We have found that if a user is in a screen or tmux session and they su or sudo su, an alert is not fired. If the user exits their screen/tmux session, the alerts will fire just fine.
It seems to be poorly documented that "who am i" does not properly return a user when the session is in screen/tmux. However, logname and other env variables such as $SUDO_USER will return the base user.
Is lfd making use of "who am i" when firing SU login alerts? And if so, can this be changed to a more reliable method of user detection?
su within screen does not alert
Re: su within screen does not alert
We've looked at this a bit more, and see that it's actually the rows in the log file that are not writing properly:
su'ing outside of screen/tmux you get this:
Aug 6 13:47:18 epsilon su: pam_unix(su:session): session opened for user root by username(uid=0)
su'ing inside screen/tmux you get this:
Aug 6 13:47:25 epsilon su: pam_unix(su:session): session opened for user root by (uid=0)
So while it may be possible to alter the lfd code to grab the second lines, it won't tell us who initiated the su session.
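An added example, not part of the thread and not lfd's own code: a Python sketch of a log matcher that accepts both line shapes quoted above, so the su event is still reported when the initiating user is blank and is flagged as unattributed. The function names, the optional `[pid]` and the `su-l` service name are assumptions; the two su lines are the ones from the post and the sshd line is constructed.

```python
import re

# pam_unix "session opened" line written by su. The name between "by " and
# "(uid=" may be empty, which is what the post shows inside screen/tmux.
# Assumptions: an optional "[pid]" after "su" and the "su-l" PAM service name.
SU_OPEN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssu(?:\[\d+\])?:\s"
    r"pam_unix\(su(?:-l)?:session\):\ssession opened for user\s(?P<target>\S+)"
    r"\sby\s(?P<initiator>[^\s(]*)\(uid=(?P<uid>\d+)\)"
)


def parse_su_event(line):
    """Return a dict describing an su session-open line, or None."""
    m = SU_OPEN.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    # Normalise the empty initiator to None so callers cannot mistake
    # an empty string for a real account name.
    event["initiator"] = event["initiator"] or None
    event["attributed"] = event["initiator"] is not None
    return event


def su_alerts(lines):
    """Report every su session open, including ones with no initiator."""
    alerts = []
    for line in lines:
        event = parse_su_event(line)
        if event is not None:
            who = event["initiator"] or "UNKNOWN (blank in log)"
            event["message"] = "su to %s by %s on %s at %s" % (
                event["target"], who, event["host"], event["ts"])
            alerts.append(event)
    return alerts


SAMPLE = [
    "Aug 6 13:47:18 epsilon su: pam_unix(su:session): session opened for user root by username(uid=0)",
    "Aug 6 13:47:25 epsilon su: pam_unix(su:session): session opened for user root by (uid=0)",
    "Aug 6 13:47:30 epsilon sshd[4242]: Accepted publickey for username",  # constructed
]

if __name__ == "__main__":
    for alert in su_alerts(SAMPLE):
        print(alert["message"])
```

As the post notes, the blank line cannot say who ran su; the matcher only makes sure the event is reported and marked as unattributed.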