CS 355 - Systems Programming:
Unix/Linux with C
Unix Login Records
Reference: Molay, Understanding Unix/Linux Programming, Chapter 2.1-2.5
The who command
Our standard approach to studying a Unix system command:
The vast majority of system commands are programs written in C and located in one of the standard system directories, such as /bin, /usr/bin, or /usr/local/bin.
What does who do?
Run the who command:
$ who johnqdoe console Sep 17 08:59 janedoe ttys000 Sep 22 09:24
Read the manual:
$ man who
WHO(1) BSD General Commands Manual WHO(1)
NAME
who -- display who is logged in
SYNOPSIS
who [-abdHlmpqrsTtu] [file]
who am i
DESCRIPTION
The who utility displays a list of all users currently logged on, showing
for each user the login name, tty name, the date and time of login, and
hostname if not local.
Available options:
-a Same as -bdlprTtu.
-b Time of last system boot.
-d Print dead processes.
-H Write column headings above the regular output.
-l Print system login processes (unsupported).
-m Only print information about the current terminal. This is the
POSIX way of saying who am i.
-p Print active processes spawned by launchd(8) (unsupported).
-q ''Quick mode'': List only the names and the number of users cur-
rently logged on. When this option is used, all other options are
ignored.
-r Print the current runlevel. This is meaningless on Mac OS X.
-s List only the name, line and time fields. This is the default.
-T Print a character after the user name indicating the state of the
terminal line: '+' if the terminal is writable; '-' if it is not;
and '?' if a bad line is encountered.
-t Print last system clock change (unsupported).
-u Print the idle time for each user, and the associated process ID.
am I Returns the invoker's real user name.
file By default, who gathers information from the file /var/run/utmpx.
An alternative file may be specified.
FILES
/var/run/utmpx
SEE ALSO
last(1), mesg(1), users(1), getuid(2), utmpx(5)
STANDARDS
The who utility conforms to IEEE Std 1003.1-2001 (''POSIX.1'').
HISTORY
A who utility appeared in Version 6 AT&T UNIX.
BSD January 17, 2007 BSD
How does who do it?
Search the manual:
$ man -k utmp utmp(5), wtmp(5), lastlog(5) - login records (DEPRECATED) utmpx(5) - user accounting database
$ man utmp
UTMP(5) BSD File Formats Manual UTMP(5)
NAME
utmp, wtmp, lastlog -- login records (DEPRECATED)
SYNOPSIS
#include
DESCRIPTION
The interfaces in file are all DEPRECATED and are only provided
for compatibility with previous releases of Mac OS X. See pututxline(3)
and utmpx(5) for the supported interfaces.
declares the structures used to record information about current
users in the file utmp, logins and logouts in the file wtmp, and last
logins in the file lastlog. The time stamps of date changes, shutdowns
and reboots are also logged in the wtmp file.
These files can grow rapidly on busy systems, daily or weekly rotation is
recommended. If any of these files do not exist, it is not created.
These files must be created manually and are normally maintained in
either the script /etc/daily or the script /etc/weekly. (See cron(8).)
#define _PATH_UTMP "/var/run/utmp"
#define _PATH_WTMP "/var/log/wtmp"
#define _PATH_LASTLOG "/var/log/lastlog"
#define UT_NAMESIZE 8
#define UT_LINESIZE 8
#define UT_HOSTSIZE 16
struct lastlog {
time_t ll_time;
char ll_line[UT_LINESIZE];
char ll_host[UT_HOSTSIZE];
};
struct utmp {
char ut_line[UT_LINESIZE];
char ut_name[UT_NAMESIZE];
char ut_host[UT_HOSTSIZE];
time_t ut_time;
};
Each time a user logs in, the login program looks up the user's UID in
the file lastlog. If it is found, the timestamp of the last time the user
logged in, the terminal line and the hostname are written to the standard
output. (Providing the login is not quiet, see login(1).) The login pro-
gram then records the new login time in the file lastlog.
After the new lastlog record is written , the file utmp is opened and the
utmp record for the user inserted. This record remains there until the
user logs out at which time it is deleted. The utmp file is used by the
programs rwho(1), users(1), w(1), and who(1).
Next, the login program opens the file wtmp, and appends the user's utmp
record. The same utmp record, with an updated time stamp is later
appended to the file when the user logs out. (See launchd(8).) The wtmp
file is used by the programs last(1) and ac(8).
In the event of a date change, a shutdown or reboot, the following items
are logged in the wtmp file.
reboot
shutdown A system reboot or shutdown has been initiated. The charac-
ter `~' is placed in the field ut_line, and reboot or
shutdown in the field ut_name. (See shutdown(8) and
reboot(8).)
date The system time has been manually or automatically updated.
(See date(1).) The command name date is recorded in the
field ut_name. In the field ut_line, the character `|' indi-
cates the time prior to the change, and the character `{'
indicates the new time.
FILES
(These files no longer exist in 10.5 or later.)
/var/run/utmp The utmp file.
/var/log/wtmp The wtmp file.
/var/log/lastlog The lastlog file.
SEE ALSO
last(1), login(1), who(1), ac(8), launchd(8)
HISTORY
A utmp and wtmp file format appeared in Version 6 AT&T UNIX. The lastlog
file format appeared in 3.0BSD.
4th Berkeley Distribution March 17, 1994 4th Berkeley Distribution
Read the .h files
$ more /usr/include/utmp.h
...
struct utmp
{
char ut_user[256]; /* User login name */
char ut_id[14]; /* /etc/inittab id */
char ut_line[64]; /* device name (console, lnxx) */
pid_t ut_pid; /* process id */
short ut_type; /* type of entry */
time_t ut_time; /* time entry was made */
struct exit_status
{
short e_termination; /* Process termination status */
short e_exit; /* Process exit status */
}
ut_exit; /* The exit status of a process
* marked as DEAD_PROCESS.
*/
char ut_host[256]; /* host name */
int __dbl_word_pad; /* for double word alignment */
int __reservedA[2];
int __reservedV[6];
};
...
The manual explains the basic operation of the who command:
open utmp repeat read record display record close utmp
Can I write who?
Use the open, read, and close system calls.
Note: use utmpx instead of utmp on OSX.
#include <stdio.h>
#include <utmp.h>
#include <fcntl.h>
#include <unistd.h>
#define SHOWHOST 1
/*
* show info()
* displays contents of the utmp struct in human readable form
* *note* these sizes should not be hardwired
*/
void show_info( struct utmp *utbufp )
{
printf("%-8.8s", utbufp->ut_name); /* the logname */
printf(" "); /* a space */
printf("%-8.8s", utbufp->ut_line); /* the tty */
printf(" "); /* a space */
printf("%10d", utbufp->ut_time); /* login time */
printf(" "); /* a space */
#ifdef SHOWHOST
printf("(%s)", utbufp->ut_host); /* the host */
#endif
printf("\n"); /* newline */
}
int main()
{
struct utmp current_record; /* read info into here */
int utmpfd; /* read from this descriptor */
int reclen = sizeof(current_record);
if ( (utmpfd = open(UTMP_FILE, O_RDONLY)) == -1 ){
perror( UTMP_FILE ); /* UTMP_FILE is in utmp.h */
return 1;
}
while ( read(utmpfd, ¤t_record, reclen) == reclen )
show_info(¤t_record);
close(utmpfd);
return 0; /* went ok */
}