Operating System - HP-UX

why normally "su -" is used to login as root

 
SOLVED
Go to solution
senthil_kumar_1
Super Advisor

Hi

In my company, we normally log in first with our own user account and then issue "su -" to get root access.

What is the purpose of this?

Can we not log in as root directly?
TTr
Honored Contributor
Solution

Re: why normally "su -" is used to login as root

This is a false sense of audit trail and security imposed by policies in many companies today. That's what happens when ignorant company managers get together with even more IT ignorant auditors. If something happens on the server, supposedly this allows to identify which admin was working as root at the time. As if when I log in as root via "su" I can not erase any traces of my login from all the logs.
senthil_kumar_1
Super Advisor

Re: why normally "su -" is used to login as root

In which file are the su logs stored?

Please tell me the log file names where all su activity is logged for Red Hat, SUSE and HP-UX.
TTr
Honored Contributor

Re: why normally "su -" is used to login as root

In HP-UX they are in the syslog daemon log file /var/adm/syslog/syslog.log. I don't know about Linux, but I presume they might be in a similar log file of the syslog daemon.
James R. Ferguson
Acclaimed Contributor

Re: why normally "su -" is used to login as root

Hi:

> In which file su logs are stored

HP-UX logs the successful and unsuccessful 'su' attempts in '/var/adm/sulog'. On these systems, the usual configuration of '/etc/rc.config.d/clean' causes the '/sbin/init.d/clean_adm' script to move the 'sulog' to 'OLDsulog' following a reboot.

As TTr notes, anyone who can login to root can easily erase their tracks if they desire. This reminds me of the old adage that "Locked doors are for honest people".

If I wanted to hide my passage from my account to root (via 'su') I would simply delete the 'su' entry from the aforementioned log and obliterate the root login '.sh_history' contents.

Regards!

...JRF...
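A small audit helper for the 'sulog' described above, added here as an example and not part of the original thread: it assumes the classic System V sulog record layout (SU mm/dd hh:mm +|- tty from-to) and works on constructed sample lines, summarising successful and failed su attempts to root per source account.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed sulog record layout:
#   SU mm/dd hh:mm +|- tty from-to     ('+' = success, '-' = failure)
# The sample records below are constructed, not taken from a real system.
SAMPLE_SULOG='SU 03/12 09:14 + pts/1 senthil-root
SU 03/12 09:20 - pts/2 guest-root
SU 03/12 09:21 - pts/2 guest-root
SU 03/12 09:22 + pts/2 guest-root
SU 03/12 11:05 + console root-oracle
SU 03/13 08:47 + pts/3 jrf-root'

# report_su_to_root FILE
# Prints "user successes failures" for every account that tried to su to root,
# sorted by user name. Transitions to other accounts (e.g. root-oracle) are ignored.
report_su_to_root() {
    awk '$1 == "SU" {
        n = split($6, pair, "-")
        to = pair[n]
        # the source name may itself contain "-", so strip only the last "-to"
        from = substr($6, 1, length($6) - length(to) - 1)
        if (to != "root") next
        if ($4 == "+") ok[from]++; else bad[from]++
        seen[from] = 1
    }
    END {
        for (u in seen) printf "%s %d %d\n", u, ok[u] + 0, bad[u] + 0
    }' "$1" | sort
}

# flag_repeated_failures FILE THRESHOLD
# Lists accounts with at least THRESHOLD failed su-to-root attempts, the
# kind of entry a reviewer would want to see even if the user later succeeded.
flag_repeated_failures() {
    report_su_to_root "$1" | awk -v t="$2" '$3 >= t { print $1 }'
}

# Stand-alone demonstration on the constructed sample.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_SULOG" > "$demo_file"
echo "su-to-root summary (user ok failed):"
report_su_to_root "$demo_file"
echo "accounts with 2+ failures:"
flag_repeated_failures "$demo_file" 2
rm -f "$demo_file"
```

On a real HP-UX host the same functions can be pointed at /var/adm/sulog, or at OLDsulog after the reboot rotation mentioned above.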
senthil_kumar_1
Super Advisor

Re: why normally "su -" is used to login as root

Hi

Now I checked with SUSE. All the su logs are stored in /var/log/messages.

In that file I deleted some log entries after logging in as root using "su -".

How is that possible?

Please explain the difference between a normal root login and a "su -" root login.
James R. Ferguson
Acclaimed Contributor

Re: why normally "su -" is used to login as root

Hi (again):

> Now I checked with SUSE. All the su logs are stored in /var/log/messages.

Yes, I would expect that, since in Linux the HP-UX '/var/adm/syslog/syslog.log' counterpart is '/var/log/messages'. HP-UX records 'su' events in the syslog as well as in the 'sulog' as noted.

> In that file I deleted some log entries after logging in as root using "su -". How is that possible?

I use 'vi' since the log file is an ASCII text one.

> Please explain the difference between a normal root login and a "su -" root login.

While both cause the user's login profile (e.g. ${HOME}/.profile for the Posix/ksh shells) to be processed, direct logins are recorded in '/var/adm/wtmp' (if present) and failed attempts in '/var/adm/btmp' (if present). This isn't the case for 'su' transitions as nothing is recorded in either 'wtmp' or 'btmp'.

The 'wtmp' and 'btmp' logs are binary files that can be examined with 'last' and 'lastb'. Once again, reading the manpages for these commands and following their references leads to a wealth of information.

Regards!

...JRF...
Bill Hassell
Honored Contributor

Re: why normally "su -" is used to login as root

> In that file I deleted some log entries after logging in as root using "su -".

OK. Did you expect something different?

> How is that possible?

If you are root, there is nothing that you cannot do. That's why root is called the super user.

> Please explain the difference between a normal root login and a "su -" root login.

There is no difference except there is a log entry in sulog. Some sysadmins will not allow root to ever login except through the true console port. This means that root access requires two authentications, one as a user and another as root.

If good security and prevention of mistakes is desired, root can never be used because the password is randomly changed every day and the /etc/securetty file prevents logins except from the real console. All root commands are run using sudo, an add-on command that has extensive controls on the user that may use it and the commands they can run.

Bill Hassell, sysadmin
Sajjad Sahir
Honored Contributor

Re: why normally "su -" is used to login as root

Dear Senthil

The su attempt will be logged in the /var/adm/sulog file.

sajjad