From owner-freebsd-questions@FreeBSD.ORG Wed Feb 18 08:09:00 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A3C771065750 for ; Wed, 18 Feb 2009 08:09:00 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [220.233.188.227]) by mx1.freebsd.org (Postfix) with ESMTP id 00DC68FC1A for ; Wed, 18 Feb 2009 08:08:59 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id n1I88gTf038857; Wed, 18 Feb 2009 19:08:42 +1100 (EST) (envelope-from smithi@nimnet.asn.au) Date: Wed, 18 Feb 2009 19:08:41 +1100 (EST) From: Ian Smith To: Anton Shterenlikht In-Reply-To: <20090218013633.3309810656EC@hub.freebsd.org> Message-ID: <20090218175824.X38905@sola.nimnet.asn.au> References: <20090218013633.3309810656EC@hub.freebsd.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Cc: freebsd-questions@freebsd.org Subject: Re: w(5) shows non-existent or lost process? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Feb 2009 08:09:02 -0000 On Tue, 17 Feb 2009 13:43:30 +0000 Anton Shterenlikht wrote: > The who (or w, or finger) command shows that I'm still logged into ttyp5, > even though I have rebooted the box many times since. Does this mean > the corresponding entry in /var/run/utmp is wrong and shouldn't be there, or is there > still some process attached to ttyp5? Certainly the former, given you've rebooted. I've had occasions when utmp gets silly, though not for ages. Abrupt shutdown / power loss? > ouput of w: > > USER TTY FROM LOGIN@ IDLE WHAT > mexas p4 1:32pm - w > mexas p5 :0. 26Jan09 21days - > > ps ax | grep ttyp5 > shows no process ps would only list it as 'p5' anyway. 'w -d' may be a bit more informative: % w -d 6:00PM up 68 days, 15:22, 1 user, load averages: 0.58, 0.23, 0.13 USER TTY FROM LOGIN@ IDLE WHAT 3733 login [pam] (login) 3734 -csh (csh) 7333 /bin/sh /usr/X11R6/bin/startx 7351 /usr/X11R6/bin/xinit /home/smithi/.xinitrc -- -auth /home/smithi/.serverauth.7333 -nolisten tcp 7352 X :0 -auth /home/smithi/.serverauth.7333 -nolisten tcp (Xorg) 7356 /bin/sh /usr/local/bin/startkde 7421 kwrapper ksmserver smithi v7 - 12Dec08 68days /usr/X11R6/bin/xinit /home/smithi/.xinitrc -- -auth / > Looking at w(1) man page it seems that "-" in WHAT can be an indication > that the process failed but not cleanly and that there could be some forked > sub-process still alive. Does this make sense? Which other commands I can use > to see what's going on? utmp(5) makes good bedtime reading :) /var/log/wtmp can get messed up sometimes too, especially if you're logged in when periodic(8) monthly rotates it, but tools include: % last smithi ttyp5 dolores Mon Feb 2 15:52 - 15:57 (00:05) wtmp begins Mon Feb 2 15:52:27 EST 2009 !last -f /var/log/wtmp.0 smithi ttyp5 rock.-----.org Mon Jan 26 19:37 - 23:17 (03:40) smithi ttyp5 rock.-----.org Thu Jan 15 21:30 - 21:45 (00:14) smithi ttyp5 rock.-----.org Thu Jan 15 18:04 - 18:05 (00:00) smithi ttyp5 rock.-----.org Thu Jan 15 18:01 - 18:03 (00:01) somebody ftp ww.xxx.yyy.zz Thu Jan 1 10:47 - 10:50 (00:03) [..] % who smithi ttyv7 Dec 12 02:39 % who /var/log/wtmp.0 [..] somebody ftp61687 Jan 1 10:47 (ww.xxx.yyy.zz) smithi ttyp5 Jan 15 18:01 (rock.-----.org) smithi ttyp5 Jan 15 18:04 (rock.-----.org) smithi ttyp5 Jan 15 21:30 (rock.-----.org) smithi ttyp5 Jan 26 19:37 (rock.-----.org) % who am i smithi ttyp4 Feb 18 18:16 % tty /dev/ttyp4 you could try opening enough xterms (ono) so your ttyp5 is used, then exit them cleanly? Failing that, you can boot single user, mount /var, rm /var/run/utmp, hit ^D (or reboot) .. IIRC I had to do that once; not sure what happens if you rm /var/run/utmp while running multi-user! :) cheers, Ian