to solution
boomer_2
Super Advisor

‎05-29-2007 05:24 PM

‎05-29-2007 05:24 PM

sudo user entry in syslog...

Hi guys,
I would like to know about my sudo entry in syslog..i.e. whenver i log in with sudo su - the entry recorded is as follows:->

May 30 10:39:06 ge1 sudo: tejas : TTY=pts/8 ; PWD=/home/xyz ; USER=root ; COMMAND=/usr/bin/su -
May 30 10:39:06 ge1 su: + 8 test-root

where test is another ordinary user in my system...
Why am i getting this entry of test1-root and not xyz-root...???
But sometimes randomly i do get xyz-root in my syslog.
0 Kudos
Reply
3 REPLIES 3
boomer_2
Super Advisor

‎05-29-2007 05:32 PM

‎05-29-2007 05:32 PM

Re: sudo user entry in syslog...

hi guys,
the entry log ..its actually ...

May 30 10:39:06 ge1 sudo: xyz : TTY=pts/8 ; PWD=/home/xyz ; USER=root ; COMMAND=/usr/bin/su -
May 30 10:39:06 ge1 su: + 8 test-root...
0 Kudos
Reply
Matti_Kurkela
Honored Contributor

‎05-29-2007 08:04 PM

‎05-29-2007 08:04 PM

Solution

Re: sudo user entry in syslog...

"sudo su -" is often used, but a slightly silly way to do things.

When you use it that way, the "sudo" command allows you to execute the command "su -" using the identity of root.

Then, the "su -" command makes you assume the identity and environment of root. Because you already have the identity of root (thanks to sudo) it won't ask for a password. You're effectively using "su -" to change from root to root!

The second syslog line looks a bit strange.
Do you happen to have a second copy of UID 0 with the username "test"? To check, run:

grep "^[^:]*:[^:]*:0:" /etc/passwd

It should return exactly one line, not two or more.

Or maybe your utmp file is corrupted because you've stopped some sessions with kill -9?
A reboot will regenerate your utmp file. You can also clear the utmp file manually, but you will lose the information about currently logged-in users, so you should do that only when you're the only person logged in.

A neater way to do the same thing as "sudo su -" would be "sudo -H -i". The -H option means to use root's home directory, so the environment settings that might be in root's .profile will take effect. The -i option means the same as the "-" in "su -", so you'll get the complete environment of the root user.

If you need to assume the identity of some other user, just use "sudo -u -H -i" instead of "sudo su - "
This way causes you to get just one line of syslog about the operation (from sudo), and it will say exactly what happened, i.e "xyz changed into someuser" instead of first saying "sudo: xyz became root" then "su: root became someuser".

MK
MK
Reply
Andrew Merritt_2
Honored Contributor

‎05-29-2007 10:53 PM

‎05-29-2007 10:53 PM

Re: sudo user entry in syslog...

Hi,
Matti may be on the right lines, but I would suggest checking your /etc/passwd file for a user called 'test' with the same uid as 'xyz', and also the sudoers file for the same.

Andrew

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.