/var/adm/sulog entry
01-22-2013 01:08 AM
Hi,
We have an 11i v2 server.
In it there is a user which has super user privileges, but the entry in /var/adm/sulog shown is root:root.
Why is it so?
If the user is test, the entry must be test:root, right?
01-22-2013 05:54 AM - last edited on 06-29-2021 04:52 AM by Ramya_Heera
Re: /var/adm/sulog entry
If I am already root and run "su -", then I will see a root-root entry in sulog.
Also, it appears that sulog logs the real user ID rather than the effective ID, as in the following example:
# su - fred
$ id
uid=3000(fred) gid=20(users)
$ who am i
root pts/0 Jan 22 13:45
$ su -
Password:
# tail -1 /var/adm/sulog
SU 01/22 13:52 + 0 root-root <--- you might have expected that to be fred-root
I am an HPE Employee

01-22-2013 06:24 AM
Re: /var/adm/sulog entry
>>user which has super user privileges
How does this user have super user privileges? RBAC? Sudo? Set up with UID 0?
01-22-2013 06:35 AM
Re: /var/adm/sulog entry
Does this "user which has super user privileges" have a UID equal to 0?
If so, remember that the system internally uses UID numbers to identify users rather than usernames. When a sulog message is being generated, the UID number is mapped back to the username by searching through /etc/passwd and picking the first username whose UID matches... and for UID 0, this is normally "root" because the entry for root is normally the first line in /etc/passwd.
This is one of the reasons why creating users with duplicate UIDs is a bad practice that should be avoided.
01-22-2013 09:37 PM
Re: /var/adm/sulog entry
Hi,
It's a test user with UID 120.
We are using sudo to assign super user privileges.
01-22-2013 11:45 PM
Re: /var/adm/sulog entry
Is the test user running a command like "sudo su -"?
This command actually changes users twice:
- first, the "sudo" command without any "-u <username>" option runs the rest of the command line as root. At this point, sudo modifies the set of environment variables passed to the command: at least the dangerous environment variables like LD_PRELOAD are stripped away (depends on sudo version and configuration), but the HOME environment variable usually still points to the test user's home directory... so the test user's original login scripts are used. The sudo command logs a message saying that the test user successfully transitioned to root for the purpose of running the command "su -".
- then, the "su -" command creates a completely new set of environment variables (including HOME), matching what the root user would get when logging in directly, and runs a shell as root. Because the su command is already being run as root, it does not ask for root password. The su command logs a message saying that the user "root" successfully became user "root", because as far as it is concerned, that is exactly what happened.
Unless your version of sudo is very old, the command "sudo -i" will achieve exactly the same result as "sudo su -", but without running the su command at all, and so the silly log message will be eliminated. Of course, if your sudoers file is configured to only allow running "sudo su -", then you'll need to change it before the user can use "sudo -i".
So if your sudoers file currently says something like:
test ALL = (root) /bin/su -
then you'll need to change it to:
test ALL = (root) ALL
Allowing the user to run a shell is equivalent to allowing the user to run all commands, so this change does not enable the user to do anything s/he could not do previously. Besides, this form will also allow the user to run individual commands through sudo as root (e.g. "sudo cat /etc/shadow"): in this way sudo will log the commands and the real username of the user that executed them, which provides a better (less ambiguous) log than relying on the shell history of the root user.
(Side note: the shell history file is not a log. It is designed to be a tool for the user him/herself, not to be a true and complete record of the user's actions.)
01-23-2013 01:28 AM
Re: /var/adm/sulog entry
Hi Matti,
In my sudoers file we have an entry like:
test ALL=(ALL) ALL
The user "test" uses sudo su -, then enters his password and then gets logged in as root.
But sometimes I see an entry like test-root, and sometimes root-root.
After using sudo -i, I am getting no entry in sulog.
It's escaping sulog totally. What I am trying to achieve here is that I need to check who all are logging in as root.
So I'm grepping "root" from the sulog file.
01-23-2013 06:19 AM - edited 01-23-2013 06:20 AM
Re: /var/adm/sulog entry
/var/adm/sulog is produced by the "su" command only. An entry like "test-root" would mean the user is using "su -" without sudo, and entering the root password (or trying to).
With "sudo -i", sulog is not used, since the "su" command is not involved at all. Instead, sudo usually logs to syslog. See /var/adm/syslog/syslog.log for sudo log entries. If you want a separate log, there are a lot of logging options in sudo. For example, adding this line to the sudoers file (with visudo) would make sudo log into /var/adm/sudolog:
Defaults logfile=/var/adm/sudolog
If you don't want sudo to log into two places simultaneously, you'll probably need to disable syslog logging of sudo if you use a dedicated sudo log file. This can be done by adding this line to the sudoers file:
Defaults !syslog
01-24-2013 12:10 AM
Re: /var/adm/sulog entry
Hi Matti,
We have 3 users in our setup:
test1, test2 and test3.
test1 has all root privileges in the sudoers file.
test2 has access only to specific commands in the sudoers file.
test3 also has another set of commands in the sudoers file.
When I checked in syslog, the entries are:
Jan 24 11:49:56 riddhi sudo: test2 : TTY=unknown ; PWD=/home/test2 ; USER=root ; COMMAND=/usr/bin/su - oracle
Jan 24 11:49:57 riddhi su: + tty?? root-oracle
Jan 24 13:40:30 riddhi sudo: test1 : TTY=pts/61 ; PWD=/home/test1 ; USER=root ; COMMAND=/usr/bin/su -
Jan 24 13:40:30 riddhi su: + 61 test1-root
Why am I getting USER=root in my syslog, although they are using:
test1 using sudo su -
test2 using sudo su - oracle
I just want to trace whoever is logging in as root on my server, through any means,
whether through sudo or any other way.
01-24-2013 12:44 AM
Solution
> Jan 24 11:49:56 riddhi sudo: test2 : TTY=unknown ; PWD=/home/test2 ; USER=root ; COMMAND=/usr/bin/su - oracle
Here, user "test2" is transitioning to "root" through sudo in order to run "/usr/bin/su - oracle".
So the "su - oracle" command will be run as root.
> Jan 24 11:49:57 riddhi su: + tty?? root-oracle
And here, the root user is transitioning to user "oracle" through su.
Note that the user has no TTY here (perhaps the command is run from a cron job?), so sudo says "TTY=unknown" and su says "tty??". This may make it harder for su to find the original username, so it logs the transition as "root-oracle".
If the test2 user would use "sudo -u oracle -i", then you could get a single log message describing the entire transition, like this:
Jan 24 11:50:00 riddhi sudo: test2: TTY=unknown; PWD=/home/test2 ; USER=oracle ; COMMAND=/usr/bin/sh
(or whatever is the shell of the oracle user).
This would clearly indicate that user "test2" switched to user "oracle".
Of course, this would require a sudoers entry like this:
test2 riddhi=(oracle) /usr/bin/sh
NOTE: the target user (within the parenthesis) must be "oracle", not "root".
Likewise, your second case also first uses sudo to switch to root user, then su to switch to the target user:
> Jan 24 13:40:30 riddhi sudo: test1 : TTY=pts/61 ; PWD=/home/test1 ; USER=root ; COMMAND=/usr/bin/su -
> Jan 24 13:40:30 riddhi su: + 61 test1-root
However, this time the user has a pseudo-TTY, as indicated by "TTY=pts/61" from sudo and "61" from su. The su command may be checking the ownership of the pseudo-TTY device to identify the actual original username of the session.
If the sudoers entry for test1 allows all commands, then the test1 user could simply run "sudo -i" instead of "sudo su -", and the log message would look like this:
Jan 24 13:41:00 riddhi sudo: test1 : TTY=pts/61 ; PWD=/home/test1 ; USER=root; COMMAND=/sbin/sh
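As an added example (not code from this thread, from HP-UX or from sudo), the following Python script does by machine the correlation the solution above does by eye, and also covers the root-root sulog rows from the first reply: it reads the sudo and su records out of syslog, pairs each "sudo ... COMMAND=/usr/bin/su ..." record with the su record it spawns, and credits the transition to the sudo invoker even when su logged it as root-root or root-oracle. It then reads /var/adm/sulog and marks root-root rows as unattributable, since su was already root when it wrote them. The sample lines are constructed from the formats quoted in the thread: the hostname riddhi and the users test1/test2/test3/oracle come from the posts, while the last three syslog lines, the sulog rows and the SHELLS set are assumptions, and usernames are assumed not to contain hyphens.

```python
import re
from collections import namedtuple

# Constructed sample input, modelled on the lines quoted in this thread.
# The first four syslog lines are the ones posted; the rest are invented
# to show a root shell via "sudo -i", a failed su, and a single sudo command.
SYSLOG_SAMPLE = """\
Jan 24 11:49:56 riddhi sudo: test2 : TTY=unknown ; PWD=/home/test2 ; USER=root ; COMMAND=/usr/bin/su - oracle
Jan 24 11:49:57 riddhi su: + tty?? root-oracle
Jan 24 13:40:30 riddhi sudo: test1 : TTY=pts/61 ; PWD=/home/test1 ; USER=root ; COMMAND=/usr/bin/su -
Jan 24 13:40:30 riddhi su: + 61 test1-root
Jan 24 13:41:00 riddhi sudo: test1 : TTY=pts/61 ; PWD=/home/test1 ; USER=root ; COMMAND=/sbin/sh
Jan 24 14:02:11 riddhi su: - 62 test3-root
Jan 24 14:02:30 riddhi sudo: test2 : TTY=pts/62 ; PWD=/home/test2 ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
"""
SULOG_SAMPLE = """\
SU 01/22 13:52 + 0 root-root
SU 01/24 13:40 + 61 test1-root
SU 01/24 14:02 - 62 test3-root
"""

# Record formats as quoted in the thread (usernames assumed hyphen-free).
TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
SUDO_RE = re.compile(TS + r"sudo:\s*(?P<user>\S+)\s*:\s*TTY=(?P<tty>\S+)\s*;\s*"
                     r"PWD=\S+\s*;\s*USER=(?P<target>\S+)\s*;\s*COMMAND=(?P<cmd>.+)$")
SU_SYSLOG_RE = re.compile(TS + r"su:\s+(?P<result>[+-])\s+(?P<tty>\S+)\s+"
                          r"(?P<src>[^\s-]+)-(?P<dst>\S+)$")
SULOG_RE = re.compile(r"^SU (?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d) (?P<result>[+-]) "
                      r"(?P<tty>\S+) (?P<src>[^\s-]+)-(?P<dst>\S+)$")

# Assumed set of login shells on the box; take it from /etc/shells in practice.
SHELLS = {"/sbin/sh", "/usr/bin/sh", "/usr/bin/ksh", "/usr/bin/csh", "/usr/bin/bash"}

Transition = namedtuple("Transition", "when actor target via tty ok")


def parse_syslog(text):
    """sudo and su records of a syslog file, in file order, as (kind, fields)."""
    records = []
    for line in text.splitlines():
        for kind, rx in (("sudo", SUDO_RE), ("su", SU_SYSLOG_RE)):
            m = rx.match(line)
            if m:
                records.append((kind, m.groupdict()))
                break
    return records


def su_target(cmd):
    """Account an 'su' command line switches to: last non-option word, else root."""
    words = [w for w in cmd.split()[1:] if not w.startswith("-")]
    return words[-1] if words else "root"


def attribute(records):
    """One Transition per user change, credited to the real initiator.

    A sudo record whose COMMAND is su is held back and paired with the next su
    record whose destination matches; the pair is credited to the sudo invoker
    even when su itself logged 'root-root' or 'root-oracle', because by the time
    su ran it was already root (the double transition described in the thread).
    """
    out, pending = [], None
    for kind, f in records:
        if kind == "sudo":
            prog = f["cmd"].split()[0]
            if prog == "su" or prog.endswith("/su"):
                pending = (f["user"], su_target(f["cmd"]))
                continue                      # su will write its own record next
            via = "sudo shell" if prog in SHELLS else "sudo " + prog
            out.append(Transition(f["ts"], f["user"], f["target"], via, f["tty"], True))
        else:
            actor, via = f["src"], "su"
            if pending and pending[1] == f["dst"]:
                actor, via, pending = pending[0], "sudo su", None
            out.append(Transition(f["ts"], actor, f["dst"], via, f["tty"], f["result"] == "+"))
    return out


def who_became_root(transitions):
    """(actor, via) for every successful transition whose target was root."""
    return [(t.actor, t.via) for t in transitions if t.target == "root" and t.ok]


def sulog_root_entries(text):
    """Successful /var/adm/sulog rows ending as root.  A 'root-root' row says
    nothing about who started it (su was already running as root, typically
    under 'sudo su -'), so it is marked attributable=False."""
    rows = []
    for line in text.splitlines():
        m = SULOG_RE.match(line)
        if m and m.group("dst") == "root" and m.group("result") == "+":
            rows.append({"when": m.group("date") + " " + m.group("time"),
                         "tty": m.group("tty"), "actor": m.group("src"),
                         "attributable": m.group("src") != "root"})
    return rows


if __name__ == "__main__":
    for actor, via in who_became_root(attribute(parse_syslog(SYSLOG_SAMPLE))):
        print("root obtained by %-6s via %s" % (actor, via))
    for row in sulog_root_entries(SULOG_SAMPLE):
        flag = "" if row["attributable"] else "  (unattributable: already root)"
        print("sulog %s tty %s %s%s" % (row["when"], row["tty"], row["actor"], flag))
```

On the sample, test2's "sudo su - oracle" is reported as test2 becoming oracle rather than root becoming oracle, test1 shows up twice (once via "sudo su", once via the "sudo -i" shell that never touches sulog), test3's failed su is dropped, and the root-root sulog row is flagged as one that cannot be attributed from sulog alone. Grepping "root" out of sulog, as the original poster was doing, would have missed the sudo -i case entirely and mis-credited the root-root rows.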