topic lost user in Operating System - HP-UX

lost user

Jeff Hagstrom — Mon, 24 Sep 2001 17:32:48 GMT

I have a user-id that I cannot find by using
"ps -fu login" or "ps -ef|grep login". However, in my user start-up script there is a command "who | grep -v "`who am i`" | grep $LOGNAME " that is finding the user. I did a "who -u|grep login" which gives me the process ID, but when I try to kill it, it doesn't find anything to kill.

Re: lost user

Santosh Nair_1 — Mon, 24 Sep 2001 17:41:38 GMT

Could this user be one that's used to run some application/script at startup, i.e. using su - $USER -c ? Check /var/adm/sulog and also check the last -R $USER command to see where the user logged in from.

Hope this helps.

-Santosh

Re: lost user

Santosh Nair_1 — Mon, 24 Sep 2001 17:43:07 GMT

Also, why are you ps -fu and grepping for login? The login process is a tempory one which exec the users' shell, so it never stays around for very long.

-Santosh

Re: lost user

someone_4 — Mon, 24 Sep 2001 17:45:12 GMT

what does
#who -l
or
#who -u
give you?
who if you
#who a
you will get a doesn't exist or isn't readable
Usage: who [-rbtpludAasHTqRm] [am i] [utmp_like_file]

r run level
b boot time
t time changes
p processes other than getty or users
l login processes
u useful information
d dead processes
A accounting information
a all (rbtpludA options)
s short form of who (no time since last output or pid)
H print header
T status of tty (+ writable, - not writable, x exclusive open, ? hung)
q quick who
R print host name

Here you get all the options for who.
Hope this helps

Richard

Re: lost user

James R. Ferguson — Mon, 24 Sep 2001 17:46:12 GMT

Hi Jeff:

From the syntax you present, I suspect that you have 'su'ed to another user and as that user are seeking to kill the process that existed before the 'su'. If you are not 'root' then you can't kill another user's process (task).

Regards!

...JRF...

Re: lost user

Bernie Vande Griend — Mon, 24 Sep 2001 17:46:55 GMT

Santosh, I think he is just doing that within the user login process. (user's .profile maybe)

It does seem like the user was just briefly logged in. I'd also take a look at:
last -R | grep login_name
This will tell you how long the user was on the system, when, and also what IP they came from. If it was a script of some kind like Santosh said, it probably won't have an IP associated with it.

Re: lost user

Sachin Patel — Mon, 24 Sep 2001 17:51:51 GMT

Hi Jeff,
"who" gets its information from /etc/utmp and /var/adm/wtmp. Sometimes when user logs out by unusual way and utmp still has that entry then you can't kill that PID because that PID is not exits but entry is still there in /etc/utmp.

Sachin

Re: lost user

Darrell Allen — Mon, 24 Sep 2001 20:52:12 GMT

Hi Jeff,

I presume when you say "grep login" you are actually grepping for the loginid (name).

Could this loginid have the same uid as another loginid that comes before it in the passwd file? "ps", "whoami", and "id" are going to show the first loginid found in /etc/passwd that matches the numeric uid. $LOGNAME and "who am i" will show the actual loginid used.

Darrell