"Successful su for user by root" - suspicious entries in my /var/log/auth.log?


Solution 1

Those warnings are when you switch from root to your user.

It doesn't appear that you have any problem.

Solution 2

These are not from when you run sudo. But they are not a problem, either.

The messages say:

Successful su for user by root

This happens whenever you log in. Whether you're logging in as a real user or as a guest user, the login screen runs as root, so it must change user identity from root to a non-root user as part of the login process.

This isn't user becoming root. This is root becoming user.

Solution 3

I think I may have found at least one of the culprits:

Aug 21 16:15:09 UbuntuSystem su[30135]: Successful su for user by root
Aug 21 16:15:09 UbuntuSystem su[30135]: + ??? root:user
Aug 21 16:15:09 UbuntuSystem su[30135]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 21 16:15:09 UbuntuSystem su[30135]: pam_unix(su:session): session closed for user user
Aug 21 16:15:09 UbuntuSystem sudo: pam_unix(sudo:session): session closed for user root
Aug 21 16:15:12 UbuntuSystem sudo:      user : TTY=unknown ; PWD=/home/user ; USER=root ; COMMAND=/usr/lib/jupiter/scripts/cpu-control high
Aug 21 16:15:12 UbuntuSystem sudo: pam_unix(sudo:session): session opened for user root by (uid=1000)
Aug 21 16:15:12 UbuntuSystem su[30174]: Successful su for user by root
Aug 21 16:15:12 UbuntuSystem su[30174]: + ??? root:user
Aug 21 16:15:12 UbuntuSystem su[30174]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 21 16:15:12 UbuntuSystem su[30174]: pam_unix(su:session): session closed for user user
Aug 21 16:15:12 UbuntuSystem sudo: pam_unix(sudo:session): session closed for user root

In this case the entries were connected to the Jupiter power applet and specifically appeared when changing the CPU power mode. As there was no mention of Jupiter in any of the other instances, I cannot be sure whether they can be attributed to the same process.

I will keep monitoring my logs and post any further results here.
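Solution 3 does the attribution by hand: it reads the sudo COMMAND line a moment before each "Successful su for user by root" and concludes the root-owned helper dropped back to the invoking user. The script below automates that check over an auth.log. It is an added example, not code from the question, the answers or the Jupiter project. The log lines inside it are constructed to match the format quoted above (the first block mirrors the Jupiter entries; the other two are made up to show the remaining cases), the ten-second correlation window is an assumption, and because syslog timestamps carry no year the caller has to supply one.

```python
import re
import sys
from datetime import datetime, timedelta

# Constructed sample modelled on the auth.log lines quoted in the question
# (syslog timestamp, host, program[pid], message). Not a real capture: the
# first block copies the Jupiter pattern, the last two blocks are invented.
SAMPLE_AUTH_LOG = """\
Aug 21 16:15:12 UbuntuSystem sudo:      user : TTY=unknown ; PWD=/home/user ; USER=root ; COMMAND=/usr/lib/jupiter/scripts/cpu-control high
Aug 21 16:15:12 UbuntuSystem sudo: pam_unix(sudo:session): session opened for user root by (uid=1000)
Aug 21 16:15:12 UbuntuSystem su[30174]: Successful su for user by root
Aug 21 16:15:12 UbuntuSystem su[30174]: + ??? root:user
Aug 21 16:15:12 UbuntuSystem su[30174]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 21 16:15:12 UbuntuSystem su[30174]: pam_unix(su:session): session closed for user user
Aug 21 16:15:12 UbuntuSystem sudo: pam_unix(sudo:session): session closed for user root
Aug 21 18:02:41 UbuntuSystem su[31002]: Successful su for user by root
Aug 21 18:02:41 UbuntuSystem su[31002]: + ??? root:user
Aug 21 18:02:41 UbuntuSystem su[31002]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 21 18:30:05 UbuntuSystem su[31110]: Successful su for root by user
Aug 21 18:30:05 UbuntuSystem su[31110]: + /dev/pts/1 user:root
Aug 21 18:30:05 UbuntuSystem su[31110]: pam_unix(su:session): session opened for user root by user(uid=1000)
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
# "Successful su for <target> by <actor>": who became whom.
SU_RE = re.compile(TS + r" (?P<host>\S+) su\[(?P<pid>\d+)\]: Successful su for (?P<target>\S+) by (?P<actor>\S+)$")
# sudo's command record: invoking user, run-as user and the command.
SUDO_RE = re.compile(TS + r" (?P<host>\S+) sudo:\s+(?P<invoker>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_ts(ts: str, year: int) -> datetime:
    """Syslog timestamps carry no year; the caller supplies one (assumption)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_events(text: str, year: int):
    """Split auth.log text into su identity switches and sudo command records."""
    su_events, sudo_events = [], []
    for line in text.splitlines():
        m = SU_RE.match(line)
        if m:
            su_events.append({"ts": parse_ts(m["ts"], year), "pid": m["pid"],
                              "target": m["target"], "actor": m["actor"]})
            continue
        m = SUDO_RE.match(line)
        if m:
            sudo_events.append({"ts": parse_ts(m["ts"], year), "invoker": m["invoker"],
                                "runas": m["runas"], "cmd": m["cmd"]})
    return su_events, sudo_events


def classify_su_events(text: str, year: int = 2012, window: timedelta = timedelta(seconds=10)):
    """Label every 'Successful su' line in the log:
       escalation  - the actor is not root (e.g. user -> root): always worth reviewing
       explained   - root -> user, preceded within `window` by a sudo command that this
                     user ran as root (a root-owned helper dropping back, the Jupiter case)
       unexplained - root -> user with no such sudo record: check cron, the login manager
                     and anything else running as root before drawing conclusions
    """
    su_events, sudo_events = parse_events(text, year)
    results = []
    for su in su_events:
        entry = {"pid": su["pid"], "ts": su["ts"], "target": su["target"],
                 "actor": su["actor"], "cause": None}
        if su["actor"] != "root":
            entry["kind"] = "escalation"
        else:
            candidates = [s for s in sudo_events
                          if s["invoker"] == su["target"] and s["runas"] == "root"
                          and timedelta(0) <= su["ts"] - s["ts"] <= window]
            if candidates:
                entry["kind"] = "explained"
                entry["cause"] = candidates[-1]["cmd"]   # nearest preceding sudo command
            else:
                entry["kind"] = "unexplained"
        results.append(entry)
    return results


if __name__ == "__main__":
    # Usage: python3 su_triage.py /var/log/auth.log   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    for r in classify_su_events(text):
        tail = f" (sudo: {r['cause']})" if r["cause"] else ""
        print(f"{r['ts']:%b %d %H:%M:%S} su[{r['pid']}] {r['actor']}->{r['target']}: {r['kind']}{tail}")
```

The sudo window only accounts for the mechanism Solution 3 found. A root-to-user su during a guest login (the lightdm block in the question) or from a root cron job will come out as "unexplained", so treat that label as "look at what else root was doing at that second", not as evidence of compromise; the "escalation" label is the one that should never appear without you remembering having typed it.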


Glutanimate

Medical student, hobbyist programmer. https://www.youtube.com/c/glutanimate

Updated on September 18, 2022

Comments

  • Glutanimate
    Glutanimate over 1 year

    This post on reddit made me go through my logs. That's when I discovered the following entries which appeared on two non-subsequent days. "user" is my user account.

    Aug  4 22:50:37 UbuntuSystem sudo: pam_unix(sudo:session): session opened for user root by user(uid=1000)
    Aug  4 22:50:39 UbuntuSystem sudo: pam_unix(sudo:session): session closed for user root
    Aug  4 22:51:16 UbuntuSystem su[10710]: Successful su for user by root
    Aug  4 22:51:16 UbuntuSystem su[10710]: + ??? root:user
    Aug  4 22:51:16 UbuntuSystem su[10710]: pam_unix(su:session): session opened for user user by (uid=0)
    Aug  4 22:51:17 UbuntuSystem su[10710]: pam_unix(su:session): session closed for user user
    Aug  4 22:51:17 UbuntuSystem su[10720]: Successful su for user by root
    Aug  4 22:51:17 UbuntuSystem su[10720]: + ??? root:user
    Aug  4 22:51:17 UbuntuSystem su[10720]: pam_unix(su:session): session opened for user user by (uid=0)
    Aug  4 22:51:17 UbuntuSystem su[10720]: pam_unix(su:session): session closed for user user
    Aug  4 22:51:17 UbuntuSystem su[10735]: Successful su for user by root
    Aug  4 22:51:17 UbuntuSystem su[10735]: + ??? root:user
    Aug  4 22:51:17 UbuntuSystem su[10735]: pam_unix(su:session): session opened for user user by (uid=0)
    Aug  4 22:51:17 UbuntuSystem su[10735]: pam_unix(su:session): session closed for user user
    Aug  4 22:51:17 UbuntuSystem su[10763]: Successful su for user by root
    Aug  4 22:51:17 UbuntuSystem su[10763]: + ??? root:user
    Aug  4 22:51:17 UbuntuSystem su[10763]: pam_unix(su:session): session opened for user user by (uid=0)
    Aug  4 22:51:17 UbuntuSystem su[10763]: pam_unix(su:session): session closed for user user
    Aug  4 22:51:17 UbuntuSystem su[10773]: Successful su for user by root
    Aug  4 22:51:17 UbuntuSystem su[10773]: + ??? root:user
    Aug  4 22:51:17 UbuntuSystem su[10773]: pam_unix(su:session): session opened for user user by (uid=0)
    Aug  4 22:51:17 UbuntuSystem su[10773]: pam_unix(su:session): session closed for user user
    Aug  4 22:51:17 UbuntuSystem su[10788]: Successful su for user by root
    Aug  4 22:51:17 UbuntuSystem su[10788]: + ??? root:user
    Aug  4 22:51:17 UbuntuSystem su[10788]: pam_unix(su:session): session opened for user user by (uid=0)
    Aug  4 22:51:17 UbuntuSystem su[10788]: pam_unix(su:session): session closed for user user
    Aug  4 22:51:17 UbuntuSystem su[10801]: Successful su for user by root
    Aug  4 22:51:17 UbuntuSystem su[10801]: + ??? root:user
    Aug  4 22:51:17 UbuntuSystem su[10801]: pam_unix(su:session): session opened for user user by (uid=0)
    Aug  4 22:51:17 UbuntuSystem su[10801]: pam_unix(su:session): session closed for user user
    Aug  4 22:51:17 UbuntuSystem su[10814]: Successful su for user by root
    Aug  4 22:51:17 UbuntuSystem su[10814]: + ??? root:user
    Aug  4 22:51:17 UbuntuSystem su[10814]: pam_unix(su:session): session opened for user user by (uid=0)
    Aug  4 22:51:17 UbuntuSystem su[10814]: pam_unix(su:session): session closed for user user
    Aug  4 22:51:17 UbuntuSystem su[10829]: Successful su for user by root
    Aug  4 22:51:17 UbuntuSystem su[10829]: + ??? root:user
    Aug  4 22:51:17 UbuntuSystem su[10829]: pam_unix(su:session): session opened for user user by (uid=0)
    Aug  4 22:51:17 UbuntuSystem su[10829]: pam_unix(su:session): session closed for user user
    Aug  4 22:51:17 UbuntuSystem su[10842]: Successful su for user by root
    Aug  4 22:51:17 UbuntuSystem su[10842]: + ??? root:user
    Aug  4 22:51:17 UbuntuSystem su[10842]: pam_unix(su:session): session opened for user user by (uid=0)
    Aug  4 22:51:17 UbuntuSystem su[10842]: pam_unix(su:session): session closed for user user
    Aug  4 22:51:17 UbuntuSystem su[10855]: Successful su for user by root
    Aug  4 22:51:17 UbuntuSystem su[10855]: + ??? root:user
    Aug  4 22:51:17 UbuntuSystem su[10855]: pam_unix(su:session): session opened for user user by (uid=0)
    Aug  4 22:51:17 UbuntuSystem su[10855]: pam_unix(su:session): session closed for user user
    Aug  4 23:41:39 UbuntuSystem su[11153]: Successful su for user by root
    Aug  4 23:41:39 UbuntuSystem su[11153]: + ??? root:user
    Aug  4 23:41:39 UbuntuSystem su[11153]: pam_unix(su:session): session opened for user user by (uid=0)
    Aug  4 23:41:39 UbuntuSystem su[11153]: pam_unix(su:session): session closed for user user
    Aug  4 23:41:39 UbuntuSystem su[11166]: Successful su for user by root
    Aug  4 23:41:39 UbuntuSystem su[11166]: + ??? root:user
    Aug  4 23:41:39 UbuntuSystem su[11166]: pam_unix(su:session): session opened for user user by (uid=0)
    Aug  4 23:41:39 UbuntuSystem su[11166]: pam_unix(su:session): session closed for user user
    Aug  4 23:41:39 UbuntuSystem su[11181]: Successful su for user by root
    Aug  4 23:41:39 UbuntuSystem su[11181]: + ??? root:user
    Aug  4 23:41:39 UbuntuSystem su[11181]: pam_unix(su:session): session opened for user user by (uid=0)
    Aug  4 23:41:39 UbuntuSystem su[11181]: pam_unix(su:session): session closed for user user
    Aug  4 23:41:39 UbuntuSystem su[11193]: Successful su for user by root
    Aug  4 23:41:39 UbuntuSystem su[11193]: + ??? root:user
    Aug  4 23:41:39 UbuntuSystem su[11193]: pam_unix(su:session): session opened for user user by (uid=0)
    Aug  4 23:41:39 UbuntuSystem su[11193]: pam_unix(su:session): session closed for user user
    Aug  4 23:41:39 UbuntuSystem su[11211]: Successful su for user by root
    Aug  4 23:41:39 UbuntuSystem su[11211]: + ??? root:user
    Aug  4 23:41:39 UbuntuSystem su[11211]: pam_unix(su:session): session opened for user user by (uid=0)
    Aug  4 23:41:39 UbuntuSystem su[11211]: pam_unix(su:session): session closed for user user
    Aug  4 23:41:39 UbuntuSystem su[11226]: Successful su for user by root
    Aug  4 23:41:39 UbuntuSystem su[11226]: + ??? root:user
    Aug  4 23:41:39 UbuntuSystem su[11226]: pam_unix(su:session): session opened for user user by (uid=0)
    Aug  4 23:41:39 UbuntuSystem su[11226]: pam_unix(su:session): session closed for user user
    Aug  4 23:41:39 UbuntuSystem su[11241]: Successful su for user by root
    Aug  4 23:41:39 UbuntuSystem su[11241]: + ??? root:user
    Aug  4 23:41:39 UbuntuSystem su[11241]: pam_unix(su:session): session opened for user user by (uid=0)
    Aug  4 23:41:39 UbuntuSystem su[11241]: pam_unix(su:session): session closed for user user
    Aug  4 23:41:39 UbuntuSystem su[11253]: Successful su for user by root
    Aug  4 23:41:39 UbuntuSystem su[11253]: + ??? root:user
    Aug  4 23:41:39 UbuntuSystem su[11253]: pam_unix(su:session): session opened for user user by (uid=0)
    Aug  4 23:41:39 UbuntuSystem su[11253]: pam_unix(su:session): session closed for user user
    Aug  4 23:42:18 UbuntuSystem gnome-screensaver-dialog: gkr-pam: unlocked login keyring
    Aug  4 23:42:33 UbuntuSystem polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.48, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
    
    Aug 15 20:17:01 UbuntuSystem CRON[26579]: pam_unix(cron:session): session opened for user root by (uid=0)
    Aug 15 20:17:01 UbuntuSystem CRON[26579]: pam_unix(cron:session): session closed for user root
    Aug 15 21:15:15 UbuntuSystem su[27098]: Successful su for user by root
    Aug 15 21:15:15 UbuntuSystem su[27098]: + ??? root:user
    Aug 15 21:15:15 UbuntuSystem su[27098]: pam_unix(su:session): session opened for user user by (uid=0)
    Aug 15 21:15:15 UbuntuSystem su[27098]: pam_unix(su:session): session closed for user user
    Aug 15 21:17:01 UbuntuSystem CRON[27141]: pam_unix(cron:session): session opened for user root by (uid=0)
    Aug 15 21:17:01 UbuntuSystem CRON[27141]: pam_unix(cron:session): session closed for user root
    

    Apart from these iterations the only other times I found a similar output was when trying out the guest account:

    Aug 11 22:38:49 UbuntuSystem lightdm: pam_unix(lightdm:session): session closed for user lightdm
    Aug 11 22:38:49 UbuntuSystem groupadd[2918]: group added to /etc/group: name=guest-4Eflre, GID=125
    Aug 11 22:38:49 UbuntuSystem groupadd[2918]: group added to /etc/gshadow: name=guest-4Eflre
    Aug 11 22:38:49 UbuntuSystem groupadd[2918]: new group: name=guest-4Eflre, GID=125
    Aug 11 22:38:50 UbuntuSystem useradd[2922]: new user: name=guest-4Eflre, UID=115, GID=125, home=/, shell=/bin/bash
    Aug 11 22:38:50 UbuntuSystem usermod[2927]: change user 'guest-4Eflre' password
    Aug 11 22:38:50 UbuntuSystem chage[2932]: changed password expiry for guest-4Eflre
    Aug 11 22:38:50 UbuntuSystem chfn[2935]: changed user 'guest-4Eflre' information
    Aug 11 22:38:50 UbuntuSystem usermod[2943]: change user 'guest-4Eflre' home from '/' to '/tmp/guest-4Eflre'
    Aug 11 22:38:50 UbuntuSystem su[2948]: Successful su for guest-4Eflre by root
    Aug 11 22:38:50 UbuntuSystem su[2948]: + ??? root:guest-4Eflre
    Aug 11 22:38:50 UbuntuSystem su[2948]: pam_unix(su:session): session opened for user guest-4Eflre by (uid=0)
    Aug 11 22:38:50 UbuntuSystem su[2948]: pam_unix(su:session): session closed for user guest-4Eflre
    Aug 11 22:38:50 UbuntuSystem lightdm: pam_unix(lightdm-autologin:session): session opened for user guest-4Eflre by (uid=0)
    Aug 11 22:38:50 UbuntuSystem lightdm: pam_ck_connector(lightdm-autologin:session): nox11 mode, ignoring PAM_TTY :0
    

    I might have to add that I set up my system only fairly recently (Aug 4).

    Is this behaviour normal? What exactly is going on with all the su commands? Do I have to be worried that my system might be compromised?

    Many thanks in advance.

  • Glutanimate
    Glutanimate over 11 years
    Thanks for your quick reply! I sincerely hope that's the case. However, in general I issue at least one sudo command (mostly apt-get update&upgrade) per session. Do you have any idea why these entries only appeared on two days total?
  • LnxSlck
    LnxSlck over 11 years
    It could be some scheduled jobs or one version of sudo that had that issue.
  • Glutanimate
    Glutanimate over 11 years
    Alright, thanks again. I am relieved for now. Still, I'll make sure to monitor the logs over the next days to see if those entries reappear and try to find out what's causing them. I'll edit my OP if I find anything.
  • Eliah Kagan
    Eliah Kagan over 11 years
    @Glutanimate That's a good point. While this is root becoming you (and not you becoming root), there's something wrong with my assumption that this is you logging on. On a 12.04 system configured normally, a login actually looks different from this. For example, on my 12.04 system it looks like Aug 17 17:09:37 Del lightdm: pam_unix(lightdm:session): session opened for user ek by (uid=0). I wonder if you have scheduled tasks running as your user. (Some such tasks can be revealed by running crontab -l.)
  • Eliah Kagan
    Eliah Kagan over 11 years
    Ultimately, something is going on that I cannot (presently) explain. I don't think it's cause for concern, but it's worth looking into.