Using top to see processes run by a user on behalf of sudo

It doesn't seem to be possible in an easy way.

From top's perspective, any command a user runs using sudo would appear to be running as root because it really is running as root.

One way you could try, is to track it down to the terminal where the user is logged in, then see processes running as root on that terminal.

For example,

$ w user
USER     TTY      FROM        LOGIN@   IDLE   JCPU   PCPU WHAT
user     pts/0    w.x.y.z     07:01    0.00s  1.07s  0.03s w user

Note the user is on pts/0.

Now run top.

Now press f (field select), then g (toggle controlling tty field), then Enter.

Now watch for processes with pts/0 in the TTY column.

You can also sort by TTY by pressing g a second time.

---

Or you could use procfs to get a list of pids, e.g.

$ sudo grep -l SUDO_USER="\<user\>" /proc/*/environ

Then do anything with that list. Even use it to run top -p <pid1>,<pid2>....

sudo top -p $(sudo grep -l SUDO_USER='\<user\>' /proc/[0-9]*/environ |
    cut -f 3 -d / |
    tr '\n' ',' |
    sed -e 's/,$//')

Of course, in that case, top won't show you if that user starts a new command using sudo.

---

Also don't forget that a user running a command is probably being logged, e.g. to /var/log/secure or /var/log/auth.log, or /var/log/sudo.log, or whatever your system uses.

Related videos on Youtube