HPE Community
Operating System - HP-UX
1754803 Members
3490 Online
108825 Solutions
New Discussion юеВ

who -q and who -u reports logins that have no processes

 
SOLVED
Go to solution
Jack C. Mahaffey
Super Advisor

тАО05-21-2004 12:57 AM

тАО05-21-2004 12:57 AM

who -q and who -u reports logins that have no processes

I'm alittle confused. I run who -q and who -u and it reports logins that do not currently have any processes.

Server is a trusted server that contains copy of /etc/passwd, /etc/group and /tcb files from the primary server.

Any idea why it reports logins that do not currently have any processes. I want to terminate these active logins.

Jack...



0 Kudos
Reply
7 REPLIES 7
Jack C. Mahaffey
Super Advisor

тАО05-21-2004 01:00 AM

тАО05-21-2004 01:00 AM

Re: who -q and who -u reports logins that have no processes

Found a previous thread that may deal with the problem.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=499832
0 Kudos
Reply
Mark Grant
Honored Contributor

тАО05-21-2004 01:08 AM

тАО05-21-2004 01:08 AM

Solution

Re: who -q and who -u reports logins that have no processes

/var/adm/wtmp and /etc/utmp contain the information that "who" is using and they can easily get a bit upset and broken.

Sometimes the only thing to do is to clear them out.

"> /var/adm/wtmp" usually does the trick.
Never preceed any demonstration with anything more predictive than "watch this"
Reply
Jack C. Mahaffey
Super Advisor

тАО05-21-2004 01:22 AM

тАО05-21-2004 01:22 AM

Re: who -q and who -u reports logins that have no processes

Mark, problem with clearing out the file is who would then start returning nothing until folks start logging on.

Are there any guidlines for determining which entries should be saved when fwtmp is ran to create a temporary file?


jack

0 Kudos
Reply
John Carr_2
Honored Contributor

тАО05-21-2004 01:29 AM

тАО05-21-2004 01:29 AM

Re: who -q and who -u reports logins that have no processes

Jack

they are not active logins if the wtmp files are corrupt.

have you checked to see if they are real logins

ps -ef | grep username

if nothing is returned then there is no login present.

if there is a user logged in which you think should not be then you may wish to check any associated processes against the login Parent process ID

fuser -c PID

John.
0 Kudos
Reply
Mark Grant
Honored Contributor

тАО05-21-2004 01:32 AM

тАО05-21-2004 01:32 AM

Re: who -q and who -u reports logins that have no processes

Well, true, there is always that problem :)

One thing you could do is use fwtmp to out put the formatted ascii records and do a compare against the users that occur in a "ps" listing. Delete the records that have no processes and then build a new binary one. I'm sure a nice perl script is called for here.
Never preceed any demonstration with anything more predictive than "watch this"
0 Kudos
Reply
Jack C. Mahaffey
Super Advisor

тАО05-21-2004 01:35 AM

тАО05-21-2004 01:35 AM

Re: who -q and who -u reports logins that have no processes

John, yes I did the ps -ef | grep username to determine the problem initially because only root should have been logged in. I needed to clean up the /etc/utmp file to remove the entries that had username's that had no processes.

I now only have three active root logins in the file that have login timestamps. I left the other entries alone.

jack
0 Kudos
Reply
Jack C. Mahaffey
Super Advisor

тАО05-21-2004 02:12 AM

тАО05-21-2004 02:12 AM

Re: who -q and who -u reports logins that have no processes

Here's what I eventually did to fix the problem:

who -q [ Record logins ]

for each login from who -q output determine if the login has any active processes. E.g. ps -ef | grep loginname


/usr/sbin/acct/fwtmp < /etc/utmp > /tmp/utmp.txt

vi /tmp/utmp.txt
g/ 2003$/d
g/ 2004$/d
The remaining enties in file will contain what 'who -q' thinks are the active logins.

for each login from who -q/ps -ef task from above that 'does not' have any active processes, delete them.

/usr/sbin/acct/fwtmp -ic < /tmp/utmp.txt > /tmp/utmp

mv /etc/utmp /etc/utmp-yyyymmdd
cp -p /tmp/utmp /etc/utmp
chown root:root /etc/utmp
chmod 622 /etc/utmp

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.