What's with `root` logins?

[Fred Barclay]

Hey mates. I just discovered the magic of the last and lastlog commands and I'm puzzling over why I have multiple logins by root listed by the "last" command. For example:

Code: Select all

$ last root | head -n 25
root     pts/0        :0               Wed Sep 21 23:02 - 23:02  (00:00)    
root     pts/0        :0               Wed Sep 21 23:02 - 23:02  (00:00)    
root     pts/0        :0               Wed Sep 21 23:02 - 23:02  (00:00)    
root     pts/0        :0               Wed Sep 21 23:02 - 23:02  (00:00)    
root     pts/0        :0               Wed Sep 21 23:02 - 23:02  (00:00)    
root     pts/0        :0               Wed Sep 21 23:02 - 23:02  (00:00)    
root     pts/0        :0               Wed Sep 21 23:02 - 23:02  (00:00)    
root     pts/0        :0               Wed Sep 21 23:02 - 23:02  (00:00)    
root     pts/0        :0               Wed Sep 21 23:02 - 23:02  (00:00)    
root     pts/0        :0               Wed Sep 21 23:02 - 23:02  (00:00)    
root     pts/0        :0               Wed Sep 21 23:00 - 23:02  (00:01)    
root     pts/0        :0               Wed Sep 21 23:00 - 23:00  (00:00)    
root     pts/0        :0               Wed Sep 21 22:58 - 23:00  (00:02)    
root     pts/0        :0               Wed Sep 21 22:58 - 22:58  (00:00)    
root     pts/0        :0               Wed Sep 21 22:53 - 22:57  (00:03)    
root     pts/0        :0               Wed Sep 21 22:50 - 22:53  (00:02)    
root     pts/3        :0.0             Wed Sep 21 12:39 - 12:39  (00:00)    
root     pts/0        :0               Sat Sep 17 05:36 - 05:36  (00:00)    
root     pts/0        :0               Sat Sep 17 05:35 - 05:36  (00:00)    
root     pts/0        :0               Sat Sep 17 05:35 - 05:35  (00:00)    
root     pts/0        :0               Sat Sep 17 05:35 - 05:35  (00:00)    
root     pts/0        :0               Sat Sep 17 05:34 - 05:35  (00:01)    
root     pts/0        :0               Sat Sep 17 05:34 - 05:34  (00:00)    
root     pts/0        :0               Sat Sep 17 05:34 - 05:34  (00:00)    
root     pts/0        :0               Sat Sep 17 05:31 - 05:33  (00:02)    

Most of the logins are short (between 0-3 minutes) though root does have a hour and 14-minutes login on September 15. Strangely, many logins are short but there are multiple ones per minute. E.g., yesterday there are 10 root logins at 23:02, all for pts/0.

The thing is, I never log in as root. As in, never! I've checked and neither sudo su nor sudo <some-action> create a "root login" listing for `last`. So where are these events coming from?
Is this a real root login, or is some programme to blame?

My firewall is up and runnning - I use firewalld with the "Public" connection zone.
I do use firejail which is a setuid programme but if that causes a root login, then there should be lots more events. In fact, there should be one right now - I'm using firejail to sandbox this browser.
This is a personal computer and I'm the only one who uses it. I've got BIOS and boot locked down so no one can boot without removing the CMOS battery, and if they did I'd know because I would no longer be prompted for the password. Besides, I completely trust anyone (only family) who has been around my computer.

One more strange thing. lastlog says that the last time root logged in was mid-June:

Code: Select all

lastlog | grep root
root             tty6                      Sun Jun 19 05:38:52 +1000 2016

Can someone help me figure out what's going on?
Thanks!

[richyrich]

If you are able to install and run htop in LMDE, you will then see everything that root is doing while a normal user is logged in . .

[Fred Barclay]

Thanks richy - I tried htop, but that doesn't explain everything.
For example, right now I can see several dozen programmes that the root user is running.

However, the root user still hasn't logged in (reportedly) since Sept 21, 4 days ago.
So it seems that root running a program is not the same as it logging in, at least as far as last is concerned.

Also, looking over the /var/log/wtmp logs, root is logging in much more frequently now than it used to. For example, there's only one recorded login in August, yet so far in September root has over a hundred reported logins (I counted).

EDIT: it wasn't clear that I had checked htop

[richyrich]

Who's running all of the services? Who is running mdm before you log in? upstart? apic? smbd? udev? getty? cron? etc. etc.

[Fred Barclay]

root handles all of those (except for upstart which was never installed, and smbd which I uninstalled).
E.g.

Code: Select all

$ ps aux | grep mdm
root      3017  0.0  0.1 140252  4792 ?        Ss   11:52   0:00 /usr/sbin/mdm
root      3018  0.0  0.2 203752  9700 ?        S    11:52   0:00 /usr/sbin/mdm
root      3030 14.1  1.8 309460 68500 tty8     Ssl+ 11:52   6:29 /usr/bin/X :0 -audit 0 -auth /var/lib/mdm/:0.Xauth -nolisten tcp vt8
mdm       3609  0.0  0.0  24504  1816 ?        S    11:52   0:00 dbus-launch --autolaunch=b359e1232f6e4995b2c912457a9984f4 --binary-syntax --close-stderr
mdm       3613  0.0  0.0  42124   360 ?        Ss   11:52   0:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
fred     10643  0.0  0.0  12732  2092 pts/1    S+   12:38   0:00 grep --color=auto mdm

However, that doesn't explain matters (correct me if I'm wrong):
1. If root running a programme = root logging in, then root should have logged in multiple times today (I've shut down several times and had one overheat crash). Yet the last reported login by last is still the 21st of September, four days ago.

2. If root running a programme had anything at all to do with these logins, then there should be more than one root login for the month of August, seeing as how I booted my computer every single day. Yet the only reported root login was August 10, compared to over a hundred in this month.
I haven't made any drastic changes to the computer either.

Thoughts?

[jepo]

However, that doesn't explain matters (correct me if I'm wrong):
1. If root running a programme = root logging in, then root should have logged in multiple times today

No. The "root" is only referring to the effective User-ID attached to those processes, they run with an effective UID of 0.
Therefore, they are shown to run "as root", since that's the login-name of the user with UID 0.
This isn't triggered by a login using the root login-name.
There's no contradiction, looks just alright.

[Fred Barclay]

This isn't triggered by a login using the root login-name.
There's no contradiction, looks just alright.

Thanks, that's what I was thinking. So now I'm really confused as to why last reports root logging in.