"Successful su for user by root" - suspicious entries in my /var/log/auth.log?

Those warnings are when you switch from root to your user.

It doesn't appear that you have any problem.


These are not from when you run sudo. But they are not a problem, either.

The messages say:

Successful su for user by root

This happens whenever you log in. Whether you're logging in as a real user or as a guest user, the login screen runs as root, so it must change user identity from root to a non-root user as part of the login process.

This isn't user becoming root. This is root becoming user.


I think I may have found at least one of the culprits:

Aug 21 16:15:09 UbuntuSystem su[30135]: Successful su for user by root
Aug 21 16:15:09 UbuntuSystem su[30135]: + ??? root:user
Aug 21 16:15:09 UbuntuSystem su[30135]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 21 16:15:09 UbuntuSystem su[30135]: pam_unix(su:session): session closed for user user
Aug 21 16:15:09 UbuntuSystem sudo: pam_unix(sudo:session): session closed for user root
Aug 21 16:15:12 UbuntuSystem sudo:      user : TTY=unknown ; PWD=/home/user ; USER=root ; COMMAND=/usr/lib/jupiter/scripts/cpu-control high
Aug 21 16:15:12 UbuntuSystem sudo: pam_unix(sudo:session): session opened for user root by (uid=1000)
Aug 21 16:15:12 UbuntuSystem su[30174]: Successful su for user by root
Aug 21 16:15:12 UbuntuSystem su[30174]: + ??? root:user
Aug 21 16:15:12 UbuntuSystem su[30174]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 21 16:15:12 UbuntuSystem su[30174]: pam_unix(su:session): session closed for user user
Aug 21 16:15:12 UbuntuSystem sudo: pam_unix(sudo:session): session closed for user root

In this case the entries were connected to the Jupiter power applet and specifically appeared when changing the CPU power mode. As there was no mention of Jupiter in any of the other instances, I cannot be sure whether they can be attributed to the same process.

I will keep monitoring my logs and post any further results here.
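
The two checks made by hand in the answers above (which direction each `su` goes, and which `sudo` command it follows), as an added example that is not part of the original posts. The function names, the 5-second correlation window and the final `root by user` line are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the auth.log excerpt quoted in the post above.
SAMPLE = """\
Aug 21 16:15:09 UbuntuSystem su[30135]: Successful su for user by root
Aug 21 16:15:09 UbuntuSystem su[30135]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 21 16:15:12 UbuntuSystem sudo:      user : TTY=unknown ; PWD=/home/user ; USER=root ; COMMAND=/usr/lib/jupiter/scripts/cpu-control high
Aug 21 16:15:12 UbuntuSystem su[30174]: Successful su for user by root
"""
# Constructed line (not from the post): the opposite direction, for contrast.
CONSTRUCTED = "Aug 21 16:20:00 UbuntuSystem su[30200]: Successful su for root by user\n"

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ (\w+)(?:\[(\d+)\])?: (.*)$")
SU_OK = re.compile(r"^Successful su for (\S+) by (\S+)$")
SUDO_CMD = re.compile(r"^\s*(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")

def parse_ts(ts):
    # syslog timestamps carry no year; pin a leap year so Feb 29 still parses
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")

def classify(target, by):
    if by == "root" and target != "root":
        return "privilege-drop"   # root becoming user (the case in the post)
    if target == "root":
        return "escalation"       # a non-root account becoming root
    return "lateral"              # one non-root account becoming another

def correlate(text, window=timedelta(seconds=5)):
    """Attach each successful su to the latest sudo COMMAND seen within `window`."""
    last_sudo, events = None, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, prog, pid, msg = parse_ts(m[1]), m[2], m[3], m[4]
        if prog == "sudo" and (c := SUDO_CMD.match(msg)):
            last_sudo = (ts, c[3])
        elif prog == "su" and (s := SU_OK.match(msg)):
            near = last_sudo and ts - last_sudo[0] <= window
            events.append({"pid": int(pid), "kind": classify(s[1], s[2]),
                           "sudo_command": last_sudo[1] if near else None})
    return events

if __name__ == "__main__":
    for event in correlate(SAMPLE + CONSTRUCTED):
        print(event)
```

An event with `sudo_command` set to `None` has no sudo invocation inside the window, which matches the first `su` in the excerpt, whose triggering command lies outside the quoted lines.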