HEADS UP: <utmp.h> gone. All welcome <utmpx.h>.
Vincent Poy
vincepoy at gmail.com
Thu Feb 4 01:04:29 UTC 2010
On Mon, Feb 1, 2010 at 3:32 PM, Ed Schouten <ed at 80386.nl> wrote:
Hello Ed:
> Hello Vincent,
>
> * Vincent Poy <vincepoy at gmail.com> wrote:
> > I just updated to a January 31, 2010 -CURRENT from a -CURRENT prior to
> the
> > above change and have a few questions and issues:
> >
> > 1) What's the correct way to use wtmpcvt(1) as the usage is wtmpcvt
> oldfile
> > newfile
> > out of the utmp, wtmp, lastlog, the utmp is not important as that's
> > basically the current logins. wtmp is not important either as that's
> just
> > the recent monthly logins. What is the correct procedure to convert
> lastlog
> > as that is basically the database that showed when the last time a user
> > logged on to the system so that when using lastlogin or finger, it will
> > showed when the person last logged in?
> >
> > I've tried wtmpcvt /var/log/lastlog /var/log/utx.lastlogin after backing
> up
> > /var/log/utx.lastlogin but when I ran lastlogin, it was all blank.
>
> Right now there is no way to convert lastlog files. The point is that
> unlike you mentioned, the wtmp is actually the only important log file.
> All information could in theory be derived from it. You could convert
> wtmp files and use last -f to scroll through history to figure out when
> someone logged in.
>
The problem with figuring out when someone last logged in is that newsyslog
with the default newsyslog.conf would rotate the wtmp files once a month so
that there would be one wtmp followed by wtmp.0, wtmp.1, wtmp.2, wtmp.3 so
it will only hold the last months worth of data so if the person logs in
anytime more than 5 months, they won't be in the wtmp.
> From an administrative point of view, you just want to be able to
> inspect log files in case it turns out a couple of months earlier
> something bad happened with your system (getting hacked, etc). lastlog
> is a nice feature, but it should just be considered being a bonus.
>
The thing with something bad happening with the system is usually looking at
data that far back will not really help since if it took a admin that long
to figure it out, then there is a bigger issue at hand because the system
probably is heavily compromised already as when we had hacks, usually we
have to get to it in real-time or atleast within a few hours or otherwise
the system will really be history. I just meant that traditionally, when
you finger a username, regardless if they are still in the wtmp/wtmp.* or
not, it will always showed when they last logged in even though it might be
a long time ago. last will only show whatever is in the wtmp and in this
case, anything in the current month. lastlogin probably would show their
last logged in timestamp.
> Using wtmpcvt(1) on non-wtmp files will indeed generate unreadable data
> files.
>
> > 2) I noticed that for last for ftp sessions, it will not show it as a ftp
> > session like how the previous utmp did even though w now shows the
> session
> > when it's still connected, not sure if this is really a bad thing unless
> ftp
> > isn't the only way to not use a tty. It seems finger now will report the
> > last login session which previously was only for tty sessions.
> >
> > <snip>
>
> I have been thinking about possibly extending the utmpx interface to
> include an application name string for login entries, like "sshd" or
> "ftpd".
>
Actually, from looking at the older last output using a example at
http://markmail.org/message/gbjgkwrwtt7s3spf:
It is in the format of:
user1 ftp 10.12.21.156 Fri Aug 20 13:17 - 13:17 (00:00)
user1 ttyp0 10.12.21.156 Fri Aug 20 13:16 - 13:17 (00:00)
while the new format is:
user1 10.12.21.156 Wed Feb 3 14:22 - 14:22
(00:00)
user1 pts/12 10.12.21.156 Tue Feb 2 20:47 - 20:48 (00:00)
So it seems like any connection that user a pty/vty was always listed with
the tty's name while ftp was only for ftp sessions. sshd would be listed as
the former. Speaking about ftp, anonymous ftp to be exact, it doesn't show
up in the last/lastlogin. In utmp, it looked like this:
ftp ftp 10.12.21.156 Wed Feb 3 16:18 - 16:18
(00:00)
> > 3) I noticed that it seems the system in the w, who, finger, last,
> > lastlogin output is not recognizing additional sessions of the same user
> on
> > a new tty if they are already logged in such as this example. I am
> already
> > logged in as vince on ptys/0 so I login again as vince on ptys/1:
> > <snip>
>
> This is very odd. Could you try debugging this a bit more? In order to
> ease debugging, I extended the getent command. You should be able to use
> the following commands:
>
> - getent utmpx active
> Get list of active sessions (`utmp')
> - getent utmpx log
> Get list of log entries (`wtmp')
> - getent utmpx lastlogin
> Get list of last login entries (`lastlog')
>
> When you log in, it should add a "user process" entry to the active
> sessions database, append the same entry to the log and overwrite the
> lastlogin entry for the corresponding user.
>
> An advantage of these commands is that they just perform a raw dump of
> the data on screen, instead of having many forms of unwanted processing
> on top.
>
I actually fixed the problem after I sup the latest -current of February 1,
2010 and then build/install world with a new kernel.
> > lastlogin shows only the last ftp session but not acknowledging that the
> > current ptys/1 session as the ptys/0 session is still active.
> > vince at bigbang [2:44pm][~] >> lastlogin
> > vince solar Mon Feb 1 14:20:03 2010
>
> No, but that's not what lastlogin is supposed to do. lastlogin will only
> print information about the last login, which means it will only list
> the FTP login.
>
The only thing was that I did a telnet session after the ftp login and that
one didn't show up but the problem has been solved now after I sup the
latest -current of February 1, 2010 and then build/install world with a new
kernel.
> > <snip>
> >
> > 4) the misc/screen port appears to be broken:
> > <snip>
>
> Are you sure your ports tree is up-to-date?
It was at that time but when I resup the ports tree again and noticed that
cy put in some patches so it compiles and installs with no problem except
that the tty's that screen creates are not showing up in w, who, finger,
last, lastlogin as basically I'm logged into pts/0 and run screen which
starts pts/1 but that one doesn't show up:
vince at bigbang [4:53pm][~] >> w
4:54PM up 2:43, 1 user, load averages: 0.01, 0.09, 0.07
USER TTY FROM LOGIN@ IDLE WHAT
vince pts/0 solar.dnalogic.net 2:17PM - screen
vince at bigbang [4:54pm][~] >> ps -agx
2174 0 Is 0:00.27 -tcsh (tcsh)
6986 0 S+ 0:00.03 screen
6989 1 Rs 0:00.08 /bin/tcsh
7023 1 R+ 0:00.00 ps -agx
Using your debugging instructions above:
vince at bigbang [4:55pm][~] >> getent utmpx active
[1265235448.137844 -- Wed Feb 3 14:17:28 2010] user process:
id="7074732f30000000" pid="2173" user="vince" line="pts/0" host="
solar.dnalogic.net"
[1265244775.030533 -- Wed Feb 3 16:52:55 2010] dead process:
id="7074732f31000000" pid="2214"
[1265243360.515028 -- Wed Feb 3 16:29:20 2010] dead process:
id="6363336674706400" pid="3267"
vince at bigbang [4:56pm][~] >> getent utmpx log
[1265235448.137844 -- Wed Feb 3 14:17:28 2010] user process:
id="7074732f30000000" pid="2173" user="vince" line="pts/0" host="
solar.dnalogic.net"
[1265244775.030533 -- Wed Feb 3 16:52:55 2010] dead process:
id="7074732f31000000" pid="2214"
vince at bigbang [DING!][~] >> getent utmpx lastlogin
[1265235448.137844 -- Wed Feb 3 14:17:28 2010] user process:
id="7074732f30000000" pid="2173" user="vince" line="pts/0" host="
solar.dnalogic.net"
[1265242798.149182 -- Wed Feb 3 16:19:58 2010] user process:
id="6363336674706400" pid="3267" user="vince" line="" host="localhost"
[1265234174.120127 -- Wed Feb 3 13:56:14 2010] user process:
id="016b68bfc68e7691" pid="2184" user="root" line="ttyv0" host=""
Cheers,
Vince
Vincent Poy, Ph.D. - Astrophysics
More information about the freebsd-current
mailing list