在 SLES11 上,我可以看到以下输出:
$ who | grep -i FOOBARUSER
FOOBARUSER ::ffff:127.0.0.1:3 Mar 2 09:52 (::ffff:127.0.0.1::ffff:127.0.0.1:3)
FOOBARUSER ::ffff:127.0.0.1:3 Mar 2 09:52 (::ffff:127.0.0.1)
$ date
Sun Dec 8 22:01:58 CET 2019
$ id FOOBARUSER
id: FOOBARUSER: No such user
那么这意味着 FOOBARUSER 在“Mar 2”从本地主机登录到本地主机?
问题: 但这怎么可能呢?当前日期是“12 月 8 日”。为什么“who”cmd 将当前登录日期显示为“Mar 2”?而且这个用户根本不存在,怎么能登录呢?
更新,更详细的信息:
# who | grep -i FOOBARUSER
FOOBARUSER ::ffff:127.0.0.1:3 2017-03-02 09:52 (::ffff:127.0.0.1::ffff:127.0.0.1:3)
#
# lsof | grep -i FOOBARUSER
#
# ps auxw | grep -i FOOBARUSER | grep -v grep
#
# date
Mon Dec 9 18:58:36 CET 2019
#
# who -T | grep -i FOOBARUSER
FOOBARUSER ? ::ffff:127.0.0.1:3 2017-03-02 09:52 (::ffff:127.0.0.1::ffff:127.0.0.1:3)
#
# grep --text -i FOOBARUSER /var/run/utmp |strings
::ffff:127.0.0.1:3
.1:3FOOBARUSER
::ffff:127.0.0.1
pts/23
p120
p157
p152
p160
p139
p107
p138
%xX3
::ffff:127.0.0.1:3
::ffFOOBARUSER
::ffff:127.0.0.1::ffff:127.0.0.1:3
::ffff:127.0.0.1:4
.1:4i867930
::ffff:127.0.0.1
p117
pts/187
/187
#
# ls -lah /dev/pts/23
crw--w---- 1 FOOBARUSER2 tty 136, 23 2019-12-09 17:01 /dev/pts/23
#
# stat /dev/pts/23
File: `/dev/pts/23'
Size: 0 Blocks: 0 IO Block: 1024 character special file
Device: ch/12d Inode: 26 Links: 1 Device type: 88,17
Access: (0620/crw--w----) Uid: (3854620/ FOOBARUSER2) Gid: ( 5/ tty)
Access: 2019-12-09 17:00:59.006679171 +0100
Modify: 2019-12-09 17:01:24.174902065 +0100
Change: 2019-12-09 16:57:22.022775177 +0100
#
# grep --color -i 'pts/23' /var/log/messages
#
看起来“2017-03-02 09:52”是不变的。也许这是一个错误,并且该用户实际上并未登录?
“/dev/pts/23”是否表示 FOOBARUSER 使用的 PTS?