Hi,
Author of the ckwtmpx program mentioned above here.
Quote:
wtmpfix does actually fix truncated entries too
This is correct. However, there were a couple of things that I found sub-optimal:
1. wtmpfix(1M) is too aggressive. I have a test corrupt wtmpx file as "found in the wild" of 6.7M. Processing with wtmpfix discards 6.3M of data. ckwtmpx on the other hand discards 742 _bytes_ and the resulting file certainly appears valid (it processes correctly with last(1) or fwtmp(1M), no errors, no truncation).
- wtmpfix's re-alignment jumps forward by one record plus however many bytes remain after removing a complete number of records from the file (the residue in the source quoted above). ckwtmpx's strategy is to crawl forward byte by byte.
- ckwtmpx's strategy to check "does this look like a valid record?" is less complex (strict?). See is_record_valid() in ckwtmpx.c (apparently I can't yet post URLs...).
2. wtmpfix doesn't show what was discarded. I was interested in trying to work out where the corruption was coming from (ckwtmpx -e error_file). This didn't help. I know it isn't always lack of disk, and it isn't LARGEFILE (which I once suspected). The 742 byte example I quoted above contains (almost) two corrupt "system down" records with far too many NULL bytes.
Any problems with ckwtmpx, suggestions, patches, please hit me by email, mcarpenter@free.fr. Thanks!
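
The byte-by-byte re-alignment described in the post, as an added example that is not part of the original post and is not taken from ckwtmpx.c. The 16-byte record layout, the plausibility window and the names `looks_valid`, `resync` and `build_sample` are assumptions made for illustration; a real wtmpx record is larger and has more fields.

```c
/* Added illustration, constructed 16-byte record: user[8], type (2 bytes BE),
 * pad (2), time (4 bytes BE). Not struct futmpx, not is_record_valid(). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define REC 16
#define T_MIN 946684800UL   /* 2000-01-01: assumed plausibility window */
#define T_MAX 4102444800UL  /* 2100-01-01 */

/* Cheap "does this look like a record?" test on one candidate. */
static int looks_valid(const unsigned char *r) {
    int i = 0;
    unsigned type = (unsigned)r[8] << 8 | r[9];
    unsigned long t = (unsigned long)r[12] << 24 | (unsigned long)r[13] << 16
                    | (unsigned long)r[14] << 8 | r[15];
    while (i < 8 && isprint(r[i])) i++;      /* printable name ... */
    if (i == 0) return 0;                    /* ... that is non-empty ... */
    for (; i < 8; i++) if (r[i]) return 0;   /* ... then only NUL padding */
    return type >= 1 && type <= 9 && t >= T_MIN && t <= T_MAX;
}

/* Keep aligned records; on a bad one crawl forward one byte. Returns kept count. */
size_t resync(const unsigned char *buf, size_t len, size_t *discarded) {
    size_t off = 0, kept = 0;
    *discarded = 0;
    while (off + REC <= len) {
        if (looks_valid(buf + off)) { kept++; off += REC; }
        else { (*discarded)++; off++; }
    }
    *discarded += len - off;                 /* truncated tail */
    return kept;
}

/* Constructed sample: 2 records, 5 stray NULs, 1 record, 3-byte stub. */
size_t build_sample(unsigned char *out) {
    static const unsigned char rec[REC] =
        { 'b','o','b',0,0,0,0,0, 0,7, 0,0, 0x60,0,0,0 };
    memcpy(out, rec, REC);
    memcpy(out + 16, rec, REC);
    memset(out + 32, 0, 5);
    memcpy(out + 37, rec, REC);
    memcpy(out + 53, rec, 3);
    return 56;
}

int main(void) {
    unsigned char buf[64];
    size_t lost, kept = resync(buf, build_sample(buf), &lost);
    printf("kept %zu records, discarded %zu bytes\n", kept, lost);
}
```

On the constructed sample only the 5 stray bytes and the 3-byte stub are dropped, and the record that follows the stray bytes is recovered even though it no longer sits on a record boundary.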