`last` and `lastlog` commands and I'm puzzling over why I have multiple logins by root listed by the "last" command. For example:
$ last root | head -n 25
root pts/0 :0 Wed Sep 21 23:02 - 23:02 (00:00)
root pts/0 :0 Wed Sep 21 23:02 - 23:02 (00:00)
root pts/0 :0 Wed Sep 21 23:02 - 23:02 (00:00)
root pts/0 :0 Wed Sep 21 23:02 - 23:02 (00:00)
root pts/0 :0 Wed Sep 21 23:02 - 23:02 (00:00)
root pts/0 :0 Wed Sep 21 23:02 - 23:02 (00:00)
root pts/0 :0 Wed Sep 21 23:02 - 23:02 (00:00)
root pts/0 :0 Wed Sep 21 23:02 - 23:02 (00:00)
root pts/0 :0 Wed Sep 21 23:02 - 23:02 (00:00)
root pts/0 :0 Wed Sep 21 23:02 - 23:02 (00:00)
root pts/0 :0 Wed Sep 21 23:00 - 23:02 (00:01)
root pts/0 :0 Wed Sep 21 23:00 - 23:00 (00:00)
root pts/0 :0 Wed Sep 21 22:58 - 23:00 (00:02)
root pts/0 :0 Wed Sep 21 22:58 - 22:58 (00:00)
root pts/0 :0 Wed Sep 21 22:53 - 22:57 (00:03)
root pts/0 :0 Wed Sep 21 22:50 - 22:53 (00:02)
root pts/3 :0.0 Wed Sep 21 12:39 - 12:39 (00:00)
root pts/0 :0 Sat Sep 17 05:36 - 05:36 (00:00)
root pts/0 :0 Sat Sep 17 05:35 - 05:36 (00:00)
root pts/0 :0 Sat Sep 17 05:35 - 05:35 (00:00)
root pts/0 :0 Sat Sep 17 05:35 - 05:35 (00:00)
root pts/0 :0 Sat Sep 17 05:34 - 05:35 (00:01)
root pts/0 :0 Sat Sep 17 05:34 - 05:34 (00:00)
root pts/0 :0 Sat Sep 17 05:34 - 05:34 (00:00)
root pts/0 :0 Sat Sep 17 05:31 - 05:33 (00:02)
The thing is, I never log in as root. As in, never! I've checked and neither `sudo su` nor `sudo <some-action>` creates a "root login" listing for `last`. So where are these events coming from? Is this a real root login, or is some programme to blame?
My firewall is up and running - I use firewalld with the "Public" connection zone.
I do use firejail which is a setuid programme but if that causes a root login, then there should be lots more events. In fact, there should be one right now - I'm using firejail to sandbox this browser.
This is a personal computer and I'm the only one who uses it. I've got BIOS and boot locked down so no one can boot without removing the CMOS battery, and if they did I'd know because I would no longer be prompted for the password. Besides, I completely trust anyone (only family) who has been around my computer.
One more strange thing. `lastlog` says that the last time root logged in was mid-June:
lastlog | grep root
root tty6 Sun Jun 19 05:38:52 +1000 2016
Thanks!
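
A triage sketch for output like the above, added here as an example and not part of the original post: `last` reads `/var/log/wtmp` while `lastlog` reads `/var/log/lastlog`, so the script classifies each `last` row by its origin column (an X display name such as `:0`, a bare console tty, or a remote host) and marks rows newer than the `lastlog` timestamp, meaning whatever wrote them to wtmp did not also update lastlog. The function names, the year 2016 (taken from the `lastlog` line, since `last` prints no year) and the dropped timezone are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a few lines copied from the `last root` output in the post.
SAMPLE = """\
root pts/0 :0 Wed Sep 21 23:02 - 23:02 (00:00)
root pts/0 :0 Wed Sep 21 22:53 - 22:57 (00:03)
root pts/3 :0.0 Wed Sep 21 12:39 - 12:39 (00:00)
root pts/0 :0 Sat Sep 17 05:31 - 05:33 (00:02)
"""
# Timestamp from the post's `lastlog | grep root` line, timezone dropped.
LASTLOG_ROOT = datetime(2016, 6, 19, 5, 38, 52)

ROW = re.compile(
    r"^(?P<user>\S+)\s+(?P<line>\S+)\s+(?:(?P<origin>\S+)\s+)?"
    r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+(?P<start>\w{3}\s+\d+\s+\d\d:\d\d)"
    r"\s+-\s+\d\d:\d\d\s+\((?P<dur>[\d+:]+)\)\s*$")

def origin_kind(line, origin):
    """Classify where a session came from using the tty and origin columns."""
    if origin and origin.startswith(":"):
        return "local-x-display"      # X display name such as :0 or :0.0
    if not origin and line.startswith("tty"):
        return "local-console"        # virtual console, no origin recorded
    return "remote-or-other"          # hostname or IP address: look closer

def triage(text, year, lastlog_time):
    """Parse completed sessions; return (rows, counts by origin kind)."""
    rows, counts = [], Counter()
    for raw in text.splitlines():
        m = ROW.match(raw.strip())
        if not m:                     # "still logged in", reboot lines, etc.
            continue
        start = datetime.strptime(f"{year} {m['start']}", "%Y %b %d %H:%M")
        kind = origin_kind(m["line"], m["origin"])
        rows.append({"tty": m["line"], "start": start, "kind": kind,
                     "zero_length": m["dur"] == "00:00",
                     "newer_than_lastlog": start > lastlog_time})
        counts[kind] += 1
    return rows, counts

if __name__ == "__main__":
    rows, counts = triage(SAMPLE, 2016, LASTLOG_ROOT)   # year is an assumption
    print(dict(counts))
    for r in rows:
        print(r["start"], r["tty"], r["kind"], r["newer_than_lastlog"])
```

Any row classified `remote-or-other` is the one to investigate first; rows that are `local-x-display` came from a pseudo-terminal opened inside the local graphical session.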