I’m currently running ZimaOS version 1.4.1 on a generic x86 system.
While monitoring system logs, I noticed that the following command is executed repeatedly as root – approximately every 2 to 3 seconds:
sudo /usr/bin/getent shadow root
Each call opens and closes a full sudo session. These are visible in the logs like this:
Jul 17 23:05:28 ZimaOS sudo[PID]: root : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/getent shadow root
Jul 17 23:05:28 ZimaOS sudo[PID]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jul 17 23:05:28 ZimaOS sudo[PID]: pam_unix(sudo:session): session closed for user root
At the same time, I can see the following HTTP request from zimaos-user, consistently around the same timestamp:
GET /v1/users/status
User-Agent: Go-http-client/1.1
Status: 200
Based on the timing and correlation, it seems like the zimaos-user process is issuing the getent shadow root call as part of some recurring user or authentication check.
This behavior continues indefinitely and shows up every few seconds in the journal.
My question :
Is this frequent execution of sudo getent shadow root by zimaos-user the intended behavior?
It seems quite aggressive in terms of system access (repeated sudo sessions and shadow file reads), and I’m wondering if this is necessary or perhaps something that could be improved.
Thanks in advance – and also thanks for all the work you’re putting into ZimaOS. It’s been running very well overall on my setup!
Best regards,
Lukas