al@darkstar:~$ who
al :0 Nov 12 06:40
al pts/0 Nov 12 06:40
al pts/1 Nov 12 06:40
root pts/3 Nov 22.07:33

Help. I saw the above and could not figure out why root has been logged in.
I do know know how to log "root" off. So I re-booted. (Do you think I've
been hacked?) Is there a way to log off the "root" user? I've never logged
in as root, but I have used SU a lot. What should I have done?


al@darkstar:~$ who
al :0 Dec 12 06:39
al pts/0 Dec 12 06:39
al pts/1 Dec 12 06:40

Upon a re-start, I see that there are 3 of me. How come? What is "pts*"

Thanks,

Al

part of it is the :0 is your x session, and the pts's are remote logins
(ssh, etc) if you are su'ed, it will show the proccess as root, like the
one on pts3.

if you are actually logged into the machine via ssh, this is an expected
output.

do you boot into init 3 and then startx, or do you boot into init 4 and
x automatically starts?

Adams-Blake Company wrote:
> al@darkstar:~$ who
> al :0 Nov 12 06:40
> al pts/0 Nov 12 06:40
> al pts/1 Nov 12 06:40
> root pts/3 Nov 22.07:33
>
> Help. I saw the above and could not figure out why root has been logged in.
> I do know know how to log "root" off. So I re-booted. (Do you think I've
> been hacked?) Is there a way to log off the "root" user? I've never logged
> in as root, but I have used SU a lot. What should I have done?
>
>
> al@darkstar:~$ who
> al :0 Dec 12 06:39
> al pts/0 Dec 12 06:39
> al pts/1 Dec 12 06:40
>
> Upon a re-start, I see that there are 3 of me. How come? What is "pts*"
>
> Thanks,
>
> Al
>

Jason Hamilton wrote:

> part of it is the :0 is your x session, and the pts's are remote logins
> (ssh, etc) if you are su'ed, it will show the proccess as root, like the
> one on pts3.
>
> if you are actually logged into the machine via ssh, this is an expected
> output.
>
> do you boot into init 3 and then startx, or do you boot into init 4 and
> x automatically starts?
>

On advice of someone on this group I changed one of the config files (forget
which one) so that I get a GUI login screen. Not sure if it is X, Gnome, or
KDE. It has a "icon" of me and root and ask me for the usual name and
password (although I can click one of the icons and it knows my username. I
can also click a button to choose which WM I want (it defaults to KDE...
which all I ever use.)

This is a single user machine. Upon re-boot why are there 3 of me? (below)
>> al@darkstar:~$ who
>> al :0 Dec 12 06:39
>> al pts/0 Dec 12 06:39
>> al pts/1 Dec 12 06:4

What does pts/1 mean?

Thanks,
Al




> Adams-Blake Company wrote:
>> al@darkstar:~$ who
>> al :0 Nov 12 06:40
>> al pts/0 Nov 12 06:40
>> al pts/1 Nov 12 06:40
>> root pts/3 Nov 22.07:33
>>
>> Help. I saw the above and could not figure out why root has been logged
>> in. I do know know how to log "root" off. So I re-booted. (Do you think
>> I've been hacked?) Is there a way to log off the "root" user? I've never
>> logged in as root, but I have used SU a lot. What should I have done?
>>
>>
>> al@darkstar:~$ who
>> al :0 Dec 12 06:39
>> al pts/0 Dec 12 06:39
>> al pts/1 Dec 12 06:40
>>
>> Upon a re-start, I see that there are 3 of me. How come? What is "pts*"
>>
>> Thanks,
>>
>> Al
>>

Adams-Blake Company wrote:
>
> On advice of someone on this group I changed one of the config
> files (forget which one) so that I get a GUI login screen. Not
> sure if it is X, Gnome, or KDE. It has a "icon" of me and root
> and ask me for the usual name and password (although I can
> click one of the icons and it knows my username. I can also
> click a button to choose which WM I want (it defaults to
> KDE... which all I ever use.)
>
> This is a single user machine. Upon re-boot why are there 3 of
> me? (below)
>
>>> al@darkstar:~$ who al :0 Dec 12 06:39 al
>>> pts/0 Dec 12 06:39 al pts/1 Dec 12
>>> 06:4
>
>
> What does pts/1 mean?

This is with one user logged in with 11 gnome-terminals open.

who
user tty6 Dec 3 00:09
user :0 Dec 12 09:01
user pts/0 Dec 12 10:11 (:0.0)
user pts/1 Dec 12 10:11 (:0.0)
user pts/2 Dec 12 10:11 (:0.0)
user pts/3 Dec 12 10:11 (:0.0)
user pts/4 Dec 12 10:11 (:0.0)
user pts/5 Dec 12 10:11 (:0.0)
user pts/6 Dec 12 10:11 (:0.0)
user pts/7 Dec 12 10:11 (:0.0)
user pts/8 Dec 12 10:11 (:0.0)
user pts/9 Dec 12 10:11 (:0.0)
user pts/10 Dec 12 10:11 (:0.0)

--
Confucius: He who play in root, eventually kill tree.
Registered with The Linux Counter. http://counter.li.org/
Slackware 9.1.0 Kernel 2.4.23 SMP i686 (GCC) 3.3.2
Uptime: 12 days, 19:34, 2 users, load average: 0.00, 0.04, 0.0

Adams-Blake Company wrote:

> Jason Hamilton wrote:
>
>
>>part of it is the :0 is your x session, and the pts's are remote logins
>>(ssh, etc) if you are su'ed, it will show the proccess as root, like the
>>one on pts3.
>>
>>if you are actually logged into the machine via ssh, this is an expected
>>output.
>>
>>do you boot into init 3 and then startx, or do you boot into init 4 and
>>x automatically starts?
>>
>
>
> On advice of someone on this group I changed one of the config files (forget
> which one) so that I get a GUI login screen. Not sure if it is X, Gnome, or
> KDE. It has a "icon" of me and root and ask me for the usual name and
> password (although I can click one of the icons and it knows my username. I
> can also click a button to choose which WM I want (it defaults to KDE...
> which all I ever use.)
>
> This is a single user machine. Upon re-boot why are there 3 of me? (below)
>
>>>al@darkstar:~$ who
>>>al :0 Dec 12 06:39
>>>al pts/0 Dec 12 06:39
>>>al pts/1 Dec 12 06:4
>
>
> What does pts/1 mean?

"Pseudo Teletype # 1"

OK, I know that doesn't make much sense, so an explanation is in order.

First off, let's recognize that Linux is designed as a replica of Unix.

Originally, Unix users connected to a Unix system through dumb terminals
(TeleType Corporation machines, called "Teletypes" or "TTYs") hardwired to
the computer. There was no "network", other than direct telephone
connections (much like 1970's BBS systems).

Unix recognized each user's connection, and gave the terminal control over
the processes the user ran. When the user disconnected his teletype from the
system, the system would signal all processes attached to that terminal that
the terminal was no longer connected. Since most of these terminals were
connected via phone modems, the signal reflected that the user had "hung up"
the phone connection when he disconnected the terminal from the modem. This
is still evident in the design and implementation of Unix (and Linux), in
the existance of /dev/tty*, "controlling terminals" and SIG_HUP_ (HUP = Hang
UP).

When networks came along, it became possible to connect many terminals to a
Unix system. Unfortunately for Unix, there were no individual /dev/tty*
devices for these connections; they were seperate logical streams of data
sourced from a /single/ device. So, it was either change the entirity of how
Unix represented terminals to itself (including changing the semantics of a
"controlling terminal" and "SIGHUP" to reflect the existance of many
terminals on one device), or make the single network device /look/ like many
seperate terminals.

The second choice was the easiest. The network layer was given the task of
building and managing "pseudo" TTY devices, one for each "terminal" stream
of data. Since there was no hard terminal connected to the pty, and the pty
represented a logical terminal, the logical terminal could be physically
located anywhere. The system semantics would stay the same, just associated
to a network stream of data, rather than an RS232 line. These pseudo
terminal devices are built dynamically in the /dev/pts directory, and are
the network equivalents of the /dev/tty* devices.

Now, when you start an xterm on your system, the xterm program establishes a
/network/ connection to your system. This results in the assignment of a pty
to the network stream of data that the xterm presents as a terminal. And
thus, each xterm you open is given it's own /dev/pts/* entry

--
Lew Pitcher, IT Consultant, Application Architecture
Enterprise Technology Solutions, TD Bank Financial Group

(Opinions expressed here are my own, not my employer's)

In article <vtjl83cdo6pse4@news20.forteinc.com>,
Adams-Blake Company wrote:
> I do know know how to log "root" off. So I re-booted. (Do you think I've
> been hacked?) Is there a way to log off the "root" user? I've never logged
> in as root, but I have used SU a lot. What should I have done?

Relax.

> Upon a re-start, I see that there are 3 of me. How come? What is "pts*"

This is a quirk (or feature, or bug) of the new utempter package in 9.1.
It seems any shell by default will show as a login. Some terminal
emulators (xterm for one) can inhibit this, but others (konsole) cannot.

pts/* listings in who are the pseudo TTY's found in /dev/pts. You can
find a technical description in "man pts", but that's information for a
programmer's use, really.
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply

On Fri, 12 Dec 2003 06:46:18 -0800, Adams-Blake Company wrote:

> al@darkstar:~$ who
> al :0 Nov 12 06:40
> al pts/0 Nov 12 06:40
> al pts/1 Nov 12 06:40
> root pts/3 Nov 22.07:33
>
> Help. I saw the above and could not figure out why root has been logged in.
> I do know know how to log "root" off. So I re-booted. (Do you think I've
> been hacked?) Is there a way to log off the "root" user? I've never logged
> in as root, but I have used SU a lot. What should I have done?
>
>
> al@darkstar:~$ who
> al :0 Dec 12 06:39
> al pts/0 Dec 12 06:39
> al pts/1 Dec 12 06:40
>
> Upon a re-start, I see that there are 3 of me. How come? What is "pts*"

Do you have open terminal apps of some kind? (xterm, rxvt, gnome-terminal,
etc) Each time you open a terminal it makes an entry in the utmp file.
To surpress this, start your terminals with -ut (no utmp entry) and
you won't see the pts/n entries.

Jim

Adams-Blake Company <atakeoutcanton@adams-blaketakeout.com> wrote:
> Upon a re-start, I see that there are 3 of me. How come? What is "pts*"

Pseudo Terminal Stream, anything that "has a shell" but isn't a
real terminal, like "windows", remote logins, remote shells, etc
gets assigned one of these. In your case it's probably the windows
(xterm, konsole, gnome-terminal, etc) you currently have open.

The confusion is mostly with kde's "konsole" as previous versions
"forgot" to log themselves into the utmp database, so you USED to
"not see" them in who.
Since the 3.1.4/SW9.1 release they now work like the other "windows"
programs (xterm, gnome-terminal).
--
************************************************** ******************
** Eef Hartman, Delft University of Technology, dept. EWI/TW **
** e-mail: E.J.M.Hartman@math.tudelft.nl, fax: +31-15-278 7295 **
** snail-mail: P.O. Box 5031, 2600 GA Delft, The Netherlands **
************************************************** ******************

In article <slrnbtjsqi.mov.rob0@linuxbox.linux.box>, /dev/rob0 wrote:
> This is a quirk (or feature, or bug) of the new utempter package in 9.1.
> It seems any shell by default will show as a login. Some terminal
> emulators (xterm for one) can inhibit this, but others (konsole) cannot.

My scoreboard thus far on the utempter issue: xterm and rxvt both have
command-line options to inhibit utmp listings, and those work. konsole
apparently has no way to do this at all. gnome-terminal has it in the
sessions editor, "Title and Command" tab (2nd from left), but it is not
honoured: all shells are still listed.

The executable /usr/sbin/utempter expects to be run from a master ptmx,
whereas anything in a terminal emulator is run in the slave pty. So I
can't tell how to change a utmp listing manually. Is it a matter of
changing the stdin/stdout/stderr file descriptors?

My lack of experience with other distros is detrimental here. The
utempter package comes to us from Red Hat, where it has been for some
time. Is this the normal behaviour in RH and others? I think it's rather
annoying, because with as many terminals as I need, the "who" or "w"
output is useless. Maybe RH users don't use many terminals?

I want a multi-tabbed terminal like konsole or gnome-terminal (hey, I
just found out that they added tabs to gnome-terminal! which can
inhibit utmp/wtmp listings. Does it exist?
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply

Eef Hartman wrote:

> Adams-Blake Company <atakeoutcanton@adams-blaketakeout.com> wrote:
>> Upon a re-start, I see that there are 3 of me. How come? What is "pts*"
>
> Pseudo Terminal Stream, anything that "has a shell" but isn't a
> real terminal, like "windows", remote logins, remote shells, etc
> gets assigned one of these. In your case it's probably the windows
> (xterm, konsole, gnome-terminal, etc) you currently have open.
>
> The confusion is mostly with kde's "konsole" as previous versions
> "forgot" to log themselves into the utmp database, so you USED to
> "not see" them in who.
> Since the 3.1.4/SW9.1 release they now work like the other "windows"
> programs (xterm, gnome-terminal).


All of the explanations have been great... especially the tty-101 course by
Lew. Thanks. I still don't understand one thing:

> al@darkstar:~$ who
> al*******:0************Nov*12*06:40
> al*******pts/0*******Nov*12*06:40
> al*******pts/1******Nov*12*06:40
> root***pts/3*******Nov*22.07:33

Where did that "root" come from? Whenever I go to root I only use su.
Assuming that an entry is made in the utemp database (I've done a bit of
research here.... just a small bit..) what would cause the entry to NOT be
wiped out upon doing an "exit" from the root terminal session.

I gotta tell ya. I was really freaked thinking I'd left a root login "open"
for three weeks while connected to the net. Isn't that a direct invitation
to be hacked to death? Or is there some other (non-firewall) security that
might protect me (yeah, yeah, yeah... I gotta install a fiewall for my
dial-up connections since I'm often on for many hours.)

Thanks,

Al