Score:0

not able to see user activity while being in sudo -i

kz flag

I usually execute "watch -n0.1 w" to see what a user is doing continuously. However, if the user executes "sudo -i", becomes root and executes something, I cannot see his activity anymore.

Take the following example: I have 3 sessions open. On the first session, I am checking "watch -n1 w" to see what other users are doing. On the second session, I'm executing "sudo -i", then "vim session2.txt". On the third session, I'm executing "vim session3.txt".

Every 1.0s: w

15:31:37 up 63 days,  3:54,  3 users,  load average: 0.05, 0.29, 0.26
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
user1   pts/1    192.168.1.13     14:40    4.00s  0.50s  0.02s sshd: user1 [priv]
user1   pts/2    192.168.1.13     15:21    9:37   0.18s  0.02s sshd: user1 [priv]
user1   pts/3    192.168.1.13     15:24    7:21   0.14s  0.05s vim session3.txt

As you can see, I cannot see that on session 2 the user is doing "vim session2.txt" (being in sudo -i), but I can see on session 3 that the user is doing "vim session3.txt".

vidarlo avatar
ar flag
If you want to monitor the actions of users, watch is probably the *very* wrong way to do it.
catalin avatar
kz flag
Why? watch is a great command; it refreshes the activity every second, so I can just watch the screen and see how he switches the commands.
Score:0
gs flag

If you need to see anyone running privileged commands using sudo in watch, you need to run your watch in sudo as well. Try the following; it should work:

sudo -S watch -n1 w

Update: Sorry, this answer only works on BSD :(

catalin avatar
kz flag
I am already root; however, I've tested it, and I still cannot see what the user on session 2 is doing. Also, sudo -S means "-S, --stdin read password from standard input".
gs flag
Interesting... I had no problem seeing everything when I tried... what OS/distro are you running? As per your comment, yes, you need to use -S to see the password prompt from sudo so you can enter your password; otherwise it is difficult if not impossible to enter your password.
catalin avatar
kz flag
I am using Ubuntu 18.04 bionic, but I know for sure this is happening on other distros as well, like CentOS. You can't see what a user is doing while he is in a "sudo -i" bash process, using the "w" command. You would only see "sshd: <user_name> [priv]" as the command executed by him.
gs flag
You are right. I am on a Mac (BSD Unix) that shows everything, but the same thing doesn't work on Linux. It is probably the watch implementation that is not displaying the command executed under privileged runs in Linux, while BSD does.
catalin avatar
kz flag
It doesn't have anything to do with the "watch" command. Even if I type "w", I still cannot see what a user does while being in "sudo -i".
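
An added example, not part of the thread above: one way to see the foreground command on every terminal regardless of which user owns it is to compare each process's process group with its terminal's foreground process group in ps output, so a root-owned command started after "sudo -i" is listed too. It assumes procps ps on Linux; the sample lines and PIDs are constructed to mirror the three sessions in the question.

```shell
#!/bin/sh
# Show the foreground command on every terminal, whichever user owns the
# process, so commands run as root after "sudo -i" are listed as well.

# Constructed sample of: ps -e -o tty= -o user= -o pid= -o pgid= -o tpgid= -o args=
# (three sessions as in the question; all PIDs are made up).
sample_ps() {
cat <<'EOF'
pts/1 user1 2101 2101 2150 -bash
pts/1 user1 2150 2150 2150 watch -n1 w
pts/2 user1 2201 2201 2260 -bash
pts/2 root 2230 2230 2260 sudo -i
pts/2 root 2231 2231 2260 -bash
pts/2 root 2260 2260 2260 vim session2.txt
pts/3 user1 2301 2301 2340 -bash
pts/3 user1 2340 2340 2340 vim session3.txt
? root 1 1 -1 /sbin/init
EOF
}

# Read ps lines on stdin and print "TTY USER PID COMMAND" for each process
# that belongs to its terminal's foreground process group (pgid == tpgid).
foreground_by_tty() {
    awk '$1 != "?" && $4 == $5 {
        cmd = $6
        for (i = 7; i <= NF; i++) cmd = cmd " " $i
        print $1, $2, $3, cmd
    }'
}

# With --live, read the real process table; otherwise use the sample.
case "${1:-}" in
    --live) ps -e -o tty= -o user= -o pid= -o pgid= -o tpgid= -o args= | foreground_by_tty ;;
    *)      sample_ps | foreground_by_tty ;;
esac
```

Run it with --live on the monitored host, for example under watch, to refresh the view.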