SUMMARY: spurious logins for netscape, oracle users

From: Sweth Chandramouli (sweth@astaroth.nit.gwu.edu)
Date: Wed Oct 21 1998 - 09:09:23 CDT


        Tim Pointing <Tim.Pointing@dciem.dnd.ca> quickly pointed out
the right answer, which is that finger uses lastlog for its information,
and lastlog references users by uid, and not login name. i recently
ran a big perl script to migrate all of the users and groups on the
machine in question to match those in our nis maps, so that this machine
could join in the nis fun; it was three different users, whose old ids
are now those of the daemon users, who had logged in.
        does anyone know the format of the lastlog file offhand? i'd
like to add a subroutine to that perl script of mine to update the lastlog
file to reflect the new, correct ids, but most of the characters in the
file seem non-printable. i'll summarize any responses i get to this, as
well.

        -- sweth.

On Tue, Oct 20, 1998 at 10:39:09PM -0400, Sweth Chandramouli wrote:
> occasionally, paranoia seems to pay off. on one of the machines that i
> maintain, i decided to run a script to finger all of the users in the
> /etc/passwd file, just to see what i could see; much to my surprise, three
> "daemon" users had last logins, even though (to my knowledge) none of them
> should ever have logged in at all. the user that i had created for the netscape
> web server on that machine was one of the accounts that showed up as having been
> logged in, even though that account doesn't have a valid password hash in
> /etc/shadow (which i thought meant logins were impossible). there were also two
> other daemon users showing last login times, both of which are used by software
> packages to run jobs against an oracle database on that machine (one being the
> user that actually owns the db); those jobs, however, shouldn't show up as
> logins, right?
> where, exactly, does finger get its login info from? last shows none of
> those three users ever having logged in. (last _does_ say that the wtmp
> records start on a certain date (after the supposed last logins of the 3
> accounts in question), despite the fact that last shows records of logins from
> months before that date.)
> am i correct in my suspicions that something is very wrong here, and it
> is time to start reinstalling the os? or am i missing some very basic reason
> that these accounts would show up as having been logged in?
>
> tia,
> sweth.
>
> --
> Sweth Chandramouli
> IS Coordinator, The George Washington University
> <sweth@gwu.edu> / (202) 994 - 8521 (V) / (202) 994 - 0458 (F)
> *

-- 
Sweth Chandramouli
IS Coordinator, The George Washington University
<sweth@gwu.edu> / (202) 994 - 8521 (V) / (202) 994 - 0458 (F)
* <http://astaroth.nit.gwu.edu/~sweth/disc.html>
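
Added example, not part of the original message or the poster's perl script: a sketch of why uid-indexed lastlog records end up attributed to the wrong account after a uid migration, and of moving each record to its owner's new uid. The record layout is an assumption (the glibc/Linux `struct lastlog`; the message does not give the format and other systems use different field sizes), and the account names, uids and helper functions are constructed for illustration.

```python
import struct

# Assumed record layout (glibc/Linux struct lastlog): int32 ll_time,
# char ll_line[32], char ll_host[256]. Other systems use other field sizes.
REC = struct.Struct("=i32s256s")

def read_lastlog(data):
    """Return {uid: (time, line, host)}; a uid's record sits at uid * REC.size."""
    entries = {}
    for uid in range(len(data) // REC.size):
        t, line, host = REC.unpack_from(data, uid * REC.size)
        if t:  # ll_time == 0 means "never logged in"
            entries[uid] = (t, line.rstrip(b"\0").decode("latin-1"),
                            host.rstrip(b"\0").decode("latin-1"))
    return entries

def write_lastlog(entries):
    """Serialize {uid: (time, line, host)} back into fixed-size slots."""
    buf = bytearray((max(entries, default=-1) + 1) * REC.size)
    for uid, (t, line, host) in entries.items():
        REC.pack_into(buf, uid * REC.size, t,
                      line.encode("latin-1"), host.encode("latin-1"))
    return bytes(buf)

def remap_lastlog(data, uid_map):
    """Move each record to its owner's new uid; vacated slots stay zeroed."""
    moved = {}
    for uid, rec in read_lastlog(data).items():
        target = uid_map.get(uid, uid)
        if target in moved:
            raise ValueError(f"two records map to uid {target}")
        moved[target] = rec
    return write_lastlog(moved)

def attribute(data, passwd):
    """Name each record's owner the way a uid-indexed lookup would."""
    by_uid = {uid: name for name, uid in passwd.items()}
    return {by_uid[u]: rec[0] for u, rec in read_lastlog(data).items() if u in by_uid}

# Constructed sample: alice (old uid 105) logged in once; after the migration
# she is uid 2001 and the netscape daemon account has taken uid 105.
NEW_PASSWD = {"alice": 2001, "netscape": 105}
SAMPLE = write_lastlog({105: (908000000, "pts/3", "host.example.org")})

if __name__ == "__main__":
    print("before:", attribute(SAMPLE, NEW_PASSWD))
    print("after: ", attribute(remap_lastlog(SAMPLE, {105: 2001}), NEW_PASSWD))
```

Before the remap the stale record at uid 105 is reported against the daemon account; after it, the record follows the user who actually logged in and the daemon account shows no login.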



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:51 CDT