64-bit HP/UX 11.00 wtmp corruption identified

Quentin Bracken quentin.bracken at eds.com
Fri Jan 11 04:46:09 EST 2002 

Kevin, I tried re-implementing the wtmp writing routines to use utmpname(3),
setutent(3), pututline(3), and so on.  If my understanding is correct, the
wtmp and utmp files function differently.  When processing a logout with
utmp, the routines will find the corresponding login record and update it
with the logout information.  However, when working with wtmp, you always
want to append information.  You do not actually want to update the login
entry.  Instead you want to add a whole new logout entry.  That is why the
wtmp grows so much faster than utmp.

After re-implementing the code in loginrec.c to use the getut(3) routines to
write to wtmp, I noticed the following behavior.  After I log in, "last"
shows an entry for my SSH login and lists it as "still logged in".  The wtmp
file grows by 60 bytes.  When I logout, "last" no longer shows any record of
my login.  In other words, the entry that said "still logged in" did not show
my logout time as you would expect.  Rather, it simply no longer showed up.
And, the wtmp file did not grow in size.  This leads me to believe the
getut(3) routines updated the login entry.  That, and the man pages say they
do.

When working correctly, the wtmp file should grow by 60 bytes when I log in
and again when I log out.  Two entries are actually recorded.  Using the
pututline functions, the login entry is updated instead.

I did read in some HP/UX 11 64-bit documents that use of the getut(3)
functions has been deprecated in favor of the getutx(3) functions.  However,
no other system utilities that ship with HP/UX update the wtmpx file.  It is
normally blank.  In fact, the utmp.h and utmpx.h include files do not define
WTMPX_FILE where they do define UTMP_FILE, UTMPX_FULE, and WTMP_FILE.  It is
interesting that they indicate the getut(3) function should no longer be used
when they (HP) still use them.

Note that when using the pututline(3) routine, even if I pass it the 72 byte
64-bit utmp structure, it casts it to the 60 byte 32-bit structure and
records it.  This is good.  It does not corrupt the wtmp file.


Kevin Steves wrote:

> On Wed, 9 Jan 2002, Quentin Bracken wrote:
> :I do not know what a good work around could be.  I temporarily modified
> :the /usr/include/utmp.h structure to use int32_t as the type for ut_time
> :instead of long and rebuilt loginrec.o and relinked sshd.  OpenSSH
> :performed correctly, updating wtmp like a champ.  I thought that we
> :could use utmpname and the pututline tools (which will convert the 72
> :byte structure to a 60 byte structure somehow), but their behavior is
> :not actually compatible with wtmp.  I also thought about defining a
> :custom utmp structure when building on HP-UX 64-bit, but that really
> :seems like a bad way of doing it.
>
> ah, thanks for dealing with problems in TODO.
>
> we use getutx(3C) and getut(3C) for get* and put* (i think that is correct
> for hp-ux).  would this be a defect in the 64-bit versions of those
> interfaces?  i don't understand "not actually compatible with wtmp".

--
Quentin Bracken
Infrastructure Specialist
EDS


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020110/24fc465b/attachment.html

More information about the openssh-unix-dev mailing list