NFS notes:
http://www.unixcircle.com/features/nfs.php
/var/adm/lastlog:
-- contains last login times/dates for users (printed at login)
-- looks big, isn't :
[root@eric simonh]# ls -l /var/adm/lastlog*
-r--r--r-- 1 root root 2177777784 Sep 24 12:14 /var/adm/lastlog
[root@eric simonh]# du /var/adm/lastlog
96 /var/adm/lastlog
[root@eric simonh]#
-- actually a Unix sparse file
-- why so big?
???
-- contains an entry for all uids even if no corresponding user???
-- so with vip users 1--200 say, users 500-32000 say, and odd users
created at random with uid 7777777, say, it will be big... ???
???
Date: Sun, 7 Nov 2004 12:29:26 +0000
From: "Dr. David Alan Gilbert"
To: Ted Harding
Cc: linux-users@lists.man.ac.uk, main@lists.alug.org.uk
Subject: Re: [linux-users] lastlog puzzle
X-Chocolate: 70 percent or better cocoa solids preferably
X-Operating-System: Linux/2.6.5 (i686)
X-Uptime: 12:18:13 up 1 day, 19 min, 1 user, load average: 0.06, 0.16, 0.11
User-Agent: Mutt/1.5.6+20040907i
X-Scanner: exiscan for exim4 (http://duncanthrax.net/exiscan/) *1CQmAh-0005vv-2x*avfsO5HJfK6*
X-UoM: Scanned by the University Mail System. See http://www.mcc.ac.uk/cos/email/scanning for details.
Sender: linux-users-admin@lists.man.ac.uk
X-Scanner: exiscan for exim4 (http://duncanthrax.net/exiscan/) *1CQmBH-000K1Y-8Z*2CA5l8uMWHo*
* Ted Harding (Ted.Harding@nessie.mcc.ac.uk) wrote:
> Hi Folks,
>
> On one (A) of my 3 running machines, I noticed that 'ls -ls'
> on /var/log shows:
>
> A:
> 44 -r-------- 1 root root 19136220 Oct 30 10:52 lastlog
>
> which is inconsistent: 44K according to $1, but 19136220 bytes
> (19MB) according to $6. The latter is enormous! However, it
> seems that it has some validity, since
>
> # cat lastlog | wc -c
> 19136220
>
> gives the same result, here obtained by byte-counting the
> output of 'cat'. This first got me wondering if the lastlog
> file or its inode contents were corrupted.
We have here a sparse file; one of the more useful but
slightly confusing features of Unix. If you start with an
empty file, 'seek' a few GB into the file and write one byte
you'll actually only store one block of data for the file
(oh and a handful of other data saying where it is).
Now in this case the empty space normally reads as zero;
normal programs just read these zeros without knowing that
there is anything special about the file (and so if you
copy a sparse file without doing special stuff you suddenly
increase the disc usage!).
Now what lastlog does is that it stores a block of
data for each user of 292 bytes in length (struct lastlog);
and it stores those at offset:
uid * sizeof(struct lastlog)
in the file.
> B:
> 3 -rw------- 1 root root 12216 Nov 6 15:32 faillog
> 3 -rw-r--r-- 1 root root 16128 Nov 6 15:32 lastlog
Did you ever log into that other than as root?
Or perhaps you have a user with uid 54?
> C:
> 8 -rw------- 1 root root 12072 Nov 4 13:17 faillog
> 16 -rw-r--r-- 1 root tty 146876 Nov 4 13:17 lastlog
I'm guessing you have a user on here with uid 502?
(146876/292).
So now we come to the monster file; 19136220 / 292=65535
that is odd. That suggests that there is an entry in lastlog
for user 65534 or 65535 - have you ever logged onto the machine
as 'nobody'?
Dave
-----Open up your eyes, open up your mind, open up your code -------
/ Dr. David Alan Gilbert | Running GNU/Linux on Alpha,68K| Happy \
\ gro.gilbert @ treblig.org | MIPS,x86,ARM,SPARC,PPC & HPPA | In Hex /
\ _________________________|_____ http://www.treblig.org |_______/
http://lists.man.ac.uk/mailman/listinfo/linux-users