ConfigServer Community Forum

Peer support forums for ConfigServer Scripts
https://mail.forum.configserver.com/

su within screen does not alert

https://mail.forum.configserver.com/viewtopic.php?t=6849

Page 1 of 1

su within screen does not alert

Posted: 06 Aug 2013, 18:41
by CHasenpflug
We have found that if a user is in a screen or tmux session and they su or sudo su an alert is not fired. If the user exits their screen/tmux session, the alerts will fire just fine.

It seems to be poorly documented that "who am i" does not properly return a user when the session is in screen/tmux. However, logname and other env variable such as $SUDO_USER will return the base user.

Is lfd making use of "who am i" when firing SU login alerts? And if so, can this be changed to a more reliable method of user detection?

Re: su within screen does not alert

Posted: 06 Aug 2013, 20:03
by CHasenpflug
We've looked at this a bit more, and see that it's actually the rows in the log file that are not writing properly:

su'ing outside of screen/tmux you get this:

Code: Select all

Aug 6 13:47:18 epsilon su: pam_unix(su:session): session opened for user root by username(uid=0)
su'ing inside screen/tmux you get this:

Code: Select all

Aug 6 13:47:25 epsilon su: pam_unix(su:session): session opened for user root by (uid=0)
So while it may be possible to alter the lfd code to grab the second lines, it won't tell us who initiated the su session.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited