[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
AW: wrong output of "who" and "finger"
From: |
Burba, Viktor |
Subject: |
AW: wrong output of "who" and "finger" |
Date: |
Tue, 3 Nov 2009 12:07:05 +0100 |
Thank you very much, by the way I forgot to mention I have SuSE SLES10 x86_64.
But it does not matter, thanks a lot, now I have idea where to look for
Viktor Burba
-----Ursprüngliche Nachricht-----
Von: Bob Proulx [mailto:address@hidden
Gesendet: Montag, 2. November 2009 22:53
An: Burba, Viktor
Cc: address@hidden
Betreff: Re: wrong output of "who" and "finger"
Burba, Viktor wrote:
> I have a problem with output from "who" command. As you can see below
>
> busdm:~ # who -u
> root pts/0 Nov 2 15:56 . 21861 (192.168.0.20)
> root pts/6 Jun 18 13:04 ? 15579 (10.11.20.1)
>
> busdm:~ # uptime
> 4:06pm up 3 days 2:19, 2 users, load average: 0.42, 0.30, 0.16
> busdm:~ # date
> Mon Nov 2 16:07:04 CET 2009
>
> "who" shows me users logged in from Jun18, even so the host has been
> rebooted 3 days ago and today's date of the host is 2nd Nov. Also
> there is no PID 15579. Can you please explain this weird behaviour?
The who command reads the system's utmp file. This traditionally
existed at /etc/utmp but on modern systems has been moved to
/var/run/tmp. You can find the actual file on your system by running
who under strace or other system call tracing tool. Such as:
$ strace -e file -o /tmp/who.strace who
$ grep utmp /tmp/who.strace
When users log in, log out, create terminal windows in a graphical
terminal environment (e.g. start an xterm under X windows) the system
records this in the utmp file. This is a log by "dead-reckoning" and
may become out of sync with reality if the system doesn't track it
correctly. If a login entry is recorded but no corresponding logout
entry then who will report an entry which isn't really active. The
who command reports data from that file. If the data recorded doesn't
make sense then the result from who won't make sense. GIGO.
It is usually the job of system start up scripts (aka rc scripts) to
set up the utmp file properly at system boot time. Since the system
may have crashed previously the utmp file may contain stale
information. At boot time a system script truncates the file to zero,
sets the proper ownership and permissions and prepares it for use. On
my Debian system this is done in the /etc/init.d/bootmisc.sh script.
It appears that your system isn't properly clearing that file at boot
time. You didn't say what system you were using. But regardless the
problem appears to me with your report to be in a problem with the
boot time preparation of the utmp file.
Bob