Re: Seeing who has su-ed
From: Brian Hatch <focus-linux(at)ifokr.org>
Date: Fri Mar 21 2003 - 12:08:05 EST
Don't allow them to 'su root' but instead give them access to root commands using sudo. Then they'd "sudo ifconfig blahblahblah" each time to run ifconfig, etc, and don't get a shell from which they'd be running around as root itself, and wouldn't need to su back to their uid.[1]

If you do want to allow actual 'su' then you can simply check ps to see what process chains have consecutive 'su' processes. Analyzing 'pstree' output with perl would probably be pretty easy. pstree will handle organizing parent and child processes, so you'd just need to watch to see when two su processes exist in a chain.

This could easily be defeated as well. Someone could create a two line C program to setuid and exec a shell s.t. there's no 'su' process in the list, but I assume you're just looking to watch for casual 'su' overuse.

[1] Of course you need to make sure that you lock things down well - for example if you allowed 'sudo vi' then someone could spawn a shell from vi to be at a root prompt. Locking down sudo is tough - start out very restrictive and add specific commands as they're needed.

--
Brian Hatch
Systems and Security Engineer
www.hackinglinuxexposed.com

A closed mouth gathers no feet.

Every message PGP signed
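One way to do the process-chain check described in the message above, as an added example that is not part of the original post. It assumes Python over `ps -eo pid,ppid,user,comm` output rather than perl over pstree, and the sample process table is constructed.

```python
import subprocess

# Constructed sample of `ps -eo pid,ppid,user,comm` output (not real data).
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     init
  410     1 root     sshd
  511   410 alice    bash
  520   511 root     su
  521   520 root     bash
  530   521 root     su
  531   530 bob      bash
  600   410 carol    bash
  610   600 root     su
  611   610 root     bash
"""

def parse_ps(text):
    """Return {pid: (ppid, user, comm)} parsed from the ps output above."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split(None, 3)
        if len(f) == 4 and f[0].isdigit() and f[1].isdigit():
            procs[int(f[0])] = (int(f[1]), f[2], f[3].strip())
    return procs

def nested_su_chains(procs):
    """Ancestor chains (oldest first) that end in an su with another su above it."""
    chains = []
    for pid in sorted(procs):
        if procs[pid][2] != "su":
            continue
        chain, seen, cur = [], set(), pid
        while cur in procs and cur not in seen:  # stop at PID 0 or on a loop
            seen.add(cur)
            chain.append(cur)
            cur = procs[cur][0]
        chain.reverse()
        if sum(1 for p in chain if procs[p][2] == "su") >= 2:
            chains.append(chain)
    return chains

def describe(procs, chain):
    """Render one chain as 'comm(pid,user) -> ...' for a report line."""
    return " -> ".join(f"{procs[p][2]}({p},{procs[p][1]})" for p in chain)

if __name__ == "__main__":
    # Live snapshot; the process list can change while it is being read.
    out = subprocess.run(["ps", "-eo", "pid,ppid,user,comm"],
                         capture_output=True, text=True, check=True).stdout
    table = parse_ps(out)
    for c in nested_su_chains(table):
        print(describe(table, c))
```

Because it matches on the command name `su`, it has the limitation the message points out: a process that gets a root shell without running `su` does not appear.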
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:20 EDT