Ok, this is a new one. I almost had a heart attack when I saw this pop up in my logcheck mail this morning:

Jan 15 11:30:07 malchus su[15767]: + pts/7 foo-root
Jan 15 11:30:07 malchus PAM_unix[15767]: (su) session opened for user root by bar(uid=15)
Jan 15 11:44:23 malchus su[15881]: + pts/2 foo-root
Jan 15 11:44:23 malchus PAM_unix[15881]: (su) session opened for user root by foo(uid=15)

User 'foo' has UID 15. Note the discrepancy, however: in the first line it seems to think user 'bar' (UID=5012) opened the su session. However, bar isn't logged in, doesn't have the root password, and most importantly is obviously not UID 15.

This is new. I had been running my own compiled 2.4.2 kernel; this started only after I upgraded to 2.4.17. I've not made any other major changes to the system that could account for this, and I'm not sure how to make it go away. Google searches haven't turned up anything on this.

Anyone else seen this, or have anything they can point me to?
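
The inconsistency described in the post above can be checked for mechanically. Added example, not part of the original message: it pairs each su line with the PAM_unix line from the same host and PID, then flags a caller name that disagrees or a logged UID that does not match that name's UID. The name find_mismatches, the PASSWD mapping and the regexes are assumptions of this example; the log lines and UIDs are the ones quoted in the post.

```python
import re

# Assumed line layouts, taken from the four log lines quoted in the post.
TS = r"\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) "
SU_RE = re.compile(TS + r"su\[(?P<pid>\d+)\]: [+-] \S+ (?P<pair>\S+)$")
PAM_RE = re.compile(TS + r"PAM_unix\[(?P<pid>\d+)\]: \(su\) session opened "
                    r"for user \S+ by (?P<by>[^\s(]*)\(uid=(?P<uid>\d+)\)$")

# Log lines and UIDs as given in the post (foo is UID 15, bar is UID 5012).
SAMPLE_LOG = """\
Jan 15 11:30:07 malchus su[15767]: + pts/7 foo-root
Jan 15 11:30:07 malchus PAM_unix[15767]: (su) session opened for user root by bar(uid=15)
Jan 15 11:44:23 malchus su[15881]: + pts/2 foo-root
Jan 15 11:44:23 malchus PAM_unix[15881]: (su) session opened for user root by foo(uid=15)
"""
PASSWD = {"foo": 15, "bar": 5012}

def find_mismatches(lines, passwd):
    """Return one finding per PAM session line that disagrees with su or passwd."""
    su_caller = {}          # (host, pid) -> caller name logged by su
    findings = []
    for line in lines:
        line = line.strip()
        m = SU_RE.match(line)
        if m:
            # su logs "caller-target"; split on the last '-' (assumes the
            # target account name itself contains no hyphen).
            su_caller[(m["host"], m["pid"])] = m["pair"].rpartition("-")[0]
            continue
        m = PAM_RE.match(line)
        if not m:
            continue
        reasons = []
        caller = su_caller.get((m["host"], m["pid"]))
        if caller is not None and caller != m["by"]:
            reasons.append(f"su logged caller {caller!r}, PAM logged {m['by']!r}")
        if passwd.get(m["by"]) != int(m["uid"]):
            reasons.append(f"{m['by']!r} is UID {passwd.get(m['by'])} in passwd, "
                           f"log says uid={m['uid']}")
        if reasons:
            findings.append({"host": m["host"], "pid": m["pid"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_mismatches(SAMPLE_LOG.splitlines(), PASSWD):
        print(f["host"], f["pid"], "; ".join(f["reasons"]))
```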