CS 355 - Systems Programming:
Unix/Linux with C
Unix Login Records
Reference: Molay, Understanding Unix/Linux Programming, Chapter 2.1-2.5
The who command
Our standard approach to studying a Unix system command:
The vast majority of system commands are programs written in C and located in one of the standard system directories, such as /bin, /usr/bin, or /usr/local/bin.
What does who do?
Run the who command:
$ who johnqdoe console Sep 17 08:59 janedoe ttys000 Sep 22 09:24
Read the manual:
$ man who WHO(1) BSD General Commands Manual WHO(1) NAME who -- display who is logged in SYNOPSIS who [-abdHlmpqrsTtu] [file] who am i DESCRIPTION The who utility displays a list of all users currently logged on, showing for each user the login name, tty name, the date and time of login, and hostname if not local. Available options: -a Same as -bdlprTtu. -b Time of last system boot. -d Print dead processes. -H Write column headings above the regular output. -l Print system login processes (unsupported). -m Only print information about the current terminal. This is the POSIX way of saying who am i. -p Print active processes spawned by launchd(8) (unsupported). -q ''Quick mode'': List only the names and the number of users cur- rently logged on. When this option is used, all other options are ignored. -r Print the current runlevel. This is meaningless on Mac OS X. -s List only the name, line and time fields. This is the default. -T Print a character after the user name indicating the state of the terminal line: '+' if the terminal is writable; '-' if it is not; and '?' if a bad line is encountered. -t Print last system clock change (unsupported). -u Print the idle time for each user, and the associated process ID. am I Returns the invoker's real user name. file By default, who gathers information from the file /var/run/utmpx. An alternative file may be specified. FILES /var/run/utmpx SEE ALSO last(1), mesg(1), users(1), getuid(2), utmpx(5) STANDARDS The who utility conforms to IEEE Std 1003.1-2001 (''POSIX.1''). HISTORY A who utility appeared in Version 6 AT&T UNIX. BSD January 17, 2007 BSD
How does who do it?
Search the manual:
$ man -k utmp utmp(5), wtmp(5), lastlog(5) - login records (DEPRECATED) utmpx(5) - user accounting database
$ man utmp UTMP(5) BSD File Formats Manual UTMP(5) NAME utmp, wtmp, lastlog -- login records (DEPRECATED) SYNOPSIS #includeDESCRIPTION The interfaces in file are all DEPRECATED and are only provided for compatibility with previous releases of Mac OS X. See pututxline(3) and utmpx(5) for the supported interfaces. declares the structures used to record information about current users in the file utmp, logins and logouts in the file wtmp, and last logins in the file lastlog. The time stamps of date changes, shutdowns and reboots are also logged in the wtmp file. These files can grow rapidly on busy systems, daily or weekly rotation is recommended. If any of these files do not exist, it is not created. These files must be created manually and are normally maintained in either the script /etc/daily or the script /etc/weekly. (See cron(8).) #define _PATH_UTMP "/var/run/utmp" #define _PATH_WTMP "/var/log/wtmp" #define _PATH_LASTLOG "/var/log/lastlog" #define UT_NAMESIZE 8 #define UT_LINESIZE 8 #define UT_HOSTSIZE 16 struct lastlog { time_t ll_time; char ll_line[UT_LINESIZE]; char ll_host[UT_HOSTSIZE]; }; struct utmp { char ut_line[UT_LINESIZE]; char ut_name[UT_NAMESIZE]; char ut_host[UT_HOSTSIZE]; time_t ut_time; }; Each time a user logs in, the login program looks up the user's UID in the file lastlog. If it is found, the timestamp of the last time the user logged in, the terminal line and the hostname are written to the standard output. (Providing the login is not quiet, see login(1).) The login pro- gram then records the new login time in the file lastlog. After the new lastlog record is written , the file utmp is opened and the utmp record for the user inserted. This record remains there until the user logs out at which time it is deleted. The utmp file is used by the programs rwho(1), users(1), w(1), and who(1). Next, the login program opens the file wtmp, and appends the user's utmp record. The same utmp record, with an updated time stamp is later appended to the file when the user logs out. (See launchd(8).) The wtmp file is used by the programs last(1) and ac(8). In the event of a date change, a shutdown or reboot, the following items are logged in the wtmp file. reboot shutdown A system reboot or shutdown has been initiated. The charac- ter `~' is placed in the field ut_line, and reboot or shutdown in the field ut_name. (See shutdown(8) and reboot(8).) date The system time has been manually or automatically updated. (See date(1).) The command name date is recorded in the field ut_name. In the field ut_line, the character `|' indi- cates the time prior to the change, and the character `{' indicates the new time. FILES (These files no longer exist in 10.5 or later.) /var/run/utmp The utmp file. /var/log/wtmp The wtmp file. /var/log/lastlog The lastlog file. SEE ALSO last(1), login(1), who(1), ac(8), launchd(8) HISTORY A utmp and wtmp file format appeared in Version 6 AT&T UNIX. The lastlog file format appeared in 3.0BSD. 4th Berkeley Distribution March 17, 1994 4th Berkeley Distribution
Read the .h files
$ more /usr/include/utmp.h ... struct utmp { char ut_user[256]; /* User login name */ char ut_id[14]; /* /etc/inittab id */ char ut_line[64]; /* device name (console, lnxx) */ pid_t ut_pid; /* process id */ short ut_type; /* type of entry */ time_t ut_time; /* time entry was made */ struct exit_status { short e_termination; /* Process termination status */ short e_exit; /* Process exit status */ } ut_exit; /* The exit status of a process * marked as DEAD_PROCESS. */ char ut_host[256]; /* host name */ int __dbl_word_pad; /* for double word alignment */ int __reservedA[2]; int __reservedV[6]; }; ...
The manual explains the basic operation of the who command:
open utmp repeat read record display record close utmp
Can I write who?
Use the open, read, and close system calls.
Note: use utmpx instead of utmp on OSX.
#include <stdio.h> #include <utmp.h> #include <fcntl.h> #include <unistd.h> #define SHOWHOST 1 /* * show info() * displays contents of the utmp struct in human readable form * *note* these sizes should not be hardwired */ void show_info( struct utmp *utbufp ) { printf("%-8.8s", utbufp->ut_name); /* the logname */ printf(" "); /* a space */ printf("%-8.8s", utbufp->ut_line); /* the tty */ printf(" "); /* a space */ printf("%10d", utbufp->ut_time); /* login time */ printf(" "); /* a space */ #ifdef SHOWHOST printf("(%s)", utbufp->ut_host); /* the host */ #endif printf("\n"); /* newline */ } int main() { struct utmp current_record; /* read info into here */ int utmpfd; /* read from this descriptor */ int reclen = sizeof(current_record); if ( (utmpfd = open(UTMP_FILE, O_RDONLY)) == -1 ){ perror( UTMP_FILE ); /* UTMP_FILE is in utmp.h */ return 1; } while ( read(utmpfd, ¤t_record, reclen) == reclen ) show_info(¤t_record); close(utmpfd); return 0; /* went ok */ }