On Fri, May 12, 2000 at 02:41:46PM +0800, [EMAIL PROTECTED] wrote:
>
> I always get this message at 4:02am on my Red Hat machine. I suspect
> it is a program logging in as nobody and trying to become a superuser.
> What should I do to track down where this user came from: my own
> machine, or some other place?
>
> May 7 04:02:02 linux PAM_pwdb[2926]: (su) session opened for user nobody
> by (uid=99)
> May 7 04:02:38 linux PAM_pwdb[2926]: (su) session closed for user nobody
>
If it's consistently happening every day at the same time it's probably
a cron job. Look through the scripts in /etc/cron.daily/; one of them is
probably doing something like this:
su nobody -c 'foo'
I'm not sure what your options are for Red Hat. Debian has a
start-stop-daemon utility which has a --chuid option that would
let you do the same thing without the auth logs being cluttered.
Also check the program being executed; it very well may already have a
--user option. For example updatedb (locate database rebuilder) has a
--user option to drop to uid nobody so that locate does not locate
protected files.
--
Ethan Benson
http://www.alaska.net/~erbenson/
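The two checks suggested in the reply above, written out as a small POSIX sh script. This is an added example, not code from the thread or from either poster: it pulls the target user and the calling uid out of "(su) session opened" lines, and then greps a cron directory for lines that run su. The log excerpt and the two cron scripts it creates under a temporary directory are constructed samples standing in for /var/log/messages and /etc/cron.daily; run it against the real directory by calling find_su_in_cron /etc/cron.daily instead.

```shell
#!/bin/sh
# Added example, not part of the original thread: two small checks for the
# case discussed above. The log excerpt and cron scripts are constructed.

# Constructed auth-log excerpt in the same format as the quoted messages.
SAMPLE_LOG='May 7 04:02:02 linux PAM_pwdb[2926]: (su) session opened for user nobody by (uid=99)
May 7 04:02:38 linux PAM_pwdb[2926]: (su) session closed for user nobody
May 8 04:02:01 linux PAM_pwdb[3011]: (su) session opened for user nobody by (uid=0)'

# su_opens LOGTEXT
# Prints "time target_user calling_uid" for each "(su) session opened" line.
# The "by (uid=N)" field is the uid that invoked su, which is the first
# thing to look at when deciding whether a cron job or a person did it.
su_opens() {
    printf '%s\n' "$1" | sed -n \
        's/^[A-Za-z]* *[0-9]* \([0-9:]*\) .*(su) session opened for user \([^ ]*\) by (uid=\([0-9]*\)).*/\1 \2 \3/p'
}

# find_su_in_cron DIR
# Lists "file:line:text" for every line in DIR that runs su as a command.
# "su" must be at line start or after a shell separator and be followed by
# whitespace, so words like "sum" or "/var/tmp/sums" do not match.
# /dev/null is passed as an extra file so grep always prefixes the filename.
find_su_in_cron() {
    grep -nE '(^|[[:space:];&|(])su[[:space:]]+' "$1"/* /dev/null 2>/dev/null
}

# su_count_in_cron DIR
# Number of matching lines, as a plain integer (arithmetic strips wc padding).
su_count_in_cron() {
    echo $(( $(find_su_in_cron "$1" | wc -l) ))
}

# Constructed stand-in for /etc/cron.daily: one script uses su, one does not.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/updatedb" <<'EOF'
#!/bin/sh
# constructed sample: rebuild the locate database as nobody via su
su nobody -c '/usr/bin/updatedb'
EOF
cat > "$DEMO_DIR/logrotate" <<'EOF'
#!/bin/sh
# constructed sample: no user switch in here
/usr/sbin/logrotate /etc/logrotate.conf
cksum /var/log/messages > /var/tmp/sums
EOF

echo "su sessions opened in the sample log (time user calling_uid):"
su_opens "$SAMPLE_LOG"
echo "su invocations under $DEMO_DIR:"
find_su_in_cron "$DEMO_DIR"
```

If the calling uid printed by su_opens is 0 and the time matches a cron.daily run, the grep result points at the script to change; a job that already runs as the target user (for example via updatedb's own --user option) will not produce the su line at all.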