Gentoo Forums
Problem with WHO command [SOLVED]
njcwotx
Guru
Joined: 25 Feb 2005
Posts: 564
Location: Texas

Posted: Thu Oct 07, 2010 3:21 pm    Post subject: Problem with WHO command [SOLVED]

I have an interesting Linux issue in general. I have a dba that comes to me with Linux issues from time to time. Most of the time it's a basic educational thing, but this one has me a bit scratching my head too.

The dba uses the 'who' command a lot to determine who is logged in and how many users there are, e.g. "who | wc -l".

The strange thing is after a reboot, he can run "who |wc -l" and get 320 users showing up, but after a few days, the "who |wc -l" only shows 20 users when there are really more than that logged in.

What would cause the "who" command to not report all users?

I know a lot of these commands look in proc for the information to make these reports, but I am not familiar with how "who" actually works. Thought someone here might have a better idea how to explain the command and why I might have to reboot to get who to properly report users.
_________________
Drinking from the fountain of knowledge.
Sometimes sipping.
Sometimes gulping.
Always thirsting.


Last edited by njcwotx on Thu Oct 14, 2010 10:31 pm; edited 1 time in total
ShadowCat8
Apprentice
Joined: 07 Oct 2008
Posts: 161
Location: San Bernardino, CA, USA

Posted: Thu Oct 07, 2010 6:20 pm

Well,

A guesstimate would be that, as is pointed out in 'man who':
Code:
...<snip>...
       If  FILE is not specified, use /var/run/utmp.  /var/log/wtmp as FILE is
       common.  ...

if your friend is running a default logrotate configuration, then one of the possibilities is from /etc/logrotate.conf:
Code:
# no packages own lastlog or wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}


Not sure it's the right answer, but I think it's heading in the right direction. Looking at 'man utmp' had me a bit concerned as I read:
man utmp wrote:
...<snip>...
Note that the utmp struct from libc5 has changed in libc6. Because of
this, binaries using the old libc5 struct will corrupt /var/run/utmp
and/or /var/log/wtmp.

BUGS
This man page is based on the libc5 one, things may work differently
now.


Just my 2¢. HTH.
_________________
________________________

"As far as the laws of mathematics refer to reality, they are not
certain, and as far as they are certain, they do not refer to reality."

-- Albert Einstein
njcwotx
Guru
Joined: 25 Feb 2005
Posts: 564
Location: Texas

Posted: Thu Oct 14, 2010 7:03 pm

Ok. I read the man pages... I see that who is reading utmp by default. Been looking for a reason it stops reporting after a week, but so far no luck.

who /var/log/wtmp produces different results, but lots of duplicate login names.

I read the diff between utmp and wtmp is wtmp logs logins and outs, and utmp is currently logged in. Is this correct?

Any way to track who is updating utmp?

-------in my logrotate.conf-----------------
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    minsize 1M
    create 0664 root utmp
    rotate 1
}

----the utmp file perms are -------------

-rw-rw-r-- 1 root utmp 14K Oct 14 11:24 /var/run/utmp



Every time we reboot the system, it runs ok for a few days then stops reporting logins.
_________________
Drinking from the fountain of knowledge.
Sometimes sipping.
Sometimes gulping.
Always thirsting.
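
The utmp/wtmp difference asked about in the post above, as an added example that is not part of the original thread: it parses constructed records the way `who` reads them and replays a wtmp history to show where the duplicate names come from. It assumes the 384-byte glibc record layout on x86-64 Linux; the function names and sample records are made up for illustration.

```python
import struct

# Assumption: glibc `struct utmp` on x86-64 Linux, 384 bytes per record.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
USER_PROCESS, DEAD_PROCESS = 7, 8      # ut_type values from <utmp.h>

def _s(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def records(buf):
    """Yield (type, pid, line, user) for each complete record in buf."""
    for off in range(0, len(buf) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(buf, off)
        yield f[0], f[1], _s(f[2]), _s(f[4])

def who(buf):
    """What `who FILE` lists: every USER_PROCESS record with a user name."""
    return [(user, line) for t, _, line, user in records(buf)
            if t == USER_PROCESS and user]

def still_logged_in(wtmp_buf):
    """Replay wtmp: a DEAD_PROCESS record closes the login on that line."""
    open_sessions = {}
    for t, _, line, user in records(wtmp_buf):
        if t == USER_PROCESS:
            open_sessions[line] = user
        elif t == DEAD_PROCESS:
            open_sessions.pop(line, None)
    return sorted((u, l) for l, u in open_sessions.items())

def make(ut_type, pid, line, user=""):
    """Build one constructed record (all other fields zeroed)."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     b"", 0, 0, 0, 0, 0, 0, 0, 0, 0, b"")

# Constructed utmp: one slot per terminal line, overwritten in place.
UTMP_SAMPLE = (make(USER_PROCESS, 101, "pts/0", "alice")
               + make(DEAD_PROCESS, 102, "pts/1")
               + make(USER_PROCESS, 103, "pts/2", "bob"))

# Constructed wtmp: append-only history, so alice's two logins both remain.
WTMP_SAMPLE = (make(USER_PROCESS, 101, "pts/0", "alice")
               + make(DEAD_PROCESS, 101, "pts/0")
               + make(USER_PROCESS, 104, "pts/0", "alice")
               + make(USER_PROCESS, 103, "pts/2", "bob"))
```

Because utmp is updated in place at login and logout, a utmp file that stops being written leaves `who` reporting whatever the slots last held.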
njcwotx
Guru
Joined: 25 Feb 2005
Posts: 564
Location: Texas

Posted: Thu Oct 14, 2010 9:53 pm

interesting....

the utmp file appears to have stopped getting logged at the same time the error starts up in the logs.

[root@SERVER run]# ls -alh utmp
-rw-rw-r-- 1 root utmp 2.5M Oct 11 08:24 utmp ===== utmp stops updating at 8:24
[root@SERVER run]#



Oct 11 08:25:22 SERVER sshd[30825]: syslogin_perform_logout: logout() returned an error = first entry of this error…..
Oct 11 08:42:55 SERVER sshd[9900]: syslogin_perform_logout: logout() returned an error
Oct 11 08:43:07 SERVER sshd[31408]: syslogin_perform_logout: logout() returned an error
Oct 11 08:43:18 SERVER sshd[21018]: syslogin_perform_logout: logout() returned an error
Oct 11 08:43:24 SERVER sshd[16231]: syslogin_perform_logout: logout() returned an error


Is there any way to reset this file without rebooting?
_________________
Drinking from the fountain of knowledge.
Sometimes sipping.
Sometimes gulping.
Always thirsting.
njcwotx
Guru
Joined: 25 Feb 2005
Posts: 564
Location: Texas

Posted: Thu Oct 14, 2010 10:30 pm

SOLVED!!

Found a process holding utmp open with the lsof command. Tracked it to a strange telnet session from a place that should not have it open. Killed process and who now updates.

Giving issue to my dba to find out why user telnetted into a process that is for another server to talk on.

** Don't spam me about using telnet and being unsecure.... I have been harping on that stupid process since day one it got set up. I pleaded with dba to let me tunnel the session to hide it and keep it from being publicly available. The process between the servers 'apparently' only uses telnet. But when I ask to look at it to secure it I'm told no. Person is territorial, unless something breaks.... **
_________________
Drinking from the fountain of knowledge.
Sometimes sipping.
Sometimes gulping.
Always thirsting.
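
The lsof check from the post above, as an added example that is not part of the original thread: it walks /proc the way `lsof <file>` does and reports every process that has utmp open, with the command name and access mode, so an unexpected holder stands out next to sshd, login and getty. It assumes a Linux /proc and root privileges to see other users' processes; the function names are made up for illustration.

```python
import os

def _comm(base):
    """Short command name of the process, or '?' if it is unreadable."""
    try:
        with open(os.path.join(base, "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"

def _mode(base, fd):
    """Access mode from the octal 'flags:' line in /proc/<pid>/fdinfo/<fd>."""
    try:
        with open(os.path.join(base, "fdinfo", fd)) as fh:
            for line in fh:
                if line.startswith("flags:"):
                    return ("r", "w", "rw")[int(line.split()[1], 8) & 3]
    except (OSError, ValueError, IndexError):
        pass
    return "?"

def holders(target, proc_root="/proc"):
    """Return sorted (pid, command, fd, mode) for processes with target open.

    proc_root is a parameter only so the walk can be run on a test tree.
    """
    # /var/run is often a symlink to /run, so accept the resolved path too.
    wanted = {target, os.path.realpath(target)}
    found = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            fds = os.listdir(os.path.join(base, "fd"))
        except OSError:                  # process exited or permission denied
            continue
        for fd in fds:
            try:
                link = os.readlink(os.path.join(base, "fd", fd))
            except OSError:              # descriptor closed while scanning
                continue
            if link in wanted:
                found.append((int(pid), _comm(base), int(fd), _mode(base, fd)))
    return sorted(found)

if __name__ == "__main__":
    for pid, comm, fd, mode in holders("/var/run/utmp"):
        print(f"{pid:>7} {comm:<16} fd={fd} mode={mode}")
```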
ShadowCat8
Apprentice
Joined: 07 Oct 2008
Posts: 161
Location: San Bernardino, CA, USA

Posted: Mon Oct 18, 2010 5:15 pm

Well, taking it as a given that you are one of the (if not the only) admin(s) for your network, then I would suggest you do a bit of sniffing on the interface that they are telnetting into and later go back to them with their passwd and complete list of commands they issued. :P (As a note, do not do this if you are not a network admin. Network security is the admin's job and companies tend to frown on anyone other than the network admin testing the network in this fashion.)

But, after they have the direct realization that whatever they write into telnet can, and usually will be, listened to on any network by anyone who can, they generally start thinking of really securing their usage and then are not as reticent to use ssh.

HTH. Let us know.
_________________
________________________

"As far as the laws of mathematics refer to reality, they are not
certain, and as far as they are certain, they do not refer to reality."

-- Albert Einstein
All times are GMT