
Repairing wtmp


The problem arose when the /var/account/pacct logfile filled up my hard disk. As I forgot to remove the service from /etc/init.d, it happened again. The wtmp logfile was completely trashed. I tried to write a C program to repair it, but since I couldn’t figure out how to automatically decide if a wtmp entry was good or bad, it became clear that I had to do it manually.


So first I needed a binary editor. Most editors say that they can edit binary files, but they are completely unusable for this task. Have a look at my list of available.

To be able to see the results of my editing I had to download the original GNU acct package from the Debian mirror, which includes a tool called dump-utmp that displays the contents of the wtmp file. last is of no use here, since it can’t handle the faults in the wtmp file at all.

I had to use dump-utmp to show me where the faulty entries/boundaries in the wtmp file were, HexEd to show me the wtmp file in a human-readable form and beav to edit it. I’d find the faulty entry with dump-utmp, go into HexEd to find the correct byte-offset of that entry and of the next ‘good’ one, change into beav to delete the faulty entries and write a new wtmp version, and then check again in dump-utmp and repeat the whole cycle.
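The "find the faulty entry and its byte offset" step of that cycle can be partly scripted; the following is an added example, not code from the original page. It assumes today's glibc layout of `struct utmp` on Linux (384 bytes per record, which may differ from the 1997 format), and the names `scan_wtmp`, `text_ok` and `sample_record` as well as the heuristics are hypothetical; it only lists offsets for a manual look and repairs nothing.

```python
import struct

# Assumed layout: glibc struct utmp on Linux (384 bytes per record).
REC = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
VALID_TYPES = range(0, 10)          # EMPTY (0) .. ACCOUNTING (9) in <utmp.h>

def text_ok(raw):
    """Field must be printable ASCII up to the first NUL, only NULs after it."""
    head, _, tail = raw.partition(b"\0")
    return all(32 <= b < 127 for b in head) and not tail.strip(b"\0")

def scan_wtmp(data, min_time=0, max_time=2**31 - 1, slack=3600):
    """Return [(byte_offset, [reasons])] for records that need a manual look."""
    findings, prev = [], None
    whole = len(data) - len(data) % REC.size
    for off in range(0, whole, REC.size):
        f = REC.unpack_from(data, off)
        ut_type, line, user, host, tv_sec = f[0], f[2], f[4], f[5], f[9]
        reasons = []
        if ut_type not in VALID_TYPES:
            reasons.append("ut_type %d out of range" % ut_type)
        if not all(text_ok(x) for x in (line, user, host)):
            reasons.append("non-text bytes in line/user/host")
        if not min_time <= tv_sec <= max_time:
            reasons.append("timestamp %d implausible" % tv_sec)
        elif prev is not None and tv_sec < prev - slack:
            reasons.append("timestamp goes backwards")
        if reasons:
            findings.append((off, reasons))
        else:
            prev = tv_sec           # only clean records advance the reference time
    if whole != len(data):
        findings.append((whole, ["truncated record, %d bytes" % (len(data) - whole)]))
    return findings

def sample_record(ut_type, line, user, tv_sec):   # builds one constructed record
    return REC.pack(ut_type, 1, line, b"", user, b"", 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")

if __name__ == "__main__":
    # Constructed sample: good record, 384 bytes of junk, good record, torn tail.
    sample = (sample_record(7, b"tty1", b"alice", 870000000) + b"\xfe" * REC.size
              + sample_record(8, b"tty1", b"", 870000600) + b"\x07" * 10)
    for off, why in scan_wtmp(sample, min_time=800000000):
        print("offset %d (0x%x): %s" % (off, off, "; ".join(why)))
```

Junk that is not a multiple of the record size shifts every later record out of alignment, so a long run of flagged offsets usually means the boundary still has to be found by hand in the hex editor.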


At the time the repair was done, which was in 1997, it was a pain. Linux was sorely lacking a lot of utilities, or in other words, the utilities that were there were not really usable. But things, at least as far as the hex editors are concerned (see also the hexeds page), have improved a lot. Feedback (tpo_hp at sourcepole.ch) about how to accomplish the task better, or just about the contents of this page, is very welcome.