From: "Tuc at T-B-O-H.NET"
To: xfb52@dial.pipex.com (Alex Zbyslaw)
Cc: freebsd-questions@freebsd.org
Date: Wed, 19 Jul 2006 13:27:37 -0400 (EDT)
Subject: Re: nologin: Attempted login by root on UNKNOWN

> Tuc at T-B-O-H.NET wrote:
>
> >>>Jul 18 14:08:47 asgard nologin: Attempted login by root on UNKNOWN
> >>>
> >>>
> Something running *as* root is trying to "su" to an account which has
> /bin/nologin as a shell
>
> e.g. # su avahi
>
> cartman nologin: Attempted login by alex on /dev/ttyp7
>
> avahi:*:558:558:Avahi Daemon User:/nonexistent:/sbin/nologin
>
That's what I was thinking...
>
> If it were running detached from a terminal (in the background; started
> from an rc script) then it would have no terminal to report, hence UNKNOWN.
>
Makes sense. :)
>
> Tracking down what, is another matter. ps uagx and kill processes one
> by one until the message stops! Or try ktracing suspects for a less
> drastic approach.
>
I'm pretty sure it has to do with my sendmail. Why all of a sudden it's done this I'm not sure. I shut down sendmail for an hour and the messages stopped. When I started it back up, it started again.

I'm running:

sendmail / procmail / SpamAssassin

If I was to ktrace sendmail, what would I be looking for? What options do I pass to it to get all the sub processes?

Thanks, Tuc
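
The reasoning quoted in the message above, as an added example that is not part of the original post: a shell triage that counts nologin syslog entries per host, invoking user and terminal (UNKNOWN meaning the caller had no terminal), and lists the accounts whose shell is nologin. The function names and the sample log and passwd lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: triage nologin(8) syslog entries. All sample data is constructed.

# Count entries per (host, invoking user, tty). A tty of UNKNOWN means the
# caller had no terminal to report (rc script, cron job, daemon child).
nologin_summary() {
    awk '$5 ~ /^nologin(\[[0-9]+\])?:$/ && $6 == "Attempted" && $10 == "on" {
             ctx = ($11 == "UNKNOWN") ? "detached" : "terminal"
             n[$4 " " $9 " " $11 " " ctx]++
         }
         END { for (k in n) print n[k], k }' "$1" | sort -k2
}

# List passwd(5) accounts whose shell is nologin: the possible su targets.
nologin_accounts() {
    awk -F: '$NF ~ /\/nologin$/ { print $1 }' "$1" | sort
}

# Constructed sample input, modelled on the lines quoted in the message.
write_samples() {
    cat > "$1/messages" <<'EOF'
Jul 18 14:08:47 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:09:02 asgard sendmail[812]: constructed unrelated line
Jul 18 14:13:47 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 15:01:10 cartman nologin: Attempted login by alex on /dev/ttyp7
EOF
    cat > "$1/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
avahi:*:558:558:Avahi Daemon User:/nonexistent:/sbin/nologin
alex:*:1001:1001:Alex:/home/alex:/bin/sh
EOF
}

# Demo run over the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
nologin_summary "$demo_dir/messages"
nologin_accounts "$demo_dir/passwd"
rm -rf "$demo_dir"
```

Repeated `detached` entries at a regular interval point at a daemon or scheduled job rather than an interactive session, which narrows the set of processes worth tracing.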