SUMMARY: last, who and ps

From: Tom Linden (tom@kednos.com)
Date: Fri Nov 01 2002 - 11:09:53 EST

• Next message: Jim Kurtenbach: "Summary: HSG80 disk drives."
• Previous message: Kjell Andresen: "SUMMARY: kernel tuning; ulimit problem; tru64 v5.1a with bash (fwd)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Based on the explanation provided below, it appears that ftp exited
without cleaning up.

   On login (telnet/ssh), a record is written to each of /var/adm/utmp,
/var/adm/wtmp, and /var/adm/lastlog. utmp contains one record per
terminal, which gets emptied (zeroed-out) at logout. wtmp cotains one
record for each login and logout; this is cumulative. lastlog is only the
most recent login for each user (one record for every user, if user has
never logged-in, his/her record is empty).

  "last" reads wtmp, and displays the login and logout entries in a nice
readable format. If there is no logout entry for a session, then it says
"Still logged in".

  "finger" look at utmp, if an entry is found for the user, it is
displayed as "On since DATE on TTY from HOST", if a utmp ercord is not
found for the user, then lastlog is used and the output is "Last logged in
DATE on TTY from HOST"

  "who" and "w" look at utmp. idle times are generated by subtracting the
"last modified" timestamp of the terminal device from the current time.

  FTP is usually not considered an "active" login, it is passive.
Therefore Compaq's ftpd doesn't (shouldn't) write to utmp or lastlog; it
only writes to wtmp. This is why you can see ftp in "last" but not
"finger", "w", or "who".
  If you did a "ps ax | grep ftpd" or a "netstat -n | grep '\.22 '", I
think you'd find the ftp process in question. If not, then the process
exitted without cleaning-up (wrtting a logout rec to wtmp).

> On a 4.0d system, if I run 'last' I see the following:
>
> ftp ftp testarossa.intel Mon Oct 28 14:59 still logged in
>
> but neither 'who' nor 'ps' provide anymore information. Anybody
> have an expalantion?
>
> On a related note, 'lastcomm' complains that it can't find
> /var/adm/pacct, which indeed doesn't exist. Is it 'runacct' to turn on
> accounting?

mike caplin
____________________________________________________________________________
___
mcaplin@miami.edu

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.404 / Virus Database: 228 - Release Date: 10/15/2002

• Next message: Jim Kurtenbach: "Summary: HSG80 disk drives."
• Previous message: Kjell Andresen: "SUMMARY: kernel tuning; ulimit problem; tru64 v5.1a with bash (fwd)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:48:58 EDT