Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!bbn!bbn.com!ellard
From: ellard@bbn.com (Dan Ellard)
Newsgroups: comp.unix.wizards
Subject: Re: Learning about remote users
Summary: who(1) not enough
Message-ID: <37364@bbn.COM>
Date: 17 Mar 89 02:33:33 GMT
References: <199@minya.UUCP> <2124@helios.ee.lbl.gov>
Sender: news@bbn.COM
Reply-To: ellard@BBN.COM (Dan Ellard)
Organization: Bolt Beranek and Newman Inc., Cambridge MA
Lines: 31

In article <2124@helios.ee.lbl.gov> envbvs@epb6 (Brian V. Smith) writes:
>
> In article <199@minya.UUCP> jc@minya.UUCP (John Chambers) writes:
> >Suppose that you have a Unix system (BSD, Sys/V, Xenix, etc.) connected to
> >a network via the usual TCP-style networking, and you'd like to learn what
> >you can about who is logging in. The obvious thing to do is to insert some
>
>Yes, the program 'who' shows both the tty (pseudo-tty for remote login)
>and the originating machine in parentheses. This holds true for 4.2BSD,
>Ultrix and SunOS systems. I don't know about any others.

Unfortunately, the who program gets its information about the name
of the user logged in on each line from utmp, which (at least on
ULTRIX and SunOS 3.x) is publicly writable, so a clever user can
dupe the who, w, finger, and users programs.

/usr/adm/wtmp is usually more secure, since it is only written to
by login and init (run as daemons) and is not publicly writable. I
don't know if wtmp exists on SysV or Xenix, but I would be surprised
if something equivalent doesn't exist.

Your best bet is probably to write a new login program which kept
track of whatever info you wanted about each login, if you are
really serious about it.

Other things to look at: ps, which gives info about who is logged
in (reliably, as far as I know) and netstat, which tells which hosts
have network connections to your host (even though it doesn't say
who is logged in on them).

Good Luck!

-Dan

Dan Ellard
ellard@bbn.com
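
The post's two sources, utmp (what who reads) and ps, can be compared to flag utmp records that the process table contradicts. The following is an added example, not code from the post or its author; it assumes the Linux glibc utmp record layout and `ps -eo user,tty` style input, and the names logins, cross_check, record and the sample data are constructed for illustration.

```python
import struct

# Assumption: Linux glibc `struct utmp` layout (384 bytes per record). The
# systems named in the post used a smaller record; the cross-check is the same.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
USER_PROCESS = 7  # ut_type of a live login session in glibc's <utmp.h>

def _text(raw):
    """Decode a NUL-padded fixed-width utmp field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def logins(blob):
    """Return (user, line, host) for each login record in a utmp image."""
    out = []
    for off in range(0, len(blob) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(blob, off)
        if f[0] == USER_PROCESS:
            out.append((_text(f[4]), _text(f[2]), _text(f[5])))
    return out

def cross_check(blob, procs):
    """Compare utmp claims with (owner, tty) pairs as `ps -eo user,tty` gives."""
    owners = {}
    for owner, tty in procs:
        if tty != "?":  # "?" marks a process with no controlling terminal
            owners.setdefault(tty, set()).add(owner)
    findings, claimed = [], set()
    for user, line, _host in logins(blob):
        claimed.add(line)
        if line not in owners:
            findings.append((line, user, "utmp entry but no process on tty"))
        elif user not in owners[line]:
            findings.append((line, user, "tty processes belong to other users"))
    for tty in sorted(set(owners) - claimed):
        who = ",".join(sorted(owners[tty]))
        findings.append((tty, who, "processes but no utmp entry"))
    return findings

def record(user, line, host, pid=0, ut_type=USER_PROCESS):
    """Build one constructed utmp record for the sample below."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), *([0] * 9), b"")

# Constructed sample: one consistent record, one naming a user who owns nothing on that tty.
SAMPLE_UTMP = record("alice", "pts/0", "hostA") + record("root", "pts/1", "hostB")
SAMPLE_PS = [("alice", "pts/0"), ("mallory", "pts/1"), ("bob", "pts/2"), ("root", "?")]
```

A tty with processes but no utmp record is not always hostile (some terminal emulators and multiplexers do not register one), so treat that finding as a prompt to look, not a verdict.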