[comp.unix.questions] utmp/wtmp

freedman@mips2.cr.bull.com (Jerome Freedman) (06/29/90)

   Could someone explain the uses and abuses of utmp/wtmp files?
I have found TFM less than informative. I am reading telnet and
rlogin source but anything would be helpful. Also, could someone
point out the differences between sys5, bsd and posix
use/interpretation of these files?


                                   Jerry Freedman,Jr

jik@athena.mit.edu (Jonathan I. Kamens) (06/29/90)

  Well, I won't go into the actual format of the utmp and wtmp files
(they share the same format), because I'd say that's described
adequately in utmp(5).  I will, however, discuss the purpose of each file.

  /etc/utmp is used to keep track of who is logged into the system at
any given time.  When a user logs in, the program that does the logging
in (usually /bin/login, but other programs (for example xterm) also do
this) puts an entry in the utmp file indicating that the user has logged
in.  When the user logs out, this is indicated by the same program
putting a NULL in the first character of the username field of the entry
that it added to utmp.

  What this means is that it's possible for there to be garbage entries
in utmp, that don't correspond to anyone who's actually logged in.  When
a program wants to add an entry to utmp, it scans it until it finds the
first entry with a NULL name field, and adds it there.  This way, it
isn't necessary to shrink and grow the utmp file whenever an entry is
deleted/added.

  Note that a program doesn't really *have to* look for the first empty
entry -- stupid programs can just always add to the end of the utmp,
although this is a bit anti-social.  Note also that as far as I can tell
from browsing sources, there's no file locking involved, so it's
possible for two processes writing to the file to clash if they try to
do so at the same time.

  /usr/adm/wtmp is a record of everyone who's been logged in at any
time, and for when they've been logged in.  When someone logs in, the
log-in program adds an entry to wtmp similar to (if not identical to)
the entry it added to utmp.  However, when the user logs out, rather
than deleting the entry in wtmp, it adds another entry to the file, with
the same tty but no username, indicating the logout time.  The programs
which parse the wtmp file understand how to interpret matching entries
to figure out login and logout times.

  I hope this helps.  (And I hope I've got everything right!  Then
again, if I don't, I'm sure 300 people will correct me :-)

Jonathan Kamens			              USnail:
MIT Project Athena				11 Ashford Terrace
jik@Athena.MIT.EDU				Allston, MA  02134
Office: 617-253-8495			      Home: 617-782-0710
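
The wtmp login/logout pairing described in the reply above, sketched in C as an added example (not code from the thread or from any system's source). The record struct is a simplified stand-in rather than the on-disk layout in utmp(5), `pair_sessions` is a hypothetical helper name, and the sample entries are constructed.

```c
#include <stdio.h>
#include <string.h>
/* Simplified stand-in record; NOT the on-disk layout given in utmp(5). */
struct rec     { char line[8]; char name[8]; long time; };
struct session { char line[8]; char name[8]; long in, out; }; /* out == 0: no logout seen */

/* Constructed sample wtmp contents, in the order they were appended. */
static const struct rec sample[] = {
    { "ttyp0", "alice", 1000 },
    { "ttyp1", "bob",   1100 },
    { "ttyp0", "",      1500 },  /* logout: same tty, empty name */
    { "ttyp0", "carol", 1600 },
    { "ttyp2", "",      1700 },  /* logout with no login on record */
    { "ttyp1", "dave",  1800 },  /* new login; bob's logout was never written */
};
#define NSAMPLE (sizeof sample / sizeof sample[0])

/* Scan forward; a logout record closes the most recent open session on its
 * tty. Returns sessions stored in out; *orphans counts unmatched logouts. */
size_t pair_sessions(const struct rec *log, size_t n,
                     struct session *out, size_t max, size_t *orphans)
{
    size_t count = 0, i, j;
    *orphans = 0;
    for (i = 0; i < n; i++) {
        if (log[i].name[0] != '\0') {            /* login record */
            if (count == max) break;             /* out of room: stop early */
            memcpy(out[count].line, log[i].line, sizeof out[count].line);
            memcpy(out[count].name, log[i].name, sizeof out[count].name);
            out[count].in = log[i].time;
            out[count++].out = 0;
            continue;
        }
        for (j = count; j > 0; j--)              /* logout: find open session */
            if (out[j-1].out == 0 && !strncmp(out[j-1].line, log[i].line, 8))
                break;
        if (j > 0) out[j-1].out = log[i].time;
        else       (*orphans)++;
    }
    return count;
}
int main(void)
{
    struct session s[8];
    size_t orphans, i, n = pair_sessions(sample, NSAMPLE, s, 8, &orphans);
    for (i = 0; i < n; i++)
        printf("%-8.8s %-8.8s in=%ld out=%ld\n", s[i].name, s[i].line, s[i].in, s[i].out);
    printf("unmatched logout records: %zu\n", orphans);
}
```

Sessions left with `out == 0` and logout records that match no login are reported rather than dropped, since those are the entries an administrator reviewing the log would want to look at.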