Журнал лабораторных работ

total 92
drwxr-xr-x   2 root root 24576 2009-05-28 12:07 bin
drwxr-xr-x   2 root root  4096 2009-05-25 03:20 games
drwxr-xr-x   9 root root  4096 2009-05-25 03:38 include
drwxr-xr-x 101 root root 32768 2009-05-28 11:25 lib
drwxrwsr-x  10 root root  4096 2009-05-24 13:16 local
drwxr-xr-x   2 root root 12288 2009-05-28 11:25 sbin
drwxr-xr-x 139 root root  4096 2009-05-28 11:25 share
drwxrwsr-x   2 root root  4096 2009-04-24 22:21 src
drwxr-xr-x   2 root root  4096 2009-05-24 13:22 X11R6

total 76
drwxr-xr-x   2 root root  4096 2009-05-25 03:20 bin
drwxr-xr-x   3 root root  4096 2009-05-25 03:21 boot
drwxr-xr-x  15 root root  3520 2009-05-28 14:54 dev
drwxr-xr-x  85 root root  4096 2009-05-28 14:52 etc
drwxr-xr-x   4 root root  4096 2009-05-28 12:33 home
lrwxrwxrwx   1 root root    28 2009-05-24 18:18 initrd.img -> boot/initrd.img-2.6.29-2-686
drwxr-xr-x  13 root root  4096 2009-05-25 03:20 lib
drwx------   2 root root 16384 2009-05-24 18:14 lost+found
drwxr-xr-x   2 root root  4096 2009-05-28 14:53 media
...
dr-xr-xr-x 113 root root     0 2009-05-28 14:52 proc
drwxr-xr-x   6 root root  4096 2009-05-28 14:39 root
drwxr-xr-x   2 root root  4096 2009-05-25 03:20 sbin
drwxr-xr-x   2 root root  4096 2009-02-21 16:55 selinux
drwxr-xr-x   2 root root  4096 2009-05-24 13:15 srv
drwxr-xr-x  12 root root     0 2009-05-28 14:52 sys
drwxrwxrwt   7 root root  4096 2009-05-28 15:03 tmp
drwxr-xr-x  11 root root  4096 2009-05-24 13:22 usr
drwxr-xr-x  13 root root  4096 2009-05-24 13:15 var
lrwxrwxrwx   1 root root    25 2009-05-24 18:18 vmlinuz -> boot/vmlinuz-2.6.29-2-686

drwxr-xr-x 4 root root   4096 2009-05-25 03:20 ConsoleKit
drwxr-xr-x 2 root root   4096 2009-05-25 03:20 console-setup
drwxr-xr-x 2 root root   4096 2009-05-28 11:25 cron.d
drwxr-xr-x 2 root root   4096 2009-05-27 14:34 cron.daily
drwxr-xr-x 2 root root   4096 2009-05-24 13:16 cron.hourly
drwxr-xr-x 2 root root   4096 2009-05-27 14:34 cron.monthly
-rw-r--r-- 1 root root    777 2009-05-27 14:14 crontab
drwxr-xr-x 2 root root   4096 2009-05-27 14:34 cron.weekly
drwxr-xr-x 4 root root   4096 2009-05-25 03:20 dbus-1
-rw-r--r-- 1 root root   2969 2009-03-03 18:34 debconf.conf
...
drwxr-xr-x 2 root root   4096 2009-05-24 13:16 terminfo
-rw-r--r-- 1 root root     12 2009-05-27 11:53 timezone
-rw-r--r-- 1 root root    645 2009-03-25 13:05 ts.conf
-rw-r--r-- 1 root root   1260 2008-05-30 09:22 ucf.conf
drwxr-xr-x 4 root root   4096 2009-05-24 13:16 udev
drwxr-xr-x 2 root root   4096 2009-05-24 13:16 vim
-rw-r--r-- 1 root root   4221 2008-09-08 02:17 wgetrc
drwxr-xr-x 8 root root   4096 2009-05-26 11:31 X11
drwxr-xr-x 6 root root   4096 2009-05-25 03:20 xdg
drwxr-xr-x 2 root root   4096 2009-05-25 03:55 xml

root@10.0.35.100's password:
Linux linux0 2.6.18-6-xen-686 #1 SMP Sun Feb 10 22:43:13 UTC 2008 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu May 28 12:47:09 2009 from linux12.unix.nt
l3-agent is already running: pid=11304; pidfile=/root/.lilalo/l3-agent.pid

|   |   |-- 635ccfd5.0 -> NetLock_Express_=Class_C=_Root.pem
|   |   |-- 69105f4f.0 -> DigiCert_Assured_ID_Root_CA.pem
|   |   |-- 6adf0799.0 -> Wells_Fargo_Root_CA.pem
|   |   |-- 6e52cc39.0 -> ca.pem
|   |   |-- 6e8bf996.0 -> Certum_Root_CA.pem
|   |   |-- 6f5d9899.0 -> brasil.gov.br.pem
|   |   |-- 6fcc125d.0 -> Visa_eCommerce_Root.pem
|   |   |-- 709afd2b.0 -> Thawte_Personal_Freemail_CA.pem
|   |   |-- 72bf6a04.0 -> IPS_CLASEA3_root.pem
|   |   |-- 72fa7371.0 -> Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.pem
...
|   |   |-- Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.pem -> /usr/share/ca-certificates/mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt
|   |   |-- Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem -> /usr/share/ca-certificates/mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt
|   |   |-- Verisign_Class_3_Public_Primary_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt
|   |   |-- Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.pem -> /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt
|   |   |-- Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem -> /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
|   |   |-- Verisign_Class_4_Public_Primary_Certification_Authority_-_G2.pem -> /usr/share/ca-certificates/mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G2.crt
|   |   |-- Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.pem -> /usr/share/ca-certificates/mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt
|   |   |-- Verisign_RSA_Secure_Server_CA.pem -> /usr/share/ca-certificates/mozilla/Verisign_RSA_Secure_Server_CA.crt
|   |   |-- Verisign_Time_Stamping_Authority_CA.pem -> /usr/share/ca-certificates/mozilla/Verisign_Time_Stamping_Authority_CA.crt
|   |   |-- Visa_International_Global_Root_2.pem -> /usr/share/ca-certificates/mozilla/Visa_International_Global_Root_2.crt

\uid=0(root) gid=0(root) groups=0(root)

.
|-- ConsoleKit
|   |-- run-session.d
|   `-- seats.d
|       `-- 00-primary.seat
|-- PolicyKit
|   `-- PolicyKit.conf
|-- X11
|   |-- X -> /usr/bin/Xorg
|   |-- Xresources
...
|   |   |-- 60xdg-user-dirs-update
|   |   |-- 75dbus_dbus-launch
|   |   |-- 90consolekit
|   |   |-- 90x11-common_ssh-agent
|   |   `-- 99x11-common_start
|   |-- Xsession.options
|   |-- XvMCConfig
|   |-- Xwrapper.config
|   |-- app-defaults
|   |   |-- Bitmap

SHELL=/bin/bash
TERM=linux
L3_PARENT_TTY=/dev/tty1
HUSHLOGIN=FALSE
L3_TAMPERED_EDITORS= vi vim pico nano
USER=root
MAIL=/var/mail/root
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
L3_SESSION_ID=286067359135128856-1243512199
PWD=/etc/X11
LANG=en_US.UTF-8

TERM=linux
MAIL=/var/mail/root
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LANG=en_US.UTF-8

                  ssh 192.168.15.14
Linux linux14 2.6.29-2-686 #1 SMP Sun May 17 17:56:29 UTC 2009 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed May 27 09:41:00 2009
l3-agent is already running: pid=3856; pidfile=/root/.lilalo/l3-agent.pid

exit
Connection to 192.168.15.14 closed.

-rw-r--r-- 1 root root 9783 2009-05-28 12:58 /etc/passwd

total 64
drwxr-xr-x 2 root root  4096 2009-05-25 08:28 app-defaults
-rw-r--r-- 1 root root    13 2009-05-25 03:55 default-display-manager
drwxr-xr-x 6 root root  4096 2009-05-25 03:20 fonts
-rw-r--r-- 1 root root 17394 2009-04-09 02:05 rgb.txt
lrwxrwxrwx 1 root root    13 2009-05-25 03:20 X -> /usr/bin/Xorg
drwxr-xr-x 2 root root  4096 2009-05-25 03:20 xinit
drwxr-xr-x 2 root root  4096 2009-05-25 03:20 xkb
-rw-r--r-- 1 root root     0 2009-05-25 03:20 xorg.conf
drwxr-xr-x 2 root root  4096 2009-05-24 13:22 Xresources
-rwxr-xr-x 1 root root  3517 2009-04-08 17:09 Xsession
drwxr-xr-x 2 root root  4096 2009-05-25 03:20 Xsession.d
-rw-r--r-- 1 root root   265 2009-01-16 06:15 Xsession.options
-rw-r--r-- 1 root root    13 2007-04-11 18:48 XvMCConfig
-rw------- 1 root root   614 2009-05-24 13:22 Xwrapper.config

total 36
drwxr-xr-x 2 root root 4096 2009-05-24 13:16 apt.conf.d
-rw-r--r-- 1 root root 2098 2009-02-16 23:52 apt-file.conf
-rw------- 1 root root    0 2009-05-24 13:16 secring.gpg
-rw-r--r-- 1 root root   42 2009-05-24 13:16 sources.list
drwxr-xr-x 2 root root 4096 2009-04-14 15:31 sources.list.d
-rw------- 1 root root 1200 2009-05-24 13:16 trustdb.gpg
-rw------- 1 root root 5801 2009-05-24 13:16 trusted.gpg
-rw------- 1 root root 5801 2009-05-24 13:16 trusted.gpg~

-rwxr-xr-x 1 root root      79948 2009-05-02 21:05 sort
-rwxr-xr-x 1 root root      17452 2009-05-04 01:06 splain
-rwxr-xr-x 1 root root      51052 2009-05-02 21:05 split
-rwxr-xr-x 1 root root       4716 2009-02-20 20:13 splitfont
-rwxr-xr-x 1 root root     332928 2009-05-04 23:39 ssh
-rwxr-xr-x 1 root root     105868 2009-05-04 23:39 ssh-add
-rwxr-xr-x 1 root ssh       84728 2009-05-04 23:39 ssh-agent
-rwxr-xr-x 1 root root       1452 2009-05-04 23:39 ssh-argv0
-rwxr-xr-x 1 root root       1316 2009-05-04 23:39 ssh-copy-id
-rwxr-xr-x 1 root root     131884 2009-05-04 23:39 ssh-keygen
...
-rwxr-xr-x 1 root root      37828 2009-04-19 15:52 xfce4-appearance-settings
-rwxr-xr-x 1 root root      39416 2009-04-24 19:45 xfce4-appfinder
-rwxr-xr-x 1 root root      25228 2009-04-19 15:52 xfce4-display-settings
-rwxr-xr-x 1 root root      58312 2009-04-19 15:52 xfce4-keyboard-settings
-rwxr-xr-x 1 root root      48772 2009-04-19 19:12 xfce4-mixer
-rwxr-xr-x 1 root root      41636 2009-04-19 15:52 xfce4-mouse-settings
-rwxr-xr-x 1 root root      86412 2009-04-19 16:05 xfce4-panel
-rwxr-xr-x 1 root root       4404 2009-04-23 21:46 xfce4-popup-menu
-rwxr-xr-x 1 root root       4432 2009-04-19 16:05 xfce4-popup-windowlist
-rwxr-xr-x 1 root root     118132 2009-04-19 19:39 xfce4-session

root@10.0.35.100's password:
Linux linux0 2.6.18-6-xen-686 #1 SMP Sun Feb 10 22:43:13 UTC 2008 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu May 28 15:28:27 2009 from linux13.unix.nt
l3-agent is already running: pid=11304; pidfile=/root/.lilalo/l3-agent.pid

drwxr-xr-x 3 root root 4096 2009-05-24 13:16 procps
drwxr-xr-x 2 root root 4096 2009-05-25 03:20 psfontmgr
drwxr-xr-x 2 root root 4096 2009-05-25 03:20 psmisc
drwxr-xr-x 2 root root 4096 2009-05-25 03:20 psutils
drwxr-xr-x 4 root root 4096 2009-05-25 03:20 python
drwxr-xr-x 2 root root 4096 2009-05-25 03:20 python2.5
drwxr-xr-x 2 root root 4096 2009-05-25 03:20 python2.5-minimal
drwxr-xr-x 3 root root 4096 2009-05-25 03:38 python-cairo
drwxr-xr-x 2 root root 4096 2009-05-25 03:38 python-central
drwxr-xr-x 2 root root 4096 2009-05-25 03:31 python-dbus
...
drwxr-xr-x 2 root root 4096 2009-05-25 03:20 xserver-xorg-video-vmware
drwxr-xr-x 2 root root 4096 2009-05-25 03:20 xserver-xorg-video-voodoo
drwxr-xr-x 2 root root 4096 2009-05-25 03:20 xterm
drwxr-xr-x 2 root root 4096 2009-05-25 08:28 xtightvncviewer
drwxr-xr-x 2 root root 4096 2009-05-25 03:20 x-ttcidfont-conf
drwxr-xr-x 2 root root 4096 2009-05-25 03:48 xulrunner-1.9
drwxr-xr-x 2 root root 4096 2009-05-28 11:10 xzgv
drwxr-xr-x 2 root root 4096 2009-05-25 03:55 zenity
drwxr-xr-x 2 root root 4096 2009-05-26 10:07 zim
drwxr-xr-x 2 root root 4096 2009-05-24 13:16 zlib1g

--- /tmp/l3-saved-3167.11306.31380	2009-05-28 16:11:09.000000000 +0300
+++ sudoers	2009-05-28 16:11:41.000000000 +0300
@@ -15,8 +15,8 @@
 
 # User privilege specification
 root	ALL=(ALL) ALL
-#user	ALL=(ALL) ALL
-user	ALL=(ALL) /bin/cat
+sys	ALL=(ALL) ALL
+user	ALL=(ALL) ALL
 
 
 # Uncomment to allow members of group sudo to not need a password

Reading package lists... Done
Building dependency tree
Reading state information... Done
acl is already the newest version.
acl set to manually installed.
The following packages were automatically installed and are no longer required:
  portmap
Use 'apt-get autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

# file: README
# owner: root
# group: root
user::rw-
group::r--
other::r--

total 16
drwx------ 2 user user 4096 2009-05-28 15:51 keyring-SIOUEk
drwx------ 2 user user 4096 2009-05-28 15:58 orbit-user
-rw-r--r-- 1 root root   13 2009-05-28 16:21 README
drwx------ 2 user user 4096 2009-05-28 15:51 ssh-maLyxz2789

------------------- README

        linux-gate.so.1 =>  (0xb7f41000)
        libwrap.so.0 => /lib/libwrap.so.0 (0xb7f2f000)
        libpam.so.0 => /lib/libpam.so.0 (0xb7f24000)
        libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7f1f000)
        libselinux.so.1 => /lib/libselinux.so.1 (0xb7f06000)
        libresolv.so.2 => /lib/i686/cmov/libresolv.so.2 (0xb7ef0000)
        libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7d9d000)
        libutil.so.1 => /lib/i686/cmov/libutil.so.1 (0xb7d99000)
        libz.so.1 => /usr/lib/libz.so.1 (0xb7d83000)
        libnsl.so.1 => /lib/i686/cmov/libnsl.so.1 (0xb7d6a000)
        libcrypt.so.1 => /lib/i686/cmov/libcrypt.so.1 (0xb7d38000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb7d0f000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7c66000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb7c3d000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0xb7c39000)
        libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7ad9000)
        /lib/ld-linux.so.2 (0xb7f42000)
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0xb7ad2000)
        libkeyutils.so.1 => /lib/libkeyutils.so.1 (0xb7acf000)
        libpthread.so.0 => /lib/i686/cmov/libpthread.so.0 (0xb7ab6000)

        linux-gate.so.1 =>  (0xb8073000)
        libpam.so.0 => /lib/libpam.so.0 (0xb805e000)
        libpam_misc.so.0 => /lib/libpam_misc.so.0 (0xb805b000)
        libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7efa000)
        libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7ef6000)
        /lib/ld-linux.so.2 (0xb8074000)

atd       common-account   cron           newusers  sshd
chfn      common-auth      gdm            other     su
chpasswd  common-password  gdm-autologin  passwd    sudo
chsh      common-session   login          polkit    xscreensaver

/etc
/etc/security/opasswd
user "%s" does not exist in /etc/passwd%s
/etc/passwd
/etc/shadow
/etc/nshadow
/etc/npasswd
/etc/security/nopasswd
/etc/securetty

access.conf  limits.conf     namespace.init  pam_env.conf   time.conf
group.conf   namespace.conf  opasswd         sepermit.conf

pam_access.so         pam_issue.so      pam_permit.so       pam_umask.so
pam_ck_connector.so   pam_keyinit.so    pam_rhosts_auth.so  pam_unix_acct.so
pam_debug.so          pam_lastlog.so    pam_rhosts.so       pam_unix_auth.so
pam_deny.so           pam_limits.so     pam_rootok.so       pam_unix_passwd.so
pam_echo.so           pam_listfile.so   pam_securetty.so    pam_unix_session.so
pam_env.so            pam_localuser.so  pam_selinux.so      pam_unix.so
pam_exec.so           pam_loginuid.so   pam_sepermit.so     pam_userdb.so
pam_faildelay.so      pam_mail.so       pam_shells.so       pam_warn.so
pam_filter.so         pam_mkhomedir.so  pam_stress.so       pam_wheel.so
pam_ftp.so            pam_motd.so       pam_succeed_if.so   pam_xauth.so
pam_gnome_keyring.so  pam_namespace.so  pam_tally.so
pam_group.so          pam_nologin.so    pam_time.so

--- /tmp/l3-saved-3167.4023.16435	2009-05-28 16:52:56.000000000 +0300
+++ /etc/pam.d/common-auth	2009-05-28 16:53:22.000000000 +0300
@@ -14,6 +14,7 @@
 # pam-auth-update(8) for details.
 
 # here are the per-package modules (the "Primary" block)
+auth	sufficient			pam_permit.so
 auth	[success=1 default=ignore]	pam_unix.so nullok_secure
 # here's the fallback if no module succeeds
 auth	requisite			pam_deny.so

acl2-books: /usr/share/acl2-3.4/books/rtl/rel4/support/setbitn-proofs.o
acl2-books: /usr/share/acl2-3.4/books/rtl/rel4/support/setbitn.o
acl2-books: /usr/share/acl2-3.4/books/rtl/rel4/support/setbits-proofs.o
acl2-books: /usr/share/acl2-3.4/books/rtl/rel4/support/setbits.o
acl2-books: /usr/share/acl2-3.4/books/rtl/rel4/support/sgn.o
acl2-books: /usr/share/acl2-3.4/books/rtl/rel4/support/shft.o
acl2-books: /usr/share/acl2-3.4/books/rtl/rel4/support/simple-loop-helpers.o
acl2-books: /usr/share/acl2-3.4/books/rtl/rel4/support/simplify-model-helpers.o
acl2-books: /usr/share/acl2-3.4/books/rtl/rel4/support/stick-proofs.o
acl2-books: /usr/share/acl2-3.4/books/rtl/rel4/support/stick.o
...
acl2-books: /usr/share/acl2-3.4/books/rtl/rel7/support/lib1.delta1/round-extra2.o
acl2-books: /usr/share/acl2-3.4/books/rtl/rel7/support/lib1.delta1/round.o
acl2-books: /usr/share/acl2-3.4/books/rtl/rel7/support/lib1/add.o
acl2-books: /usr/share/acl2-3.4/books/rtl/rel7/support/lib1/arith.o
acl2-books: /usr/share/acl2-3.4/books/rtl/rel7/support/lib1/basic.o
acl2-books: /usr/share/acl2-3.4/books/rtl/rel7/support/lib1/bits.o
acl2-books: /usr/share/acl2-3.4/books/rtl/rel7/support/lib1/bvecp-helpers.o
acl2-books: /usr/share/acl2-3.4/books/rtl/rel7/support/lib1/bvecp-raw-helpers.o
acl2-books: /usr/share/acl2-3.4/books/rtl/rel7/support/lib1/clocks.o
acl2-books: /usr/share/acl2-3.4/books/rtl/rel7/support/lib1/float.o

root:x:0:0:root:/root:/bin/bash

Loaded 1 password hash (FreeBSD MD5 [32/32])
password         (user)
guesses: 1  time: 0:00:00:00 100% (2)  c/s: 4363  trying: password

--- /tmp/l3-saved-3167.28062.5461	2009-05-28 16:57:40.000000000 +0300
+++ /etc/sudoers	2009-05-28 16:57:54.000000000 +0300
@@ -15,8 +15,8 @@
 
 # User privilege specification
 root	ALL=(ALL) ALL
-sys	ALL=(ALL) ALL
-user	ALL=(ALL) ALL
+#sys	ALL=(ALL) ALL
+#user	ALL=(ALL) ALL
 
 
 # Uncomment to allow members of group sudo to not need a password

May 28 16:53:26 linux13 su[3931]: pam_unix(su:session): session opened for user user by (uid=0)
May 28 16:53:29 linux13 su[4031]: pam_unix(su:account): read unix_chkpwd output error 0: Permission denied
May 28 16:53:29 linux13 su[4031]: pam_acct_mgmt: Authentication failure
May 28 16:53:29 linux13 su[4031]: FAILED su for root by user
May 28 16:53:29 linux13 su[4031]: - /dev/pts/0 user:root
May 28 16:53:36 linux13 su[3931]: pam_unix(su:session): session closed for user user
May 28 16:58:11 linux13 su[4236]: pam_unix(su:account): read unix_chkpwd output error 0: Permission denied
May 28 16:58:11 linux13 su[4236]: pam_acct_mgmt: Authentication failure
May 28 16:58:11 linux13 su[4236]: FAILED su for root by user
May 28 16:58:11 linux13 su[4236]: - /dev/pts/1 user:root

/sbin/unix_chkpwd