On Fri, 2010-02-05 at 16:52 -0800, Adam Williamson wrote:
> As I said, I don't understand much about them. i.e., I don't know what
> they're used for. i.e., flippant answers aren't terribly helpful. =) I
> am terribly sorry for only having shown up within the last decade or so,
> I fully appreciate this makes me a terrible Johnny-come-lately...
>
> I can guess from the commands referenced that one or both record recent
> login actions, yes?

utmp is the list of currently logged in users, along with what device they're logged in on, where they're logged in from (if it's a telnet/ssh kind of connection), how long they've been on, etc. wtmp is much the same except it's a historical record and contains login and logoff times. It also tends to contain entries for pseudousers for events like reboots, power loss, etc.

So utmp isn't especially privileged information; if you could get into the machine to read it at all, you could just as easily do "ps auwx | grep sh" or "ls -l /dev/pts" and get a pretty good idea of who's logged in. It's in /var/run, not /var/log, but the difference between log file and scoreboard is kind of academic in my mind. And there's a legitimate usage as well; it lets you know whether someone is available for talk(1) or write(1) messages, or whether you need to warn people before rebooting the machine.

wtmp might be considered "sensitive" by paranoid admin types. If you haven't rebooted in a while, you may be running an old kernel with a security hole; but uname would tell you that just as well. If you see someone always ssh's in from the same machine, you might infer that they've got some kind of magic ssh key that lets them log in from that machine passwordless, so you'd attack that one next; but again, netstat while they're logged in would tell you what machine they're coming from.

I tend to believe that if trivially observable behaviour is security-sensitive, you have two problems.

- ajax
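As an added illustration of the record structure described in the reply above (example code, not part of the original thread): a small Python parser for Linux utmp/wtmp records that decodes the per-line, per-host, per-time fields, lists live sessions the way who(1) would, and replays a wtmp-style history including the "reboot" pseudo-user entry. The glibc x86_64 record layout is an assumption about the host's <utmp.h>, and the sample records are constructed, not read from a real machine.

```python
import struct

# Layout of glibc's struct utmp on x86_64 Linux (384 bytes per record). This is
# an assumption about the host's <utmp.h>; other libcs lay the record out differently.
UTMP_FORMAT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)          # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8  # ut_type values from <utmp.h>

def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one constructed record (sample data, not read from a real host)."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode(errors="replace")

def parse_utmp(data):
    """Decode every complete fixed-size record; a trailing partial one is dropped."""
    out = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FORMAT, data, off)
        out.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                    "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return out

def replay(data):
    """Replay records in file order: USER_PROCESS opens a session on a line, DEAD_PROCESS
    on that line closes it, and a BOOT_TIME ("reboot" pseudo-user) entry closes them all.
    Returns (finished (user, line, host, login, logoff), still-open sessions, boot times)."""
    open_, done, boots = {}, [], []
    for r in parse_utmp(data):
        if r["type"] == BOOT_TIME:
            boots.append(r["time"])
            done += [(s["user"], l, s["host"], s["time"], r["time"])
                     for l, s in open_.items()]
            open_.clear()
        elif r["type"] == USER_PROCESS:
            open_[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_:
            s = open_.pop(r["line"])
            done.append((s["user"], r["line"], s["host"], s["time"], r["time"]))
    still_open = [(s["user"], l, s["host"], s["time"]) for l, s in open_.items()]
    return done, still_open, boots

# Constructed wtmp-style sample: one reboot, two logins, one logoff.
SAMPLE = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "2.6.32", 1265400000),
    make_record(USER_PROCESS, 4242, "pts/0", "alice", "10.0.0.5", 1265401000),
    make_record(USER_PROCESS, 4300, "tty1", "bob", "", 1265401200),
    make_record(DEAD_PROCESS, 4300, "tty1", "", "", 1265402000),
])
```

Pointing `parse_utmp` at the bytes of /var/run/utmp gives the live scoreboard; pointing `replay` at /var/log/wtmp reconstructs the login/logoff history and reboot times the message refers to.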
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel