The utmp file can be manipulated with the fwtmp command.
1.check the last modification time of the /etc/utmp file
ls -l /etc/utmp
-rw-r–r– 1 root root 1620 Jun 28 09:22 /etc/utmp
2.convert the binary /etc/utmp file to ascii :
/usr/sbin/acct/fwtmp /tmp/utmp.ascii
3.edit the /tmp/utmp.ascii file to remove the old entries
Note : the entries are sorted by date, simply use the login time reported
by
who(1) to find the lines to remove.
4.convert the file back to binary format :
/usr/sbin/acct/fwtmp -ic < /tmp/utmp.ascii > /tmp/utmp.binary
5.verify that all unwanted entries have been removed from the new file :
who /tmp/utmp.binary
6.verify that the /etc/utmp file has not been modified since the beginning of
this procedure :
ls -l /etc/utmp
-rw-r–r– 1 root root 1620 Jun 28 09:22 /etc/utmp
If the file has been updated do all the steps again.
7.replace the existing /etc/utmp file with the new one :
mv /tmp/utmp.binary /etc/utmp
8.verify that the file still has the same ownership and permissions :
ls -l /etc/utmp
-rw-r–r– 1 root root 1600 Jun 28 09:30 /etc/utmp