Rebuilding wtmp

Kyle Mott kyle at xraided.net
Mon Jul 12 17:09:33 PDT 2004


> -----Original Message-----
> From: aardvark [mailto:aardvark at saintaardvarkthecarpeted.com]
> Sent: Monday, July 12, 2004 4:40 PM
> To: Kyle Mott
> Cc: freebsd-questions at freebsd.org
> Subject: Re: Rebuilding wtmp
> 
> Kyle Mott disturbed my sleep to write:
> > I read a few manpages and did some googling, and couldn't find much of
> > anything about rebuilding wtmp. I tried just moving wtmp to wtmp.old and
> > then doing 'touch wtmp', then logging out and back in, but it still
> > reads 31Dec69. Is there some way to fix this? Thanks all.
> 
> It's possible that there's some process holding open wtmp.  (You could
> check this by adding lsof ("list open files") from ports -- *very* handy
> to have around on general principle).  If this is the case, probably
> the easiest way to fix things would be to rename the file, touch wtmp,
> then reboot.
> 

Thanks for the lsof tip, though I couldn't find anything using wtmp.
I've tried rebooting with an empty wtmp plenty of times before, all to
no avail.


> Interestingly enough, a Google for "wtmp freebsd" turned up this message
> from the FreeBSD-Security list:
> 
> 	http://archives.neohapsis.com/archives/freebsd/2001-07/0055.html
> 
> which suggests "cp /dev/null /var/log/wtmp" to fix things -- at least on
> Solaris.
> 

I tried this already, and it didn't work. On a system where I have a
good, uncorrupted version of wtmp, I can do 'mv wtmp wtmp.old && touch
wtmp', then log out and log back in, and it reports the dates fine. I can
also write a bunch of gibberish to wtmp (via /dev/random), and then
log out and back in, and it still reports the dates correctly. I'm just
confused.




-Kyle Mott



> I am now blessing your keyboard...
> 
> --
> Saint Aardvark the Carpeted
> aardvark at saintaardvarkthecarpeted.com
> Because the plural of Anecdote is Myth.


