utmpx/wtmpx

Miles Goodhew mgoodhew at gmail.com
Wed Nov 24 11:51:14 UTC 2004 

Sean,

On Tue, 23 Nov 2004 22:41:10 -0800, Sean Bruno <sean.bruno at dsl-only.net> wrote:
> Does anyone know how to debug login record issues or who to talk to
> about login record issues?  I am experiencing a weird issue described in
> bugzilla 140297 and I would like to debug it myself, but I don't seem to
> be able to find anyone to assist me with it.

  Lets see what I can remember about utmp/wtmp (Sorry, I'm using a
desktop OS whose name starts with a "W", so all I can do is recall, I
can't look it up).

* I may have the relative meanings of "utmp" and "wtmp" swapped-over below.
* "Utmpx/wtmpx" is a Sun-originated extension of the "traditional"
utmp/wtmp files (Same purposes, just more information/fatter fields or
whatnot).
* Utmp and Wtmp use the same record structure, they just use them in
different ways (see next two points).
* Utmp is a running log of user login history ("last" reads this) -
everytime a log action (login/logout/reboot and a bunch of other odd
things) happens it gets appended here.
* Wtmp is a list of the current login state of each user and is read
by "Who"/"w". The records are indexed by UID (e.g. user "Fred" with
UID=1024 has their login state recorded at offset ( sizeof(
utmp_record ) * 1024 ).
* Utmp and wtmp use fixed-field-length strings (the kind of things
that the el-stupido "strncpy()" function exists to deal with - viva el
"strlcpy()"!). These have the perculiar property of being NUL-padded
('\0') if their content is smaller than the field and they are not
NUL-terminated if the content is as-long-as or longer than the field.
(This is probably an important clue).

If I were you, I'd work-up a program in language-of-your-choice (C,
Python or Perl can do it for sure) to scan-through one record at a
time and sanity-check the file that "who" reads (make sure it's wtmp -
remember my first point above). As I also indicated above, the
slightly anti-intuitive behaviour of strncpy() and the fields it
produces might be a factor in the problem. Something could be
inadvertantly adding an extra NUL character or overrunning a field
somewhere (right after your listed logged-in user possibly). Or it
could be the case that the ?tmp file is fine, but "who" is musjudging
the data.

Happy hacking,

Moles.

-- 
Miles Goodhew, Senior Hacker
TransACT communications

More information about the Fedora-desktop-list mailing list