linux - How to detect if remote SSH session is root?

I know I can see the list of logged in users with w or similar commands. I want to know which of logged in users currently has root access, i.e. has done su to become root. The output of w just shows the first (actual) username, not root if the user has done su.

Indeed w only displays login shells. If a user does su to another program (shell) it will not display because it is not a login shell.

The main problem here is that you are trying to correlate date which was not designed to be correlated. You have to get information from several sources and then cross-reference it.

To get a list of all people who used su, you can check /var/log/auth (depending on your distro). You will see the following message:

May  1 09:47:32 frisbee su[7000]: Successful su for root by mtak
May  1 09:47:32 frisbee su[7000]: + /dev/pts/5 mtak:root

You can check which pts'es are still active by checking if the pseudo-terminals are still active with ls /dev/pts (you would have to do this quickly though, because pts'es get re-used). You could also use the modify time of the pseudo-terminal and cross-reference it with the time in the auth.log file. You can find the modify time of the pts with stat /dev/pts/.

Admittedly, it's not perfect, but I think with some scripting you would be able to get a list of users who su'ed.

You can use ps to check which user is running a su process.

ps aux | grep ' [s]u'

This should give you a list of user names who are running 'su -' to be root:

for ppid in $(for pid in $(pgrep -u root -f "^su -"); do ps lh $pid | awk '{print $4;}'; done); do ps uh $ppid | awk '{print $1;}'; done | uniq