On Sat, 19 Feb 2022 19:09:15 +0100
"dng@???" <dng@???> wrote:
>
> Probably not helpful either, but does auth.log show something from the
> use of exec="/bin/su" ?
Yes, as my standard user is not a "sudoer", I usually get a root shell by
'su'ing into the admin account and then 'sudo su -' from there, so I
have numerous sets like the following in the auth.log:
# cat /var/log/auth.log | grep -B2 -A5 '/bin/su'
Feb 19 20:15:24 nulldevice su: (to administrator) florian on pts/1
Feb 19 20:15:24 nulldevice su: pam_unix(su:session): session opened for user administrator(uid=1000) by (uid=1001)
Feb 19 20:15:30 nulldevice sudo: administrator : TTY=pts/1 ; PWD=/home/florian ; USER=root ; COMMAND=/bin/su -
Feb 19 20:15:30 nulldevice sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
Feb 19 20:15:30 nulldevice su: (to root) florian on pts/1
Feb 19 20:15:30 nulldevice su: pam_unix(su-l:session): session opened for user root(uid=0) by (uid=0)
Feb 19 20:17:01 nulldevice CRON[4512]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 19 20:17:01 nulldevice CRON[4512]: pam_unix(cron:session): session closed for user root
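Added example, not part of the original message: a small parser that reads the su and sudo lines quoted above and reconstructs, per terminal, which accounts were passed through on the way to root. The function names are hypothetical, and the line formats are assumed to match the excerpt shown in this message.

```python
import re
from collections import defaultdict

# Sample input: the auth.log lines quoted in the message above.
SAMPLE = """\
Feb 19 20:15:24 nulldevice su: (to administrator) florian on pts/1
Feb 19 20:15:24 nulldevice su: pam_unix(su:session): session opened for user administrator(uid=1000) by (uid=1001)
Feb 19 20:15:30 nulldevice sudo: administrator : TTY=pts/1 ; PWD=/home/florian ; USER=root ; COMMAND=/bin/su -
Feb 19 20:15:30 nulldevice sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
Feb 19 20:15:30 nulldevice su: (to root) florian on pts/1
Feb 19 20:15:30 nulldevice su: pam_unix(su-l:session): session opened for user root(uid=0) by (uid=0)
Feb 19 20:17:01 nulldevice CRON[4512]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
""".splitlines()

STAMP = r"^(\w{3} +\d+ [\d:]{8}) \S+ "
SU = re.compile(STAMP + r"su(?:\[\d+\])?: \(to (\S+)\) (\S+) on (\S+)$")
SUDO = re.compile(STAMP + r"sudo(?:\[\d+\])?: +(\S+) : TTY=(\S+) ; PWD=\S+ ; "
                          r"USER=(\S+) ; COMMAND=(.+)$")

def hops_by_tty(lines):
    """Return {tty: [(time, tool, from_user, to_user), ...]} in log order."""
    hops = defaultdict(list)
    for line in lines:
        if m := SU.match(line):
            when, target, login, tty = m.groups()
            hops[tty].append((when, "su", login, target))
        elif m := SUDO.match(line):
            when, caller, tty, target, _cmd = m.groups()
            hops[tty].append((when, "sudo", caller, target))
    return dict(hops)

def identity_paths(lines):
    """Collapse each terminal's hops into the sequence of accounts held."""
    paths = {}
    for tty, hops in hops_by_tty(lines).items():
        path = [hops[0][2]]                 # account that ran the first su/sudo
        for _when, _tool, _who, target in hops:
            if path[-1] != target:          # su logs the login name again, so
                path.append(target)         # de-duplicate on the target account
        paths[tty] = path
    return paths

def indirect_root(lines):
    """Terminals where root was reached through an intermediate account."""
    return {tty: p for tty, p in identity_paths(lines).items()
            if p[-1] == "root" and len(p) > 2}

if __name__ == "__main__":
    for tty, path in indirect_root(SAMPLE).items():
        print(tty, " -> ".join(path))
```

The pam_unix and CRON lines are skipped on purpose: only the su "(to ...)" and sudo "COMMAND=" records carry both the terminal and the account change.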