messages log file - su

[Haarsma, Michael (SAPOL)]

Andrew,

It means root has su'd to the user nobody.
This could be from cron jobs (and based on the nice times, probably is -
I assume your other cron jobs take the ~30secs to run prior to this job
starting) something like updatedb from slocate package could give you
such logs, as by default it uses nobody to index, not root for obvious
reasons.

Cheers,
Michael 


> -----Original Message-----
> From: linuxsa-bounces at linuxsa.org.au 
> [mailto:linuxsa-bounces at linuxsa.org.au] On Behalf Of Andrew Galdes
> Sent: Tuesday, 7 November 2006 10:08 AM
> To: linuxsa at linuxsa.org.au
> Subject: messages log file - su
> 
> 
> Hello all,
> 
> I have found something interesting in a server log. This 
> server is a proxy/mail gateway server. The logs show the following:
> 
> Any ideas what's going on?
> 
> Oct 29 19:15:35 mailsrv su: (to nobody) root on none
> Oct 29 19:15:35 mailsrv su: (to nobody) root on none
> Oct 29 19:15:35 mailsrv su: (to nobody) root on none
> Oct 29 19:15:35 mailsrv su: (to nobody) root on none
> Oct 29 19:15:35 mailsrv su: (to nobody) root on none
> ...
> Oct 31 10:00:29 mailsrv su: (to nobody) root on none
> Oct 31 10:00:29 mailsrv su: (to nobody) root on none
> Oct 31 10:00:29 mailsrv su: (to nobody) root on none
> ...
> Nov  5 11:00:28 mailsrv su: (to nobody) root on none
> Nov  5 11:00:28 mailsrv su: (to nobody) root on none
> Nov  5 11:00:28 mailsrv su: (to nobody) root on none
> Nov  5 11:00:28 mailsrv su: (to nobody) root on none
> Nov  5 11:00:28 mailsrv su: (to nobody) root on none
> 
> Cheers,
> -Andrew
> 
> 
> -- 
> LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on 
> irc.freenode.net To unsubscribe or change your options:
>   http://www.netcraft.com.au/mailman/listinfo/linuxsa
>