* Ted Harding (Ted.Harding@nessie.mcc.ac.uk) wrote:
Hi Folks,
On one (A) of my 3 running machines, I noticed that 'ls -ls' on /var/log shows:
A: 44 -r-------- 1 root root 19136220 Oct 30 10:52 lastlog
which is inconsistent: 44K according to $1, but 19136220 bytes (19MB) according to $6. The latter is enormous! However, it seems that it has some validity, since
# cat lastlog | wc -c 19136220
gives the same result, here obtained by byte-counting the output of 'cat'. This first got me wondering if the lastlog file or its inode contents were corrupted.
We have here a sparse file; one of the more useful but slightly confusing features of Unix. If you start with an empty file, 'seek' a few GB into the file and write one byte you'll actually only store one block of data for the file (oh and a handful of other data saying where it is). Now in this case the empty space normally reads as zero; normal programs just read these zeros without knowing that there is anything special about the file (and so if you copy a sparse file without doing special stuff you suddenly increase the disc usage!).
Now what lastlog does is that it stores a block of data for each user of 292 bytes in length (struct lastlog); and it stores those at offset: uid * sizeof(struct lastlog)
in the file.
B: 3 -rw------- 1 root root 12216 Nov 6 15:32 faillog 3 -rw-r--r-- 1 root root 16128 Nov 6 15:32 lastlog
Did you ever log into that other than as root? Or perhaps you have a user with uid 54?
C: 8 -rw------- 1 root root 12072 Nov 4 13:17 faillog 16 -rw-r--r-- 1 root tty 146876 Nov 4 13:17 lastlog
I'm guessing you have a user on here with uid 502? (146876/292).
So now we come to the monster file; 19136220 / 292=65535 that is odd. That suggests that there is an entry in lastlog for user 65534 or 65535 - have you ever logged onto the machine as 'nobody'?
Dave -----Open up your eyes, open up your mind, open up your code ------- / Dr. David Alan Gilbert | Running GNU/Linux on Alpha,68K| Happy \ \ gro.gilbert @ treblig.org | MIPS,x86,ARM,SPARC,PPC & HPPA | In Hex / \ _________________________|_____ http://www.treblig.org |_______/