There are many ways to do this, but none of them is simple (I guess).
1. Try creating linked lists (if you want to store many things) or an array which you can search easily from a certain entry.
2. Then, there are many ways of seeing who's online:
2.1 You can check the activity of terminals in /dev (but that won't do for nasty users who detach their backdoor/exploit from the terminal)
2.2 You can have something more accurate by continually reading /proc and having an active list of which users are running at least ONE program (pushing and pop'ing to/from the array/linked lists) -- will mess with cron, phpsuexec, suphp, suexec, and any other program that runs with the user's UID (false positives)
2.3 You can #include <utmp.h>, and use the utmp struct which holds everything you need:
Code:
struct utmp {
short ut_type; /* type of login */
pid_t ut_pid; /* PID of login process */
char ut_line[UT_LINESIZE]; /* device name of tty - "/dev/" */
char ut_id[4]; /* init id or abbrev. ttyname */
char ut_user[UT_NAMESIZE]; /* user name */
char ut_host[UT_HOSTSIZE]; /* hostname for remote login */
struct exit_status ut_exit; /* The exit status of a process
marked as DEAD_PROCESS */
/* The ut_session and ut_tv fields must be the same size when
compiled 32- and 64-bit. This allows data files and shared
memory to be shared between 32- and 64-bit applications */
#if __WORDSIZE == 64 && defined __WORDSIZE_COMPAT32
int32_t ut_session; /* Session ID, used for windowing */
struct {
int32_t tv_sec; /* Seconds */
int32_t tv_usec; /* Microseconds */
} ut_tv; /* Time entry was made */
#else
long int ut_session; /* Session ID, used for windowing */
struct timeval ut_tv; /* Time entry was made */
#endif
int32_t ut_addr_v6[4]; /* IP address of remote host */
char __unused[20]; /* Reserved for future use */
};
then you can use functions like getutent() (see the man file). NOTE that you still have to run this very often to see who got in and out by comparing results.
Don't forget that utmp is not the safest way to go because many programs just don't use it. (specially malicious programs)
If I understand correctly, short of changing the behavior of init, which is a terrible idea, you should consider finding a way to implement change notify - like inotify in Linux, on an accounting file - other posters mentioned those files. init DOES in fact write to those files on login and logout. Based on your comments it does not seem to me that you are aware of init behavior or you would already be aimed in that direction....
I didn't see your OS mentioned. inotify is Linux- only kernel 2.6.13 and higher.
i'm very interesting with this threads, because i have learned about utmp but i found only a little.... I can't make the code that can read the utmp file, would you like to show me how to make program that can read the utmp file or use getutent() function?
hi!
How can I find into:
/var/log/messages.4
/var/log/messages.3
/var/log/messages.2
/var/log/messages.1
/var/log/messages
The last user do a login? (for example user1)
My idea is to search by the pattern "Accepted password for" buy I necessary search into all files first and in the... (2 Replies)
Hi friends
I want to get a list of users who have logged in before 10 'o clock in the morning on a given date .
I tried with who and last commands but last gives only the last login time
How do i find who logged before 10 'o clock
Thanks (3 Replies)
I have a situation where I have to capture information of all users who log out, along with the terminal info(tty command).
For example, I may have logged in with /dev/pts/2 as well as /dev/pts4.
Now, when I log out of the session with /dev/pts/2, I need that to be sent in an email to a... (1 Reply)
Hi all,
Say my login user id is "t007" and I login into the unix server first using my id and password and then I used to use "su" command to switch the user using root user id and password. Now, how the third person will come to know who has logged in as a first user ?
As:
Login: t007... (2 Replies)
Discussion started by: varungupta
2 Replies
5. Post Here to Contact Site Administrators and Moderators
Working in AIX (so no date -d)
How can i display all the users who have not logged in for more than 40 days?
A small quick script would be usefull, my scripts are always taking to long to execute, even before they are finished.
Many thanks! (5 Replies)
being ordinary user (not having any administrative rights) can avail myself a facility to know who logged and logged out with their timings get popped onto my terminal as if it get echo 'ed... (3 Replies)
