Is there a reason why /var/log/lastlog is a huge sparse file (1.1TB)?
What I hence wonder is, what is the need/backgrounding motivation to have those files as sparse, huge files (in my case it was 1.1TB)?
This is how it's supposed to be.
/var/log/lastlog is not a log file like /var/log/syslog, and its name should be read as "last logins list" rather than "last logfile".
It's maintained by the pam_lastlog(8) module, and it's basically an array like this:
    struct lastlog {
        time_t ll_time;             // 4
        char ll_line[UT_LINESIZE];  // 32
        char ll_host[UT_HOSTSIZE];  // 256
    } entry[UINT_MAX];
Sizes of the fields on a typical x86-64 machine are in comments; an entry should be 4 + 32 + 256 = 292 bytes.
Every time a program using the pam_lastlog(8) PAM module is logging a user in, it will seek to uid * sizeof(struct lastlog) and overwrite the entry corresponding to that user.
Did I corrupt anything with truncating those files?
You did corrupt the output of the lastlog(1) command, which nobody is using anyway ;-)
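The seek-and-overwrite behaviour described in the answer can be reproduced on a scratch file. The following is an added example, not code from the answer or from pam_lastlog: `struct ll_rec`, the `ll_*` functions, the path and the sample login are hypothetical, and the 4 + 32 + 256 byte layout is assumed from the sizes quoted above. With 292-byte slots indexed by 32-bit UID, one login by a UID near the top of the range gives an apparent size of about 1.25 × 10^12 bytes (1.1 TiB) while only a few blocks are allocated.

```c
#define _FILE_OFFSET_BITS 64
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed record layout, matching the sizes quoted in the answer: 4 + 32 + 256 = 292. */
struct ll_rec { int32_t ll_time; char ll_line[32]; char ll_host[256]; };

/* Byte offset of a UID's slot: uid * sizeof(record). */
off_t ll_offset(uint32_t uid) { return (off_t)uid * (off_t)sizeof(struct ll_rec); }

/* Overwrite the slot for uid, as a login would. Returns 0 on success. */
int ll_write(const char *path, uint32_t uid, int32_t when, const char *line, const char *host) {
    struct ll_rec r;
    memset(&r, 0, sizeof r);
    r.ll_time = when;
    strncpy(r.ll_line, line, sizeof r.ll_line - 1);
    strncpy(r.ll_host, host, sizeof r.ll_host - 1);
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    ssize_t n = pwrite(fd, &r, sizeof r, ll_offset(uid));  /* everything before it stays a hole */
    close(fd);
    return n == (ssize_t)sizeof r ? 0 : -1;
}

/* Read the slot for uid: 1 = login recorded, 0 = hole, all zeros or past EOF
   (never logged in, or the file was truncated), -1 = error. */
int ll_read(const char *path, uint32_t uid, struct ll_rec *out) {
    memset(out, 0, sizeof *out);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = pread(fd, out, sizeof *out, ll_offset(uid));
    close(fd);
    if (n < 0) return -1;
    return (n == (ssize_t)sizeof *out && out->ll_time != 0) ? 1 : 0;
}

int main(void) {
    const char *p = "/tmp/lastlog.demo";  /* scratch file, not /var/log/lastlog */
    struct ll_rec r; struct stat st;
    unlink(p);
    if (ll_write(p, 65534, 1700000000, "pts/0", "192.0.2.10") || stat(p, &st)) return 1;
    printf("apparent %lld bytes, allocated %lld bytes\n", (long long)st.st_size, (long long)st.st_blocks * 512);
    printf("uid 1000 recorded: %d\n", ll_read(p, 1000, &r));
    printf("size with the highest UID written: %lld bytes\n", (long long)ll_offset(UINT32_MAX) + 292);
    return unlink(p);
}
```

Truncating the file makes every slot read as past EOF, so `ll_read` returns 0 for UIDs that had logged in; that is the lost lastlog(1) output the answer refers to.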