SUMMARY: last gives wrong output

From: Granzow, Doug (NCI) <granzowd_at_mail.nih.gov>
Date: Fri Mar 01 2002 - 13:06:54 EST
Thanks to:

Steve Mickeler
Chintu
Casper Dik
Scott Davis

Basically the wtmpx file got corrupted.  Renaming the file and creating a
new one is the easiest solution.  How did it get corrupted?  Probably at
some point /var filled up and an incomplete entry was written to wtmpx.

Thanks,
Doug



-----
from Casper Dik:


An overflow of /var which causes wtmpx to be truncated on a size that
is not a multiple of sizeof(wtmpx); the new records are added but last can't
find them.

Casper



-----
from Scott Davis:


On a SPARC / Solaris 2.5.1 system I had a similar problem.
This email that I sent to my colleagues explains what I
found and how I fixed it. I hope it's helpful to you.

Scott Davis

* * * * * * *

Has anyone issued the command 'last' on <hostname> and been surprised
to see a history ending Oct 26, claiming that <username> is still logged
in since Oct 25 (2000)?

I looked into it and this is what I found.

Four files in /var/adm are used to keep track of user activity:
utmp  - current activity (short form,     36 bytes/record)
wtmp  - history          (short form,     36 bytes/record)
utmpx - current activity (extended form, 372 bytes/record)
wtmpx - history          (extended form, 372 bytes/record)

Looking at the file sizes, I saw that wtmp was an even multiple
of 36 bytes, but that wtmpx was 48 bytes shy of the same multiple
of 372 bytes. I wrote a tiny ad hoc program to read wtmpx and
print each entry with a line number. After line 14203, it printed
garbage. So I fired up emacs on a copy of wtmpx, skipped ahead
14203 * 372 characters, and deleted 324 characters -- an incomplete
entry for something called "sac". Now 'last' can read the whole
file and give an up-to-date history. I saved the corrupted file
as /var/adm/bad_wtmpx.

This doesn't explain how the file got corrupted -- but the very
next entry after the incomplete one is for "shutdown". Maybe
somebody ran a job that filled up /var/tmp just as /var/adm/utmpx
was being updated, and noticed that the system was wedged and
rebooted it. Plausible?


> -----Original Message-----
> From: Granzow, Doug (NCI) 
> Sent: Friday, March 01, 2002 11:49 AM
> To: 'sunmanagers@sunmanagers.org'
> Subject: last gives wrong output
> 
> 
> I have a Solaris 8 SPARC system which is displaying outdated info when I do
> a "last".
> 
> [ users and hosts sanitized ]
> 
> bash-2.03# last -10
> root      pts/1        12-34-567-89.mc. Sun Dec  2 20:49 - 21:01  (00:12)
> root      pts/1        12-34-567-89.mc. Sun Dec  2 11:33 - 14:56  (03:22)
> root      pts/2        hostname.nci.nih Thu Nov 29 15:20 - 15:27  (00:07)
> root      pts/1        hostnam.nci.nih. Thu Nov 29 14:14 - 16:19  (02:05)
> username  pts/1        hostn.nci.nih.go Thu Nov 29 12:55 - 12:55  (00:00)
> username  pts/1        hostn.nci.nih.go Thu Nov 29 12:54 - 12:54  (00:00)
> root      pts/1        hostnam.nci.nih. Wed Nov 28 14:30 - 15:38  (01:08)
> root      pts/1        hostnam.nci.nih. Wed Nov 28 14:19 - 14:22  (00:02)
> root      pts/1        hostname.nci.nih Tue Nov 27 13:25 - 16:32  (03:07)
> root      pts/1        hostname.nci.nih Tue Nov 27 13:24 - 13:24  (00:00)
> bash-2.03# date
> Fri Mar  1 11:45:28 EST 2002
> bash-2.03# ls -l /var/adm/wt*
> -rw-r--r--   1 root     other      55728 Mar  1 11:37 /var/adm/wtmp
> -rw-r--r--   1 adm      adm       939800 Mar  1 11:40 /var/adm/wtmpx
> 
> wtmp and wtmpx have current timestamps and are growing, but "last" output is
> from last year.  Any ideas what might be causing this?
> _______________________________________________
> sunmanagers mailing list
> sunmanagers@sunmanagers.org
> http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Fri Mar 1 12:07:16 2002
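
The size check and the manual repair described in the replies above, as an added example that is not code from any of the posters: it tests whether a file is a whole number of 372-byte records, locates a single partial record, and returns a copy with it cut out. The function names are hypothetical, the sample records are constructed, and the field offsets (ut_type at byte 72, tv_sec at byte 80, big-endian) are an assumed SPARC record layout.

```python
import struct

RECLEN = 372                   # wtmpx record size quoted in the thread
TYPE_OFF, TIME_OFF = 72, 80    # ASSUMED offsets of ut_type / tv_sec (big-endian)

def leftover(size, reclen=RECLEN):
    """Return (whole_records, stray_bytes) for a file of `size` bytes."""
    return divmod(size, reclen)

def plausible(rec):
    """Cheap sanity check: ut_type in 1..9 and a positive timestamp."""
    ut_type, = struct.unpack_from(">h", rec, TYPE_OFF)
    tv_sec, = struct.unpack_from(">i", rec, TIME_OFF)
    return 1 <= ut_type <= 9 and tv_sec > 0

def locate_fragment(data, reclen=RECLEN):
    """Return (offset, length) of a single partial record, or None if aligned."""
    n, r = leftover(len(data), reclen)
    if r == 0:
        return None
    # Records before the fragment are aligned to the start of the file ...
    head = 0
    while head < n and plausible(data[head * reclen:(head + 1) * reclen]):
        head += 1
    # ... and records after it are aligned to the end of the file.
    tail = n
    while tail > 0 and plausible(data[(tail - 1) * reclen + r:tail * reclen + r]):
        tail -= 1
    if tail > head:
        raise ValueError("more than one damaged region; inspect by hand")
    return tail * reclen, r

def strip_fragment(data, reclen=RECLEN):
    """Return a copy of `data` with the partial record cut out."""
    found = locate_fragment(data, reclen)
    if found is None:
        return data
    off, length = found
    return data[:off] + data[off + length:]

def make_record(user, ut_type, tv_sec, host=b"host.example"):
    """Constructed sample record using the assumed layout above."""
    rec = bytearray(RECLEN)
    rec[0:len(user)] = user
    struct.pack_into(">h", rec, TYPE_OFF, ut_type)
    struct.pack_into(">i", rec, TIME_OFF, tv_sec)
    rec[114:114 + len(host)] = host
    return bytes(rec)
```

Run it against a copy of the file and keep the damaged original, as was done with /var/adm/bad_wtmpx above.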
