What is nobody doing?

Julian Field MailScanner at ecs.soton.ac.uk
Fri Mar 3 16:35:55 GMT 2006


On 3 Mar 2006, at 16:12, Kevin Miller wrote:

> I posted the following a month ago, but didn't receive any responses so
> thought I'd try again.  Is anyone else seeing this behavior?  I'd hazard
> a guess that it's something in the bayes cache mechanism.
> Thanks.
> Kevin Miller wrote:
>> Since I upgraded one of my machines the other day (from 4.33 to 4.50.?
>> beta) my /var/log/messages has been filling up with the messages
>> below. I opened two term windows, one running 'tail -f /var/log/mail'
>> and the other running 'tail -f /var/log/messages' then watched to see
>> what was happening.
>> /var/log/messages:
>> ==================
>> Feb  2 08:18:23 mail3 su: (to nobody) root on none
>> Feb  2 08:18:23 mail3 su: pam_unix2: session started for user nobody, service su
>> Feb  2 08:18:23 mail3 su: pam_unix2: session finished for user nobody, service su
>> /var/log/mail:
>> ==============
>> Feb  2 08:18:21 mail3 sendmail-in[6185]: k12HIK0g006185: to=<AStubblefield at juneaupolice.com>, delay=00:00:00, mailer=esmtp, pri=33805, stat=queued
>> Feb  2 08:18:22 mail3 MailScanner[5160]: New Batch: Scanning 1 messages, 4424 bytes
>> Normally I see a few 'session started for user nobody' when updatedb
>> runs, but these are happening every time new mail arrives.  The su
>> seems to happen just after the message is queued, that is between the
>> first and second lines in the mail log.  Is this expected behavior?
>> Why does root need to su to nobody to do whatever it's doing, when it
>> never had to before?

This may be caused by sendmail changing its username when it tries to  
deliver mail, but I've never seen this before. MailScanner doesn't  
change its username when running sendmail at all, so I don't see how  
this is connected.

As for the /var/log/mail extract, this is perfectly normal. Sendmail  
queues 1 incoming message into /var/spool/mqueue.in, which  
MailScanner is then picking up as a new batch (a batch of 1 message  
because there was only 1 message ready for processing when  
MailScanner looked at the queue). You would expect to see this for  
every new message that comes into your system.

-- 
Julian Field
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
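
Added example (not part of the original post, and not MailScanner code): one way to check whether the 'su to nobody' entries really track mail arrival is to correlate the two logs by timestamp. The sample lines are constructed from the excerpts quoted above (the 04:15:01 entry and the example.com address are invented), and the function names, the 5-second window and the year argument are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data modelled on the log excerpts quoted in the thread.
# The 04:15:01 entry is invented to stand in for an unrelated (e.g. cron) su.
MESSAGES_LOG = """\
Feb  2 04:15:01 mail3 su: (to nobody) root on none
Feb  2 08:18:23 mail3 su: (to nobody) root on none
Feb  2 08:18:23 mail3 su: pam_unix2: session started for user nobody, service su
Feb  2 08:18:23 mail3 su: pam_unix2: session finished for user nobody, service su
"""
MAIL_LOG = """\
Feb  2 08:18:21 mail3 sendmail-in[6185]: k12HIK0g006185: to=<user@example.com>, delay=00:00:00, mailer=esmtp, pri=33805, stat=queued
Feb  2 08:18:22 mail3 MailScanner[5160]: New Batch: Scanning 1 messages, 4424 bytes
"""

# timestamp, host, program name, optional [pid], message
SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")

def parse(text, year=2006):
    """Yield (timestamp, program, message) for each classic syslog line."""
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if m:
            # Classic syslog timestamps carry no year, so the caller supplies it.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(3), m.group(4)

def correlate(messages_text, mail_text, window=5):
    """Split su-to-nobody events into those seen within `window` seconds
    after a queued message and those with no nearby mail activity."""
    queued = [ts for ts, prog, msg in parse(mail_text)
              if prog.startswith("sendmail") and "stat=queued" in msg]
    su = [ts for ts, prog, msg in parse(messages_text)
          if prog == "su" and msg.startswith("(to nobody)")]
    near, unexplained = [], []
    for ts in su:
        hit = any(timedelta(0) <= ts - q <= timedelta(seconds=window)
                  for q in queued)
        (near if hit else unexplained).append(ts)
    return near, unexplained

if __name__ == "__main__":
    near, unexplained = correlate(MESSAGES_LOG, MAIL_LOG)
    print("su shortly after a queued message:", near)
    print("su with no nearby mail activity:  ", unexplained)
```

A high share of events in the first list only shows timing coincidence; which process actually invokes su still has to be established separately, for example from process accounting or audit records.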
