The problem arose when the /var/account/pacct logfile filled up my
hard disk. As I forgot to remove the service from /etc/init.d it
happened again. The wtmp logfile was completely trashed. I tried to
write a C program to repair it, but since I couldn't figure out how
to automatically decide if a wtmp entry was good or bad, it became
clear that I had to do it manually.
Solution
So first I needed a binary editor. Most editors say that they can
edit binary files, but they are completely unusable for this task. Have
a look at my list of available.
To be able to see the results of my editing I had to download the
original GNU acct-package from the Debian mirror, which includes a tool
called dump-utmp that displays the contents of the wtmp file. last
is of no use here, since it can't handle the faults in the wtmp file at all.
I had to use dump-utmp to show me where the faulty entries/boundaries
in the wtmp file were, HexEd to show me the wtmp file in a human-readable
form and beav to edit it. I'd find the faulty entry with dump-utmp,
go into HexEd to find the correct byte-offset of that entry and of the
next 'good' one, change into beav to delete the faulty entries and write a
new wtmp version, and then check again in dump-utmp and repeat the whole
cycle.
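The same find-the-offsets-and-cut cycle can be sketched in code. This is an added example, not the author's program: it assumes the 384-byte little-endian glibc `struct utmp` of a current x86-64 Linux (a 1997 wtmp uses a different layout), and the plausibility rules and the names `plausible`, `scan` and `make_record` are assumptions chosen for illustration.

```python
import struct

# Assumption: 384-byte little-endian glibc `struct utmp` (Linux x86-64).
REC = struct.Struct("<hxxi32s4s32s256shhiii16s20s")

def _text_ok(field):
    """Bytes before the first NUL must be printable ASCII."""
    return all(32 <= b < 127 for b in field.split(b"\0", 1)[0])

def plausible(raw, min_time, max_time):
    """Heuristic validity test for one record (thresholds are assumptions)."""
    (ut_type, _pid, line, _id, user, host,
     _term, _exit, _sess, tv_sec, tv_usec, _addr, _unused) = REC.unpack(raw)
    return (0 <= ut_type <= 9                  # EMPTY .. ACCOUNTING
            and min_time <= tv_sec <= max_time
            and 0 <= tv_usec < 1_000_000
            and _text_ok(line) and _text_ok(user) and _text_ok(host))

def scan(data, min_time, max_time):
    """Return (good_bytes, bad_spans); bad_spans are (start, end) byte offsets."""
    good, bad, pos = bytearray(), [], 0
    while pos + REC.size <= len(data):
        if plausible(data[pos:pos + REC.size], min_time, max_time):
            good += data[pos:pos + REC.size]
            pos += REC.size
            continue
        start = pos
        pos += 1  # resynchronise byte by byte on the next plausible record
        while pos + REC.size <= len(data) and not plausible(
                data[pos:pos + REC.size], min_time, max_time):
            pos += 1
        if pos + REC.size > len(data):
            pos = len(data)  # no further good record: rest is damaged
        bad.append((start, pos))
    if pos < len(data):
        bad.append((pos, len(data)))  # trailing partial record
    return bytes(good), bad

def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one constructed sample record."""
    return REC.pack(ut_type, pid, line, b"", user, host, 0, 0, 0, tv_sec, 0,
                    bytes(16), bytes(20))

# Constructed sample: two good records with 100 bytes of junk between them.
T0 = 1_700_000_000
SAMPLE = (make_record(7, 100, b"tty1", b"alice", b"", T0) + b"\xff" * 100 +
          make_record(8, 100, b"tty1", b"", b"", T0 + 60))
```

The time window passed to `scan` should bracket the period the log is known to cover; review the reported spans in a hex editor before writing the cleaned bytes over the original file.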
Conclusion
By the time the repair was done, which was in 1997, it was a pain. Linux was
sorely lacking a lot of utilities, or in other words, the utilities that were there
were not really usable. But things, at least as far as hex editors are concerned (see also
the hexeds page), have improved a lot. Feedback about how to accomplish the task better,
or just about the contents of this page, is very welcome.