LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - General (http://www.linuxquestions.org/questions/linux-general-1/)
-   -   Computer incorrectly reports number of logged in users (http://www.linuxquestions.org/questions/linux-general-1/computer-incorrectly-reports-number-of-logged-in-users-374763/)

phil.d.g 10-19-2005 02:10 PM

Computer incorrectly reports number of logged in users
 
Hi,

My machine is incorrectly reporting the number of users currently logged in. It always thinks I am logged in on tty1 when it isn't the case. I logged in on tty2 and the output of `who` is
Code:

philip      tty2                    Oct 19 19:59
philip      tty1                    Oct 19 19:57

The output of `w` gives
Code:

20:00:33 up 6 days,  8:28,  2 users,  load average: 0.00, 0.00, 0.00
USER    TTY      FROM              LOGIN@  IDLE  JCPU  PCPU WHAT
philip    tty2    -                    19:59      0.00s  0.02s  0.00s w

The output of `ps aux | grep tty1` gives
Code:

USER  PID    %CPU %MEM  VSZ  RSS TTY      STAT START  TIME COMMAND
root    4497  0.0      0.0    1400  484 tty1    Ss+  19:57  0:00 /sbin/agetty 38400 tty1 linux
philip  4523  0.0      0.0      1692 604 tty2      R+  20:02  0:00 grep tty1

So from the above I can see that noone is logged on tty1 and that agetty is being run by root on tty1 awaiting the next logon, I am not running a script or command on tty1 however the system seems to think I am logged in there. Also when I do actually log in on tty1 it doesn't show me as logged in on tty1 twice.

Whats happening? Also the first time I fire up the machine it correctly reports 0 users until I have logged in/out of tty1 a few times

I have noticed nothing unusual in the logs, and if it was showing me logged in a virtual terminal I would be a lot more worried that my system has been breached

thanks for any input

trickykid 10-20-2005 12:00 AM

Do you have X running during this time or any other terminals opened? Each one will display as a login and use up a tty.

I can login, startx, and open up 20 terminal windows which will all show up as being logged in for each.

phil.d.g 10-20-2005 02:27 AM

When it says one user logged in, there was noone logged in and X wasn't running. The only thing running on tty1 was agetty by root

At the minute I have logged in on tty1, started X and have one xterm running, and the ouput of `who` is correct:
Code:

philip  tty1        Oct 20 08:05
philip  pts/0        Oct 20 08:08

The reason I found this was I made a small php script to show some system stats and when I accessed the page it said '1 user' so I thought I must have accidently left myself logged in at home, but when I got back I weren't.

trickykid 10-20-2005 02:29 AM

What's the php script? It isn't making this phantom login is it?

phil.d.g 10-20-2005 02:49 AM

I don't think so, it does make use of shell_exec().

However apache is run as nobody, but the logged in user is me 'philip'. And in my first post I logged in on tty2 and made sure no one was logged in on tty1 and it still showed me logged in on tty1.

For reference the bit of php is simply
PHP Code:

echo shell_exec("uptime"); 

Edit:

If this script was making a terminal, then surely it would be pts/n type terminal?

Another Edit:

I shutdown X and logged out, so that no one at all was logged in, I then logged in on tty2. The output of who showed that I was also logged in on tty1. The log in time was correct - the system just hasn't recognised that I was no longer logged in on tty1. The output of `ps aux` whilst only being logged in on tty2 is:
Code:

USER      PID %CPU %MEM  VSZ  RSS TTY      STAT START  TIME COMMAND
root        1  0.0  0.0  588  228 ?        S    Oct13  0:00 init [3] 
root        2  0.0  0.0    0    0 ?        SN  Oct13  0:02 [ksoftirqd/0]
root        3  0.0  0.0    0    0 ?        S<  Oct13  0:00 [events/0]
root        4  0.0  0.0    0    0 ?        S<  Oct13  0:00 [khelper]
root        19  0.0  0.0    0    0 ?        S<  Oct13  0:02 [kblockd/0]
root        32  0.0  0.0    0    0 ?        S    Oct13  0:00 [khubd]
root        75  0.0  0.0    0    0 ?        S    Oct13  0:00 [kapmd]
root      104  0.0  0.0    0    0 ?        S<  Oct13  0:00 [aio/0]
root      103  0.0  0.0    0    0 ?        S    Oct13  0:07 [kswapd0]
root      693  0.0  0.0    0    0 ?        S    Oct13  0:00 [kseriod]
root      822  0.0  0.0    0    0 ?        S<  Oct13  0:01 [reiserfs/0]
root      873  0.0  0.0  1384  352 ?        S<s  Oct13  0:00 udevd
root      1847  0.0  0.0  1576  600 ?        Ss  Oct13  0:00 /usr/sbin/syslogd
root      1850  0.0  0.0  1532  456 ?        Ss  Oct13  0:00 /usr/sbin/klogd -c 3 -x
root      2006  0.0  0.0    0    0 ?        S    Oct13  0:00 [khpsbpkt]
root      2094  0.0  0.0    0    0 ?        S    Oct13  0:00 [knodemgrd_0]
root      2166  0.0  0.0    0    0 ?        S    Oct13  0:00 [shpchpd_event]
root      2208  0.0  0.0    0    0 ?        S    Oct13  0:00 [pciehpd_event]
root      2257  0.0  0.0    0    0 ?        S<  Oct13  0:00 [ata/0]
root      2279  0.0  0.0    0    0 ?        S    Oct13  0:00 [scsi_eh_0]
root      2280  0.0  0.0    0    0 ?        S    Oct13  0:00 [scsi_eh_1]
root      2295  0.0  0.0    0    0 ?        S    Oct13  0:00 [scsi_eh_2]
root      2296  0.0  0.0    0    0 ?        S    Oct13  0:00 [scsi_eh_3]
root      5349  0.0  0.0  1436  516 ?        Ss  Oct13  0:00 /usr/sbin/inetd
root      5352  0.0  0.1  3280 1472 ?        Ss  Oct13  0:00 /usr/sbin/sshd
root      5366  0.0  0.1  4952 2028 ?        Ss  Oct13  0:00 /usr/sbin/cupsd
root      5379  0.0  0.0  1724  628 ?        S    Oct13  0:00 /usr/sbin/crond -l10
root      5428  0.0  0.0  2416  952 ?        Ss  Oct13  0:00 /usr/libexec/postfix/master
root      5430  0.0  0.0  1392  520 ?        Ss  Oct13  0:00 /usr/sbin/apmd
postfix  5433  0.0  0.0  2472 1036 ?        S    Oct13  0:00 qmgr -l -t fifo -u
root      5567  0.0  0.1  6576 2060 ?        Ss  Oct13  0:00 /usr/sbin/smbd -D
root      5569  0.0  0.1  3444 1424 ?        Ss  Oct13  0:00 /usr/sbin/nmbd -D
root      5571  0.0  0.0  1448  472 ?        Ss  Oct13  0:00 /usr/sbin/gpm -m /dev/mouse -t ps2
root      5575  0.0  0.1  6576 2048 ?        S    Oct13  0:00 /usr/sbin/smbd -D
root      5576  0.0  0.1  3024 1060 ?        Ss  Oct13  0:55 /usr/sbin/dovecot
root      5578  0.0  0.3  3696 3692 ?        SLs  Oct13  0:00 /usr/sbin/ntpd
root      5581  0.0  0.0  1400  484 tty3    Ss+  Oct13  0:00 /sbin/agetty 38400 tty3 linux
root      5582  0.0  0.0  1400  484 tty4    Ss+  Oct13  0:00 /sbin/agetty 38400 tty4 linux
root      5583  0.0  0.0  1400  484 tty5    Ss+  Oct13  0:00 /sbin/agetty 38400 tty5 linux
root      5584  0.0  0.0  1400  484 tty6    Ss+  Oct13  0:00 /sbin/agetty 38400 tty6 linux
root      5655  0.0  0.1  3136 1168 ?        S    Oct13  0:02 dovecot-auth
root    20554  0.0  0.0    0    0 ?        S    Oct15  0:01 [pdflush]
root    20558  0.0  0.0    0    0 ?        S    Oct15  0:03 [pdflush]
root    25336  0.0  0.5 15840 5844 ?        Ss  08:42  0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody  25337  0.0  0.5 15988 5956 ?        S    08:42  0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody  25338  0.0  0.5 15988 6036 ?        S    08:42  0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody  25339  0.0  0.5 15840 5880 ?        S    08:42  0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody  25340  0.0  0.5 15840 5876 ?        S    08:42  0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody  25341  0.0  0.5 15840 5876 ?        S    08:42  0:00 /usr/local/apache/bin/httpd -k start -DSSL
philip  25356  0.0  0.1  3376 1920 tty2    Ss  08:43  0:00 -bash
dovecot  25612  0.0  0.1  3024 1452 ?        S    09:27  0:00 imap-login
dovecot  25614  0.0  0.1  3024 1452 ?        S    09:27  0:00 imap-login
postfix  25619  0.0  0.0  2440  912 ?        S    09:27  0:00 pickup -l -t fifo -u
dovecot  25627  0.0  0.1  3024 1452 ?        S    09:28  0:00 imap-login
root    25646  0.0  0.0  1400  484 tty1    Ss+  09:30  0:00 /sbin/agetty 38400 tty1 linux
philip  25658  0.0  0.0  2536  852 tty2    R+  09:31  0:00 ps aux

I run `chkrootkit` and `rkhunter` every day via cron and have done since the system was first setup and there have been no breaches. I also regularly check the logs and nothing untoward has been happening

phil.d.g 10-22-2005 04:09 AM

Anyone?

It seems that the system is not registering that I have logged off tty1, the login time provided by `who` is always correct.


All times are GMT -5. The time now is 09:41 PM.