linux - How to detect if remote SSH session is root?
2014-07
I know I can see the list of logged in users with w or similar commands. I want to know which of logged in users currently has root access, i.e. has done su to become root. The output of w just shows the first (actual) username, not root if the user has done su.
Indeed w only displays login shells. If a user does su to another program (shell) it will not display because it is not a login shell.
The main problem here is that you are trying to correlate data which was not designed to be correlated. You have to get information from several sources and then cross-reference it.
To get a list of all people who used su, you can check /var/log/auth (depending on your distro). You will see the following message:
May 1 09:47:32 frisbee su[7000]: Successful su for root by mtak
May 1 09:47:32 frisbee su[7000]: + /dev/pts/5 mtak:root
You can check which pts'es are still active by checking if the pseudo-terminals are still active with ls /dev/pts (you would have to do this quickly though, because pts'es get re-used). You could also use the modify time of the pseudo-terminal and cross-reference it with the time in the auth.log file. You can find the modify time of the pts with stat /dev/pts/.
Admittedly, it's not perfect, but I think with some scripting you would be able to get a list of users who su'ed.
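The cross-referencing described in the answer above, as an added example that is not part of the original post: it reads su entries in the log format shown, drops those whose su process later logged a pam_unix "session closed" line, and keeps only entries whose pts node still exists. The function name live_su_to_root, its arguments, the assumption that the log carries pam_unix session lines, and the sample log lines are all constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: list su-to-root sessions whose pseudo-terminal still exists.
# Usage: live_su_to_root AUTH_LOG [PTS_DIR]   (PTS_DIR defaults to /dev/pts)
live_su_to_root() {
    local log=$1 pts_dir=${2:-/dev/pts}
    awk '
        $5 ~ /^su\[[0-9]+\]:$/ {               # syslog tag, e.g. "su[7000]:"
            pid = $5; gsub(/[^0-9]/, "", pid)
            if ($6 == "+" && $7 ~ /^\/dev\/pts\/[0-9]+$/) {
                split($8, who, ":")            # "mtak:root" -> from, to
                if (who[2] == "root") { tty[pid] = $7; user[pid] = who[1] }
            } else if ($0 ~ /session closed for user root/) {
                delete tty[pid]                # this su has already exited
            }
        }
        END { for (p in tty) print user[p], tty[p], p }
    ' "$log" | sort | while read -r user tty pid; do
        # Keep only sessions whose pts node is still present.
        if [ -e "$pts_dir/${tty##*/}" ]; then
            printf '%s %s %s\n' "$user" "$tty" "$pid"
        fi
    done
}

# Constructed sample data (not real logs): a fake pts directory and auth log.
demo() {
    local d; d=$(mktemp -d)
    mkdir "$d/pts"; touch "$d/pts/5" "$d/pts/7"
    cat > "$d/auth.log" <<'EOF'
May  1 09:47:32 frisbee su[7000]: Successful su for root by mtak
May  1 09:47:32 frisbee su[7000]: + /dev/pts/5 mtak:root
May  1 09:50:10 frisbee su[7100]: + /dev/pts/6 alice:root
May  1 09:52:41 frisbee su[7200]: + /dev/pts/7 bob:root
May  1 09:58:03 frisbee su[7200]: pam_unix(su:session): session closed for user root
May  1 10:01:15 frisbee su[7300]: + /dev/pts/7 carol:postgres
EOF
    live_su_to_root "$d/auth.log" "$d/pts"
    rm -rf "$d"
}
demo
```

Each output line is the original user, the pts and the su PID. A pts that exists may already have been re-used by a later login, so the stat modify time mentioned above remains the tie-breaker.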
You can use ps to check which user is running a su process.
ps aux | grep ' [s]u'
This should give you a list of user names who are running 'su -' to be root:
for ppid in $(for pid in $(pgrep -u root -f "^su -"); do ps lh $pid | awk '{print $4;}'; done); do ps uh $ppid | awk '{print $1;}'; done | uniq
I sshed into a Linux machine (bash shell) from a public Windows machine (in our lab) and forgot to log out. I'm now back at my seat in another room and I am too lazy to walk back and log out that session; I can ssh into the Linux machine from my current PC though. Can I force-logout the other session from a new SSH session?
When I ssh to the Linux box from my current PC and type users command, I can see that I'm still logged in there; my name is listed twice - one for the current session and another for the session from lab PC.
I don't have root privileges on the said machine, but I guess that shouldn't matter as I'm just trying to log out myself.
Run tty on your current session, to find out on which tty you are working, so you do not log yourself out from current session. Run w to show you current users and associated pseudo-terminals (tty). Assuming that you are logged twice and there are no other users on your ssh server, your previous ssh session will be on pts/0 and current on pts/1. To ditch the session on pts/0 simply kill processes that are associated to it with
pkill -9 -t pts/0