UTMP
Section: Linux Programmer's Manual (5)
Updated: February 26, 1995
NAME
utmp, wtmp - login records
SYNOPSIS
#include <utmp.h>
DESCRIPTION
The utmp file allows one to discover information about who is currently
using the system. There may be more users currently using the system, because
not all programs use utmp logging. Warning: utmp must not
be writable, because many system programs depend on its integrity. You
risk faked system logfiles and modifications of system files if you
leave utmp writable to any user. The file is a sequence of
entries with the following structure declared in the include file:

    #define UT_UNKNOWN      0
    #define RUN_LVL         1
    #define BOOT_TIME       2
    #define NEW_TIME        3
    #define OLD_TIME        4
    #define INIT_PROCESS    5
    #define LOGIN_PROCESS   6
    #define USER_PROCESS    7
    #define DEAD_PROCESS    8

    #define UT_LINESIZE     12
    #define UT_NAMESIZE     8
    #define UT_HOSTSIZE     16

    struct utmp {
        short  ut_type;               /* type of login */
        pid_t  ut_pid;                /* pid of process */
        char   ut_line[UT_LINESIZE];  /* device name of tty - "/dev/" */
        char   ut_id[2];              /* init id or abbrev. ttyname */
        time_t ut_time;               /* login time */
        char   ut_user[UT_NAMESIZE];  /* user name */
        char   ut_host[UT_HOSTSIZE];  /* host name for remote login */
        long   ut_addr;               /* IP addr of remote host */
    };

This structure gives the name of the special file associated with the
user's terminal, the user's login name, and the time of login in the form
of time(2). String fields are terminated by '\0' if they are shorter than
the size of the field.
The wtmp file records all logins and logouts. Its format is
exactly like utmp except that a null user name indicates a logout
on the associated terminal. Furthermore, the terminal name "~"
with user name "shutdown" or "reboot" indicates a system
shutdown or reboot and the pair of terminal names "|"/"}"
logs the old/new system time when date(1) changes it. wtmp
is maintained by login(1), init(1) and some versions of
getty(1). None of these programs creates the file, so if it is
removed, record-keeping is turned off.
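
The following C code is an added example, not part of the original manual page or of any system header. It classifies wtmp records by the conventions above and compares fields by bounded length, because a string field carries no '\0' when it fills the field. The names old_utmp, wtmp_kind, field_len, field_is, IS, wtmp_classify and sample are hypothetical, and the sample records are constructed.

```c
#include <string.h>
#include <sys/types.h>
#include <time.h>

/* The record layout from this page, renamed (hypothetical name) so that it
   cannot clash with the struct utmp of the system's own <utmp.h>. */
struct old_utmp {
    short  ut_type;  pid_t ut_pid;
    char   ut_line[12], ut_id[2];      /* UT_LINESIZE */
    time_t ut_time;
    char   ut_user[8], ut_host[16];    /* UT_NAMESIZE, UT_HOSTSIZE */
    long   ut_addr;
};
enum wtmp_kind { WT_LOGIN, WT_LOGOUT, WT_SHUTDOWN, WT_REBOOT, WT_OLD_TIME, WT_NEW_TIME };

/* Length of a fixed-width field: ends at '\0' or at the field size. */
static size_t field_len(const char *s, size_t n)
{
    size_t len = 0;
    while (len < n && s[len] != '\0') len++;
    return len;
}

/* Bounded compare. "shutdown" fills all 8 bytes of ut_user, leaving no '\0',
   so strcmp() on the raw field would run on into ut_host. */
static int field_is(const char *f, size_t n, const char *want)
{
    size_t len = field_len(f, n);
    return len == strlen(want) && memcmp(f, want, len) == 0;
}
#define IS(fld, s) field_is(u->fld, sizeof u->fld, (s))   /* uses local 'u' */

/* Classify one wtmp record by the line/user conventions described above. */
enum wtmp_kind wtmp_classify(const struct old_utmp *u)
{
    if (IS(ut_line, "~") && IS(ut_user, "shutdown")) return WT_SHUTDOWN;
    if (IS(ut_line, "~") && IS(ut_user, "reboot"))   return WT_REBOOT;
    if (IS(ut_line, "|")) return WT_OLD_TIME;
    if (IS(ut_line, "}")) return WT_NEW_TIME;
    return u->ut_user[0] == '\0' ? WT_LOGOUT : WT_LOGIN;
}

/* Constructed sample record: zero-padded fields, cut at the field size. */
struct old_utmp sample(const char *line, const char *user)
{
    struct old_utmp r = {0};
    memcpy(r.ut_line, line, field_len(line, sizeof r.ut_line));
    memcpy(r.ut_user, user, field_len(user, sizeof r.ut_user));
    return r;
}
```
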
FILES
/var/adm/utmp
/var/adm/wtmp
CONFORMING TO
Linux utmp entries conform neither to v7/BSD nor to SYSV: they are a
mix of the two. v7/BSD has fewer fields; most importantly it lacks
ut_type, which causes native v7/BSD-like programs to display, for
example, dead or login entries. SYSV has one more field to log the exit
status of dead processes. Linux uses the BSD conventions for line
contents, as documented above. SYSV only uses the type field to mark
them and logs informative messages such as "new time" in
the line field. UT_UNKNOWN seems to be a Linux invention.
There is no type ACCOUNTING in Linux. SYSV has no ut_host
or ut_addr fields.
RESTRICTIONS
The file format is machine dependent, so it is recommended that it be
processed only on the machine architecture on which it was created.
SEE ALSO
ac(1), date(1), last(1), login(1), who(1), getutent(3), init(8)