This series covers everything about Linux login accounting โ how the system tracks who is logged in, how to read and write login records, and how to implement your own login service. Based on Chapter 40 of The Linux Programming Interface by Michael Kerrisk.
Understand what login accounting is, the two core files (utmp and wtmp), how they work, file path constants, and how tools like who and last use them.
History of the BSD vs System V split, why the “x” suffix exists, Linux’s hybrid approach, and why to prefer utmpx over utmp API.
Full breakdown of struct utmpx fields, all 9 record type constants (EMPTY through DEAD_PROCESS), ut_line/ut_id derivation, and the complete login lifecycle in wtmp.
The 5 core utmpx functions: setutxent, endutxent, getutxent, getutxid, getutxline. The cache problem and how to avoid infinite loops. Full dump_utmpx implementation.
How getlogin() identifies the original login name using utmp, when it fails (daemons), comparison with getpwuid() and LOGNAME, thread-safe getlogin_r(), and implementing getlogin() from scratch.
pututxline() and updwtmpx() in detail. Login and logout rules, field requirements, complete utmpx_login.c implementation, signal-safe cleanup, and implementing login(3)/logout(3)/logwtmp(3).
The lastlog file format, struct lastlog, UID-based direct indexing with lseek, reading/writing lastlog records, and a complete dump utility for all users.
Begin with Part 1 and follow the series in order for the best learning experience.