Overflowing wtmp

Chris Lewis clewis at ferret.ocunix.on.ca
Thu Jan 31 06:58:50 AEST 1991


In article <1991Jan30.124501.6670 at mp.cs.niu.edu> rickert at mp.cs.niu.edu (Neil Rickert) writes:
>In article <120587 at uunet.UU.NET> rbj at uunet.UU.NET (Root Boy Jim) writes:
>>In article <338 at alchemy.UUCP> bbs at alchemy.UUCP (BBS Administration) writes:
>>>a copy of my "wsize" program...
>>>... I run it as a "root" crontask on the 1st and 15th

>>Tsk tsk, overkill. Howabout a range of 2000 to 3000 records? Try
>>
>>		#! /bin/sh
>>		cd /usr/adm
>>		split wtmp
>>		set x?? /dev/null /dev/null /dev/null /dev/null
>>		shift `expr $# - 3`
>>		cat $* > xxx
>>		mv xxx wtmp
>>		rm -f x??

> Hey.  That's neat.  But what do we do if we have a 'split' that wants to
>break the file based on lines, and a 'wtmp' that doesn't contain lines?

I wonder if he's tried this...

Nifty trick with the sets.  You must therefore have a version of
UNIX that keeps wtmps in ASCII format.  I didn't know that there was
one.  Another problem: on many systems where wtmp is held open all of
the time (System V), the "mv" will result in the new wtmp not being
written to at all, and /etc/init will continue to write to a file that's
been unlinked - so you can't see it, but it's still there and growing.
And finally, even if your version of split works on binaries (which I doubt),
you have to make sure that split cuts on a record boundary.

You can do the split with a loop using dd "skip" and "count" and "bs="
options.  "bs" has to be a multiple of the wtmp record size.  Grotty,
slow, but it works.  Unfortunately, you cannot replace the wtmp like
this on System V, you either have to tell init to reopen wtmp (there's
an accounting program that does this), or clobber it completely, à la:
	> wtmp
On System V, you can turn on the accounting sufficiently that the
wtmp pruner works properly, but the rest of the accounting (process
accounting records) isn't being done, so you don't get accounting
overhead.

In some software we've written commercially, we first try to run
the accounting stuff to clear the wtmp, only resorting to:
	cp /etc/wtmp /etc/wtmp.old
	> /etc/wtmp
if the accounting software is obviously not managing to keep wtmp
below a threshold (i.e.: accounting ain't there, or it ain't running).
Actually, if my memory serves, the UNIX accounting software cuts
it over like this, and arranges to process the old wtmps into more
useful (and compact) forms, but still completely wipes the existing
wtmp.
-- 
Chris Lewis, Phone: (613) 832-0541, Internet: clewis at ferret.ocunix.on.ca
UUCP: uunet!mitel!cunews!latour!ecicrl!clewis
Moderator of the Ferret Mailing List (ferret-request at eci386)
Psroff enquiries: psroff-request at eci386, current patchlevel is *7*.
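The dd-based trim the post sketches, together with the copy-and-clobber fallback, as an added shell example; it is not code from the original thread or from any of the posters. It assumes the caller passes the wtmp path and the record size, since sizeof(struct utmp) differs between systems (384 bytes for glibc on x86-64 Linux, for instance; check it on the target before pointing this at a real wtmp). The write-back uses a truncating redirect onto the existing file rather than mv, so a process that holds wtmp open keeps writing to the same inode instead of to an unlinked one.

```shell
#!/bin/sh
# Added example: prune a binary wtmp to its last KEEP records without
# replacing the inode. Not the accounting package's own code.
#
# Assumptions (not from the original post):
#   RECSIZE is supplied by the caller and must equal sizeof(struct utmp)
#   on this system; the file path is supplied by the caller.

# trim_wtmp FILE RECSIZE KEEP
# Keeps the last KEEP records of FILE in place. Returns 1 and leaves the
# file alone if its length is not a whole number of records, because a
# cut anywhere but on a record boundary corrupts every later record.
trim_wtmp() {
    file=$1; recsize=$2; keep=$3
    size=$(wc -c < "$file")
    if [ $((size % recsize)) -ne 0 ]; then
        echo "trim_wtmp: $file is $size bytes, not a multiple of $recsize" >&2
        return 1
    fi
    total=$((size / recsize))
    # Nothing to do if the file is already within the limit.
    [ "$total" -le "$keep" ] && return 0
    skip=$((total - keep))
    tmp="$file.trim.$$"
    # bs= is one record, so skip= and count= are counted in whole records
    # and the cut lands on a record boundary. dd's transfer summary on
    # stderr is discarded; its exit status is still checked.
    dd if="$file" of="$tmp" bs="$recsize" skip="$skip" count="$keep" \
        2>/dev/null || { rm -f "$tmp"; return 1; }
    # Truncate-and-rewrite the ORIGINAL file instead of mv'ing the new one
    # into place: a writer (init, login) that already has wtmp open keeps
    # writing to this inode. With mv it would go on appending to the old,
    # now-unlinked file, invisible to ls but still consuming disk.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# rotate_wtmp FILE
# The fallback the post describes: save a copy, then clobber the live
# file with a truncating redirect (again keeping the inode).
rotate_wtmp() {
    file=$1
    cp "$file" "$file.old" || return 1
    : > "$file"
}

# record_count FILE RECSIZE
# Whole records in FILE; handy for deciding whether a trim is needed.
record_count() {
    echo $(( $(wc -c < "$1") / $2 ))
}
```

Run it from cron as root with something like `trim_wtmp /var/log/wtmp 384 3000`; on a System V box where init never reopens the file this still works because the inode is preserved, which is exactly the property the `split`/`mv` script in the quoted post lacks.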