GNU Rush – a restricted user shell

11.1 The wtmp file

The wtmp file consists of variable-size entries. It is designed so that it can easily be read in both directions.

Each record begins with a fixed-size header, which is followed by three zero-terminated strings, and the record size in size_t representation. The three strings are, in that order: the user login name, the rule tag, and the full command line.

The header has the following structure:

struct rush_wtmp {
        size_t reclen;
        pid_t pid;
        struct timeval start;
        struct timeval stop;
        char *unused[3];
};

where:

reclen

is the length of the entire record, including the size of this header. This field is duplicated at the end of the record.

pid

is the PID of the command executed for the user.

start

represents the time of the beginning of the user session.

stop

represents the time when the user session finished. If the session is still running, this field is filled with zeros.

unused

The three pointers at the end of the structure are used internally by rush. On disk, these fields are always filled with zeros.
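The record layout described above can be checked before any field is trusted. The following is an added example, not code from GNU Rush: the names wtmp_view, wtmp_record_at and wtmp_prev_start are hypothetical, and it assumes that reclen also counts the trailing size_t copy and that the file was written on a host with the same ABI (size_t, pid_t and struct timeval widths, byte order) as the reader.

```c
#include <string.h>
#include <sys/time.h>
#include <sys/types.h>

struct rush_wtmp {              /* header layout as given on the page */
    size_t reclen;
    pid_t pid;
    struct timeval start;
    struct timeval stop;
    char *unused[3];
};

struct wtmp_view {              /* hypothetical: parsed record, strings point into buf */
    struct rush_wtmp hdr;
    const char *user, *rule, *command;
};

/* Validate the record at buf[off]; return its length, or 0 if malformed. */
size_t wtmp_record_at(const unsigned char *buf, size_t len, size_t off,
                      struct wtmp_view *v)
{
    const size_t min = sizeof v->hdr + 3 + sizeof(size_t); /* header, 3 NULs, trailer */
    const char **field[3] = { &v->user, &v->rule, &v->command };
    size_t tail, pos = sizeof v->hdr;
    if (off > len || len - off < min) return 0;
    memcpy(&v->hdr, buf + off, sizeof v->hdr);   /* buf may be unaligned */
    if (v->hdr.reclen < min || v->hdr.reclen > len - off) return 0;
    memcpy(&tail, buf + off + v->hdr.reclen - sizeof tail, sizeof tail);
    if (tail != v->hdr.reclen) return 0;         /* trailing copy disagrees */
    for (int i = 0; i < 3; i++) {
        const unsigned char *s = buf + off + pos;
        size_t room = v->hdr.reclen - sizeof tail - pos;
        const unsigned char *nul = room ? memchr(s, 0, room) : NULL;
        if (!nul) return 0;                      /* string not terminated in record */
        *field[i] = (const char *)s;
        pos += (size_t)(nul - s) + 1;
    }
    return v->hdr.reclen;
}

/* Backward step: the size_t ending at `end` locates the record start, or (size_t)-1. */
size_t wtmp_prev_start(const unsigned char *buf, size_t end)
{
    size_t tail;
    if (end < sizeof tail) return (size_t)-1;
    memcpy(&tail, buf + end - sizeof tail, sizeof tail);
    return (tail >= sizeof(struct rush_wtmp) && tail <= end) ? end - tail : (size_t)-1;
}
```

A forward reader calls wtmp_record_at repeatedly, advancing off by the returned length; a backward reader starts at the file size and follows wtmp_prev_start, validating each record it lands on with wtmp_record_at.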
