wtmp/last weird behavior
David Rysdam
david at rysdam.org
Fri Aug 15 21:41:48 EDT 2014
You replied only to me. I hope it isn't too gauche to reply to the
list. I like these things to be searchable by others in the future. (Ob:
http://xkcd.com/979/)
Bill Freeman <ke1g.nh at gmail.com> writes:
> But you are probably talking about an Xdm (gdm, kdm, etc.) login. I'll bet
> that code works pretty well too.
Yes, I am. That's what I thought as well. It looks like wtmp is a
"standard" of fairly long-standing, so I'd expect it to work right.
> So I can think of two possibilities:
>
> 1. One kid is letting another kid just go ahead and use the logged in
> session, rather than logging out and making the other log in.
Definitely not happening. And even if it were, it can't be happening
100% of the time. 'last' reports that one of the children hasn't logged
in *even once* since the 1st, even though I've watched him do it.
> 2. Some of them are using switch user, rather than logging out and
> logging in. I don't know what happens to wtmp when you switch back to an
> existing session. If it doesn't make a wtmp entry, that might be construed
> as a gdm bug (or whoever it is that offers "switch users"). Or not. A
> case could be made that suspending and resuming a user's session does not
> constitute a log out and in. Even if this is what's going on.
This definitely has happened, but as above not 100% of the time for any
given child. Maybe 1% of the time (their computer is right next to our
computers, so we see the nominal behavior).
> I think that you want a tool that prints the file in human readable form,
> whose output you can pipe into tail, or look at in your favorite editor, so
> that you can see the sequence. If you can't find such a tool, the utmp
> wtmp man page gives a C structure for the entries in the file. If you have
> the missing kid turn up as logged in for days at a time, it's probably the
> switch users thing.
I saw the layout, but since 'strings /var/log/wtmp' doesn't show the
child, I'm skeptical that a program will find it. I can try it. Or at
least read the structure a little more closely and see if the UID could
be in there. For one particular child. This month only.
> Another interesting diagnostic would be a tool that captures the last entry
> in wtmp to a private log of your own that you arrange to have run when they
> log in - .bash_profile and the X equivalent.
Maybe wtmp is getting overwritten? I guess that could be. I have no idea
how it's getting captured in the first place...
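
The following is an added example, not part of the original message: a small parser for the record structure given in the utmp/wtmp man page, which prints each entry in sequence and lists logins that have no matching logout. It assumes the 384-byte glibc `struct utmp` layout used on Linux; the user names, lines and timestamps in the sample are constructed.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on Linux (384 bytes): ut_type, padding,
# ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256], ut_exit (2 shorts),
# ut_session, ut_tv.tv_sec, ut_tv.tv_usec, ut_addr_v6[4], unused[20]
REC = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
TYPES = {1: "RUN_LVL", 2: "BOOT_TIME", 6: "LOGIN_PROCESS",
         7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def cstr(b):
    """Fixed-width field -> text, cut at the first NUL."""
    return b.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse(data):
    """Yield one dict per complete record; a truncated tail is ignored."""
    for off in range(0, len(data) - REC.size + 1, REC.size):
        f = REC.unpack_from(data, off)
        yield {"type": TYPES.get(f[0], str(f[0])), "pid": f[1],
               "line": cstr(f[2]), "user": cstr(f[4]), "host": cstr(f[5]),
               "time": f[9]}

def open_sessions(records):
    """Map line -> (user, login time) for logins with no later logout."""
    live = {}
    for r in records:
        if r["type"] == "USER_PROCESS":
            live[r["line"]] = (r["user"], r["time"])
        elif r["type"] == "DEAD_PROCESS":
            live.pop(r["line"], None)
        elif r["type"] == "BOOT_TIME":
            live.clear()  # a reboot ends every earlier session
    return live

def make(ut_type, pid, line, user, t):
    """Build one constructed record (sample data, not from a real system)."""
    return REC.pack(ut_type, pid, line.encode(), b"", user.encode(), b"",
                    0, 0, 0, t, 0, 0, 0, 0, 0, b"")

# Constructed sample: alice logs in and out on :0, bob logs in on :1 and stays.
SAMPLE = (make(7, 2101, ":0", "alice", 1407000000)
          + make(8, 2101, ":0", "", 1407003600)
          + make(7, 2350, ":1", "bob", 1407003000))

if __name__ == "__main__":
    for r in parse(SAMPLE):
        when = datetime.fromtimestamp(r["time"], timezone.utc).isoformat()
        print(when, r["type"], r["line"], r["user"] or "-", r["pid"])
    print("still open:", open_sessions(parse(SAMPLE)))
```

To read a real file, pass `open("/var/log/wtmp", "rb").read()` to `parse()` in place of `SAMPLE`.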