How can I see the loggedin users that have used 'su'

Question

If I use a login shell to login as root then 'who' or 'users' commands will show an entry for the root user. However If I login with user1 and then use:

'su - root'

Then the 'who' and 'users' command will not show an entry for root.

Is there a way to find out whether there is a logged-in user in my system that has currently switched to root (or to any other account)?

Answer 1

Thanx to Davide Berra's answer, I think I have found what I was looking for.

> who | sort -k2 > /tmp/whoresult
> pgrep -x su | xargs -i ps hu -p{} | awk '{printf $7 " ";for (i=11; i<=NF; i++) printf $i " "; printf "\n"}' | sort -k1 | join -1 2 -2 1 /tmp/whoresult -

The output is something like:

pts/3 user1 2013-02-06 16:35 (:0.0) su - root    #logged in as user1 and executed 'sudo - root'
pts/5 user1 2013-02-06 16:51 (:0.0) su           #logged in as user1 executed 'sudo su'
tty2 root 2013-02-06 17:07 su - user1            #logged in as root and executed 'sudo - user1'

Answer 2

Look at the /var/log/secure file.

Search for line like this:

Feb  6 14:12:09 myhost su: pam_unix(su-l:session): session opened for user root by root(uid=999)

the uid at the end of the string is the one of the original user.

Otherwise you can search for shells that executed su command and check who's the owner.

pgrep su | \
xargs -i sh -c "ps -p {} -o ppid=" | \
xargs -i ps -p {} -f

The result will be the uids of who is currently running su

I'm sure there's a more elegant method but nothing better comes to my mind right now.