Miles Goodhew mgoodhew at gmail.com
Wed Nov 24 11:51:14 UTC 2004


On Tue, 23 Nov 2004 22:41:10 -0800, Sean Bruno <sean.bruno at dsl-only.net> wrote:
> Does anyone know how to debug login record issues or who to talk to
> about login record issues?  I am experiencing a weird issue described in
> bugzilla 140297 and I would like to debug it myself, but I don't seem to
> be able to find anyone to assist me with it.

  Let's see what I can remember about utmp/wtmp (Sorry, I'm using a
desktop OS whose name starts with a "W", so all I can do is recall, I
can't look it up).

* I may have the relative meanings of "utmp" and "wtmp" swapped-over below.
* "Utmpx/wtmpx" is a Sun-originated extension of the "traditional"
utmp/wtmp files (Same purposes, just more information/fatter fields or
* Utmp and Wtmp use the same record structure, they just use them in
different ways (see next two points).
* Utmp is a running log of user login history ("last" reads this) -
every time a log action (login/logout/reboot and a bunch of other odd
things) happens it gets appended here.
* Wtmp is a list of the current login state of each user and is read
by "Who"/"w". The records are indexed by UID (e.g. user "Fred" with
UID=1024 has their login state recorded at offset ( sizeof(
utmp_record ) * 1024 ).
* Utmp and wtmp use fixed-field-length strings (the kind of things
that the el-stupido "strncpy()" function exists to deal with - viva el
"strlcpy()"!). These have the peculiar property of being NUL-padded
('\0') if their content is smaller than the field and they are not
NUL-terminated if the content is as-long-as or longer than the field.
(This is probably an important clue).

If I were you, I'd work-up a program in language-of-your-choice (C,
Python or Perl can do it for sure) to scan-through one record at a
time and sanity-check the file that "who" reads (make sure it's wtmp -
remember my first point above). As I also indicated above, the
slightly anti-intuitive behaviour of strncpy() and the fields it
produces might be a factor in the problem. Something could be
inadvertently adding an extra NUL character or overrunning a field
somewhere (right after your listed logged-in user possibly). Or it
could be the case that the ?tmp file is fine, but "who" is misjudging
the data.

Happy hacking,


Miles Goodhew, Senior Hacker
TransACT communications
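
The record-by-record sanity check suggested in the message above, as an added example that is not part of the original post. It assumes the 384-byte glibc/Linux `struct utmp` layout; the function names and the sample records are constructed for illustration.

```python
import struct

# Assumed layout: glibc/Linux `struct utmp` (384 bytes). Other systems differ.
REC = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
STR_FIELDS = {"ut_line": 2, "ut_id": 3, "ut_user": 4, "ut_host": 5}  # tuple indexes


def check_field(raw):
    """Classify one fixed-length field the way strncpy() would have filled it."""
    nul = raw.find(b"\0")
    if nul == -1:
        return "unterminated"        # content filled the field: legal, but no NUL
    if raw[nul:].strip(b"\0"):
        return "dirty-padding"       # non-NUL bytes after the first NUL
    return "ok"


def scan(data):
    """Return (record_no, field, problem) tuples for a utmp/wtmp image."""
    findings = []
    whole, extra = divmod(len(data), REC.size)
    if extra:
        findings.append((whole, "<file>", "trailing %d bytes" % extra))
    for n in range(whole):
        rec = REC.unpack_from(data, n * REC.size)
        for name, idx in STR_FIELDS.items():
            verdict = check_field(rec[idx])
            if verdict != "ok":
                findings.append((n, name, verdict))
    return findings


def make_record(user, line=b"pts/0", host=b""):
    """Build one constructed record; struct NUL-pads short strings like strncpy()."""
    return REC.pack(7, 1234, line, b"p0", user, host, 0, 0, 0, 0, 0, 0, 0, 0, 0, b"")


# Constructed sample image: not real login data.
SAMPLE = (
    make_record(b"fred")                 # clean record
    + make_record(b"x" * 32)             # name exactly fills ut_user
    + make_record(b"sean\0\0junk")       # stray bytes after the first NUL
    + b"\0" * 10                         # truncated tail
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

An "unterminated" field is valid on disk, but any reader that treats it as a C string will run into the next field; "dirty-padding" means something wrote past or into the padding.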
