\u56e0\u4e3a\u6700\u8fd1\u5bf9Linux\u7cfb\u7edf\u7684\u5ba1\u8ba1\u611f\u5174\u8da3\uff08\u5176\u5b9e\u4e5f\u56e0\u4e3a\u4efb\u52a1\u5728\u8eab\uff09\uff0c\u6240\u4ee5\u9700\u8981\u4e86\u89e3\u5982\u4f55\u5b9a\u4f4d\u201c\u51f6\u624b\u201d\u2014\u2014\u4ece\u4f17\u591a\u7684\u767b\u5f55\u7528\u6237\u4e2d\u627e\u51fa\u6267\u884c\u4e86\u6076\u610f\/\u975e\u6cd5\u547d\u4ee4\u7684\u90a3\u4e2a\u4eba\u3002<\/p>\n
\u9664\u4e86\u5bf9Bash\u7684history\u505a\u5ba1\u8ba1\u4e4b\u5916\uff08\u91cd\u65b0\u7f16\u8bd1Bash\uff0c\u542f\u7528syslog\u529f\u80fd\uff09\uff0c\u8fd8\u8981\u80fd\u627e\u51fa\u5177\u4f53\u7684\u90a3\u4e2a\u4eba\u2014\u2014\u5728\u6267\u884csudo\/su\u547d\u4ee4\u4e4b\u524d\u7684\u90a3\u4e2a\u7528\u6237\uff0c\u6d89\u53ca\u5230\u4e86\u4e24\u4e2a\u547d\u4ee4\uff1a(logname)\u548c(who am i)\u3002\u53c8\u626f\u51fa\u4e86utmp\u548cwtmp\u8fd9\u4e24\u4e2a\u6587\u4ef6\uff0c\u5c31\u6709\u4e86\u4e0b\u9762\u7684\u5185\u5bb9\u3002<\/p>\n
http:\/\/search.aol.com\/aol\/search?q=linux+utmp+wtmp+difference<\/a><\/p>\n Logging is an essential part of the Linux based operating systems. The system maintains loga for activities on the system. Logs of users logged in and logged out are also maintained by the system. The files \/var\/run\/utmp and \/var\/log\/wtmp contains logs for logins and logouts. These two files are binary files. You cannot see them with any text editor or pager like ‘less’. Some commands use these files for their output.<\/p>\n This file contains information about the users who are currently logged onto the system.<\/span> ‘who’ command uses this file to display the logged in users:<\/p>\n According to the utmp manual page<\/p>\n The utmp file allows one to discover information about who is currently using the system. There may be more users currently using the system, because not all programs use utmp logging.<\/p>\n This file is like history for utmp file, i.e. it maintains the logs of all logged in and logged out users (in the past).<\/span> The ‘last’ command uses this file to display listing of last logged in users.<\/p>\n According to the wtmp manual page<\/p>\n The wtmp file records all logins and logouts. Its format is exactly like utmp except that a null username indicates a logout on the associated terminal. Furthermore, the terminal name ~ with username shutdown or reboot indicates a system shutdown or reboot and the pair of terminal names |\/} logs the old\/new system time when date(1) changes it. wtmp is maintained by login(1), init(8), and some versions of getty(8) (e.g., mingetty(8) or agetty(8)). None of these programs creates the file, so if it is removed, record-keeping is turned off.<\/strong><\/p>\n Another important file related to users logins is \/var\/log\/btmp. This file contains bad login attempts{\/var\/log\/btmp \u6587\u4ef6\u8bb0\u5f55\u7684\u662f\u767b\u5f55\u5931\u8d25\u7684\u60c5\u51b5\uff0c\u53ef\u4ee5\u4f7f\u7528lastb\u547d\u4ee4\u8fdb\u884c\u67e5\u770b<\/span><\/strong>}. This file is used by ‘lastb’ command:<\/p>\n ==<\/p>\n ==<\/p>\n logname\u547d\u4ee4\u548cgetlogin()\u51fd\u6570\u90fd\u662f\u4eceutmp\u6587\u4ef6\u4e2d\u83b7\u53d6\u4fe1\u606f\u7684\uff0c\u4f46\u662f\uff0cutmp\u8fd9\u4e2a\u6587\u4ef6\u53c8\u662f\u53ef\u4ee5\u88ab\u4fee\u6539\u7684\uff0c\u6240\u4ee5\u5176\u5b9egetlogin()\u548cgetpwuid(getuid())\u90fd\u4e0d\u53ef\u4fe1\uff0c\u867d\u7136\u8bf4utmp\u8fd9\u4e2a\u6587\u4ef6\u53ea\u80fd\u88ab\u63d0\u5347\u4e86\u6743\u9650\u4e4b\u540e\u7684\u7528\u6237(sudo\/su\u4e4b\u540e)\u4fee\u6539\uff0c\u4f46\u662f\u603b\u6709\u90a3\u4e48\u4e00\u4e9b\u7a0b\u5e8f\u6bd4\u5982screen\u7b49(\u88ab\u8bbe\u7f6e\u4e86setgid\u4e86\u7684\u7a0b\u5e8f)\u53ef\u4ee5\u5bf9\u5176\u5185\u5bb9\u8fdb\u884c\u914d\u7f6e\/\u4fee\u6539\uff0c\u800c\u4e14\u5386\u53f2\u4e0autmp\u6587\u4ef6\u6709\u65f6\u5019\u4f1a\u5d29\u6e83\uff0c\u6240\u4ee5\uff0c\u522b\u4fe1\u8fd9\u4e2a\u4e86\u5b83\u4e0d\u5b89\u5168\u3002<\/p>\n \u800c\u4e14getlogin()\u8fd9\u4e2a\u51fd\u6570\u8fd8\u6709\u4e2a\u672c\u5730\u63d0\u6743\u7684\u6f0f\u6d1e\uff1aCVE-2003-0388<\/a>\uff0c\u8fdeexp<\/a>\u90fd\u5b58\u5728\u597d\u4e45\u4e86\uff08\u4f46\u662f\u6211\u5728\u591a\u4e2a\u7248\u672c\u7684Linux\u7cfb\u7edf\u4e0a\u6d4b\u8bd5\u4e86\u90fd\u6ca1\u6210\u529f\uff0c\u56e0\u4e3a\u6ca1\u6709\u5b9e\u4f53\u673a(tty1\u800c\u4e0d\u662fpts\/0)\u7684\u7f18\u6545\uff1f\uff09\u3002<\/p>\n =EOF=<\/p>\n","protected":false},"excerpt":{"rendered":" \u56e0\u4e3a\u6700\u8fd1\u5bf9Linux\u7cfb\u7edf\u7684\u5ba1\u8ba1\u611f\u5174\u8da3\uff08\u5176\u5b9e\u4e5f\u56e0\u4e3a\u4efb\u52a1\u5728\u8eab\uff09\uff0c\u6240\u4ee5\u9700\u8981\u4e86\u89e3\u5982\u4f55\u5b9a\u4f4d\u201c\u51f6\u624b\u201d\u2014\u2014\u4ece\u4f17\u591a\u7684\u767b\u5f55\u7528\u6237\u4e2d […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[23,11,25],"tags":[451,452,456,457],"class_list":["post-1885","post","type-post","status-publish","format-standard","hentry","category-knowledgebase-2","category-linux","category-security","tag-getlogin","tag-logname","tag-utmp","tag-wtmp"],"views":11738,"_links":{"self":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/1885","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/comments?post=1885"}],"version-history":[{"count":0,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/1885\/revisions"}],"wp:attachment":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/media?parent=1885"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/categories?post=1885"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/tags?post=1885"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\u53c2\u8003\u94fe\u63a5\uff1a<\/h6>\n
\n
Difference \/var\/run\/utmp vs \/var\/log\/wtmp Files In Linux<\/h5>\n
\/var\/run\/utmp file<\/h6>\n
$ who\nroot tty1 2012-12-26 11:53\nraghu tty8 2012-12-26 03:00 (:0)\nraghu pts\/0 2012-12-26 11:02 (:0.0)<\/pre>\n
\/var\/log\/wtmp file<\/h6>\n
$ last\nraghu pts\/0 :0.0 Wed Dec 26 11:02 still logged in\nraghu tty8 :0 Wed Dec 26 03:00 still logged in\nreboot system boot 3.5.0-17-generic Wed Dec 26 03:00 - 11:30 (08:29)\nraghu pts\/0 :0.0 Wed Dec 26 02:18 - 02:20 (00:01)\nraghu tty8 :0 Tue Dec 25 18:36 - down (07:44)\nreboot system boot 3.5.0-17-generic Tue Dec 25 18:35 - 02:21 (07:45)\nraghu pts\/0 :0.0 Tue Dec 25 14:36 - 14:38 (00:02)\nraghu pts\/0 :0.0 Tue Dec 25 13:33 - 14:14 (00:40)\nroot pts\/0 :0.0 Tue Dec 25 13:25 - 13:25 (00:00)\nroot pts\/0 :0.0 Tue Dec 25 13:23 - 13:23 (00:00)\nroot pts\/0 :0.0 Tue Dec 25 13:21 - 13:21 (00:00)\n\n---output truncated---\n\nwtmp begins Mon Nov 5 21:10:35 2012<\/pre>\n
\/var\/log\/btmp file<\/h6>\n
$ lastb\nraghu tty8 :0 Fri Dec 21 06:36 - 06:36 (00:00)\nroot tty1 Tue Dec 11 14:14 - 14:14 (00:00)\nraghu tty7 :0 Mon Dec 10 18:51 - 18:51 (00:00)<\/pre>\n
NAME\n utmp, wtmp - login records\n\nSYNOPSIS\n #include <utmp.h>\n\nDESCRIPTION\n The utmp file allows one to discover information about who is currently using the system. There may be more users currently using the system, because not all programs use utmp logging.\n\n Warning: utmp must not be writable by the user class \"other\", because many system programs(foolishly) depend on its integrity. You risk faked system logfiles and modifications of system\n files if you leave utmp writable to any user other than the owner and group owner of the file.\n {utmp\u6587\u4ef6\u5141\u8bb8\u7528\u6237\u53d1\u73b0\u5f53\u524d\u6709\u54ea\u4e9b\u4eba\u6b63\u5728\u4f7f\u7528\u8fd9\u4e2a\u7cfb\u7edf\uff0c\u4f46\u662f\u4e5f\u6709\u53ef\u80fd\u6709\u6f0f\u6389\u7684\uff0c\u4ee5\u4e3a\u4e0d\u662f\u6240\u6709\u7684\u7a0b\u5e8f\u90fd\u4f7f\u7528utmp\u8fdb\u884clog\u8bb0\u5f55\u3002\u8b66\u544a\uff1autmp\u4e00\u5b9a\u4e0d\u80fd\u88ab\u8bbe\u7f6e\u4e3a\u5bf9other\u53ef\u5199\uff0c\u56e0\u4e3a\u6709\u90a3\u4e48\u4e00\u4e9b\u50bb\u903c\u7a0b\u5e8f\u4f9d\u8d56\u4e8eutmp\u6587\u4ef6\u7684\u5b8c\u6574\u6027\uff0c\u6240\u4ee5\u5982\u679c\u4f60\u5c06utmp\u6587\u4ef6\u8bbe\u7f6e\u4e3a\u53ef\u5199\u4e86\u4e4b\u540e\u7b49\u4ef7\u4e8e\u5c06\u6574\u4e2a\u7cfb\u7edf\u7f6e\u4e8e\u98ce\u9669\u4e4b\u4e2d\uff01who\u547d\u4ee4\u4f7f\u7528\u8be5\u6587\u4ef6\u6765\u663e\u793a\u76f8\u5173\u4fe1\u606f}\n ==\n The wtmp file records all logins and logouts. Its format is exactly like utmp except that a null username indicates a logout on the associated terminal. Furthermore, the terminal name ~ with username shutdown or reboot indicates a system shutdown or reboot and the pair of terminal names |\/} logs the old\/new system time when date(1) changes it. wtmp is maintained by login(1), init(8), and some versions of getty(8) (e.g., mingetty(8) or agetty(8)). None of these programs creates the file, so if it is removed, record-keeping is turned off.{wtmp\u6587\u4ef6\u8bb0\u5f55\u6240\u6709\u7684login\u548clogout\u64cd\u4f5c\uff0c\u5b83\u7684\u683c\u5f0f\u5176\u5b9e\u548cutmp\u5f88\u50cf\uff0c\u53ea\u662f\u6709\u4e9b\u8bb8\u533a\u522b\uff1a\u4e0d\u540c\u7684\u7b26\u53f7\u4ee3\u8868\u4e0d\u540c\u7684\u610f\u4e49\u3002wtmp\u8fd9\u4e2a\u6587\u4ef6\u662f\u7531login\/init\/\u548c\u67d0\u4e9b\u7248\u672c\u7684getty\u6765\u7ef4\u62a4\u7684\uff0c\u4f46\u5b83\u4eec\u5e76\u4e0d\u521b\u5efawtmp\u6587\u4ef6\uff0c\u6240\u4ee5\u4e00\u65e6wtmp\u6587\u4ef6\u88ab\u5220\u9664\uff0c\u5b83\u4eec\u7684\u8bb0\u5f55\u4e5f\u5c31\u88ab\u5173\u95ed\u4e86\u3002last\u547d\u4ee4\u7528\u8be5\u6587\u4ef6\u6765\u663e\u793a\u5386\u53f2\u4e0a\u7684\u7528\u6237\u767b\u9646\u60c5\u51b5}\n\nFILES\n \/var\/run\/utmp\n \/var\/log\/wtmp\n\nSEE ALSO\n ac(1), date(1), last(1), login(1), who(1), getutent(3), getutmp(3), login(3), logout(3), logwtmp(3), updwtmp(3), init(8)<\/pre>\n\u53c2\u8003\u94fe\u63a5\uff1a<\/h6>\n
\n
\nLinux-PAM Pam_Wheel Module getlogin() Username Spoofing Privileged Escalation Vulnerability<\/a><\/h6>\n
\n\n
\n Bugtraq ID:<\/td>\n 7929<\/td>\n<\/tr>\n \n Class:<\/td>\n Access Validation Error<\/td>\n<\/tr>\n \n CVE:<\/td>\n CVE-2003-0388<\/td>\n<\/tr>\n \n Remote:<\/td>\n No<\/td>\n<\/tr>\n \n Local:<\/td>\n Yes<\/td>\n<\/tr>\n \n Published:<\/td>\n Jun 16 2003 12:00AM<\/td>\n<\/tr>\n \n Updated:<\/td>\n Jul 11 2009 10:06PM<\/td>\n<\/tr>\n \n Credit:<\/td>\n The discovery of this vulnerability has been credited to Karol Wiesek (appelast@bsquad.sm.pl).<\/td>\n<\/tr>\n \n Vulnerable:<\/td>\n RedHat Linux 9.0 i386
\nRedHat Linux 7.3 i386
\nRedHat Enterprise Linux WS 2.1 IA64
\nRedHat Enterprise Linux WS 2.1
\nRedHat Enterprise Linux ES 2.1 IA64
\nRedHat Enterprise Linux ES 2.1
\nRedHat Advanced Workstation for the Itanium Processor 2.1 IA64
\nRedHat Advanced Workstation for the Itanium Processor 2.1
\nRed Hat Enterprise Linux AS 2.1 IA64
\nRed Hat Enterprise Linux AS 2.1
\nLinux-PAM Linux-PAM 0.77<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n