On 07-Nov-04 Dr. David Alan Gilbert wrote:
- Ted Harding (Ted.Harding@nessie.mcc.ac.uk) wrote:
Hi Folks,
On one (A) of my 3 running machines, I noticed that 'ls -ls' on /var/log shows:
A: 44 -r-------- 1 root root 19136220 Oct 30 10:52 lastlog
[...] We have here a sparse file; one of the more useful but slightly confusing features of Unix. If you start with an empty file, 'seek' a few GB into the file and write one byte you'll actually only store one block of data for the file (oh and a handful of other data saying where it is). Now in this case the empty space normally reads as zero; normal programs just read these zeros without knowing that there is anything special about the file (and so if you copy a sparse file without doing special stuff you suddenly increase the disc usage!).
Now what lastlog does is that it stores a block of data for each user of 292 bytes in length (struct lastlog); and it stores those at offset uid * sizeof(struct lastlog) in the file.
Dave, thanks for an illuminating explanation and especially the pointer to the offset calculation, and how the file size depends on the largest uid that has logged in! Most helpful and useful.
B: 3 -rw------- 1 root root 12216 Nov 6 15:32 faillog
   3 -rw-r--r-- 1 root root 16128 Nov 6 15:32 lastlog
Did you ever log into that other than as root? Or perhaps you have a user with uid 54?
Hmmm -- I have uids in /etc/passwd in the range 500-508, and I regularly log in with uids 500 and 503.
C: 8 -rw------- 1 root root 12072 Nov 4 13:17 faillog
   16 -rw-r--r-- 1 root tty 146876 Nov 4 13:17 lastlog
I'm guessing you have a user on here with uid 502? (146876/292).
Here 500-502, so it's consistent!
So now we come to the monster file; 19136220 / 292=65535 that is odd. That suggests that there is an entry in lastlog for user 65534 or 65535 - have you ever logged onto the machine as 'nobody'?
User "nobody" has uid 99 on this machine. However, there is an "nfsnobody" with uid 65534, but to my memory I've not logged in as such on this machine. However, it may be that some process started up by the machine itself (Red Hat 9) does this. I've certainly hooked the machine up to nfs many times.
However, the 'lastlog' program gives:
nobody **Never logged in**
[...]
nfsnobody **Never logged in**
Anyway, all very interesting! Thanks.
Ted.
--------------------------------------------------------------------
E-Mail: (Ted Harding) Ted.Harding@nessie.mcc.ac.uk
Fax-to-email: +44 (0)870 094 0861 [NB: New number!]
Date: 07-Nov-04 Time: 14:05:33
------------------------------ XFMail ------------------------------
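
The offset arithmetic discussed in this thread, as an added example (not code from either poster): it builds a constructed sparse lastlog, then reports apparent size, allocated bytes, the highest uid slot and the uids that actually hold an entry. The function names are hypothetical, and the record layout (little-endian 32-bit time, 32-byte tty line, 256-byte host, 292 bytes in total) is assumed from the glibc struct lastlog.

```python
import os
import struct
import tempfile

# Assumed layout of struct lastlog: int32 time, char line[32], char host[256].
RECORD = struct.Struct("<i32s256s")  # 4 + 32 + 256 = 292 bytes, as in the thread

def write_entry(path, uid, when, line, host=b""):
    """Write one record at uid * 292, leaving a hole in front of it."""
    with open(path, "r+b") as f:
        f.seek(uid * RECORD.size)
        f.write(RECORD.pack(when, line, host))

def summarize(path):
    """Return apparent size, allocated bytes, top uid slot and used uids."""
    st = os.stat(path)
    used = []
    with open(path, "rb") as f:
        uid = 0
        while True:
            raw = f.read(RECORD.size)
            if len(raw) < RECORD.size:
                break
            when, line, _host = RECORD.unpack(raw)
            if when != 0:  # an all-zero slot reads as "never logged in"
                used.append((uid, when, line.rstrip(b"\0").decode()))
            uid += 1
    return {
        "apparent": st.st_size,            # what 'ls -l' shows
        "allocated": st.st_blocks * 512,   # what 'ls -s' / du account for
        "top_uid": st.st_size // RECORD.size - 1,
        "used": used,
    }

def build_sample():
    """Constructed sample data, not taken from the machines in the thread."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    write_entry(path, 500, 1099738320, b"tty1")
    write_entry(path, 65534, 1099130000, b"pts/0")
    return path

if __name__ == "__main__":
    sample = build_sample()
    print(summarize(sample))
    os.remove(sample)
```

Run against a copy of a real lastlog, top_uid shows which uid slot set the file size, even when that slot itself reads as never logged in.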