HPE Community
Operating System - HP-UX
1756974 Members
1804 Online
108857 Solutions
New Discussion юеВ

Re: The "who" command is not reporting who is on the system

 
Kathy McGohan_1
Frequent Advisor

тАО08-02-2006 08:49 AM

тАО08-02-2006 08:49 AM

The "who" command is not reporting who is on the system

The "who" command reports some users, but not all users who are on the system. I can log into this server and type in who, but it does not show that I am logged into this server. I did start a new wtmp file, but it still does not report all those who are on the system.
0 Kudos
Reply
9 REPLIES 9
A. Clay Stephenson
Acclaimed Contributor

тАО08-02-2006 08:59 AM

тАО08-02-2006 08:59 AM

Re: The "who" command is not reporting who is on the system

When you created the new wtmp file, you threw away data. Basically you replaced one incomplete data set with another. You should have used fwtmp to read the old file out in ASCII format, removed any spurious entries, and then used fwtmp to rewrite the file in binary format.
If it ain't broke, I can fix that.
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

тАО08-02-2006 09:00 AM

тАО08-02-2006 09:00 AM

Re: The "who" command is not reporting who is on the system

Hi Kathy:

If you login as one user and switch to another ('su newuser') then then only the original user login will be reflected in the 'who' output. You will need to examine '/var/adm/sulog' to see the switch.

If the above doesn't help it would be useful to post the release that you are running.

Regards!

...JRF...
0 Kudos
Reply
G. Vrijhoeven
Honored Contributor

тАО08-02-2006 09:04 AM

тАО08-02-2006 09:04 AM

Re: The "who" command is not reporting who is on the system

Hi Kathy,

You could use the ps -uef | grep sh command, to get an overwiew of who is currently on the system.

HTH,

Gideon
0 Kudos
Reply
Yogeeraj_1
Honored Contributor

тАО08-02-2006 04:26 PM

тАО08-02-2006 04:26 PM

Re: The "who" command is not reporting who is on the system

hi kathy,

did you try to run finger?

For telnet sessions, it should work. Note that if you want to get information on " users who are on the system", you cannot just rely on who and finger. There are many other protocols through which users can connect to the server.

You may also wish to run netstat (displays statistics for network interfaces and protocols, as well as the contents of various network-related data structures.)

hope this helps too!

kind regards
yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (clavin coolidge)
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО08-02-2006 05:44 PM

тАО08-02-2006 05:44 PM

Re: The "who" command is not reporting who is on the system

The who command uses the utmp file which can be corrupted by bad applications. utmp is rebuilt at bootup which will solve your problem, but because that file is not well protected and because users trash their sessions rather than properly logging out, utmp corruption is unavoidable. The ps command is the most reliable method to find users on the system.


Bill Hassell, sysadmin
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО08-02-2006 06:39 PM

тАО08-02-2006 06:39 PM

Re: The "who" command is not reporting who is on the system

Shalom,

A system restart will clear this issue.

Any time you clear out the information that who uses e.g. wtmp you are going to have this issue.

I try and schedule my > /var/adm/syslog/wtmp for a time when the system has no users.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Marvin Strong
Honored Contributor

тАО08-02-2006 11:50 PM

тАО08-02-2006 11:50 PM

Re: The "who" command is not reporting who is on the system

if you need to clean wtmp because it is becoming huge use the fwtmp command as suggested by Mr. Clay it is the clean way to do it.

Depending on system activity, I have a little script that uses fwtmp and runs from cron every 90 or so days. And I keep the last 500 lines or so from the ascii file it created. Then convert that back to wtmp.
0 Kudos
Reply
Kathy McGohan_1
Frequent Advisor

тАО08-03-2006 01:33 AM

тАО08-03-2006 01:33 AM

Re: The "who" command is not reporting who is on the system

Thanks everyone for all your replies. I was just currious about this problem because one of my coworkers here told me that the Itaniums seem to have this problem right after they get them set up. It doesn't make since to me that they are noted for this.

Our OS version is B.11.23 and we are using SSH Tectia Server 4.4.2.

Finger does not report the right information for everyone. It's way off, but I'll check it out after the server gets rebooted, hopefully someday soon.

Again, thanks for all the replies. Points are coming.
0 Kudos
Reply
Douglas Cameron
New Member

тАО08-04-2006 03:40 AM

тАО08-04-2006 03:40 AM

Re: The "who" command is not reporting who is on the system

Kathy,

If you are a rightfully-so paranoid sysadmin, or have reasonable doubt that there is a security issue, than pull the plug (LAN cable) on the system, reboot in single user mode, and carefully look at the wtmp, utmp, sulog, syslog, maillog, last output, who -b, whodo, and finger output to see who was there and was doing what. If you jave a trusted system with pacct installed, then look at the accounting file and audit trail output as well. Look at your networking and authentication files and compare to backup files to note any and what differences, compare system binaries to MD-5 information, too.

If it is just a general issue, then reboot and look at the general information above without yanking any cables.

Just my opinions.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.