Either the program he is running is suid root (look for a file owned by root with the s set in the file permissions when you do an ls -l on the file.) Or you have sudo or some such that is allowing to execute certain programs as root.
Still, it would not hurt to change the root password. Someone could have guessed that user's password and might be using the account. On 15-Nov-97 Ben Pfaff wrote: > A user on my system caused a number of entries like this in the > syslog: > > Nov 15 12:21:07 pfaffben su: (to root) eric on /dev/ttyp0 > > However, the user says that he just uses `lynx' and `talk' (and I > trust him to tell the truth about this). What could cause a syslog > entry like this? > -- > Ben Pfaff <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> > > > -- > TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to > [EMAIL PROTECTED] . > Trouble? e-mail to [EMAIL PROTECTED] . > > -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
