Is this user root or not

dargaud asked:

I see the following in /var/log/auth.log (system is current Ubuntu).

myserver su[14993]: illegal option minimum_uid=1000
myserver su[14993]: Successful su for jeanbon by root
myserver su[14993]: + ??? root:jeanbon
myserver su[14993]: pam_unix(su:session): session opened for user jeanbon by (uid=0)
myserver systemd-logind[1931]: New session c253 of user jeanbon.
myserver systemd: pam_unix(systemd-user:session): session opened for user jeanbon by (uid=0)
myserver su[14993]: pam_unix(su:session): session closed for user jeanbon
myserver systemd-logind[1931]: Removed session c253.

Does it mean that user jeanbon has become root using the su command ? This user cannot use sudo and tells me he doesn’t know the root password. There are many similar logs in rapid succession, for 4 different users at various times.

My answer:


These log entries indicate that the root user became jeanbon, not that jeanbon became root.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.