UTMP

Section: Linux Programmer's Manual (5)
Updated: February 26, 1995
 

NAME

utmp, wtmp - login records  

SYNOPSIS

#include <utmp.h>  

DESCRIPTION

The utmp file allows one to discover information about who is currently using the system. There may be more users currently using the system, because not all programs use utmp logging.

Warning: utmp must not be writable, because many system programs depend on its integrity. You risk faked system logfiles and modifications of system files if you leave utmp writable to any user.

The file is a sequence of entries with the following structure declared in the include file:


#define UT_UNKNOWN            0
#define RUN_LVL               1
#define BOOT_TIME             2
#define NEW_TIME              3
#define OLD_TIME              4
#define INIT_PROCESS          5
#define LOGIN_PROCESS         6
#define USER_PROCESS          7
#define DEAD_PROCESS          8

#define UT_LINESIZE           12
#define UT_NAMESIZE           8
#define UT_HOSTSIZE           16

struct utmp {
  short ut_type;              /* type of login */
  pid_t ut_pid;               /* pid of process */
  char ut_line[UT_LINESIZE];  /* device name of tty - "/dev/" */
  char ut_id[2];              /* init id or abbrev. ttyname */
  time_t ut_time;             /* login time */
  char ut_user[UT_NAMESIZE];  /* user name */
  char ut_host[UT_HOSTSIZE];  /* host name for remote login */
  long ut_addr;               /* IP addr of remote host */
};

This structure gives the name of the special file associated with the user's terminal, the user's login name, and the time of login in the form of time(2). String fields are terminated by '\0' if they are shorter than the size of the field.

The wtmp file records all logins and logouts. Its format is exactly like utmp except that a null user name indicates a logout on the associated terminal. Furthermore, the terminal name "~" with user name "shutdown" or "reboot" indicates a system shutdown or reboot, and the pair of terminal names "|"/"}" logs the old/new system time when date(1) changes it. wtmp is maintained by login(1), init(1) and some versions of getty(1). None of these programs creates the file, so if it is removed, record-keeping is turned off.
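Added example (not part of the manual page or of any system's own code): a classifier for wtmp records that follows the conventions above and reads the string fields with a length bound, because a completely filled field such as the 8-byte user name "shutdown" carries no terminating '\0'. The PG_/pg_ prefixed names, the wtmp_event enum and the helper functions are assumptions made for this illustration, and the sample records are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <time.h>

/* Layout as given on the page; PG_/pg_ names are assumed, to avoid clashing with <utmp.h>. */
#define PG_LINESIZE 12
#define PG_NAMESIZE 8
struct pg_utmp {
  short ut_type; pid_t ut_pid;
  char ut_line[PG_LINESIZE]; char ut_id[2];
  time_t ut_time;
  char ut_user[PG_NAMESIZE]; char ut_host[16];
  long ut_addr;
};
enum wtmp_event { EV_LOGIN, EV_LOGOUT, EV_SHUTDOWN, EV_REBOOT, EV_OLD_TIME, EV_NEW_TIME };

/* Copy a fixed-size field and always terminate it; dst must hold n + 1 bytes. */
static void field_copy(char *dst, const char *src, size_t n) {
  memcpy(dst, src, n);
  dst[n] = '\0';
}

/* Classify one wtmp record by the terminal/user conventions described above. */
enum wtmp_event wtmp_classify(const struct pg_utmp *u) {
  char line[PG_LINESIZE + 1], user[PG_NAMESIZE + 1];
  field_copy(line, u->ut_line, PG_LINESIZE);
  field_copy(user, u->ut_user, PG_NAMESIZE);  /* strcmp on u->ut_user could overrun */
  if (strcmp(line, "~") == 0 && strcmp(user, "shutdown") == 0) return EV_SHUTDOWN;
  if (strcmp(line, "~") == 0 && strcmp(user, "reboot") == 0) return EV_REBOOT;
  if (strcmp(line, "|") == 0) return EV_OLD_TIME;
  if (strcmp(line, "}") == 0) return EV_NEW_TIME;
  if (user[0] == '\0') return EV_LOGOUT;      /* null user name: logout */
  return EV_LOGIN;
}

/* Build a constructed record the way a writer fills fields (no '\0' when full). */
enum wtmp_event classify_sample(const char *line, const char *user) {
  struct pg_utmp u;
  size_t i;
  memset(&u, 0, sizeof u);
  for (i = 0; i < PG_LINESIZE && line[i]; i++) u.ut_line[i] = line[i];
  for (i = 0; i < PG_NAMESIZE && user[i]; i++) u.ut_user[i] = user[i];
  return wtmp_classify(&u);
}

int main(void) {
  printf("~/shutdown -> %d, tty1/(null) -> %d\n",
         classify_sample("~", "shutdown"), classify_sample("tty1", ""));
  return 0;
}
```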

FILES

/var/adm/utmp
/var/adm/wtmp  

CONFORMING TO

Linux utmp entries conform neither to v7/BSD nor to SYSV: they are a mix of the two. v7/BSD has fewer fields; most importantly, it lacks ut_type, which causes native v7/BSD-like programs to display, for example, dead or login entries. SYSV has one more field to log the exit status of dead processes. Linux uses the BSD conventions for line contents, as documented above. SYSV only uses the type field to mark them and logs informative messages such as "new time" in the line field. UT_UNKNOWN seems to be a Linux invention. There is no type ACCOUNTING in Linux. SYSV has no ut_host or ut_addr fields.

RESTRICTIONS

The file format is machine dependent, so it is recommended that it be processed only on the machine architecture where it was created.

SEE ALSO

ac(1), date(1), last(1), login(1), who(1), getutent(3), init(8)


 
