Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 98659 - /var/log/wtmp registers entries with wrong / arbitrary IP address for local graphical logins
Summary: /var/log/wtmp registers entries with wrong / arbitrary IP address for local g...
Status: CLOSED DUPLICATE of bug 82540
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: SysVinit
Version: 9
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: David Lawrence
Depends On:
TreeView+ depends on / blocked
Reported: 2003-07-06 23:59 UTC by Joaquim Fanton
Modified: 2014-03-17 02:37 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2006-02-21 18:56:57 UTC

Attachments (Terms of Use)

Description Joaquim Fanton 2003-07-06 23:59:37 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225

Description of problem:
The wtmp file contains entries registering logins (and logoffs) from IP at terminal :0.

There's one entry for each time the system is started (booted).

The problem only happens if the system default runlevel is set to 5 (the system
starts X immediately after the boot and the login occurs through gdm). If the
default runlevel is set to 3 the entries are correct.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Set the system's default runlevel to 5 in inittab
(edit /etc/inittab, changing the line id:3:initdefault: 
to id:5:initdefault:)

2. look at wtmp using 'utmdump /var/log/wtmp | grep 128.99

Actual Results:  [root@firenzi etc]# utmpdump /var/log/wtmp | grep 128.99
Utmp dump of /var/log/wtmp
[7] [01931] [:0  ] [jcff    ] [:0          ] [                    ] [
   ] [Sun Jun 22 13:29:26 2003 BRT]
[7] [01859] [:0  ] [root    ] [:0          ] [                    ] [
   ] [Sun Jul 06 18:39:50 2003 BRT]
[8] [00000] [:0  ] [        ] [:0          ] [                    ] [
   ] [Sun Jul 06 18:41:29 2003 BRT]
[root@firenzi etc]#

Expected Results:  [root@firenzi etc]# utmpdump /var/log/wtmp | grep 128.99
Utmp dump of /var/log/wtmp
[root@firenzi etc]#

Additional info:

This behaviour could lead to the wrong conclusion that the system was invaded or
hacked by an unauthorized perpetrator.

Comment 1 Joaquim Fanton 2003-07-07 00:04:27 UTC
This bug is probably similar (or even caused by the same problem) to the one
reported on Bugzilla Bug 82540.

Comment 2 Joaquim Fanton 2003-07-07 17:10:40 UTC
Sorry. In "Steps to Reproduce" I forgot to mention that the system must be 
restarted after the edition of the default run level in the /etc/inittab file. 
(This could seem obvious to me but I should have made it clear.)

So, this would be step 1.5) Restart the system and login via gdm.

Comment 3 Joaquim Fanton 2003-07-18 19:20:20 UTC
The IP registered in wtmp is not always the same. It seems to be an arbitrary 
IP and can be different from machine to machine, distribution to distribution 
or even from time to time. So, the IP itself does not matter. 

The problem is that the address registered should be at terminal :0 
and an arbitrary IP is registered instead.

This observation has impact in the way the problem can be reproduced, since '# 
utmpdump wtmp | grep 128.99' works fine for me but won't work for many users. 
So, one must use '# utmpdump wtmp | more' and search for logins at terminal :0 
with IP addresses others than

I also verified that this problem occurs at Red Hat versions 7 and 8.

Comment 6 Bill Nottingham 2005-01-28 06:21:48 UTC

*** This bug has been marked as a duplicate of 82540 ***

Comment 7 Red Hat Bugzilla 2006-02-21 18:56:57 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

Note You need to log in before you can comment on or make changes to this bug.