not whoami, but whowasi?

BigTexasDork

Once I've 'sudo su' to a different user, is it possible to find out who I was?

Scenario:

We have 3 users who switch to a build-user to do the builds. I want the build process to be able to figure out who really started the build.

Thanks in advance.

Goineasy9

In Fedora I have a log called secure that would show changes. Check out /var/log/secure and see if your distro has this log. If not, look in /var/log/ and see if there's any other similarly named security log.

saqman2060

Did not see that on my system. Nothing equivalent.

Goineasy9

Well, maybe the OP can tell us what distro he's using. Sudo su is more something you would use on an Ubuntu platform. I wonder if /var/log messages would contain similar info?

mfillpot

Goineasy9 wrote:

In Fedora I have a log called secure that would show changes. Check out /var/log/secure and see if your distro has this log. If not, look in /var/log/ and see if there's any other similarly named security log.

This is correct, /var/log/secure will give you information about all privileged escalations.

marc

saqman2060 wrote:

Did not see that on my system. Nothing equivalent.

AFAIK it might be something like /var/log/access or something like that....

kerneldaemon

For me running Fedora 15, having su'd to root, "whoami" tells me that I am root. If you type "w" it will report who is logged in, so if it's just you and root logged in you can deduce who you were from that.

Otherwise try "logname", even when su'd it reports my user account not the superuser.

sudo su is something I have only ever done on an Ubuntu system to change the root account password.

matteocisilino

What you are looking for is a simple Auth.* event .
Every Distro match the pattern in a significant log file .

Look for auth.log or secure /var/log . Or simply "grep" this pattern "COMMAND=/bin/su" in any file in var/log , to inspect where it's logged.