This article was last updated on January 31, 2015, more than a year ago. If its content no longer holds, please let me know. Thank you!
I have recently become interested in auditing Linux systems (and, honestly, because it is part of an assignment), so I needed to learn how to locate the "culprit": out of many logged-in users, find the one who executed a malicious or unauthorized command.
Besides auditing the Bash history (recompiling Bash with its syslog feature enabled), you also need to identify the actual person, i.e. the user who was logged in before running sudo/su. Two commands are involved here: logname and who am i. That in turn dragged in the two files utmp and wtmp, which is how the notes below came about.
Search keywords:
Reference link:
Difference /var/run/utmp vs /var/log/wtmp Files In Linux
Logging is an essential part of the Linux based operating systems. The system maintains logs for activities on the system. Logs of users logged in and logged out are also maintained by the system. The files /var/run/utmp and /var/log/wtmp contain logs for logins and logouts. These two files are binary files. You cannot see them with any text editor or pager like ‘less’. Some commands use these files for their output.
/var/run/utmp file
This file contains information about the users who are currently logged onto the system. The ‘who’ command uses this file to display the logged in users:
$ who
root tty1 2012-12-26 11:53
raghu tty8 2012-12-26 03:00 (:0)
raghu pts/0 2012-12-26 11:02 (:0.0)
According to the utmp manual page:
The utmp file allows one to discover information about who is currently using the system. There may be more users currently using the system, because not all programs use utmp logging.
/var/log/wtmp file
This file is like a history for the utmp file, i.e. it maintains the logs of all users who logged in and logged out (in the past). The ‘last’ command uses this file to display a listing of the last logged in users.
$ last
raghu pts/0 :0.0 Wed Dec 26 11:02 still logged in
raghu tty8 :0 Wed Dec 26 03:00 still logged in
reboot system boot 3.5.0-17-generic Wed Dec 26 03:00 - 11:30 (08:29)
raghu pts/0 :0.0 Wed Dec 26 02:18 - 02:20 (00:01)
raghu tty8 :0 Tue Dec 25 18:36 - down (07:44)
reboot system boot 3.5.0-17-generic Tue Dec 25 18:35 - 02:21 (07:45)
raghu pts/0 :0.0 Tue Dec 25 14:36 - 14:38 (00:02)
raghu pts/0 :0.0 Tue Dec 25 13:33 - 14:14 (00:40)
root pts/0 :0.0 Tue Dec 25 13:25 - 13:25 (00:00)
root pts/0 :0.0 Tue Dec 25 13:23 - 13:23 (00:00)
root pts/0 :0.0 Tue Dec 25 13:21 - 13:21 (00:00)
---output truncated---
wtmp begins Mon Nov 5 21:10:35 2012
According to the wtmp manual page:
The wtmp file records all logins and logouts. Its format is exactly like utmp except that a null username indicates a logout on the associated terminal. Furthermore, the terminal name ~ with username shutdown or reboot indicates a system shutdown or reboot and the pair of terminal names |/} logs the old/new system time when date(1) changes it. wtmp is maintained by login(1), init(8), and some versions of getty(8) (e.g., mingetty(8) or agetty(8)). None of these programs creates the file, so if it is removed, record-keeping is turned off.
/var/log/btmp file
Another important file related to user logins is /var/log/btmp. This file contains bad login attempts{the /var/log/btmp file records failed login attempts and can be viewed with the lastb command}. This file is used by the ‘lastb’ command:
$ lastb
raghu tty8 :0 Fri Dec 21 06:36 - 06:36 (00:00)
root tty1 Tue Dec 11 14:14 - 14:14 (00:00)
raghu tty7 :0 Mon Dec 10 18:51 - 18:51 (00:00)
==
NAME
utmp, wtmp - login records
SYNOPSIS
#include <utmp.h>
DESCRIPTION
The utmp file allows one to discover information about who is currently using the system. There may be more users currently using the system, because not all programs use utmp logging.
Warning: utmp must not be writable by the user class "other", because many system programs (foolishly) depend on its integrity. You risk faked system logfiles and modifications of system files if you leave utmp writable to any user other than the owner and group owner of the file.
{The utmp file lets you discover who is currently using the system, but some users may be missed, because not all programs log to utmp. Warning: utmp must never be made writable by "other", because some idiotic programs depend on the integrity of the utmp file, so making utmp writable is equivalent to putting the whole system at risk! The who command uses this file to display its information}
==
The wtmp file records all logins and logouts. Its format is exactly like utmp except that a null username indicates a logout on the associated terminal. Furthermore, the terminal name ~ with username shutdown or reboot indicates a system shutdown or reboot and the pair of terminal names |/} logs the old/new system time when date(1) changes it. wtmp is maintained by login(1), init(8), and some versions of getty(8) (e.g., mingetty(8) or agetty(8)). None of these programs creates the file, so if it is removed, record-keeping is turned off.{The wtmp file records every login and logout operation. Its format is actually very similar to utmp, with only small differences: particular symbols carry particular meanings. The wtmp file is maintained by login, init and certain versions of getty, but none of them creates it, so once the wtmp file is deleted their record-keeping is switched off. The last command uses this file to display the history of user logins}
FILES
/var/run/utmp
/var/log/wtmp
SEE ALSO
ac(1), date(1), last(1), login(1), who(1), getutent(3), getutmp(3), login(3), logout(3), logwtmp(3), updwtmp(3), init(8)
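As an added example (not code from the original post or the linked article): a small Python parser for the binary utmp/wtmp record format that applies the conventions described in the man page excerpt above to constructed sample records. It assumes the glibc x86-64 layout of struct utmp; the records, PIDs and timestamps are made up for the example.

```python
import struct
from datetime import datetime, timezone

# Layout of struct utmp as glibc defines it on x86-64 Linux (384 bytes per record);
# assumption: the file was written by a system with this ABI, other ABIs differ.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
(EMPTY, RUN_LVL, BOOT_TIME, NEW_TIME, OLD_TIME,
 INIT_PROCESS, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS) = range(9)

def cstr(raw):  # decode a NUL-padded fixed-width field
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_records(data):  # yield one dict per fixed-size record in a utmp/wtmp blob
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": cstr(f[2]), "id": cstr(f[3]),
               "user": cstr(f[4]), "host": cstr(f[5]), "time": f[9]}

def classify(rec):
    """utmp(5) conventions: '~' + shutdown/reboot = system event, '|' / '}' = old/new
    time around a date(1) change, null user (or DEAD_PROCESS) = logout."""
    if rec["line"] == "~" and rec["user"] in ("shutdown", "reboot"):
        return rec["user"]
    if rec["line"] in ("|", "}"):
        return "old time" if rec["line"] == "|" else "new time"
    if rec["type"] == USER_PROCESS:
        return "login"
    if rec["type"] == DEAD_PROCESS or rec["user"] == "":
        return "logout"
    return "other"

def make_record(ut_type, user, line, host="", pid=0, ts=0):  # pack one record (sample data only)
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")

# Constructed wtmp content (not a real capture); times mirror the 'last' listing above.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, "reboot", "~", "3.5.0-17-generic", ts=1356490800),
    make_record(USER_PROCESS, "raghu", "pts/0", ":0.0", pid=4242, ts=1356519720),
    make_record(DEAD_PROCESS, "", "pts/0", pid=4242, ts=1356519840),
    make_record(OLD_TIME, "", "|", ts=1356520000),
    make_record(NEW_TIME, "", "}", ts=1356520100),
    make_record(RUN_LVL, "shutdown", "~", ts=1356521000),
])

def timeline(data):  # (event, user, line, UTC time) tuples, roughly what last(1) prints
    return [(classify(r), r["user"], r["line"],
             datetime.fromtimestamp(r["time"], timezone.utc).strftime("%Y-%m-%d %H:%M"))
            for r in parse_records(data)]
```

The parser sees exactly what who(1) and last(1) see, so it inherits the integrity warning from the man page: any process that can write the file can insert or blank a record, which is why the post treats utmp-derived answers with caution.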
==
Reference link:
Both the logname command and the getlogin() function take their information from the utmp file. But utmp can be modified, so in practice neither getlogin() nor getpwuid(getuid()) can be trusted. Although utmp can only be modified by a user who has elevated privileges (after sudo/su), there are always programs such as screen (setgid programs) that can configure or modify its contents, and historically the utmp file has occasionally become corrupted. So don't rely on it; it is not secure.
Moreover, the getlogin() function has had a local privilege escalation vulnerability: CVE-2003-0388, and an exploit for it has existed for a long time (but I tested it on several Linux versions without success; perhaps because I had no physical console, i.e. tty1 rather than pts/0?).
Bugtraq ID: 7929
Class: Access Validation Error
CVE: CVE-2003-0388
Remote: No
Local: Yes
Published: Jun 16 2003 12:00AM
Updated: Jul 11 2009 10:06PM
Credit: The discovery of this vulnerability has been credited to Karol Wiesek (appelast@bsquad.sm.pl).
Vulnerable:
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Linux-PAM Linux-PAM 0.77
=EOF=