Successful SU For Nobody By Root?

If you are looking through your auth log files, you may notice entries saying “session opened for user nobody”. What could this mean, and is your server being compromised?

Feb 23 06:25:02 the-cave su[16451]: Successful su for nobody by root
Feb 23 06:25:02 the-cave su[16451]: + ??? root:nobody
Feb 23 06:25:02 the-cave su[16451]: pam_unix(su:session): session opened for user nobody by (uid=0)
Feb 23 06:25:02 the-cave su[16451]: pam_unix(su:session): session closed for user nobody
Feb 23 06:25:02 the-cave su[16453]: Successful su for nobody by root
Feb 23 06:25:02 the-cave su[16453]: + ??? root:nobody
Feb 23 06:25:02 the-cave su[16453]: pam_unix(su:session): session opened for user nobody by (uid=0)
Feb 23 06:25:03 the-cave su[16453]: pam_unix(su:session): session closed for user nobody

Session Opened For User Nobody

Any services that run as a daemon on the server need to be run by a user. Nobody is a system user that is used to run various services. Apache, MySQL, cron and other services will be run as the user nobody.

How Is It Initiated

When one of these services needs to run a task, the task is initiated and the process is then passed to the user nobody, which then completes it.
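
To check that the su entries in an auth log all follow the root-to-nobody pattern described above, the lines can be grouped by su PID and each session summarised. The script below is an added example, not part of the original article; the names `summarize_su` and `needs_review` are hypothetical, and the last sample line (PID 20001, user alice) is constructed to show an entry that does not fit the pattern.

```python
import re
from datetime import datetime

# The log excerpt from the article, plus one constructed line (PID 20001)
# added here to show an entry that does not fit the root-to-nobody pattern.
SAMPLE = """\
Feb 23 06:25:02 the-cave su[16451]: Successful su for nobody by root
Feb 23 06:25:02 the-cave su[16451]: + ??? root:nobody
Feb 23 06:25:02 the-cave su[16451]: pam_unix(su:session): session opened for user nobody by (uid=0)
Feb 23 06:25:02 the-cave su[16451]: pam_unix(su:session): session closed for user nobody
Feb 23 06:25:02 the-cave su[16453]: Successful su for nobody by root
Feb 23 06:25:02 the-cave su[16453]: + ??? root:nobody
Feb 23 06:25:02 the-cave su[16453]: pam_unix(su:session): session opened for user nobody by (uid=0)
Feb 23 06:25:03 the-cave su[16453]: pam_unix(su:session): session closed for user nobody
Feb 23 14:02:11 the-cave su[20001]: Successful su for root by alice
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) su\[(\d+)\]: (.*)$")
SUCCESS = re.compile(r"^Successful su for (\S+) by (\S+)$")
OPENED = re.compile(r"session opened for user \S+ by \S*\(uid=(\d+)\)")
CLOSED = re.compile(r"session closed for user \S+")

def summarize_su(text, year=2000):
    """Group su lines by PID; syslog omits the year, so one is supplied."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, host, pid, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        rec = sessions.setdefault(pid, dict(pid=int(pid), host=host, target=None,
                                            by=None, uid=None, opened=None, closed=None))
        if s := SUCCESS.match(msg):
            rec["target"], rec["by"] = s.groups()
        elif o := OPENED.search(msg):
            rec["uid"], rec["opened"] = int(o.group(1)), when
        elif CLOSED.search(msg):
            rec["closed"] = when
    return list(sessions.values())

def needs_review(rec):
    """True unless the record is a completed root -> nobody session."""
    return not (rec["target"] == "nobody" and rec["by"] == "root"
                and rec["uid"] == 0 and rec["closed"] is not None)

if __name__ == "__main__":
    for r in summarize_su(SAMPLE):
        print(r["pid"], r["by"], "->", r["target"], "REVIEW" if needs_review(r) else "ok")
```

To run it against a real log, pass the file's contents to `summarize_su` in place of `SAMPLE`.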