From: Roman Bakshansky <bakshansky.lists@gmail.com>
To: linux-api@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, audit@vger.kernel.org,
libc-alpha@sourceware.org
Subject: [RFC] Modernizing Linux authentication logs (lastlog, btmp, utmp, wtmp) with SQLite
Date: Fri, 13 Mar 2026 00:01:25 +0300 [thread overview]
Message-ID: <660c10e6-f8b5-46e2-a424-e3e052992b3a@gmail.com> (raw)
Hi all,
I'd like to share a draft RFC proposing a complete overhaul of the legacy
binary logs used for authentication auditing in Linux: lastlog, btmp, utmp,
and wtmp.
These files, designed decades ago, are running into fundamental limitations:
- Y2038 problem - they use 32-bit timestamps (time_t in lastlog,
tv_sec in utmpx). Even on 64-bit systems the fields remain 32-bit
due to ABI constraints, so all Linux systems are affected.
- No extensibility - any new field (e.g., container ID, service name,
source IP) requires changing fixed structures, breaking all existing
tools that read them.
- Poor query performance - tools like last, lastb, who have to
scan whole files linearly; with millions of records this becomes
painfully slow.
- No atomicity - partial writes during a crash can corrupt logs.
- Concurrency bottlenecks - multiple writers (sshd, login, etc.)
contend for the same file with coarse locking.
To address this once and for all, the RFC proposes replacing these logs
with dedicated shared libraries that use SQLite as the storage backend:
- liblastlog2 - last login time
- libbtmp2 - failed login attempts
- libutmp2 - current sessions
- libwtmp2 - login/logout history
SQLite brings:
- 64-bit time -> Y2038 solved forever.
- Indexes -> O(log N) queries instead of full scans.
- Extensible schema -> new fields can be added without breaking old tools.
- ACID and WAL mode -> atomic writes and concurrent access.
- Portability - runs on any Linux system, no systemd dependency.
The full RFC, including preliminary database schemas and API drafts,
is available in the discussion repository:
https://github.com/bakshansky/linux-auth-logs
I'm looking for feedback on the overall direction, the proposed
interfaces, and the open questions listed in the document (e.g.,
library naming, database location, fallback options for embedded
systems). Please use GitHub Issues for comments, or reply to this
thread - I'll monitor both.
Thanks for your time and input!
next reply other threads:[~2026-03-12 21:01 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-12 21:01 Roman Bakshansky [this message]
2026-03-13 13:59 ` [RFC] Modernizing Linux authentication logs (lastlog, btmp, utmp, wtmp) with SQLite Adhemerval Zanella Netto
2026-03-13 14:45 ` Vincent Lefevre
2026-03-13 17:49 ` Roman Bakshansky
2026-03-13 17:48 ` Roman Bakshansky
2026-03-13 18:03 ` Adhemerval Zanella Netto
2026-03-13 18:51 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=660c10e6-f8b5-46e2-a424-e3e052992b3a@gmail.com \
--to=bakshansky.lists@gmail.com \
--cc=audit@vger.kernel.org \
--cc=libc-alpha@sourceware.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox