Skip to content

Most recent users on your Mac, the “asl” directory, and permissions

May 13, 2014

If you want to find out who the most recent users on your Mac have been, there are ways to do that. Maybe you want to see if someone has been using your Mac. Or how many times you’ve logged in. Or, if it’s your employer’s Mac, who has been using it. You might also want to reliably know who the current user is. (Hint: “whoami” is unreliable, for if you’re in as sudo or root, it will report that, not the current console user.)

The typical way to scrape the current and most recent users list is the command “last -t console”. You will find many websites saying this is definitively the way to find this information, and that if you wanted to pore over that data manually, it’s in /var/log/wtmp.

Not so.

First, you will find that a non-admin user in OS X will get no output from the “last -t console” command.

And when you go poking around wtmp, you’ll find it empty.

You see, Apple moved away from using wtmp after Mac OS X 10.4. That was a while ago. But many websites claim to this day that it’s still in use.

Where did Apple move this information? To /var/log/asl. That’s a directory containing binary files with all the login information you are seeking.

The problem? It’s restricted with 600 permissions. This is why “last -t console” fails for non-admin users.

As you can guess the solution here is easy; relax those permissions. Do a “chmod -R 666 /var/log/asl”. And bingo, your users can run the “last” command without issue.

Advertisements

From → Uncategorized

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: