Date:      Mon, 12 Jul 2004 17:09:31 -0700
From:      "Kyle Mott" <kyle@xraided.net>
To:        "'aardvark'" <aardvark@saintaardvarkthecarpeted.com>
Cc:        freebsd-questions@freebsd.org
Subject:   RE: Rebuilding wtmp
Message-ID:  <001d01c4686d$ac150840$150ba8c0@kyle>
In-Reply-To: <20040712234028.GC14633@hardesty.saintaardvarkthecarpeted.com>


> -----Original Message-----
> From: aardvark [mailto:aardvark@saintaardvarkthecarpeted.com]
> Sent: Monday, July 12, 2004 4:40 PM
> To: Kyle Mott
> Cc: freebsd-questions@freebsd.org
> Subject: Re: Rebuilding wtmp
> 
> Kyle Mott disturbed my sleep to write:
> > I read a few manpages and did some google'ing, and couldn't find much of
> > anything about rebuilding wtmp. I tried just moving wtmp to wtmp.old and
> > then doing 'touch wtmp', then logging out and back in, but it still
> > reads 31Dec69. Is there some way to fix this? Thanks all.
> 
> It's possible that there's some process holding open wtmp.  (You could
> check this by adding lsof ("list open files") from ports -- *very* handy
> to have around on general principle).  If this is the case, probably
> the easiest way to fix things would be to rename the file, touch wtmp,
> then reboot.
> 

Thanks for the lsof tip, though I couldn't find anything using wtmp.
I've tried rebooting with an empty wtmp plenty of times before, all to
no avail.


> Interestingly enough, a Google for "wtmp freebsd" turned up this message
> from the FreeBSD-Security list:
> 
> 	http://archives.neohapsis.com/archives/freebsd/2001-07/0055.html
> 
> which suggests "cp /dev/null /var/log/wtmp" to fix things -- at least on
> Solaris.
> 

I tried this already, and it didn't work. On a system that I have a
good, uncorrupted version of wtmp, I can do 'mv wtmp wtmp.old && touch
wtmp', then log out and log back in, and it reports the dates fine. I can
also write a bunch of gibberish to wtmp (via /dev/random), and then
log out and back in, and it still reports the dates correctly. I'm just
confused.




-Kyle Mott



> I am now blessing your keyboard...
> 
> --
> Saint Aardvark the Carpeted
> aardvark@saintaardvarkthecarpeted.com
> Because the plural of Anecdote is Myth.


