BSD DevCenter
oreilly.comSafari Books Online.Conferences.


FreeBSD Basics

Monitoring Unix Logins


In today's article, I'd like to take a look at utmp, wtmp, and lastlog. These three files are read and updated whenever a user logs in to your FreeBSD system. However, you can't read these files directly, so we'll also look at the various utilities you can use to garner the information contained within these files. We'll then finish off the article with some utilities that deal with logins and terminals.

Let's start with /var/log/lastlog. When a user logs in, the login utility reads this file to determine the last time that user logged in to your FreeBSD system; it will then make a new entry in this file to indicate the time of the new login. Let's see what happens when the user "genisis" logs into my FreeBSD system:

login: genisis
Warning: your password expires on Tue Feb 6 14:50:29 2001
Last login: Sat Feb 3 15:56:53 from biko
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

Welcome to FreeBSD 4.2!!!
You have new mail.

You cannot kill time without injuring eternity.

Let's see what happened here. The login utility accepted the password for genisis and compared it to the encrypted hash stored in /etc/master.passwd. It also read /etc/login.conf to determine that the password was long enough, as we had previously set a minimum password length in Establishing Good Password Policies, and noticed that this user's password will expire on Tuesday. It then read /var/log/lastlog to determine the last time this user had logged in (it looks like the last login occurred on Saturday from a computer named "biko"), and then displayed the copyright notice, my customized message of the day, an alert that mail was waiting, and a nice fortune cookie courtesy of Henry David Thoreau before presenting the user with a shell prompt.

It is possible to bypass these messages at login time. As the user genisis, I'll create an empty file called .hushlogin in my home directory:

touch .hushlogin

I'll then logout and log back in again:


login: genisis

Alimony is a system by which, when two people make a mistake, one of them keeps paying for it.
-- Peggy Joyce

Notice that the only thing the user genisis received this time was the fortune cookie. Remember, that fortune cookies are invoked by the shell's configuration file, so it came courtesy of the user's shell. (see Customizing the Login Shell) However, this login may be a bit too quiet as the user won't receive the message regarding the pending password change or any messages the administrator may have included in the message of the day.

The second login record file is /var/run/utmp. This file contains information regarding users that are currently logged in and is read by the w, who, and users commands. Let's take a closer look at each of these utilities, starting with users:

genisis test1 test2 test3

The users command is useful if you just need to know which users are logged in and don't want to sort through all the details of where they are logged in and what they are doing. However, if you need to know who is logged into which terminals, use the w command:


5:01PM up 3:30, 7 users, load averages: 0.04, 0.06, 0.02
genisis v0 - 1:31PM 1 more
genisis v1 - 1:32PM - w
genisis v2 - 1:32PM 3:11 xinit /home/genisis/.x
genisis v3 - 1:46PM - pico utmp
test3 v4 - 4:51PM - -tcsh (tcsh)
test1 p0 biko 4:50PM 10 -tcsh (tcsh)
test2 p1 biko 4:51PM 1 -tcsh (tcsh)

There are currently seven active logins on my FreeBSD system. The user genisis is physically sitting at my FreeBSD box and has logged into the first four virtual terminals (v0-v3). The user "test3" is also logged on locally using virtual terminal number 5 (v4). The user "test1" has logged into the first network terminal (p0) from a computer named "biko" and the user "test2" has logged into the second network terminal (p1) from the computer named "biko".

The IDLE column shows how long it has been since a user typed anything at a terminal, and the WHAT column shows what process is currently running on each terminal. To find out all the processes running on each terminal, use the d switch like so:

w -d |more

5:10PM up 3:39, 7 users, load averages: 0.00, 0.00, 0.00
219 -csh (csh)
1085 _su (csh)
1107 man w
1108 sh -c /usr/bin/zcat /usr/share/man/cat1/w.1.gz | more
1110 more
genisis v0 - 1:31PM 10 more
220 -csh (csh)
1138 w -d
genisis v1 - 1:32PM - w -d
221 -csh (csh)
396 /bin/sh /usr/X11R6/bin/startx
401 xinit /home/genisis/.xinitrc --
403 xfce
408 /usr/local/lib/netscape-linux/navigator-linux-4.76.bin
409 (dns helper) (navigator-linux-)
genisis v2 - 1:32PM 3:20 xinit /home/genisis/.x
222 -csh (csh)
977 pico utmp
genisis v3 - 1:46PM - pico utmp
1074 -tcsh (tcsh)
test3 v4 - 4:51PM 9 -tcsh (tcsh)
1061 -tcsh (tcsh)
test1 p0 biko 4:50PM 19 -tcsh (tcsh)
1066 -tcsh (tcsh)
test2 p1 biko 4:51PM 7 -tcsh (tcsh)

I ran this command as a regular user; you don't have to be the superuser to know what is running on all of the terminals on your FreeBSD system. However, regular users will only be able to manipulate their own processes.

The who command gives output similar to the w command as it shows the user's login name, terminal name, time of login, and which computer the user logged in from.


genisis    ttyv0   Feb  3 13:31
genisis    ttyv1   Feb  3 13:32
genisis    ttyv2   Feb  3 13:32
genisis    ttyv3   Feb  3 13:46
test3      ttyv4   Feb  3 16:51
test1      ttyp0   Feb  3 16:50    (biko)
test2      ttyp1   Feb  3 16:51    (biko)

You'll receive different results if you run the who command with the am i option:

who am i
genisis    ttyv1   Feb  13:32

It looks like genisis ran the above command at the second virtual terminal.

Pages: 1, 2

Next Pagearrow

Sponsored by: