"Successful su for user by root" - suspicious entries in my /var/log/auth.log?
Solution 1
Those warnings are when you switch from root to your user.
It doesn't appear that you have any problem.
Solution 2
These are not from when you run sudo. But they are not a problem, either.
The messages say:
Successful su for user by root
This happens whenever you log in. Whether you're logging in as a real user or as a guest user, the login screen runs as root, so it must change user identity from root to a non-root user as part of the login process.
This isn't user becoming root. This is root becoming user.
Solution 3
I think I may have found at least one of the culprits:
Aug 21 16:15:09 UbuntuSystem su[30135]: Successful su for user by root
Aug 21 16:15:09 UbuntuSystem su[30135]: + ??? root:user
Aug 21 16:15:09 UbuntuSystem su[30135]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 21 16:15:09 UbuntuSystem su[30135]: pam_unix(su:session): session closed for user user
Aug 21 16:15:09 UbuntuSystem sudo: pam_unix(sudo:session): session closed for user root
Aug 21 16:15:12 UbuntuSystem sudo: user : TTY=unknown ; PWD=/home/user ; USER=root ; COMMAND=/usr/lib/jupiter/scripts/cpu-control high
Aug 21 16:15:12 UbuntuSystem sudo: pam_unix(sudo:session): session opened for user root by (uid=1000)
Aug 21 16:15:12 UbuntuSystem su[30174]: Successful su for user by root
Aug 21 16:15:12 UbuntuSystem su[30174]: + ??? root:user
Aug 21 16:15:12 UbuntuSystem su[30174]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 21 16:15:12 UbuntuSystem su[30174]: pam_unix(su:session): session closed for user user
Aug 21 16:15:12 UbuntuSystem sudo: pam_unix(sudo:session): session closed for user root
In this case the entries were connected to the Jupiter power applet and specifically appeared when changing the CPU power mode. As there was no mention of Jupiter in any of the other instances, I cannot be sure whether they can be attributed to the same process.
I will keep monitoring my logs and post any further results here.
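A small classifier for entries like these, added here as an example and not code from the question or any of the answers: it parses auth.log lines, labels each successful su by direction (root dropping to a user, the case Solution 2 describes, versus a user becoming root), records the TTY from the "+ ??? root:user" line (??? means no terminal, i.e. non-interactive) and ties each su to a sudo COMMAND logged in the same second, as in the Jupiter entries in Solution 3. The sample log is constructed from the entries quoted above plus one invented user-to-root su (pid 31002) for contrast.

```python
import re
from collections import Counter

# Constructed sample: the Jupiter entries quoted in Solution 3 plus one invented
# user-to-root su (pid 31002) for contrast. Not taken verbatim from any real host.
SAMPLE_LOG = """\
Aug 21 16:15:12 UbuntuSystem sudo: user : TTY=unknown ; PWD=/home/user ; USER=root ; COMMAND=/usr/lib/jupiter/scripts/cpu-control high
Aug 21 16:15:12 UbuntuSystem sudo: pam_unix(sudo:session): session opened for user root by (uid=1000)
Aug 21 16:15:12 UbuntuSystem su[30174]: Successful su for user by root
Aug 21 16:15:12 UbuntuSystem su[30174]: + ??? root:user
Aug 21 16:15:12 UbuntuSystem su[30174]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 21 16:15:12 UbuntuSystem su[30174]: pam_unix(su:session): session closed for user user
Aug 21 16:15:12 UbuntuSystem sudo: pam_unix(sudo:session): session closed for user root
Aug 22 09:01:05 UbuntuSystem su[31002]: Successful su for root by user
Aug 22 09:01:05 UbuntuSystem su[31002]: + /dev/pts/2 user:root
Aug 22 09:01:05 UbuntuSystem su[31002]: pam_unix(su:session): session opened for user root by user(uid=1000)
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
SU_RE = re.compile(TS + r" \S+ su\[(?P<pid>\d+)\]: Successful su for (?P<target>\S+) by (?P<source>\S+)$")
TTY_RE = re.compile(r"su\[(?P<pid>\d+)\]: \+ (?P<tty>\S+) \S+:\S+$")   # "+ ??? root:user"
SUDO_RE = re.compile(TS + r" \S+ sudo: +(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")

def classify_su(text):
    """One dict per successful su: who became whom, which direction, the TTY
    ("???" = no terminal, i.e. non-interactive) and any sudo COMMAND logged in
    the same second, which is the likely parent of a root-to-user su."""
    events, last_sudo = [], None
    for line in text.splitlines():
        if m := SUDO_RE.match(line):
            last_sudo = (m.group("ts"), m.group("cmd"))
        elif (m := TTY_RE.search(line)) and events and events[-1]["pid"] == m.group("pid"):
            events[-1]["tty"] = m.group("tty")
        elif m := SU_RE.match(line):
            src, tgt = m.group("source"), m.group("target")
            if src == "root" and tgt != "root":
                direction = "drop"        # root becoming a user: Solution 2's login case
            elif src != "root" and tgt == "root":
                direction = "escalate"    # a user becoming root: the one to review
            else:
                direction = "lateral"
            same_second = last_sudo is not None and last_sudo[0] == m.group("ts")
            events.append({"ts": m.group("ts"), "pid": m.group("pid"), "source": src,
                           "target": tgt, "direction": direction, "tty": None,
                           "preceding_sudo": last_sudo[1] if same_second else None})
    return events

def summarize(events):
    return Counter(e["direction"] for e in events)   # non-zero "escalate" is what to look at
```

Running classify_su over a real /var/log/auth.log and checking that every "drop" with tty "???" has a known parent (login manager, a sudo-run script, cron) is the check the question is really asking for.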
Glutanimate
Medical student, hobbyist programmer. https://www.youtube.com/c/glutanimate
Updated on September 18, 2022
Comments
-
Glutanimate over 1 year
This post on reddit made me go through my logs. That's when I discovered the following entries which appeared on two non-subsequent days. "user" is my user account.
Aug 4 22:50:37 UbuntuSystem sudo: pam_unix(sudo:session): session opened for user root by user(uid=1000)
Aug 4 22:50:39 UbuntuSystem sudo: pam_unix(sudo:session): session closed for user root
Aug 4 22:51:16 UbuntuSystem su[10710]: Successful su for user by root
Aug 4 22:51:16 UbuntuSystem su[10710]: + ??? root:user
Aug 4 22:51:16 UbuntuSystem su[10710]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10710]: pam_unix(su:session): session closed for user user
Aug 4 22:51:17 UbuntuSystem su[10720]: Successful su for user by root
Aug 4 22:51:17 UbuntuSystem su[10720]: + ??? root:user
Aug 4 22:51:17 UbuntuSystem su[10720]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10720]: pam_unix(su:session): session closed for user user
Aug 4 22:51:17 UbuntuSystem su[10735]: Successful su for user by root
Aug 4 22:51:17 UbuntuSystem su[10735]: + ??? root:user
Aug 4 22:51:17 UbuntuSystem su[10735]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10735]: pam_unix(su:session): session closed for user user
Aug 4 22:51:17 UbuntuSystem su[10763]: Successful su for user by root
Aug 4 22:51:17 UbuntuSystem su[10763]: + ??? root:user
Aug 4 22:51:17 UbuntuSystem su[10763]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10763]: pam_unix(su:session): session closed for user user
Aug 4 22:51:17 UbuntuSystem su[10773]: Successful su for user by root
Aug 4 22:51:17 UbuntuSystem su[10773]: + ??? root:user
Aug 4 22:51:17 UbuntuSystem su[10773]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10773]: pam_unix(su:session): session closed for user user
Aug 4 22:51:17 UbuntuSystem su[10788]: Successful su for user by root
Aug 4 22:51:17 UbuntuSystem su[10788]: + ??? root:user
Aug 4 22:51:17 UbuntuSystem su[10788]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10788]: pam_unix(su:session): session closed for user user
Aug 4 22:51:17 UbuntuSystem su[10801]: Successful su for user by root
Aug 4 22:51:17 UbuntuSystem su[10801]: + ??? root:user
Aug 4 22:51:17 UbuntuSystem su[10801]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10801]: pam_unix(su:session): session closed for user user
Aug 4 22:51:17 UbuntuSystem su[10814]: Successful su for user by root
Aug 4 22:51:17 UbuntuSystem su[10814]: + ??? root:user
Aug 4 22:51:17 UbuntuSystem su[10814]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10814]: pam_unix(su:session): session closed for user user
Aug 4 22:51:17 UbuntuSystem su[10829]: Successful su for user by root
Aug 4 22:51:17 UbuntuSystem su[10829]: + ??? root:user
Aug 4 22:51:17 UbuntuSystem su[10829]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10829]: pam_unix(su:session): session closed for user user
Aug 4 22:51:17 UbuntuSystem su[10842]: Successful su for user by root
Aug 4 22:51:17 UbuntuSystem su[10842]: + ??? root:user
Aug 4 22:51:17 UbuntuSystem su[10842]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10842]: pam_unix(su:session): session closed for user user
Aug 4 22:51:17 UbuntuSystem su[10855]: Successful su for user by root
Aug 4 22:51:17 UbuntuSystem su[10855]: + ??? root:user
Aug 4 22:51:17 UbuntuSystem su[10855]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 22:51:17 UbuntuSystem su[10855]: pam_unix(su:session): session closed for user user
Aug 4 23:41:39 UbuntuSystem su[11153]: Successful su for user by root
Aug 4 23:41:39 UbuntuSystem su[11153]: + ??? root:user
Aug 4 23:41:39 UbuntuSystem su[11153]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 23:41:39 UbuntuSystem su[11153]: pam_unix(su:session): session closed for user user
Aug 4 23:41:39 UbuntuSystem su[11166]: Successful su for user by root
Aug 4 23:41:39 UbuntuSystem su[11166]: + ??? root:user
Aug 4 23:41:39 UbuntuSystem su[11166]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 23:41:39 UbuntuSystem su[11166]: pam_unix(su:session): session closed for user user
Aug 4 23:41:39 UbuntuSystem su[11181]: Successful su for user by root
Aug 4 23:41:39 UbuntuSystem su[11181]: + ??? root:user
Aug 4 23:41:39 UbuntuSystem su[11181]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 23:41:39 UbuntuSystem su[11181]: pam_unix(su:session): session closed for user user
Aug 4 23:41:39 UbuntuSystem su[11193]: Successful su for user by root
Aug 4 23:41:39 UbuntuSystem su[11193]: + ??? root:user
Aug 4 23:41:39 UbuntuSystem su[11193]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 23:41:39 UbuntuSystem su[11193]: pam_unix(su:session): session closed for user user
Aug 4 23:41:39 UbuntuSystem su[11211]: Successful su for user by root
Aug 4 23:41:39 UbuntuSystem su[11211]: + ??? root:user
Aug 4 23:41:39 UbuntuSystem su[11211]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 23:41:39 UbuntuSystem su[11211]: pam_unix(su:session): session closed for user user
Aug 4 23:41:39 UbuntuSystem su[11226]: Successful su for user by root
Aug 4 23:41:39 UbuntuSystem su[11226]: + ??? root:user
Aug 4 23:41:39 UbuntuSystem su[11226]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 23:41:39 UbuntuSystem su[11226]: pam_unix(su:session): session closed for user user
Aug 4 23:41:39 UbuntuSystem su[11241]: Successful su for user by root
Aug 4 23:41:39 UbuntuSystem su[11241]: + ??? root:user
Aug 4 23:41:39 UbuntuSystem su[11241]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 23:41:39 UbuntuSystem su[11241]: pam_unix(su:session): session closed for user user
Aug 4 23:41:39 UbuntuSystem su[11253]: Successful su for user by root
Aug 4 23:41:39 UbuntuSystem su[11253]: + ??? root:user
Aug 4 23:41:39 UbuntuSystem su[11253]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 4 23:41:39 UbuntuSystem su[11253]: pam_unix(su:session): session closed for user user
Aug 4 23:42:18 UbuntuSystem gnome-screensaver-dialog: gkr-pam: unlocked login keyring
Aug 4 23:42:33 UbuntuSystem polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.48, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Aug 15 20:17:01 UbuntuSystem CRON[26579]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 15 20:17:01 UbuntuSystem CRON[26579]: pam_unix(cron:session): session closed for user root
Aug 15 21:15:15 UbuntuSystem su[27098]: Successful su for user by root
Aug 15 21:15:15 UbuntuSystem su[27098]: + ??? root:user
Aug 15 21:15:15 UbuntuSystem su[27098]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 15 21:15:15 UbuntuSystem su[27098]: pam_unix(su:session): session closed for user user
Aug 15 21:17:01 UbuntuSystem CRON[27141]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 15 21:17:01 UbuntuSystem CRON[27141]: pam_unix(cron:session): session closed for user root
Apart from these iterations the only other times I found a similar output was when trying out the guest account:
Aug 11 22:38:49 UbuntuSystem lightdm: pam_unix(lightdm:session): session closed for user lightdm
Aug 11 22:38:49 UbuntuSystem groupadd[2918]: group added to /etc/group: name=guest-4Eflre, GID=125
Aug 11 22:38:49 UbuntuSystem groupadd[2918]: group added to /etc/gshadow: name=guest-4Eflre
Aug 11 22:38:49 UbuntuSystem groupadd[2918]: new group: name=guest-4Eflre, GID=125
Aug 11 22:38:50 UbuntuSystem useradd[2922]: new user: name=guest-4Eflre, UID=115, GID=125, home=/, shell=/bin/bash
Aug 11 22:38:50 UbuntuSystem usermod[2927]: change user 'guest-4Eflre' password
Aug 11 22:38:50 UbuntuSystem chage[2932]: changed password expiry for guest-4Eflre
Aug 11 22:38:50 UbuntuSystem chfn[2935]: changed user 'guest-4Eflre' information
Aug 11 22:38:50 UbuntuSystem usermod[2943]: change user 'guest-4Eflre' home from '/' to '/tmp/guest-4Eflre'
Aug 11 22:38:50 UbuntuSystem su[2948]: Successful su for guest-4Eflre by root
Aug 11 22:38:50 UbuntuSystem su[2948]: + ??? root:guest-4Eflre
Aug 11 22:38:50 UbuntuSystem su[2948]: pam_unix(su:session): session opened for user guest-4Eflre by (uid=0)
Aug 11 22:38:50 UbuntuSystem su[2948]: pam_unix(su:session): session closed for user guest-4Eflre
Aug 11 22:38:50 UbuntuSystem lightdm: pam_unix(lightdm-autologin:session): session opened for user guest-4Eflre by (uid=0)
Aug 11 22:38:50 UbuntuSystem lightdm: pam_ck_connector(lightdm-autologin:session): nox11 mode, ignoring PAM_TTY :0
I might have to add that I set up my system only fairly recently (Aug 4).
Is this behaviour normal? What exactly is going on with all the su commands? Do I have to be worried that my system might be compromised?
Many thanks in advance.
-
Glutanimate over 11 years
Thanks for your quick reply! I sincerely hope that's the case. However, in general I issue at least one sudo command (mostly apt-get update&upgrade) per session. Do you have any idea why these entries only appeared on two days total?
-
LnxSlck over 11 years
It could be some scheduled jobs or one version of sudo that had that issue.
-
Glutanimate over 11 years
Alright, thanks again. I am relieved for now. Still, I'll make sure to monitor the logs over the next days to see if those entries reappear and try to find out what's causing them. I'll edit my OP if I find anything.
-
Eliah Kagan over 11 years
@Glutanimate That's a good point. While this is root becoming you (and not you becoming root), there's something wrong with my assumption that this is you logging on. On a 12.04 system configured normally, a login actually looks different from this. For example, on my 12.04 system it looks like
Aug 17 17:09:37 Del lightdm: pam_unix(lightdm:session): session opened for user ek by (uid=0)
. I wonder if you have scheduled tasks running as your user. (Some such tasks can be revealed by running crontab -l.)
-
Eliah Kagan over 11 years
Ultimately, something is going on that I cannot (presently) explain. I don't think it's cause for concern, but it's worth looking into.