[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[no subject]








 "http://www.w3.org/TR/html4/loose.dtd">

<li>date: Sat Apr 24 16:12:55 2004</li>
<li>from: dhurst at kennesaw.edu (Dow Hurst)</li>
<li>in-reply-to: <<a href="msg01060.html">[email protected]</a>></li>
<li>references: <<a href="msg00645.html">[email protected]</a>> <<a href="msg01037.html">[email protected]</a>> <<a href="msg01047.html">[email protected]</a>> <<a href="msg01060.html">[email protected]</a>></li> leak to occur, led me to the man page for utmp to remind myself what wrote
<li>subject: [ale] diagnosis</li>

Hope this helps you find out what is going on.
Dow



Here is a link to a forensic analysis explanation with an example.
<a  rel="nofollow" href="http://www.samag.com/documents/s=9053/sam0403e/0403e.htm";>http://www.samag.com/documents/s=9053/sam0403e/0403e.htm</a>



Here is the relevant excerpt from man page for utmp:

The first entries ever created result  from  init(8)  processing  init-
tab(5).   Before  an entry is processed, though, init(8) cleans up utmp
by setting ut_type to  DEAD_PROCESS,  clearing  ut_user,  ut_host,  and
ut_time  with null bytes for each record which ut_type is not DEAD_PRO-
CESS or RUN_LVL and where no process with PID  ut_pid  exists.   If  no
empty  record  with  the  needed ut_id can be found, init creates a new
one.  It sets ut_id from the inittab, ut_pid and ut_time to the current
values, and ut_type to INIT_PROCESS.

getty(8)  locates  the  entry by the pid, changes ut_type to LOGIN_PRO-
CESS, changes ut_time, sets ut_line, and waits  for  connection  to  be
established.   login(8),  after  a user has been authenticated, changes
ut_type to USER_PROCESS, changes ut_time, and sets ut_host and ut_addr.
Depending  on  getty(8) and login(8), records may be located by ut_line
instead of the preferable ut_pid.

When init(8) finds that a process has exited, it locates its utmp entry
by  ut_pid,  sets  ut_type to DEAD_PROCESS, and clears ut_user, ut_host
and ut_time with null bytes.

xterm(1) and other terminal emulators directly  create  a  USER_PROCESS
record  and  generate  the  ut_id  by  using  the  last  two letters of
/dev/ttyp%c or by using p%d for /dev/pts/%d.  If they find a  DEAD_PRO-
CESS  for  this id, they recycle it, otherwise they create a new entry.
If they can, they will mark it as DEAD_PROCESS on  exiting  and  it  is
advised  that they null ut_line, ut_time, ut_user, and ut_host as well.

xdm(8) should not create a utmp record, because there  is  no  assigned
terminal.   Letting  it create one will result in errors, such as ?fin-
ger: cannot stat /dev/machine.dom?.  It  should  create  wtmp  entries,
though, just like ftpd(8) does.

telnetd(8)  sets  up  a  LOGIN_PROCESS  entry  and  leaves  the rest to
login(8) as usual.  After the telnet session ends, telnetd(8) cleans up
utmp in the described way.


-- 
__________________________________________________________
Dow Hurst                  Office: 770-499-3428            *
Systems Support Specialist    Fax: 770-423-6744            *
1000 Chastain Rd. Bldg. 12                                 *
Chemistry Department SC428  Email:   dhurst at kennesaw.edu   *
Kennesaw State University         Dow.Hurst at mindspring.com *
Kennesaw, GA 30144                                         *
************************************************************
This message (including any attachments) contains          *
confidential information intended for a specific individual*
and purpose, and is protected by law.  If you are not the  *
intended recipient, you should delete this message and are *
hereby notified that any disclosure, copying, distribution *
of this message, or the taking of any action based on it,  *
is strictly prohibited.                                    *
************************************************************



</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00645" href="msg00645.html">[ale] diagnosis</a></strong>
<ul><li><em>From:</em> dcorbin at machturtle.com (David Corbin)</li></ul></li>
<li><strong><a name="01037" href="msg01037.html">[ale] diagnosis</a></strong>
<ul><li><em>From:</em> dcorbin at machturtle.com (David Corbin)</li></ul></li>
<li><strong><a name="01047" href="msg01047.html">[ale] diagnosis</a></strong>
<ul><li><em>From:</em> jkinney at localnetsolutions.com (James P. Kinney III)</li></ul></li>
<li><strong><a name="01060" href="msg01060.html">[ale] diagnosis</a></strong>
<ul><li><em>From:</em> dcorbin at machturtle.com (David Corbin)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
<!--X-BotPNI-->
<ul>
<li>Prev by Date:
<strong><a href="msg01073.html">[ale] QoS Question</a></strong>
</li>
<li>Next by Date:
<strong><a href="msg01075.html">[ale] BayStar wants SCO to repay loan</a></strong>
</li>
<li>Previous by thread:
<strong><a href="msg01079.html">[ale] diagnosis</a></strong>
</li>
<li>Next by thread:
<strong><a href="msg00781.html">[ale] diagnosis</a></strong>
</li>
<li>Index(es):
<ul>
<li><a href="maillist.html#01074"><strong>Date</strong></a></li>
<li><a href="threads.html#01074"><strong>Thread</strong></a></li>
</ul>
</li>
</ul>

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</body>
</html>

Prev by Date: [no subject]
Next by Date: [no subject]
Previous by thread: [no subject]
Next by thread: [no subject]
Index(es):
- Date
- Thread