On Thu, Mar 20, 2003 at 02:25:42PM -0800, Klotz, Brian wrote: > > I teach a Linux basics course and each term I have the problem of students > who do an su to become root, then rather than exiting, they su again to go > back to their regular account. The trouble is identifying when someone has > done this (they usually don't remember). The "who" command only shows login > shells (AFAIK) so it does not reveal when someone has su-ed. > Just check the logs, if I su to root, /var/log/messages on my machine logs:
traveller su(pam_unix)[3315]: session opened for user root by jason(uid=500) So you can see I went from uid 500 (my normal userid) to the root account, if I then su back to my own account I get: traveller su(pam_unix)[3504]: session opened for user jason by jason(uid=0) So user jason, running as root (uid=0) su'ed to user jason. Of course if you aren't using pam, then you'll have to try something else. -- Jason Kohles [EMAIL PROTECTED] Senior Engineer Red Hat Professional Consulting
