utmp
utmp, wtmp, btmp and variants such as utmpx, wtmpx and btmpx are files on Unix-like systems that keep track of all logins and logouts to the system.
Format
utmp, wtmp and btmp
- utmp maintains a full accounting of the current status of the system, system boot time (used by uptime), recording user logins at which terminals, logouts, system events etc.
- wtmp acts as a historical utmp
- btmp records failed login attempts
These files are not regular text files, but rather a binary format which needs to be edited by specially crafted programs. The implementation and the fields present in the file differ depending of the system or the libc version, and are defined in the utmp.h header file. The wtmp and btmp format are exactly like utmp except that a null value for "username" indicates a logout on the associated terminal (the actual user name is located by finding the preceding login on that terminal). Furthermore, a value of "~" for terminal name with username "shutdown" or "reboot" indicates a system shutdown or reboot (respectively) and the pair of terminal names / logs the old/new system time when date changes it.
These files are not set by any given PAM module (such as pam_unix.so or pam_sss.so) but are set by the application performing the operation (e.g. mingetty, /bin/login, or sshd). As such it is the obligation of the program itself to record the utmp information.
utmpx, wtmpx and btmpx
Utmpx and wtmpx are extensions to the original utmp and wtmp, originating from Sun Microsystems. Utmpx is specified in POSIX. The utmp, wtmp and btmp files were never a part of any official Unix standard, such as Single UNIX Specification, while utmpx and corresponding APIs are part of it.[1][2] While some systems create different newer files for the utmpx variants and have deprecated/obsoleted former formats, this is not always the case. Linux for example uses the utmpx structure in the place of the older file strcture.
Location
Depending on the system, those files may commonly be found in different places (non-exhaustive list) :
Linux :
/var/run/utmp /var/log/wtmp /var/log/btmp
Solaris:
/var/adm/utmp (deprecated), /var/adm/utmpx /var/adm/wtmp (deprecated), /var/adm/wtmpx
HP-UX:
/etc/utmp (deprecated), /etc/utmpx /var/adm/wtmp (deprecated), /var/adm/wtmpx /var/adm/btmp (deprecated), /var/adm/btmpx
FreeBSD 9.0 introduced new files while adding support for utmpx:
/var/run/utx.active (replaces utmp) /var/log/utx.lastlogin (replaces lastlog) /var/log/utx.log (replaces wtmp)
Related commands
Different commands allow users to consult the information stored in those files, including who (which show current system users), last (which show last logged in users) and lastb (which show last failed login attempts, Linux-specific).
See also
References
External links
- : indicate last logins of users and ttys – FreeBSD General Commands Manual
- : login records – FreeBSD File Formats Manual
- : lshow listing of last logged in users – Linux User Commands Manual
- : login records – Linux Programmer's Manual – File Formats
- : display login and logout information about users and terminals – Solaris 10 User Commands Reference Manual
- : utmp and wtmp entry formats – Solaris 10 File Formats Reference Manual
- Solaris Trim wtmpx file