> I teach a Linux basics course and each term I have the problem of students
> who do an su to become root, then rather than exiting, they su again to go
> back to their regular account. The trouble is identifying when someone has
> done this (they usually don't remember). The "who" command only shows login
> shells (AFAIK) so it does not reveal when someone has su-ed.
>
> Does anyone know of a way to list all of the users currently logged in,
> including when someone has su-ed to become another user?

Don't allow them to 'su root' but instead give them access to root commands using sudo. Then they'd "sudo ifconfig blahblahblah" each time to run ifconfig, etc, and don't get a shell from which they'd be running around as root itself, and wouldn't need to su back to their uid.[1]

If you do want to allow actual 'su' then you can simply check ps to see what process chains have consecutive 'su' processes. Analyzing 'pstree' output with perl would probably be pretty easy. pstree will handle organizing parent and child processes, so you'd just need to watch to see when two su processes exist in a chain.

This could easily be defeated as well. Someone could create a two line C program to setuid and exec a shell s.t. there's no 'su' process in the list, but I assume you're just looking to watch for casual 'su' overuse.

[1] Of course you need to make sure that you lock things down well - for example if you allowed 'sudo vi' then someone could spawn a shell from vi to be at a root prompt. Locking down sudo is tough - start out very restrictive and add specific commands as they're needed.

--
Brian Hatch                  A closed mouth
   Systems and                gathers no feet.
   Security Engineer
www.hackinglinuxexposed.com

Every message PGP signed
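The process-chain check suggested in the reply, as an added example that is not part of the original message: it uses Python and `ps -eo pid,ppid,user,comm` rather than perl over pstree, and reports every su that has another su among its ancestors, together with the account whose shell started the outermost one. The function names and the sample process table are constructed for illustration, and, as the reply notes, it only sees processes actually named su.

```python
import subprocess

# Constructed sample of `ps -eo pid,ppid,user,comm` output (not from the post).
# alice did su -> root shell -> su back to alice; bob did a single su.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     systemd
  900     1 root     sshd
  910   900 alice    bash
  911   910 root     su
  912   911 root     bash
  913   912 root     su
  914   913 alice    bash
  920   900 bob      bash
  921   920 root     su
  922   921 root     bash
"""

def parse_ps(text):
    """Return {pid: (ppid, user, comm)} from `ps -eo pid,ppid,user,comm` output."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split(None, 3)
        if len(fields) == 4:
            pid, ppid, user, comm = fields
            procs[int(pid)] = (int(ppid), user, comm.strip())
    return procs

def nested_su(procs):
    """Return sorted (inner_su_pid, outermost_su_pid, originating_user) tuples."""
    hits = []
    for pid, (ppid, _user, comm) in procs.items():
        if comm != "su":
            continue
        outer, cur, seen = None, ppid, set()
        while cur in procs and cur not in seen:  # walk up; guard against loops
            seen.add(cur)
            if procs[cur][2] == "su":
                outer = cur                      # keep the highest su ancestor
            cur = procs[cur][0]
        if outer is not None:
            parent = procs.get(procs[outer][0])  # shell that ran the first su
            hits.append((pid, outer, parent[1] if parent else "?"))
    return sorted(hits)

def live_ps():
    """Current process table; pass the result to parse_ps() on a real host."""
    return subprocess.run(["ps", "-eo", "pid,ppid,user,comm"],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for inner, outer, who in nested_su(parse_ps(SAMPLE_PS)):
        print(f"su pid {inner} is nested under su pid {outer}, started by {who}")
```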