64-bit HP/UX 11.00 wtmp corruption identified
Kevin Steves
stevesk at pobox.com
Fri Jan 11 09:17:26 EST 2002
On Thu, 10 Jan 2002, Quentin Bracken wrote:
:Kevin, I tried re-implementing the wtmp writing routines to use utmpname(3),
:setutent(3), pututline(3), and so on. If my understanding is correct, the
:wtmp and utmp files function differently. When processing a logout with
:utmp, the routines will find the corresponding login record and update it
:with the logout information. However, when working with wtmp, you always
:want to append information. You do not actually want to update the login
:entry. Instead you want to add a whole new logout entry. That is why the
:wtmp grows so much faster than utmp.
yes, i understand now. i was thinking pututline() could be used to append
to wtmp.
:After re-implementing the code in loginrec.c to use the getut(3) routines to
:write to wtmp, I noticed the following behavior. After I log in, "last"
:shows an entry for my SSH login and lists it as "still logged in". The wtmp
:file grows by 60 bytes. When I logout, "last" no longer shows any record of
:my login. In other words, the entry that said "still logged in" did not show
:my logout time as you would expect. Rather, it simply no longer showed up.
:And, the wtmp file did not grow in size. This leads me to believe the
:getut(3) routines updated the login entry. That, and the man pages say they
:do.
that's my understanding as well.
:When working correctly, the wtmp file should grow by 60 bytes when I log in
:and again when I log out. Two entries are actually recorded. Using the
:pututline functions, the login entry is updated instead.
:
:I did read in some HP/UX 11 64-bit documents that use of the getut(3)
:functions has been deprecated in favor of the getutx(3) functions. However,
:no other system utilities that ship with HP/UX update the wtmpx file. It is
:normally blank. In fact, the utmp.h and utmpx.h include files do not define
:WTMPX_FILE where they do define UTMP_FILE, UTMPX_FILE, and WTMP_FILE. It is
:interesting that they indicate the getut(3) function should no longer be used
:when they (HP) still use them.
i believe that man pages that refer to wtmpx are wrong. there is no wtmpx
file on HP-UX (up to 11.11 at least). note also that we do DISABLE_UTMP
for HP-UX so loginrec will use pututxline(), which will write to utmpx
then utmp.
:Note that when using the pututline(3) routine, even if I pass it the 72 byte
:64-bit utmp structure, it casts it to the 60 byte 32-bit structure and
:records it. This is good. It does not corrupt the wtmp file.
i'm not sure how best to address this, other than to have a private
version of struct utmp, and that approach is really ugly.

are you certain that utmp/utmpx are updated correctly (finger -R, who -R,
etc. all showing good data)? i thought i had seen corruption there too
when i tested this earlier last year. that may have been related to some
socket issues though and fixed when we started using xopen_networking(7).

also, while this should be fixed, i don't see much benefit to building
openssh 64-bit on HP-UX particularly due to the lack of 64-bit libpam.
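
The append-only wtmp behaviour and the 60-byte versus 72-byte record sizes discussed in this message, as an added example that is not part of the original post and is not OpenSSH's loginrec.c code: a private fixed-width record is appended with O_APPEND, and a size check flags a file whose length is no longer a multiple of 60 bytes. The struct's field names and layout, the type values and the function names are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define REC_SIZE 60          /* 32-bit record size quoted in the thread */
#define REC_USER_PROCESS 7   /* login entry (SysV utmp type value) */
#define REC_DEAD_PROCESS 8   /* logout entry (SysV utmp type value) */

/* Assumed, illustrative layout: fixed-width fields keep the record at 60
 * bytes whether the writer is built 32-bit or 64-bit. */
struct wtmp_rec {
    char     user[8], id[4], line[12];
    int32_t  pid;
    int16_t  type, e_termination, e_exit;
    uint16_t reserved;
    int32_t  time;           /* time_t would be 8 bytes on LP64 */
    char     host[16];
    uint32_t addr;           /* unsigned long would be 8 bytes on LP64 */
};
typedef char rec_size_ok[sizeof(struct wtmp_rec) == REC_SIZE ? 1 : -1];

/* Build a record; strncpy zero-pads and these fields need no terminator. */
void wtmp_fill(struct wtmp_rec *r, int type, const char *user,
               const char *line, int32_t pid, int32_t when)
{
    memset(r, 0, sizeof *r);
    strncpy(r->user, user, sizeof r->user);
    strncpy(r->line, line, sizeof r->line);
    r->type = (int16_t)type; r->pid = pid; r->time = when;
}

/* Append one record; O_APPEND never rewrites an earlier login entry. */
int wtmp_append(const char *path, const struct wtmp_rec *r)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, r, sizeof *r);
    return (close(fd) == 0 && n == (ssize_t)sizeof *r) ? 0 : -1;
}

/* Record count, or -1 when the size is not a multiple of REC_SIZE. */
long wtmp_check(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || st.st_size % REC_SIZE != 0) return -1;
    return (long)(st.st_size / REC_SIZE);
}
```

A login followed by a logout leaves two records in the file, and a single 72-byte write makes `wtmp_check` return -1.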