GNU Rush – a restricted user shell (split by chapter):   Section:   Chapter:FastBack: Rushlast   Up: Top   FastForward: Reporting Bugs   Contents: Table of ContentsIndex: Concept Index

11 Accounting Database

Rush accounting database is stored in the directory localstatedir/rush, where localstatedir stands for the name of the local state directory, defined at compile time. By default, it is prefix/var, where prefix is the installation prefix, which defaults to /usr/local. Thus, the default database directory is /usr/local/var/rush. You can change this default by using --localstatedir option to configure before compiling the package. The --prefix option affects it as well.

As of version 1.8, the database consists of two files, called utmp and wtmp. The wtmp file keeps information about all user sessions, both finished and still active. The utmp file contains indices to those records in wtmp, which represent active sessions.

The wtmp grows continuously, while utmp normally grows the first day or two after enabling accounting mode, and from then on its size remains without changes. If you set up log file rotation, e.g. by using logrotate (see logrotate in logrotate man page), or a similar tool, it is safe to rotate wtmp without notifying rush. The only requirement is to truncate utmp to zero size after rotating wtmp, as shown in the following logrotate.conf snippet:

/var/run/rush/wtmp {
    create 0640 root svusers
      cat /dev/null > /var/run/rush/utmp

Accounting files are owned by ‘root’ and normally have permissions ‘600’. You may change the default permissions using the following configuration file statements:

Rule Config: acct-umask mask

Set umask used when accessing accounting database files. Default value is ‘022’.

Rule Config: acct-dir-mode mode

Set mode bits for the accounting directory. The mode argument is the mode in octal.

Rule Config: acct-file-mode mode

Set mode bits for wtmp and utmp files.

Notice, that these statements affect file and directory modes only when the corresponding file or directory is created. Rush will not change modes of the existing files.

The following sections contain a detailed description of the structure of these two files. You may skip them, if you are not interested in technical details.

11.1 The wtmp file

The wtmp file consists of variable-size entries. It is designed so that it can easily be read in both directions.

Each record begins with a fixed-size header, which is followed by three zero-terminated strings, and the record size in size_t representation. The three strings are, in that order: the user login name, the rule tag, and the full command line.

The header has the following structure:

struct rush_wtmp {
        size_t reclen;
        pid_t pid;
        struct timeval start;
        struct timeval stop;
        char *unused[3];



is the length of the entire record, including the size of this header. This field is duplicated at the end of the record.


is the PID of the command executed for the user.


represents the time of the beginning of the user session.


represents the time when the user session finished. If the session is still running, this field is filled with zeros.


The three pointers at the end of the structure are used internally by rush. On disk, these fields are always filled with zeros.

11.2 The utmp file

The utmp file consists of a fixed-size records of the following structure:

struct rush_utmp {
        int status;
        off_t offset;

The fields have the following meaning:


Status of the record: ‘0’ if the record is unused, and ‘1’ if it represents an active session.


Offset to the corresponding record in wtmp (see previous section).

GNU Rush – a restricted user shell (split by chapter):   Section:   Chapter:FastBack: Accounting Database   Up: Accounting Database   FastForward: Reporting Bugs   Contents: Table of ContentsIndex: Concept Index