NAME
utmp, wtmp - login records
SYNOPSIS
#include <utmp.h>
DESCRIPTION
The utmp file allows one to discover information about who
is currently using the system. There may be more users
currently using the system, because not all programs use
utmp logging. Warning: utmp must not be writable, because
many system programs depend on its integrity. You risk
faked system logfiles and modifications of system files if
you leave utmp writable to any user. The file is a
sequence of entries with the following structure declared
in the include file:
#define UT_UNKNOWN      0
#define RUN_LVL         1
#define BOOT_TIME       2
#define NEW_TIME        3
#define OLD_TIME        4
#define INIT_PROCESS    5
#define LOGIN_PROCESS   6
#define USER_PROCESS    7
#define DEAD_PROCESS    8

#define UT_LINESIZE     12
#define UT_NAMESIZE     8
#define UT_HOSTSIZE     16

struct utmp {
    short  ut_type;               /* type of login */
    pid_t  ut_pid;                /* pid of process */
    char   ut_line[UT_LINESIZE];  /* device name of tty - "/dev/" */
    char   ut_id[2];              /* init id or abbrev. ttyname */
    time_t ut_time;               /* login time */
    char   ut_user[UT_NAMESIZE];  /* user name */
    char   ut_host[UT_HOSTSIZE];  /* host name for remote login */
    long   ut_addr;               /* IP addr of remote host */
};
This structure gives the name of the special file
associated with the user's terminal, the user's login name,
and the time of login in the form of time(2). String fields
are terminated by '\0' if they are shorter than the size
of the field.
The wtmp file records all logins and logouts. Its format
is exactly like utmp except that a null user name
indicates a logout on the associated terminal. Furthermore,
the terminal name "~" with user name "shutdown" or
"reboot" indicates a system shutdown or reboot and the
pair of terminal names "|"/"}" logs the old/new system
time when date(1) changes it. wtmp is maintained by
login(1), init(1), and some versions of getty(1). None
of these programs creates the file, so if it is removed
record-keeping is turned off.
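The wtmp conventions above, as an added example that is not part of the original manual page or of any system's source: a C classifier that reads the fixed-width fields with a bounded scan, because a full field such as the 8-byte user name "shutdown" carries no terminating '\0'. The names utmp_rec, wtmp_event, field_len, classify and classify_sample are hypothetical, and the sample records are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <time.h>
#define UT_LINESIZE 12
#define UT_NAMESIZE 8
#define UT_HOSTSIZE 16
struct utmp_rec {            /* hypothetical name; field layout as declared on this page */
    short ut_type;  pid_t ut_pid;
    char ut_line[UT_LINESIZE], ut_id[2];
    time_t ut_time;
    char ut_user[UT_NAMESIZE], ut_host[UT_HOSTSIZE];
    long ut_addr;
};
enum wtmp_event { EV_LOGIN, EV_LOGOUT, EV_SHUTDOWN, EV_REBOOT, EV_OLD_TIME, EV_NEW_TIME };

/* Length of a fixed-width field: a full field has no '\0', so stop at n. */
static size_t field_len(const char *s, size_t n)
{
    size_t len = 0;
    while (len < n && s[len] != '\0') len++;
    return len;
}

/* Classify one wtmp record by the line/user conventions described above. */
enum wtmp_event classify(const struct utmp_rec *r)
{
    char line[UT_LINESIZE + 1] = {0}, user[UT_NAMESIZE + 1] = {0};
    memcpy(line, r->ut_line, field_len(r->ut_line, UT_LINESIZE));
    memcpy(user, r->ut_user, field_len(r->ut_user, UT_NAMESIZE));
    if (strcmp(line, "~") == 0 && strcmp(user, "shutdown") == 0) return EV_SHUTDOWN;
    if (strcmp(line, "~") == 0 && strcmp(user, "reboot") == 0) return EV_REBOOT;
    if (strcmp(line, "|") == 0) return EV_OLD_TIME;   /* old system time */
    if (strcmp(line, "}") == 0) return EV_NEW_TIME;   /* new system time */
    return user[0] == '\0' ? EV_LOGOUT : EV_LOGIN;    /* null user name = logout */
}

/* Build a constructed sample record (full fields get no terminator) and classify it. */
enum wtmp_event classify_sample(const char *line, const char *user)
{
    struct utmp_rec r = {0};
    memcpy(r.ut_line, line, field_len(line, UT_LINESIZE));
    memcpy(r.ut_user, user, field_len(user, UT_NAMESIZE));
    return classify(&r);
}

int main(void)
{
    printf("shutdown=%d logout=%d\n", classify_sample("~", "shutdown"), classify_sample("tty1", ""));
}
```

Comparing ut_user directly with strcmp() or printing it with "%s" would read past the field into ut_host whenever the name fills all UT_NAMESIZE bytes.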
FILES
/var/adm/utmp
/var/adm/wtmp
CONFORMING TO
Linux utmp entries conform neither to v7/BSD nor to SYSV:
they are a mix of the two. v7/BSD has fewer fields; most
importantly it lacks ut_type, which causes native
v7/BSD-like programs to display, for example, dead or login
entries. SYSV has one more field to log the exit status
of dead processes. Linux uses the BSD conventions for
line contents, as documented above. SYSV only uses the
type field to mark them and logs informative messages such
as "new time" in the line field. UT_UNKNOWN seems to
be a Linux invention. There is no type ACCOUNTING in
Linux. SYSV has no ut_host or ut_addr fields.
RESTRICTIONS
The file format is machine dependent, so it is recommended
that it be processed only on the machine architecture
where it was created.
SEE ALSO
ac(1), date(1), last(1), login(1), who(1), getutent(3),
init(8)