utmp, wtmp, lastlog -- login records
#include <sys/types.h>
#include <utmp.h>
The file <utmp.h> declares the structures used to record information
about current users in the file utmp, logins and logouts in the file
wtmp, and last logins in the file lastlog. The time stamps of date
changes, shutdowns and reboots are also logged in the wtmp file.
#define _PATH_UTMP "/var/run/utmp"
#define _PATH_WTMP "/var/log/wtmp"
#define _PATH_LASTLOG "/var/log/lastlog"
#define UT_NAMESIZE 16
#define UT_LINESIZE 8
#define UT_HOSTSIZE 16
struct lastlog {
int32_t ll_time; /* When user logged in */
char ll_line[UT_LINESIZE]; /* Terminal line name */
char ll_host[UT_HOSTSIZE]; /* Host user came from */
};
struct utmp {
char ut_line[UT_LINESIZE]; /* Terminal line name */
char ut_name[UT_NAMESIZE]; /* User's login name */
char ut_host[UT_HOSTSIZE]; /* Host user came from */
int32_t ut_time; /* When user logged in */
};
The lastlog file is a linear array of lastlog structures indexed by a
user's UID. The utmp file is a linear array of utmp structures indexed
by a terminal line number (see ttyslot(3)). The wtmp file consists of
utmp structures and is a binary log file, that is, grows linearly at its
end.
By default, each time a user logs in, the pam_lastlog(8) program looks up
the user's UID in the file lastlog. If it is found, the timestamp of the
last time the user logged in, the terminal line and the hostname are
written to the standard output. The pam_lastlog(8) program then records
the new login time in the file lastlog.
After the new lastlog record is written, the file utmp is opened and the
utmp record for the user is inserted. This record remains there until
the user logs out at which time it is deleted. The utmp file is used by
the programs rwho(1), users(1), w(1), and who(1).
Next, the pam_lastlog(8) program opens the file wtmp, and appends the
user's utmp record. The user's subsequent logout from the terminal line
is marked by a special utmp record with ut_line set accordingly, ut_time
updated, but ut_name and ut_host both empty (see init(8)). The wtmp file
is used by the programs last(1) and ac(8).
In the event of a date change, a shutdown or reboot, the following items
are logged in the wtmp file.
reboot
shutdown A system reboot or shutdown has been initiated. The character
`~' is placed in the field ut_line, and reboot or shutdown in
the field ut_name (see shutdown(8) and reboot(8)).
date The system time has been manually or automatically updated (see
date(1)). The command name date is recorded in the field
ut_name. In the field ut_line, the character `|' indicates the
time prior to the change, and the character `{' indicates the
new time.
The wtmp file can grow rapidly on busy systems, so daily or weekly rotation
is recommended. It is maintained by newsyslog(8).
If any one of these files does not exist, it is not created by
pam_lastlog(8). The files must be created manually.
The supplied login(3), logout(3), and logwtmp(3) utility functions should
be used to perform the standard actions on the utmp and wtmp files in
order to maintain the portability across systems with different formats
of those files.
/var/run/utmp The utmp file.
/var/log/wtmp The wtmp file.
/var/log/lastlog The lastlog file.
last(1), w(1), who(1), login(3), logout(3), logwtmp(3), ttyslot(3),
ac(8), init(8), pam_lastlog(8)
A utmp and wtmp file format appeared in Version 6 AT&T UNIX. The lastlog
file format appeared in 3.0BSD.
FreeBSD 5.2.1 November 14, 2001 FreeBSD 5.2.1 [ Back ] |
