From owner-freebsd-questions Wed Nov 11 00:38:18 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA21216 for freebsd-questions-outgoing; Wed, 11 Nov 1998 00:38:18 -0800 (PST) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from firewall.scitec.com.au (fgate.scitec.com.au [203.17.180.68]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA21204 for ; Wed, 11 Nov 1998 00:38:03 -0800 (PST) (envelope-from john.saunders@scitec.com.au)
Received: by firewall.scitec.com.au; id TAA23608; Wed, 11 Nov 1998 19:37:46 +1100 (EST)
Received: from mailhub.scitec.com.au(203.17.180.131) by fgate.scitec.com.au via smap (3.2) id xma023604; Wed, 11 Nov 98 19:37:28 +1100
Received: from saruman (saruman.scitec.com.au [203.17.182.108]) by mailhub.scitec.com.au (8.6.12/8.6.9) with SMTP id TAA17946; Wed, 11 Nov 1998 19:37:26 +1100
From: "John Saunders"
To: "Oles' Hnatkevych"
Cc:
Subject: RE: wtmp
Date: Wed, 11 Nov 1998 19:37:25 +1100
Message-ID: <004a01be0d4e$8200c010$6cb611cb@saruman.scitec.com.au>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-Mimeole: Produced By Microsoft MimeOLE V4.72.2106.4
Importance: Normal
In-Reply-To:
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

This is probably what you want. I have a collection of wtmp tools I
hacked up ages ago. Maybe I should make a formal release and a port
for it? :-)

    cc zapwtmp.c -o zapwtmp

If you want to test it on a copy rather than on your main wtmp file...

    cc -DDEBUG zapwtmp.c -o zapwtmp
    cp /var/log/wtmp .
    last -f wtmp | head -10
    ./zapwtmp ttyp0 fred host.com YYYYMMDDHHMM
    last -f wtmp | head -10

I would also suggest using it during a quiet time, as there is an
unavoidable race condition which may cause lost entries, although the
wtmp file will not be corrupted.

Enjoy...

/*
 * zapwtmp.c:
 *
 * Possible bugs.
*
 * There is never any locking done on the wtmp file. I could have added file
 * locking to this program, however it would not help as the other programs
 * that write to wtmp do not have file locking either. This means there is a
 * small window of possibility that a record can get lost. However this window
 * is much smaller than clnwtmp.c, and if used at a quiet period during the
 * day will reduce the risk to almost 0%.
 *
 * Example use.
 *
 * zapwtmp ttyp1 fred host.com 199604131014
 *
 * Review notes.
 *
 * - As handled here, wtmp is a plain sequence of fixed-size struct utmp
 *   records with no per-record integrity data. The program compacts the
 *   remaining records and truncates the file, so the file itself keeps no
 *   marker that a record was removed. Where login accounting has to be
 *   trustworthy it needs an independent copy to compare against (for
 *   example the corresponding syslog messages forwarded to another host).
 *
 * - The results of write() and ftruncate() are never checked. If a write
 *   fails or is short, `length` no longer agrees with the output offset, so
 *   the "file will not be corrupted" expectation holds only when every
 *   write succeeds.
 */

/*
 * NOTE(review): the header names that followed each #include appear to have
 * been lost when this message was archived; the seven directives are kept
 * as found.
 */
#include
#include
#include
#include
#include
#include
#include

/*
 * Make a copy of your wtmp file and play around with DEBUG enabled.
 * With DEBUG defined the program operates on a file named "wtmp" in the
 * current directory instead of the system path.
 */
#ifdef DEBUG
#undef _PATH_WTMP
#define _PATH_WTMP "wtmp"
#endif

static int convert_date(char *date_str, time_t *cvt_time);

/*
 * Usage: zapwtmp port user host YYYYMMDDHHMM
 *
 * Rewrites _PATH_WTMP in place without the login record that matches the
 * given line, user, host and time (within 60 seconds), and without the next
 * record found afterwards on the same line. Returns 1 on a usage error, an
 * unparsable time or a failed open(), 0 otherwise.
 */
int main(int argc, char **argv)
{
    struct utmp wtmp;
    time_t search_time;
    time_t time_delta;
    int fin, fout;
    /* 0 = looking for the login record, 1 = looking for the logout, 2 = done */
    int searching = 0;
    /* Number of bytes copied to fout; becomes the new file size. */
    size_t length = 0;

    if (argc != 5)
    {
        fprintf(stderr, "usage: %s port user host YYYYMMDDHHMM\n", argv[0]);
        return (1);
    }

    if (! convert_date(argv[4], &search_time))
    {
        fprintf(stderr, "Invalid time \"%s\" (e.g. YYYYMMDDHHMM)\n", argv[4]);
        return (1);
    }

    /*
     * The same file is opened twice: fin is the read cursor and fout the
     * write cursor. Both start at offset 0, and fout falls behind fin by
     * one record for each record that is skipped.
     */
    if ((fin = open(_PATH_WTMP, O_RDONLY)) < 0)
    {
        perror(_PATH_WTMP);
        return (1);
    }

    if ((fout = open(_PATH_WTMP, O_WRONLY)) < 0)
    {
        perror(_PATH_WTMP);
        close(fin);
        return (1);
    }

    /*
     * Read each wtmp record and copy it back through fout unless it is one
     * of the two records being dropped. The loop stops at the first read
     * that does not return a whole record.
     */
    while (read(fin, &wtmp, sizeof(wtmp)) == sizeof(wtmp))
    {
        if (searching == 0)
        {
            /* Absolute difference between the record time and the requested time. */
            time_delta = (search_time > wtmp.ut_time ?
                search_time - wtmp.ut_time : wtmp.ut_time - search_time);

            /*
             * Zap the login record.
             * NOTE(review): ut_host is compared with UT_NAMESIZE as the
             * bound, not a host-field size; presumably only that many
             * leading bytes of the host take part in the match. Confirm
             * against the field sizes in utmp.h.
             */
            if ((strncmp(wtmp.ut_line, argv[1], UT_LINESIZE) == 0) &&
                (strncmp(wtmp.ut_name, argv[2], UT_NAMESIZE) == 0) &&
                (strncmp(wtmp.ut_host, argv[3], UT_NAMESIZE) == 0) &&
                (time_delta <= 60))
            {
#ifdef DEBUG
                printf("Found login record\n");
#endif
                searching = 1;
            }
            else
            {
                /* NOTE(review): return value ignored; see the header notes. */
                write(fout, &wtmp, sizeof(wtmp));
                length += sizeof(wtmp);
            }
        }
        else if (searching == 1)
        {
            /*
             * Zap the logout record.
             * Only ut_line is compared, so the first later record on the
             * same line is dropped whatever it contains.
             */
            if (strncmp(wtmp.ut_line, argv[1], UT_LINESIZE) == 0)
            {
#ifdef DEBUG
                printf("Found logout record\n");
#endif
                searching = 2;
            }
            else
            {
                write(fout, &wtmp, sizeof(wtmp));
                length += sizeof(wtmp);
            }
        }
        else /* searching == 2 */
        {
            /* Both records handled: copy the rest of the file down. */
            write(fout, &wtmp, sizeof(wtmp));
            length += sizeof(wtmp);
        }
    }

    /*
     * The window mentioned in the bugs section is between the above
     * read (inside the while loop) and this call to ftruncate.
     * A record appended by another program in that window is cut off by
     * the truncation.
     */
    ftruncate(fout, length);

    close(fout);
    close(fin);

    return (0);
}

/*
 * Simple-minded date conversion. Hopefully it will be OK if it's not
 * provided any "funny" dates.
 *
 * Parses date_str as fixed-width YYYYMMDDHHMM and stores the local-time
 * result of mktime() in *cvt_time. Returns 1 on success and 0 when a field
 * is out of range or mktime() fails.
 *
 * The input pointer is advanced only while it does not point at the
 * terminating NUL, so a short string produces empty or short fields
 * instead of a read past the end of the string.
 *
 * NOTE(review): fields are converted with atoi() and never checked to be
 * digits; hour and minute have no lower-bound test, and anything after the
 * twelfth character is ignored.
 */
static int convert_date(char *date_str, time_t *cvt_time)
{
    char string[5];
    long date;  /* not used in this function */
    int year, month, day, hour, min;
    struct tm cutdate;

    /* Four-character field: the year. */
    string[4] = '\0';
    string[0] = *date_str; if (*date_str) ++date_str;
    string[1] = *date_str; if (*date_str) ++date_str;
    string[2] = *date_str; if (*date_str) ++date_str;
    string[3] = *date_str; if (*date_str) ++date_str;
    year = atoi(string);
    if (year < 1900)
    {
        return (0);
    }
    year -= 1900;   /* struct tm counts years from 1900 */

    /* From here on the buffer holds two-character fields. */
    string[2] = '\0';
    string[0] = *date_str; if (*date_str) ++date_str;
    string[1] = *date_str; if (*date_str) ++date_str;
    month = atoi(string);
    if ((month < 1) || (month > 12))
    {
        return (0);
    }

    string[0] = *date_str; if (*date_str) ++date_str;
    string[1] = *date_str; if (*date_str) ++date_str;
    day = atoi(string);
    if ((day < 1) || (day > 31))
    {
        return (0);
    }

    string[0] = *date_str; if (*date_str) ++date_str;
    string[1] = *date_str; if (*date_str) ++date_str;
    hour = atoi(string);
    if (hour > 23)
    {
        return (0);
    }

    string[0] = *date_str; if (*date_str) ++date_str;
    string[1] = *date_str; if (*date_str) ++date_str;
    min = atoi(string);
    if (min > 59)
    {
        return (0);
    }

    cutdate.tm_sec = 0;
    cutdate.tm_min = min;
    cutdate.tm_hour = hour;
    cutdate.tm_mday = day;
    cutdate.tm_mon = month - 1;     /* struct tm months are 0-based */
    cutdate.tm_year = year;
    cutdate.tm_isdst = -1;          /* let mktime decide whether DST applies */

    /*
     * Check that mktime didn't find any problems.
     */
    if ((*cvt_time = mktime(&cutdate)) == (time_t)(-1))
    {
        return (0);
    }

    /*
     * If the month has changed, that means mktime detected a
     * day that is outside the allowable days for that month.
     * i.e. you specified the 31st of February!
     * Only tm_mon is compared; the other normalized fields are not.
     */
    if (cutdate.tm_mon != (month - 1))
    {
        return (0);
    }

    return (1);
}

--
. +-------------------------------------------------------+
,--_|\ | John Saunders mailto:John.Saunders@scitec.com.au |
/ Oz \ | SCITEC LIMITED Phone +61294289563 Fax +61294289933 |
\_,--\_/ | "By the time you make ends meet, they move the ends."
| v +-------------------------------------------------------+ > -----Original Message----- > From: owner-freebsd-questions@FreeBSD.ORG > [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Oles' > Hnatkevych > Sent: Wednesday, 11 November 1998 18:30 > To: Jason C. Wells > Cc: freebsd-questions@FreeBSD.ORG > Subject: Re: wtmp > > > > > > OK. You erased the wtmp file. You want to know if there is > documentation. > > > > No. I have the file. I just want to remove a record that user XXX > logged in at the time A and logged out at the time B. To pretend that > he never did. > > > Best wishes, > > Oles Hnatkevych, http://gnut.kiev.ua > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message