Strange Idle User Listed in who, finger

Tom 'Needs A Hat' Mitchell mitch48 at sbcglobal.net
Mon May 3 18:10:53 UTC 2004


On Mon, May 03, 2004 at 11:45:05AM -0400, David Collantes wrote:
> On 5/3/2004 11:26 AM, Clint Harshaw wrote:
> 
> [...]
> 
> >charshaw  Clint Harshaw  *:0             May  3 09:44
> >charshaw  Clint Harshaw   pts/1          May  3 11:18 (:0.0)
> >charshaw  Clint Harshaw   pts/5    123d  Apr 28 08:22 (:0.0)
> >[charshaw at mufasa charshaw]$ who -u
> >charshaw :0           May  3 09:44   ?         13153
> >charshaw pts/1        May  3 11:18   .         15142 (:0.0)
> >charshaw pts/5        Apr 28 08:22   ?         18655 (:0.0)
> 
> Post the results of "ps aux" if you could....

Have you looked in /proc/18655 ?

Also is the box current?  There was a bug fix with utempter
(wtmp/utmp) not too long ago.  Have you picked up the fix for this
(utempter-0.5.5-3) and have you rebooted since that bug fix was
installed?

If you run strace on who and w you can see what they look at to get
their data.  See: utmp, utmpx, wtmp, wtmpx....

This tells me that it is possibly a buggy application that is not
updating the [uw]tmp files correctly.  I need to look at xterm and
family, but anything that you kill -9 is given no opportunity to tidy
up.  Example:

If I strace xterm I see:
   # strace -f -o/tmp/watchxterm xterm
   # grep wtmp /tmp/watchxterm
   16730 access("/var/log/wtmpx", F_OK)    = -1 ENOENT (No such file or directory)
   16730 open("/var/log/wtmp", O_WRONLY)   = 6
   16763 access("/var/log/wtmpx", F_OK)    = -1 ENOENT (No such file or directory)
   16763 open("/var/log/wtmp", O_WRONLY)   = 6

If I do it again and kill -9 the xterm there is no balanced access on
exit to wtmp.

   # strace -f -o/tmp/watchxterm-9 xterm
   # grep wtmp /tmp/watchxterm-9
   16780 access("/var/log/wtmpx", F_OK)    = -1 ENOENT (No such file or directory)
   16780 open("/var/log/wtmp", O_WRONLY)   = 6

There may be some additional clean up done by init and the kernel on exit
that I cannot see as a system call in strace.  But it is possible to have
confusing junk in the wtmp/utmp files.

Also watch how you get good time in the system.  If it boots with an
old date the first utmp entries will appear to be bogus after the time
of day is set correctly.


-- 
	T o m  M i t c h e l l 
	/dev/null the ultimate in secure storage.
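
The /proc check suggested in the message above can be applied to every login record at once. This is an added example, not part of the original post: it parses utmp records and reports USER_PROCESS entries whose PID no longer exists. The record layout assumes Linux glibc's 384-byte struct utmp, and all function names and the sample data are constructed for illustration.

```python
import os
import struct
import sys

# Linux glibc `struct utmp`, 384 bytes (assumed layout; other libcs differ).
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
USER_PROCESS, DEAD_PROCESS = 7, 8

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_utmp(data):
    """Return one dict per complete record in a utmp/wtmp byte string."""
    entries = []
    usable = len(data) - len(data) % UTMP.size  # skip a truncated tail
    for off in range(0, usable, UTMP.size):
        f = UTMP.unpack_from(data, off)
        entries.append({"type": f[0], "pid": f[1], "line": _text(f[2]),
                        "user": _text(f[4]), "host": _text(f[5]), "time": f[9]})
    return entries

def proc_alive(pid):
    """The /proc/<pid> check suggested in the post."""
    return os.path.isdir("/proc/%d" % pid)

def stale_sessions(entries, alive=proc_alive):
    """Login records whose PID is gone, e.g. after kill -9 of the terminal."""
    return [e for e in entries
            if e["type"] == USER_PROCESS and not alive(e["pid"])]

def _record(ut_type, pid, line, user, host, tv_sec):
    # id, exit status, session, usec and address fields are zero-filled
    return UTMP.pack(ut_type, pid, line, b"", user, host,
                     0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")

# Constructed sample: PIDs and lines from the quoted `who -u` output, plus one
# properly closed session; timestamps are made up.
SAMPLE = b"".join([
    _record(USER_PROCESS, 13153, b":0", b"charshaw", b"", 1083500000),
    _record(USER_PROCESS, 15142, b"pts/1", b"charshaw", b":0.0", 1083500100),
    _record(USER_PROCESS, 18655, b"pts/5", b"charshaw", b":0.0", 1083000000),
    _record(DEAD_PROCESS, 16730, b"pts/2", b"", b"", 1083500200),
])

if __name__ == "__main__":
    # Checks against this machine's /proc; pass a utmp file path to scan it.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for e in stale_sessions(parse_utmp(data)):
        print("stale: %(user)s on %(line)s pid %(pid)d" % e)
```

A PID that exists may have been reused by an unrelated process, so a record that passes this check is not proof the session is still live.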




