How to list users that have su'ed to different accounts

I'm trying to figure out a quick & easy way to see a list of everyone's effective user id... I would have thought 'w' or 'who' would be able to display if someone had switched user accounts... but it's only showing the real user ID they logged in with.

asked 10 hours ago by Bodisha
edited 10 hours ago by Rui F Ribeiro

  • Doing an su generates logs, it is easier to look at that. You can and should disable su and force everybody to use sudo. If you have "rogue" root operators, then usually it is complicated trying to get technical solutions for political problems. – Rui F Ribeiro, 10 hours ago

  • sudo creates logs, but ensure that the logs are stored off device, and are only appendable, and readable (not truncatable, deletable), from this device. So a compromised root cannot change the logs. – ctrl-alt-delor, 9 hours ago

2 Answers

One approach could be to apply the fuser command to the pseudo-terminal devices in /dev/pts, e.g. sudo fuser -v /dev/pts/*.

As an example, I logged into a Linux system as user1 and ran sudo su user2, then logged in again (as user1) via another terminal. After running sudo fuser -v /dev/pts/*, I got the following output:

                         USER        PID ACCESS COMMAND
    /dev/pts/0:          user1      5533 F.... bash
                         root       6291 F.... sudo
    /dev/pts/1:          user1      5655 F.... bash
                         root       5748 F.... sudo
                         root       5752 F.... su
                         user2      5753 F.... bash

Looking at the second block of output here (corresponding to /dev/pts/1), you can see that user1 has switched to user2. For more information on this approach, you may want to consult the following post: How can we know who's at the other end of a pseudo-terminal device?

answered 9 hours ago by igal
edited 9 hours ago
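
The check described in the answer above, automated as an added example (not part of the original answer): it reads `fuser -v` text and prints each terminal whose processes belong to more than one account. The function names and the choice to ignore the `sudo`, `su` and `fuser` helper rows are assumptions of this example; the sample input is the output quoted in the answer.

```shell
#!/bin/sh
# Added example. Sample input: the `fuser -v` output quoted in the answer.
sample_fuser_output() {
    cat <<'EOF'
                     USER        PID ACCESS COMMAND
/dev/pts/0:          user1      5533 F.... bash
                     root       6291 F.... sudo
/dev/pts/1:          user1      5655 F.... bash
                     root       5748 F.... sudo
                     root       5752 F.... su
                     user2      5753 F.... bash
EOF
}

# Read `fuser -v` text on stdin and print "<tty> <user>,<user>,..." for
# every terminal whose processes run under more than one account.
shared_ttys() {
    awk '
    function emit() { if (tty != "" && n > 1) print tty, users }

    # Skip the header row and anything too short to be a process row.
    $1 == "USER" || NF < 4 { next }

    # First row of a device block: "<device>: USER PID ACCESS COMMAND".
    $1 ~ /:$/ {
        emit()
        tty = substr($1, 1, length($1) - 1); users = ""; n = 0
        user = $2; cmd = $5
    }
    # Continuation row: "USER PID ACCESS COMMAND".
    $1 !~ /:$/ { user = $1; cmd = $4 }

    # Ignore the helpers themselves (assumption of this example): they run
    # as root for every sudo/su call, including the "sudo fuser" just issued.
    tty == "" || cmd ~ /^(sudo|su|fuser)$/ { next }

    # Record each account once per terminal, in order of appearance.
    !((tty, user) in seen) {
        seen[tty, user] = 1
        users = users (n ? "," : "") user
        n++
    }
    END { emit() }
    '
}

# Live use: fuser writes only the PIDs to stdout and the rest to stderr,
# so merge the streams before parsing:
#   sudo fuser -v /dev/pts/* 2>&1 | shared_ttys
sample_fuser_output | shared_ttys    # prints: /dev/pts/1 user1,user2
```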

The logins will show up in the /var/log/secure file (Red Hat/CentOS) or /var/log/auth.log (Debian/Ubuntu), and the format for a login contains the line text "session opened for", so cat /var/log/(secure OR auth.log) | grep "session opened for" should provide a list of logins like this:

    Jan 9 07:07:07 hostname su:pam_unix(su:session): session opened for user user1 by user2(uid=2000)

ps aux | grep username should list shells running under "username," which is a quick way to check for "username" activity, and very eye-catching if you don't expect to find any "username" activity. This won't tell you WHO logged in as "username" though, so the log files would still need to be consulted for that.

For a large number of users these checks could get cumbersome, I hoped there was something like ps -eo ruid,euid for just users instead of all processes, but I found nothing that straightforward.

answered 9 hours ago by wurtzkurdle
edited 7 hours ago
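
A refinement of the grep in the answer above, as an added example (not part of the original answer): it keeps only `su` session lines and pairs each "session opened" with its "session closed", so what remains is the set of switches still in effect. The function names, the constructed sample log and the traditional `Mon DD HH:MM:SS` syslog timestamp are assumptions of this example; `su-l` is the PAM service name some distributions use for `su -`.

```shell
#!/bin/sh
# Added example. Constructed sample log (not taken from a real system).
sample_auth_log() {
    cat <<'EOF'
Jan  9 07:01:12 host1 sshd[5520]: pam_unix(sshd:session): session opened for user user2 by (uid=0)
Jan  9 07:07:07 host1 su[5752]: pam_unix(su:session): session opened for user user1 by user2(uid=2000)
Jan  9 07:08:30 host1 su[5801]: pam_unix(su:session): session opened for user root by user3(uid=2001)
Jan  9 07:09:02 host1 CRON[5810]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan  9 07:09:03 host1 CRON[5810]: pam_unix(cron:session): session closed for user root
Jan  9 07:15:44 host1 su[5801]: pam_unix(su:session): session closed for user root
EOF
}

# Read an auth log on stdin and print "<invoker> -> <target> since <time>"
# for every su session that was opened and has no matching close.
# Opens and closes are paired on the syslog tag (which carries the su PID
# when the logger records it) plus the target user. Opens that sit in an
# already rotated log file are not seen.
open_su_sessions() {
    awk '
    /pam_unix\(su(-l)?:session\): session (opened|closed) for user/ {
        # Locate the word "session" instead of relying on a field number.
        for (i = 1; i < NF; i++)
            if ($i == "session" && $(i + 1) ~ /^(opened|closed)$/) break
        target = $(i + 4); sub(/\(.*/, "", target)   # drop "(uid=N)" suffix
        tag = (i > 2) ? $(i - 2) : ""                # e.g. "su[5752]:"
        key = tag SUBSEP target
        if ($(i + 1) == "opened") {
            depth[key]++; n++
            newest[key, depth[key]] = n
            line[n] = $(i + 6) " -> " target " since " $1 " " $2 " " $3
        } else if (depth[key] > 0) {
            closed[newest[key, depth[key]]] = 1      # close the latest open
            depth[key]--
        }
    }
    END { for (j = 1; j <= n; j++) if (!(j in closed)) print line[j] }
    '
}

# Live use: open_su_sessions < /var/log/auth.log   (or /var/log/secure)
sample_auth_log | open_su_sessions
# prints: user2(uid=2000) -> user1 since Jan 9 07:07:07
```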
