# Successful su for man by root

## SarahS93

Never seen something like this before....

```
Mar  2 03:10:01 deruse su[10649]: Successful su for man by root

Mar  2 03:10:01 pc1 su[10649]: + ??? root:man

Mar  2 03:10:01 pc1 su[10649]: pam_unix(su:session): session opened for user man by (uid=0)

Mar  2 03:10:02 pc1 su[10649]: pam_unix(su:session): session closed for user man
```

What happened?!?!?

----------

## Ionen

From /etc/cron.daily/man-db:

```
exec su man -s /bin/sh -c 'nice mandb --quiet' 2>/dev/null
```

(Edit: I'd argue su coming from root shouldn't even be logged; if compromised, being root is a bigger problem -- there are alternate options to change the running user from a script, but I think su is used for availability safety without relying on setuid; "runuser" is notably not available on a typical non-PAM system.)

----------
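A triage sketch for the explanation in the reply above, added here as an example and not code from the thread or from any distribution: it groups the su log lines by PID, measures the session length, and looks for a cron script that calls `su` with the same target user. The function names, the script dictionary and the logrotate entry are assumptions made for illustration; on a real host the dictionary would be filled from the files under /etc/cron.*.

```python
import re
from datetime import datetime

# Three of the log lines posted in the thread.
SAMPLE_LOG = """\
Mar  2 03:10:01 deruse su[10649]: Successful su for man by root
Mar  2 03:10:01 pc1 su[10649]: pam_unix(su:session): session opened for user man by (uid=0)
Mar  2 03:10:02 pc1 su[10649]: pam_unix(su:session): session closed for user man
"""
# Constructed stand-in for /etc/cron.*: man-db line as quoted above, logrotate made up.
SAMPLE_SCRIPTS = {
    "/etc/cron.daily/man-db": "#!/bin/sh\nexec su man -s /bin/sh -c 'nice mandb --quiet' 2>/dev/null\n",
    "/etc/cron.daily/logrotate": "#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n",
}
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ su\[(\d+)\]: (.*)$")
SU_OK = re.compile(r"Successful su for (\S+) by (\S+)")

def su_sessions(log_text):
    """Group su log lines by PID: {pid: {target, by, opened, closed}}."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # syslog omits the year; 2000 is an arbitrary (leap-year) placeholder
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        s, msg = sessions.setdefault(m.group(2), {}), m.group(3)
        if ok := SU_OK.search(msg):
            s["target"], s["by"] = ok.groups()
        elif "session opened" in msg:
            s["opened"] = ts
        elif "session closed" in msg:
            s["closed"] = ts
    return sessions

def cron_sources(target, scripts):
    """Paths with a non-comment line that calls su with `target` as an argument (heuristic)."""
    def calls_su(line):
        toks = line.split()
        return bool(toks) and not toks[0].startswith("#") and "su" in toks \
            and target in toks[toks.index("su") + 1:]
    return [p for p, text in scripts.items() if any(map(calls_su, text.splitlines()))]

def explain(log_text, scripts):
    """(pid, target, seconds, candidate scripts) for each completed su started by root."""
    return [(pid, s["target"], (s["closed"] - s["opened"]).total_seconds(),
             cron_sources(s["target"], scripts))
            for pid, s in su_sessions(log_text).items()
            if s.get("by") == "root" and "opened" in s and "closed" in s]
```

A root-initiated su that lasts about a second and maps to exactly one cron script is the benign pattern described in the reply; an entry with no matching script is the one worth a closer look.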

## ChrisJumper

*SarahS93 wrote:*

> Never seen something like this before....
> 
> ```
> Mar  2 03:10:01 deruse su[10649]: Successful su for man by root
> 
> ...
> ```

I have zero strings in my logs like "user man".

----------

