Red Hat Bugzilla – Bug 218626
"last -ad" print junk in last column
Last modified: 2007-11-30 17:11:51 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:220.127.116.11) Gecko/20061107 Fedora/18.104.22.168-1.fc6 Firefox/22.214.171.124
Description of problem:
bash-3.1$ last -ad -10
wolfgang pts/3 Wed Dec 6 07:28 still logged in 126.96.36.199
wolfgang pts/1 Wed Dec 6 07:11 still logged in 188.8.131.52
wolfgang :0 Wed Dec 6 07:11 still logged in 0.0.0.0
wolfgang pts/1 Tue Dec 5 22:24 - 23:48 (01:23) 184.108.40.206
wolfgang pts/1 Tue Dec 5 20:09 - 21:43 (01:34) 220.127.116.11
wolfgang pts/1 Tue Dec 5 18:33 - 20:07 (01:34) 18.104.22.168
wolfgang pts/0 Tue Dec 5 16:34 - 17:52 (01:17) 22.214.171.124
alison pts/1 Tue Dec 5 15:13 - 16:41 (01:27) 126.96.36.199
wolfgang pts/5 Tue Dec 5 14:14 - 17:52 (03:37) cpe-76-188-12-0.neo.res.rr.com
wtmp begins Fri Dec 1 05:42:03 2006
notice the random-numbers presented as IP addresses in the last field. I suspect either an uninitialized/uncleared struct element or last isn't
correctly suppressing this printing upon seeing that it was a local login.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1.type "last -ad -10" on the local machine.
2.look at last column of output
3.scratch head and wonder if one really took a trip around the world and forgot about it.
The list of hosts printed in the last column don't correspond to any known legit logins.
last column should be empty for local xterms etc.
environment: standard gdm / X11 logins with multiple gnu terminals used.
perhaps gnu terminal startup registers the startup with utmp/wtmp incorreclty.
This is a bug in programs that write to the utmp/wtmp file. See
sysvinit-2.86-timeval.patch; there's a similar patch in util-linux. Are you
using gnome-terminal, xterm, or something else?
I'm using gnome-terminal and have just confirmed that what I'm seeing is a direct
result of a new gnome-terminal being created.
Assigning to gnome-terminal; might actually be vte, not sure.
The bug is in gnome-pty-helper that is part of vte.
Should it just print 0.0.0.0 for local logins or what?
If it is possible to suppres the output for local logins that would be less
confusing for the user. 0.0.0.0 implies that ipv4 was somehow involved.
Come to think of it, "ssh ::" has a similar problem. It claims the connection
came from "0.0.0.0" instead of "::".
Theoretically, if the bug is fixed, it will have 0.0.0.0, as that's the data in
the utmp file (all zeroes). I suppose there could be some special casing in last
for 0.0.0.0, but it's really just converting the raw utmp data into an ip address.
gnome-pty-helper doesn't seem to try to write the ip address at all. Can
someone who can reproduce this problem valgrind it? I'll give it a try on a
x86_64 machine. Seems to be related.
It's not the ip addr.
The utmp field is (from bits/utmp.h):
int32_t tv_sec; /* Seconds. */
int32_t tv_usec; /* Microseconds. */
If you write a raw struct timeval in there, on x86_64, it overflows into the
int32_t ut_addr_v6; /* Internet address of remote host. */
which gives you garbage.
So, instead of:
gettimeofday ((struct timeval*) &put.ut_tv, NULL);
you need something like:
struct timeval tv;
put.ut_tv.tv_sec = tv.tv_sec;
put.ut_tv.tv_usec = tv.tv_usec.
Thanks for tracking down!
Created attachment 143195 [details]
patch committed upstream.
vte-0.14.1-1.fc6 has been pushed for fc6, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.
Can someone confirm that the updates fixes this, and close?
I can confirm that the fix in vte-0.14.1-1.fc6 works.
bash-3.1$ last -4 -ad
wolfgang pts/4 Tue Dec 12 12:26 still logged in 0.0.0.0
wolfgang pts/4 Tue Dec 12 10:37 - 11:31 (00:54) 0.0.0.0
wolfgang pts/4 Tue Dec 12 10:09 - 10:19 (00:10) 0.0.0.0
wolfgang pts/4 Tue Dec 12 10:08 - 10:09 (00:00) 0.0.0.0
wtmp begins Fri Dec 1 05:42:03 2006