Login accounting is concerned with recording which users are currently logged in to the system, and recording past logins and logouts. This chapter looks at the login accounting files and the library functions used to retrieve and update the information they contain. We also describe the steps that an application providing a login service should perform in order to update these files when a user logs in and out.
UNIX systems maintain two data files containing information about users logging in and out of the system:
The utmp file maintains a record of users currently logged in to the system (as well as certain other information that we describe later). As each user logs in, a record is written to the utmp file. One of the fields in this record, ut_user, records the login name of the user. This record is later erased on logout. Programs such as who(1) use the information in the utmp file to display a list of currently logged-in users.
The wtmp file is an audit trail of all user logins and logouts (as well as certain other information that we describe later). On each login, a record containing the same information as is written to the utmp file is appended to the wtmp file. On logout, a further record is appended to the file. This record contains the same information, except that the ut_user field is zeroed out. The last(1) command can be used to display and filter the contents of the wtmp file.
On Linux, the utmp file resides at /var/run/utmp, and the wtmp file resides at /var/log/wtmp. In general, applications don’t need to know about these pathnames, since they are compiled into glibc. Programs that do need to refer to the locations of these files should use the _PATH_UTMP and _PATH_WTMP pathname constants, defined in <paths.h> (and <utmpx.h>), rather than explicitly coding pathnames into the program.
SUSv3 doesn’t standardize any symbolic names for the pathnames of the utmp and wtmp files. The names _PATH_UTMP and _PATH_WTMP are used on Linux and the BSDs. Many other UNIX implementations instead define the constants UTMP_FILE and WTMP_FILE for these pathnames. Linux also defines these names in <utmp.h>, but doesn’t define them in <utmpx.h> or <paths.h>.