Dennis Handly wrote
> You can use fwtmp(1M) to format the /etc/utmp file but after you restart utmpd, it says it reads utmps. So you'll have to write a program like fwtmp to work on utmps(4) formats.
...
> This is a broken design and basically says this info isn't important. There should be a system demon that makes sure this works correctly. That's probably why there is now utmpd(1M).
As far as I can tell from 2 days of investigation you are absolutely right on both accounts.
Reality as of 11v3 aka B.11.31 seems to be like this:
- there are utmpd + bunch of files
- /etc/utmp: good old legacy utmp
- /var/adm/wtmps: utmp log, updated (by utmpd?) too
- /var/adm/btmps: btmp log, updated (by utmpd?) too
- /etc/utmpx: newest utmp, reads deprecated (only if utmpd is not running); updated by utmpd
- /etc/utmps: utmpd saves state here on exit
- plus in-memory utmpd database, which is currently Right Way to access
- different programs use different DBs
- who uses utmpd, but 'who /etc/utmp' is ok too
- last/lastb use wtmps/btmps, last -f use /var/awm/wtmp
- utmpd is good but not fully reliable solution
- if shell is killed with -9, its tty record is forever in utmpd database
- restarting utmpd (whith /sbin/init.d/utmpd stop/start) does not help -- all is saved
in utmps and read back
- it would be good if HP added periodic check for dead PIDs of process leaders or at least
some cleanup at restart
- current crop of tools are unable to fix utmpd-related things
- fwtmp -X < /var/adm/wtmps is ok, fwtmp < /etc/utmp is ok too, but utmps and utmpx are
not accessible with fwtmp (different format)
- ./fwtmp < /etc/utmpx seems to work but resuls are total and obvious crap
- so there is no way to get rid of stale entries in utmpd DB except reload
- or maybe stopping utmpd and 'echo > /etc/utmps' before start, loosing current logins
I wrote 2 small tools to fix utmpd DB without reboot. Maybe they'll be userful to someone.
- read_utmps.c
#include
#include
int main()
{
// see /usr/include/utmps.h
struct utmps *wtmps;
// read in-memory utmpd DB
while ((wtmps = getutsent(sizeof(struct utmps))) != NULL) {
printf("%-16.16s %-8.8s %-12.12s %5ld %2hd %lu %s\n",
wtmps->ut_id, // unique ID
wtmps->ut_user,
wtmps->ut_line,
wtmps->ut_pid,
wtmps->ut_type, // 7 USER_PROCESS, 8 DEAD_PROCESS
wtmps->ut_tv.tv_sec,
wtmps->ut_host
);
}
}
- write_utmps.c
#include
#include
int main(int argc, char **argv)
{
// see /usr/include/utmps.h
struct utmps *wtmps;
if (! argv[1]) {
fprintf(stderr, "ERROR: pleas give ut_id of stale session as argument\n\n");
fprintf(stderr, "procedure is usually as follows:\n");
fprintf(stderr, "- find dead sessions like 'who -u | grep old'\n");
fprintf(stderr, " - ensure they're really dead with 'ps -xp '\n");
fprintf(stderr, "- find ut_id with read_utmps\n");
fprintf(stderr, " - 1st field, usually == or pts/\n");
fprintf(stderr, "- end session with write_utmps \n");
fprintf(stderr, " - requires root privs\n");
return(1);
}
// read in-memory utmpd DB
while ((wtmps = getutsent(sizeof(struct utmps))) != NULL) {
if (strcmp(wtmps->ut_id, argv[1]) == 0) {
printf("bingo, %s found\n", argv[1]);
printf("%-15.15s %-8.8s %-12.12s %5ld %2hd %lu %s\n",
wtmps->ut_id, // unique ID
wtmps->ut_user,
wtmps->ut_line,
wtmps->ut_pid,
wtmps->ut_type, // 7 USER_PROCESS, 8 DEAD_PROCESS
wtmps->ut_tv.tv_sec,
wtmps->ut_host
);
// mark it as DEAD to end session
if (wtmps->ut_type == USER_PROCESS) {
wtmps->ut_type = DEAD_PROCESS;
time(&wtmps->ut_tv.tv_sec);
pututsline(wtmps, sizeof(struct utmps));
}
}
}
}
