Welcome to the Linux Foundation Forum!

not whoami, but whowasi?

Once I've 'sudo su' to a different user, is it possible to find out who I was?

Scenario:

We have 3 users who switch to a build-user to do the builds. I want the build process to be able to figure out who really started the build.

Thanks in advance.

Comments

  • Goineasy9
    Goineasy9 Posts: 1,114
    In Fedora I have a log called secure that would show changes. Check out /var/log/secure and see if your distro has this log. If not, look in /var/log/ and see if there's any other similarly named security log.
  • saqman2060
    saqman2060 Posts: 777
    Did not see that on my system. Nothing equivalent.
  • Goineasy9
    Goineasy9 Posts: 1,114
    Well, maybe the OP can tell us what distro he's using. Sudo su is more something you would use on an Ubuntu platform. I wonder if /var/log messages would contain similar info?
  • mfillpot
    mfillpot Posts: 2,177
    Goineasy9 wrote:
    In Fedora I have a log called secure that would show changes. Check out /var/log/secure and see if your distro has this log. If not, look in /var/log/ and see if there's any other similarly named security log.

    This is correct, /var/log/secure will give you information about all privileged escalations.
  • marc
    marc Posts: 647
    saqman2060 wrote:
    Did not see that on my system. Nothing equivalent.

    AFAIK it might be something like /var/log/access or something like that....
  • For me running Fedora 15, having su'd to root, "whoami" tells me that I am root. If you type "w" it will report who is logged in, so if it's just you and root logged in you can deduce who you were from that.

    Otherwise try "logname", even when su'd it reports my user account not the superuser.

    sudo su is something I have only ever done on an Ubuntu system to change the root account password.
  • What you are looking for is a simple Auth.* event .
    Every Distro match the pattern in a significant log file .

    Look for auth.log or secure /var/log . Or simply "grep" this pattern "COMMAND=/bin/su" in any file in var/log , to inspect where it's logged.

Categories

Upcoming Training