Login and logout time of a session

sharif · March 10, 2008, 5:03am

Hi,
How can I find out the login and logout time of the old UNIX session/user?.

ramen_noodle · March 10, 2008, 5:10am

man wtmp/utmp. Most systems give you a 'last' or 'lastlog' userspace tool.

[utmp\(4\)](https://www.unix.com/man-page/opensolaris/4/utmp/)                    File Formats                   [utmp\(4\)](https://www.unix.com/man-page/opensolaris/4/utmp/)

NAME utmp, wtmp - utmp and wtmp database entry formats

SYNOPSIS #include <utmp.h> /var/adm/utmp /var/adm/wtmp

DESCRIPTION The utmp and wtmp database files are obsolete and are no longer present on the system. They have been superseded by the extended database contained in the utmpx and wtmpx data- base files. See utmpx(4). It is possible for /var/adm/utmp to reappear on the system. This would most likely occur if a third party application that still uses utmp recreates the file if it finds it miss- ing. This file should not be allowed to remain on the system. The user should investigate to determine which application is recreating this file.

SEE ALSO utmpx(4) SunOS 5.11

22 Feb 1999 utmp(4)

OR

UTMP(5) Linux Programmer's Manual UTMP(5)

NAME utmp, wtmp - login records

SYNOPSIS #include <utmp.h>

DESCRIPTION The utmp file allows one to discover information about who is currently using the system. There may be more users currently using the system, because not all programs use utmp log- ging. Warning: utmp must not be writable by the user class "other", because many system programs (foolishly) depend on its integrity. You risk faked system logfiles and modifications of system files if you leave utmp writable to any user other than the owner and group owner of the file. The file is a sequence of utmp structures, declared as follows in <utmp.h> (note that this is only one of several definitions around; details depend on the version of libc): /* Values for ut_type field, below */

#define EMPTY 0 /* Record does not contain valid info (formerly known as UT_UNKNOWN on Linux) / #define RUN_LVL 1 / Change in system run-level (see init(8)) / #define BOOT_TIME 2 / Time of system boot (in ut_tv) / #define NEW_TIME 3 / Time after system clock change (in ut_tv) / #define OLD_TIME 4 / Time before system clock change (in ut_tv) / #define INIT_PROCESS 5 / Process spawned by init(8) / #define LOGIN_PROCESS 6 / Session leader process for user login / #define USER_PROCESS 7 / Normal process / #define DEAD_PROCESS 8 / Terminated process / #define ACCOUNTING 9 / Not implemented / #define UT_LINESIZE 32 #define UT_NAMESIZE 32 #define UT_HOSTSIZE 256 struct exit_status { / Type for ut_exit, below / short int e_termination; / Process termination status / short int e_exit; / Process exit status / }; struct utmp { short ut_type; / Type of record / pid_t ut_pid; / PID of login process / char ut_line[UT_LINESIZE]; / Device name of tty - "/dev/" / char ut_id[4]; / Terminal name suffix, or inittab(5) ID / char ut_user[UT_NAMESIZE]; / Username / char ut_host[UT_HOSTSIZE]; / Hostname for remote login, or kernel version for run-level messages / struct exit_status ut_exit; / Exit status of a process marked as DEAD_PROCESS; not used by Linux init(8) / / The ut_session and ut_tv fields must be the same size when compiled 32- and 64-bit. This allows data files and shared memory to be shared between 32- and 64-bit applications. / #if __WORDSIZE == 64 && defined __WORDSIZE_COMPAT32 int32_t ut_session; / Session ID (getsid(2)), used for windowing / struct { int32_t tv_sec; / Seconds / int32_t tv_usec; / Microseconds / } ut_tv; / Time entry was made / #else long ut_session; / Session ID / struct timeval ut_tv; / Time entry was made / #endif int32_t ut_addr_v6[4]; / Internet address of remote host; IPv4 address uses just ut_addr_v6[0] / char __unused[20]; / Reserved for future use / }; / Backward compatibility hacks */ #define ut_name ut_user #ifndef _NO_UT_TIME #define ut_time ut_tv.tv_sec #endif #define ut_xtime ut_tv.tv_sec #define ut_addr

ut_addr_v6[0] This structure gives the name of the special file associated with the user's terminal, the user's login name, and the time of login in the form of time(2). String fields are termi- nated by a null byte ('\0') if they are shorter than the size of the field. The first entries ever created result from init(8) processing inittab(5). Before an entry is processed, though, init(8) cleans up utmp by setting ut_type to DEAD_PROCESS, clearing ut_user, ut_host, and ut_time with null bytes for each record which ut_type is not DEAD_PROCESS or RUN_LVL and where no process with PID ut_pid exists. If no empty record with the needed ut_id can be found, init(8) creates a new one. It sets ut_id from the inittab, ut_pid and ut_time to the current values, and ut_type to INIT_PROCESS. mingetty(8) (or agetty(8)) locates the entry by the PID, changes ut_type to LOGIN_PROCESS, changes ut_time, sets ut_line, and waits for connection to be established. login(1), after a user has been authenticated, changes ut_type to USER_PROCESS, changes ut_time, and sets ut_host and ut_addr. Depending on mingetty(8) (or agetty(8)) and login(1), records may be located by ut_line instead of the preferable ut_pid. When init(8) finds that a process has exited, it locates its utmp entry by ut_pid, sets ut_type to DEAD_PROCESS, and clears ut_user, ut_host and ut_time with null bytes. xterm(1) and other terminal emulators directly create a USER_PROCESS record and generate the ut_id by using the string that suffix part of the terminal name (the characters fol- lowing /dev/[pt]ty). If they find a DEAD_PROCESS for this ID, they recycle it, otherwise they create a new entry. If they can, they will mark it as DEAD_PROCESS on exiting and it is advised that they null ut_line, ut_time, ut_user, and ut_host as well. telnetd(8) sets up a LOGIN_PROCESS entry and leaves the rest to login(1) as usual. After the telnet session ends, telnetd(8) cleans up utmp in the described way. The wtmp file records all logins and logouts. Its format is exactly like utmp except that a null username indicates a logout on the associated terminal. Furthermore, the terminal name ~ with username shutdown or reboot indicates a system shutdown or reboot and the pair of terminal names |/} logs the old/new system time when date(1) changes it. wtmp is main- tained by login(1), init(8), and some versions of getty(8) (e.g., mingetty(8) or agetty(8)). None of these programs creates the file, so if it is removed, record-keeping is turned off.

FILES /var/run/utmp /var/log/wtmp

CONFORMING TO POSIX.1 does not specify a utmp structure, but rather one named utmpx, with specifications for the fields ut_type, ut_pid, ut_line, ut_id, ut_user, and ut_tv. POSIX.1 does not specify the lengths of the ut_line and ut_user fields. Linux defines the utmpx structure to be the same as the utmp structure. Comparison with historical systems Linux utmp entries conform neither to v7/BSD nor to System V; they are a mix of the two. v7/BSD has fewer fields; most importantly it lacks ut_type, which causes native v7/BSD- like programs to display (for example) dead or login entries. Further, there is no con- figuration file which allocates slots to sessions. BSD does so because it lacks ut_id fields. In Linux (as in System V), the ut_id field of a record will never change once it has been set, which reserves that slot without needing a configuration file. Clearing ut_id may result in race conditions leading to corrupted utmp entries and potential security holes. Clearing the abovementioned fields by filling them with null bytes is not required by Sys- tem V semantics, but makes it possible to run many programs which assume BSD semantics and which do not modify utmp. Linux uses the BSD conventions for line contents, as documented above. System V has no ut_host or ut_addr_v6 fields.

NOTES Unlike various other systems, where utmp logging can be disabled by removing the file, utmp must always exist on Linux. If you want to disable who(1) then do not make utmp world readable. The file format is machine-dependent, so it is recommended that it be processed only on the machine architecture where it was created. Note that on biarch platforms, that is, systems which can run both 32-bit and 64-bit applications (x86-64, ppc64, s390x, etc.), ut_tv is the same size in 32-bit mode as in 64-bit mode. The same goes for ut_session and ut_time if they are present. This allows data files and shared memory to be shared between 32-bit and 64-bit applications. This is achieved by changing the type of ut_session to int32_t, and that of ut_tv to a struct with two int32_t fields tv_sec and tv_usec. Since ut_tv may not be the same as struct timeval, then instead of the call: gettimeofday((struct timeval *) &ut.ut_tv, NULL); the following method of setting this field is recommended: struct utmp ut; struct timeval tv; gettimeofday(&tv, NULL); ut.ut_tv.tv_sec = tv.tv_sec; ut.ut_tv.tv_usec = tv.tv_usec; Note that the utmp struct from libc5 has changed in libc6. Because of this, binaries using the old libc5 struct will corrupt /var/run/utmp and/or /var/log/wtmp.

BUGS This man page is based on the libc5 one, things may work differently now.

SEE ALSO ac(1), date(1), last(1), login(1), utmpdump(1), who(1), getutent(3), getutmp(3), login(3), logout(3), logwtmp(3), updwtmp(3), init(8)

COLOPHON This page is part of release 3.55 of the Linux man-pages project. A description of the project, and information about reporting bugs, can be found at The Linux man-pages project.

Neo · September 24, 2018, 9:59am

See also:

LOGIN(1) User Commands LOGIN(1)

NAME login - begin session on the system

SYNOPSIS login [-p] [-h host] [username] [ENV=VAR...] login [-p] [-h host] -f username login [-p] -r host

DESCRIPTION The login program is used to establish a new session with the system. It is normally invoked automatically by responding to the login: prompt on the user's terminal. login may be special to the shell and may not be invoked as a sub-process. When called from a shell, login should be executed as exec login which will cause the user to exit from the current shell (and thus will prevent the new logged in user to return to the session of the caller). Attempting to execute login from any shell but the login shell will produce an error message. The user is then prompted for a password, where appropriate. Echoing is disabled to prevent revealing the password. Only a small number of password failures are permitted before login exits and the communications link is severed. If password aging has been enabled for your account, you may be prompted for a new password before proceeding. You will be forced to provide your old password and the new password before continuing. Please refer to passwd(1) for more information. Your user and group ID will be set according to their values in the /etc/passwd file. The value for $HOME, $SHELL, $PATH, $LOGNAME, and $MAIL are set according to the appropriate fields in the password entry. Ulimit, umask and nice values may also be set according to entries in the GECOS field. On some installations, the environmental variable $TERM will be initialized to the terminal type on your tty line, as specified in /etc/ttytype. An initialization script for your command interpreter may also be executed. Please see the appropriate manual section for more information on this function. A subsystem login is indicated by the presence of a "*" as the first character of the login shell. The given home directory will be used as the root of a new file system which the user is actually logged into. The login program is NOT responsible for removing users from the utmp file. It is the responsibility of getty(8) and init(8) to clean up apparent ownership of a terminal session. If you use login from the shell prompt without exec, the user you use will continue to appear to be logged in even after you log out of the "subsession".

OPTIONS -f Do not perform authentication, user is preauthenticated. Note: In that case, username is mandatory. -h Name of the remote host for this login. -p Preserve environment. -r Perform autologin protocol for rlogin. The -r, -h and -f options are only used when login is invoked by root.

CAVEATS This version of login has many compilation options, only some of which may be in use at any particular site. The location of files is subject to differences in system configuration. The login program is NOT responsible for removing users from the utmp file. It is the responsibility of getty(8) and init(8) to clean up apparent ownership of a terminal session. If you use login from the shell prompt without exec, the user you use will continue to appear to be logged in even after you log out of the "subsession". As with any program, login's appearance can be faked. If non-trusted users have physical access to a machine, an attacker could use this to obtain the password of the next person coming to sit in front of the machine. Under Linux, the SAK mechanism can be used by users to initiate a trusted path and prevent this kind of attack.

CONFIGURATION The following configuration variables in /etc/login.defs change the behavior of this tool: CONSOLE_GROUPS (string) List of groups to add to the user's supplementary groups set when logging in on the console (as determined by the CONSOLE setting). Default is none. Use with caution - it is possible for users to gain permanent access to these groups, even when not logged in on the console. DEFAULT_HOME (boolean) Indicate if login is allowed if we can't cd to the home directory. Default in no. If set to yes, the user will login in the root (/) directory if it is not possible to cd to her home directory. ENV_PATH (string) If set, it will be used to define the PATH environment variable when a regular user login. The value can be preceded by PATH=, or a colon separated list of paths (for example /bin:/usr/bin). The default value is PATH=/bin:/usr/bin. ENV_SUPATH (string) If set, it will be used to define the PATH environment variable when the superuser login. The value can be preceded by PATH=, or a colon separated list of paths (for example /sbin:/bin:/usr/sbin:/usr/bin). The default value is PATH=/sbin:/bin:/usr/sbin:/usr/bin. ERASECHAR (number) Terminal ERASE character (010 = backspace, 0177 = DEL). The value can be prefixed "0" for an octal value, or "0x" for an hexadecimal value. FAIL_DELAY (number) Delay in seconds before being allowed another attempt after a login failure. FAKE_SHELL (string) If set, login will execute this shell instead of the users' shell specified in /etc/passwd. HUSHLOGIN_FILE (string) If defined, this file can inhibit all the usual chatter during the login sequence. If a full pathname is specified, then hushed mode will be enabled if the user's name or shell are found in the file. If not a full pathname, then hushed mode will be enabled if the file exists in the user's home directory. KILLCHAR (number) Terminal KILL character (025 = CTRL/U). The value can be prefixed "0" for an octal value, or "0x" for an hexadecimal value. LOGIN_RETRIES (number) Maximum number of login retries in case of bad password. This will most likely be overridden by PAM, since the default pam_unix module has it's own built in of 3 retries. However, this is a safe fallback in case you are using an authentication module that does not enforce PAM_MAXTRIES. LOGIN_TIMEOUT (number) Max time in seconds for login. LOG_OK_LOGINS (boolean) Enable logging of successful logins. LOG_UNKFAIL_ENAB (boolean) Enable display of unknown usernames when login failures are recorded. Note: logging unknown usernames may be a security issue if an user enter her password instead of her login name. TTYGROUP (string), TTYPERM (string) The terminal permissions: the login tty will be owned by the TTYGROUP group, and the permissions will be set to TTYPERM. By default, the ownership of the terminal is set to the user's primary group and the permissions are set to 0600. TTYGROUP can be either the name of a group or a numeric group identifier. If you have a write program which is "setgid" to a special group which owns the terminals, define TTYGROUP to the group number and TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign TTYPERM to either 622 or 600. TTYTYPE_FILE (string) If defined, file which maps tty line to TERM environment parameter. Each line of the file is in a format something like "vt100 tty01". USERGROUPS_ENAB (boolean) If set to yes, userdel will remove the user's group if it contains no more members, and useradd will create by default a group with the name of the user.

FILES /var/run/utmp List of current login sessions. /var/log/wtmp List of previous login sessions. /etc/passwd User account information. /etc/shadow Secure user account information. /etc/motd System message of the day file. /etc/nologin Prevent non-root users from logging in. /etc/ttytype List of terminal types. $HOME/.hushlogin Suppress printing of system messages. /etc/login.defs Shadow password suite configuration.

SEE ALSO mail(1), passwd(1), sh(1), su(1), login.defs(5), nologin(5), passwd(5), securetty(5), getty(8).