Good morning! I just (and I hardly ever do this ... ) had a look at /var/log/auth.log on a Debian Etch running in a VirtualBox VM.
Almost all the entries are simply references to CRON, e.g.
Aug 26 03:17:01 localhost CRON[26804]: (pam_unix) session opened for user root by (uid=0)
Aug 26 03:17:01 localhost CRON[26804]: (pam_unix) session closed for user root
However, there is a short sequence of root su-ing to "nobody":
Aug 26 07:35:05 localhost su[30229]: Successful su for nobody by root
Aug 26 07:35:05 localhost su[30229]: + ??? root:nobody
Aug 26 07:35:05 localhost su[30229]: (pam_unix) session opened for user nobody by (uid=0)
Aug 26 07:35:05 localhost su[30229]: (pam_unix) session closed for user nobody
Aug 26 07:35:05 localhost su[30232]: Successful su for nobody by root
Aug 26 07:35:05 localhost su[30232]: + ??? root:nobody
Aug 26 07:35:05 localhost su[30232]: (pam_unix) session opened for user nobody by (uid=0)
Aug 26 07:35:05 localhost su[30232]: (pam_unix) session closed for user nobody
Aug 26 07:35:05 localhost su[30234]: Successful su for nobody by root
Aug 26 07:35:05 localhost su[30234]: + ??? root:nobody
Aug 26 07:35:05 localhost su[30234]: (pam_unix) session opened for user nobody by (uid=0)
Aug 26 07:37:52 localhost su[30234]: (pam_unix) session closed for user nobody
These are the only occurrences of such things in about 80 open/close entries over 24 hours (the others being like the CRON one above).
Anyone know what "nobody" has to do with anything?
With thanks, Ted.
--------------------------------------------------------------------
E-Mail: (Ted Harding) Ted.Harding@manchester.ac.uk
Fax-to-email: +44 (0)870 094 0861
Date: 26-Aug-10 Time: 08:13:26
------------------------------ XFMail ------------------------------

On 26 August 2010 08:13, Ted Harding <Ted.Harding@manchester.ac.uk> wrote:
> Good morning! I just (and I hardly ever do this ... ) had a look at /var/log/auth.log on a Debian Etch running in a VirtualBox VM.
> Almost all the entries are simply references to CRON, e.g.
> Aug 26 03:17:01 localhost CRON[26804]: (pam_unix) session opened for user root by (uid=0)
> Aug 26 03:17:01 localhost CRON[26804]: (pam_unix) session closed for user root
Yes, my auth.log on Ubuntu 10.04 is full of that too, and has been for years. At least you know cron is doing something!
> However, there is a short sequence of root su-ing to "nobody":
> Aug 26 07:35:05 localhost su[30229]: Successful su for nobody by root
> Aug 26 07:35:05 localhost su[30229]: + ??? root:nobody
> Aug 26 07:35:05 localhost su[30229]: (pam_unix) session opened for user nobody by (uid=0)
> Aug 26 07:35:05 localhost su[30229]: (pam_unix) session closed for user nobody
> Anyone know what "nobody" has to do with anything?
Could it be an http daemon? I don't suppose you can catch it in action.
Tim.
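
One way to triage entries like these, as an added example that is not part of the original thread: the script groups the su lines by PID, pairs each "session opened" with its "session closed", and reports who switched to whom and for how long. The function names and the `year` argument are assumptions; the sample input is the su lines quoted in the first message.

```python
import re
from datetime import datetime

# Sample input: the su entries quoted in the first message, one per line.
SAMPLE = """\
Aug 26 07:35:05 localhost su[30229]: Successful su for nobody by root
Aug 26 07:35:05 localhost su[30229]: + ??? root:nobody
Aug 26 07:35:05 localhost su[30229]: (pam_unix) session opened for user nobody by (uid=0)
Aug 26 07:35:05 localhost su[30229]: (pam_unix) session closed for user nobody
Aug 26 07:35:05 localhost su[30232]: Successful su for nobody by root
Aug 26 07:35:05 localhost su[30232]: + ??? root:nobody
Aug 26 07:35:05 localhost su[30232]: (pam_unix) session opened for user nobody by (uid=0)
Aug 26 07:35:05 localhost su[30232]: (pam_unix) session closed for user nobody
Aug 26 07:35:05 localhost su[30234]: Successful su for nobody by root
Aug 26 07:35:05 localhost su[30234]: + ??? root:nobody
Aug 26 07:35:05 localhost su[30234]: (pam_unix) session opened for user nobody by (uid=0)
Aug 26 07:37:52 localhost su[30234]: (pam_unix) session closed for user nobody
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ su\[(\d+)\]: (.*)$")
SU_OK = re.compile(r"Successful su for (\S+) by (\S+)")

def su_sessions(text, year=2010):
    """Group su entries by PID; return {pid: {target, by, opened, closed}}."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # CRON and other non-su lines are skipped
        stamp, pid, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")  # syslog has no year
        s = sessions.setdefault(int(pid), dict.fromkeys(("target", "by", "opened", "closed")))
        ok = SU_OK.search(msg)
        if ok:
            s["target"], s["by"] = ok.groups()
        elif "session opened" in msg:
            s["opened"] = when
        elif "session closed" in msg:
            s["closed"] = when
    return sessions

def duration_seconds(s):
    """Seconds between open and close, or None if either line is missing."""
    if s["opened"] and s["closed"]:
        return int((s["closed"] - s["opened"]).total_seconds())
    return None

if __name__ == "__main__":
    for pid, s in su_sessions(SAMPLE).items():
        print(pid, s["by"], "->", s["target"], duration_seconds(s), "s")
```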