Using top to see processes run by a user on behalf of sudo
It doesn't seem to be possible in an easy way.
From top
's perspective, any command a user runs using sudo
would appear to be running as root
because it really is running as root.
One way you could try, is to track it down to the terminal where the user is logged in, then see processes running as root on that terminal.
For example,
$ w user
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
user pts/0 w.x.y.z 07:01 0.00s 1.07s 0.03s w user
Note the user is on pts/0
.
Now run top
.
Now press f (field select), then g (toggle controlling tty field), then Enter.
Now watch for processes with pts/0
in the TTY
column.
You can also sort by TTY
by pressing g a second time.
Or you could use procfs
to get a list of pids
, e.g.
$ sudo grep -l SUDO_USER="\<user\>" /proc/*/environ
Then do anything with that list. Even use it to run top -p <pid1>,<pid2>...
.
sudo top -p $(sudo grep -l SUDO_USER='\<user\>' /proc/[0-9]*/environ |
cut -f 3 -d / |
tr '\n' ',' |
sed -e 's/,$//')
Of course, in that case, top
won't show you if that user starts a new command using sudo
.
Also don't forget that a user running a command is probably being logged, e.g. to /var/log/secure
or /var/log/auth.log
, or /var/log/sudo.log
, or whatever your system uses.
Related videos on Youtube
Comments
-
amccormack almost 2 years
If I run
top -u username
I will see all the processes by a particular user. Is there a way to also see all the processes that the user called via sudo? -
Arcege over 13 yearsremember that
sudo -u
starts the subprocess with a uid of the given user, not as root; you would want to limit based on that user. -
Olli over 13 yearsActually, at least in Linux even sudo command is shown under target user (so, for example under root). So ps is not going to help.
-
Mikel over 13 yearsIt is possible under
ps
using the same method I just described fortop
: filter based onTTY
(i.e.ps -t <tty>
).