NFS notes: http://www.unixcircle.com/features/nfs.php
/var/adm/lastlog: -- contains last login times/dates for users (printed at login) -- looks big, isn't : [root@eric simonh]# ls -l /var/adm/lastlog* -r--r--r-- 1 root root 2177777784 Sep 24 12:14 /var/adm/lastlog [root@eric simonh]# du /var/adm/lastlog 96 /var/adm/lastlog [root@eric simonh]# -- actually a Unix sparse file -- why so big? ??? -- contains an entry for all uids even if no corresponding user??? -- so with vip users 1--200 say, users 500-32000 say, and odd users created at random with uid 7777777, say, it will be big... ??? ???
Date: Sun, 7 Nov 2004 12:29:26 +0000 From: "Dr. David Alan Gilbert"
To: Ted Harding Cc: firstname.lastname@example.org, email@example.com Subject: Re: [linux-users] lastlog puzzle X-Chocolate: 70 percent or better cocoa solids preferably X-Operating-System: Linux/2.6.5 (i686) X-Uptime: 12:18:13 up 1 day, 19 min, 1 user, load average: 0.06, 0.16, 0.11 User-Agent: Mutt/1.5.6+20040907i X-Scanner: exiscan for exim4 (http://duncanthrax.net/exiscan/) *1CQmAh-0005vv-2x*avfsO5HJfK6* X-UoM: Scanned by the University Mail System. See http://www.mcc.ac.uk/cos/email/scanning for details. Sender: firstname.lastname@example.org X-Scanner: exiscan for exim4 (http://duncanthrax.net/exiscan/) *1CQmBH-000K1Y-8Z*2CA5l8uMWHo* * Ted Harding (Ted.Harding@nessie.mcc.ac.uk) wrote: > Hi Folks, > > On one (A) of my 3 running machines, I noticed that 'ls -ls' > on /var/log shows: > > A: > 44 -r-------- 1 root root 19136220 Oct 30 10:52 lastlog > > which is inconsistent: 44K according to $1, but 19136220 bytes > (19MB) according to $6. The latter is enormous! However, it > seems that it has some validity, since > > # cat lastlog | wc -c > 19136220 > > gives the same result, here obtained by byte-counting the > output of 'cat'. This first got me wondering if the lastlog > file or its inode contents were corrupted. We have here a sparse file; one of the more useful but slightly confusing features of Unix. If you start with an empty file, 'seek' a few GB into the file and write one byte you'll actually only store one block of data for the file (oh and a handful of other data saying where it is). Now in this case the empty space normally reads as zero; normal programs just read these zeros without knowing that there is anything special about the file (and so if you copy a sparse file without doing special stuff you suddenly increase the disc usage!). Now what lastlog does is that it stores a block of data for each user of 292 bytes in length (struct lastlog); and it stores those at offset: uid * sizeof(struct lastlog) in the file. > B: > 3 -rw------- 1 root root 12216 Nov 6 15:32 faillog > 3 -rw-r--r-- 1 root root 16128 Nov 6 15:32 lastlog Did you ever log into that other than as root? Or perhaps you have a user with uid 54? > C: > 8 -rw------- 1 root root 12072 Nov 4 13:17 faillog > 16 -rw-r--r-- 1 root tty 146876 Nov 4 13:17 lastlog I'm guessing you have a user on here with uid 502? (146876/292). So now we come to the monster file; 19136220 / 292=65535 that is odd. That suggests that there is an entry in lastlog for user 65534 or 65535 - have you ever logged onto the machine as 'nobody'? Dave -----Open up your eyes, open up your mind, open up your code ------- / Dr. David Alan Gilbert | Running GNU/Linux on Alpha,68K| Happy \ \ gro.gilbert @ treblig.org | MIPS,x86,ARM,SPARC,PPC & HPPA | In Hex / \ _________________________|_____ http://www.treblig.org |_______/ http://lists.man.ac.uk/mailman/listinfo/linux-users