Richard Lewis wrote:
> Chris Hofstaedtler <z...@debian.org> writes:
>> util-linux used to ship three vaguely related programs: last, lastb, and
>> lastlog. In trixie, they are gone.
>
> Is this true on all architectures? (when this broke chkrootkit
> it only affected the 64-bit ones)
I'd missed your mention on the old debian-devel thread of chkrootkit
having an independent utmp/wtmp reader. It'll want to switch over to
the new format, but meanwhile if someone wants to know "who was logged
in on the day this system was upgraded to trixie?", chkrootkit and
busybox still provide ways of reading the leftover database files.
> Can i also check whether any attempt is made to delete the old files -- if
> not,
> we should tell users to do their own cleanup. I think this is
> - /var/log/lastlog*
> - /var/log/wtmp*
> - /var/run/utmp (or does this get cleaned on reboot somehow?)
These days /var/run is a link to /run, which defaults to being a tmpfs
and therefore vanishes at reboot. The things in /var/log do get left
behind, but that's normal for files created there.
> I think the advice for most users would be that they dont need to do
> anything else (they can use the replacements you explained below if thry
> want, and ofc we should ex0lain that, but presumably the debian default
> is not to bother)?
Yes, the people who are likely to care are admins with cobwebby
homebrew cronjobs that regularly generate painstakingly formatted
security reports and send them to the fax machine, or whatever.
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
