Path: utzoo!attcan!telly!eci386!ecicrl!clewis
From: clewis@ferret.ocunix.on.ca (Chris Lewis)
Newsgroups: comp.unix.admin
Subject: Re: Overflowing wtmp
Keywords: solution, C, mail me for a copy
Message-ID: <1244@ecicrl.ocunix.on.ca>
Date: 30 Jan 91 19:58:50 GMT
References: <705@camco.Celestial.COM> <338@alchemy.UUCP> <120587@uunet.UU.NET> <1991Jan30.124501.6670@mp.cs.niu.edu>
Organization: Elegant Communications Inc., Ottawa, Canada
Lines: 57

In article <1991Jan30.124501.6670@mp.cs.niu.edu> rickert@mp.cs.niu.edu (Neil Rickert) writes:
>In article <120587@uunet.UU.NET> rbj@uunet.UU.NET (Root Boy Jim) writes:
>>In article <338@alchemy.UUCP> bbs@alchemy.UUCP (BBS Administration) writes:
>>>a copy of my "wsize" program...
>>>... I run it as a "root" crontask on the 1st and 15th
>>Tsk tsk, overkill. How about a range of 2000 to 3000 records? Try
>>
>>	#! /bin/sh
>>	cd /usr/adm
>>	split wtmp
>>	set x?? /dev/null /dev/null /dev/null /dev/null
>>	shift `expr $# - 3`
>>	cat $* > xxx
>>	mv xxx wtmp
>>	rm -f x??

> Hey. That's neat. But what do we do if we have a 'split' that wants to
>break the file based on lines, and a 'wtmp' that doesn't contain lines?

I wonder if he's tried this... Nifty trick with the set's. You must
therefore have a version of UNIX that keeps wtmps in ASCII format. I didn't
know that there was one.

Another problem: on many systems where wtmp is held open all of the time
(System V), the "mv" will result in the new wtmp not being written to at
all, and /etc/init will continue to write to a file that's been unlinked -
so you can't see it, but it's still there and growing.

And finally, even if your version of split works on binaries (which I
doubt), you have to make sure that split cuts on a record boundary.

You can do the split with a loop using dd "skip" and "count" and "bs="
options. "bs" has to be a multiple of the wtmp record size. Grotty, slow,
but it works.

Unfortunately, you cannot replace the wtmp like this on System V, you
either have to tell init to reopen wtmp (there's an accounting program that
does this), or clobber it completely, ala:

	> wtmp

On System V, you can turn on the accounting sufficiently that the wtmp
pruner works properly, but the rest of the accounting (process accounting
records) isn't being done, so you don't get accounting overhead.

In some software we've written commercially, we first try to run the
accounting stuff to clear the wtmp, only resorting to:

	cp /etc/wtmp /etc/wtmp.old
	> /etc/wtmp

If the accounting software is obviously not managing to keep wtmp below a
threshold (ie: accounting ain't there, or it ain't running).

Actually, if my memory serves, the UNIX accounting software cuts it over
like this, and arranges to process the old wtmps into more useful (and
compact) forms, but still completely wipes the existing wtmp.
-- 
Chris Lewis, Phone: (613) 832-0541, Internet: clewis@ferret.ocunix.on.ca
UUCP: uunet!mitel!cunews!latour!ecicrl!clewis
Moderator of the Ferret Mailing List (ferret-request@eci386)
Psroff enquiries: psroff-request@eci386, current patchlevel is *7*.
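
The two points made in the post above (cut with dd on a record boundary, and overwrite the file through redirection instead of "mv" so a process holding it open keeps writing to the visible file) combined in one shell function. This is an added example, not part of the original post or of any accounting package; the name trim_records and its arguments are chosen here, and the record size is platform-specific and must be supplied by the caller.

```shell
#!/bin/sh
# Added example: keep only the newest KEEP fixed-size records of a binary
# log such as wtmp, rewriting the file in place so its inode is preserved.
# usage: trim_records FILE RECSIZE KEEP   (names are this example's own)

trim_records() {
    file=$1 recsize=$2 keep=$3

    size=$(wc -c < "$file") || return 1
    size=$((size + 0))        # normalise padding some wc versions emit

    # Refuse a file that is not a whole number of records: either RECSIZE
    # is wrong for this platform or a record is being written right now.
    if [ $((size % recsize)) -ne 0 ]; then
        echo "trim_records: $file is not a multiple of $recsize bytes" >&2
        return 2
    fi

    total=$((size / recsize))
    if [ "$total" -le "$keep" ]; then
        return 0              # already at or below the limit
    fi

    # mktemp creates the copy mode 0600, so login records are not exposed.
    tmp=$(mktemp "${file}.trim.XXXXXX") || return 1

    # bs is the record size and skip counts whole records, so the cut
    # always lands on a record boundary.
    if ! dd if="$file" of="$tmp" bs="$recsize" \
            skip=$((total - keep)) 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi

    # Redirection truncates and refills the existing inode; "mv" would
    # leave the writer attached to an unlinked file.
    cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Records appended between the dd copy and the overwrite are lost, so run it when login activity is low and archive the old file first if the history is needed for audit.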