utmpd(1M) DG/UX B2 Security R4.12MU02 utmpd(1M)
NAME
utmpd - Update the system utmp and wtmp files.
SYNOPSIS
utmpd
DESCRIPTION
utmpd is a system daemon which updates the files /var/adm/utmp and
/var/adm/wtmp on behalf of processes which do not have sufficient
privilege to do it themselves. It allows both the addition and
removal of records in the utmp file; the corresponding wtmp entries
are made automatically by the daemon, based on the requested utmp
record, so the user process only needs to deal directly with the
utmp record. However, since it allows this to be done without use
of privilege, there are substantial restrictions on what it will do.
Supported Functions
Adding a utmp record
utmpd allows processes to add new utmp records to the system
utmp file. It enforces tight constraints on the data the
process is allowed to enter in its record. The username
submitted must be the process' own username, and the ttyname
must be the process' actual controlling tty. The hostname and
id_prefix fields are free-form text. Other fields of the utmp
record, such as process id, record type, and current time are
filled in directly by the daemon without any input from the
submitting process. When a new utmp record is added, a new
wtmp entry is made automatically.
Removing a utmp record
utmpd allows processes to remove utmp records from the system
utmp file. A process is only allowed to remove records which
it or one of its child processes created. The utmp daemon
will only remove utmp entries which it created itself. When a
utmp entry is removed, the corresponding wtmp entry is also
updated.
Reading the utmp file
utmpd does not provide a mechanism for reading the utmp file.
The traditional UNIX library call getutent(3C) remains for
this purpose. The wtmp file can be read with the last(1)
command.
Complete documentation on the library routines which provide access
to these functions of the utmp daemon is available on the
utmpdlibrary(3) man page.
Auditing
On a system configured for auditing, utmpd audits all requests which
are either completed successfully or rejected for security reasons
(requests which fail for system-related reasons, such as lack of
available memory, are reported to the administrator via the syslog
mechanism but are not audited). Both adding a new record and
removing a record are subject to auditing and will be tagged with
audit class "UTMPD". A record being added will be audited under the
event "UTMPD_ADD_UTMP_RECORD", while one being removed will have the
event "UTMPD_REMOVE_UTMP_RECORD". All data supplied by the user
program, as well as the process id of the submitting process, is
recorded in the audit record. The following are some sample audit
records:
AUDIT RECORD:
time: Wed Jul 31 14:39:57.640010 1996
authid=0, pid=1840
class=UTMPD(119), event=UTMPD_ADD_UTMP_RECORD(108), reason=CS(4), errno=0
Event specific:
data as integers: 1847
data as strings: 'proto'
data as strings: 'xt'
data as strings: 'pts/4'
data as strings: 'somehost'
The above audit record indicates that the process with pid 1847 successfully
added a new utmp record with a username field of "proto", an id field of "xt"
(indicating that the program creating the record was xterm(1)), a
ttyname field of "pts/4", and a hostname field
of "somehost".
AUDIT RECORD:
time: Wed Jul 31 14:40:02.960010 1996
authid=0, pid=1840
class=UTMPD(119), event=UTMPD_REMOVE_UTMP_RECORD(109), reason=CS(4), errno=0
Event specific:
data as integers: 1847
data as integers: 0
data as integers: 0
This audit record shows that the same process' entry was subsequently removed
successfully, with termination and exit status values both 0 (termination is
the one which is listed first).
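As an added example (not part of this man page or of DG/UX), the following Python parser reads audit records in the layout shown above and pairs each UTMPD_ADD_UTMP_RECORD with the UTMPD_REMOVE_UTMP_RECORD for the same client pid (the first "data as integers" value of both events), so a reviewer can list sessions and spot entries that were added but never removed. The order of the event-specific fields is taken from the two sample records, and the input is those same two records embedded as constructed text.

```python
import re
# Constructed input: the two sample audit records shown on this man page.
SAMPLE_AUDIT_LOG = """AUDIT RECORD:
time: Wed Jul 31 14:39:57.640010 1996
authid=0, pid=1840
class=UTMPD(119), event=UTMPD_ADD_UTMP_RECORD(108), reason=CS(4), errno=0
Event specific:
data as integers: 1847
data as strings: 'proto'
data as strings: 'xt'
data as strings: 'pts/4'
data as strings: 'somehost'
AUDIT RECORD:
time: Wed Jul 31 14:40:02.960010 1996
authid=0, pid=1840
class=UTMPD(119), event=UTMPD_REMOVE_UTMP_RECORD(109), reason=CS(4), errno=0
Event specific:
data as integers: 1847
data as integers: 0
data as integers: 0
"""
HDR_RE = re.compile(r"(\w+)[=:]\s*([^,]+)")  # time: ..., authid=0, pid=1840, class=..., ...
DATA_RE = re.compile(r"^data as (integers|strings): (.*)$")  # Event specific lines

def parse_audit_log(text):
    """One dict per record: header fields by name plus ordered 'integers'/'strings'."""
    records = []
    for chunk in text.split("AUDIT RECORD:")[1:]:
        rec = {"integers": [], "strings": []}
        for line in map(str.strip, chunk.splitlines()):
            if m := DATA_RE.match(line):
                kind, value = m.groups()
                rec[kind].append(int(value) if kind == "integers" else value.strip("'"))
            else:  # "Event specific:" carries no value and yields nothing here
                rec.update(HDR_RE.findall(line))
        records.append(rec)
    return records

def sessions(records):
    """Pair ADD/REMOVE by client pid (first integer); no 'removed' key means never cleaned up."""
    out = {}
    for rec in records:
        pid, event = rec["integers"][0], rec["event"]
        if event.startswith("UTMPD_ADD_UTMP_RECORD"):
            user, id_prefix, tty, host = rec["strings"]  # string data order from the sample
            out[pid] = dict(added=rec["time"], user=user, id=id_prefix, tty=tty, host=host)
        elif event.startswith("UTMPD_REMOVE_UTMP_RECORD"):
            term, status = rec["integers"][1:3]  # termination status, then exit status
            out.setdefault(pid, {}).update(removed=rec["time"], term=term, exit=status)
    return out
```

Running sessions(parse_audit_log(SAMPLE_AUDIT_LOG)) yields one entry for pid 1847 carrying both the add and remove times; a real log with an add and no matching remove would leave that entry without a 'removed' key.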
FILES
/var/adm/utmp    A series of binary records describing active sessions
                 on the system.
/var/adm/wtmp    A series of binary records describing past sessions on
                 the system.
SEE ALSO
last(1), who(1), getut(3), utmpdlibrary(3).
Licensed material--property of copyright holder(s)