Hi Don,
Our implementation of utmpx should be pretty friendly to use:

- You can call pututxline() with strings that are not null terminated.
- The getutx*() functions return entries in which all strings are null
terminated.

Keep in mind that ut_id is not a string, but a binary identifier,
meaning it is not null terminated.

Best regards,

The latter doesn't appear to be true. If I stuff a non-NUL terminated
32 character user name into ut_user and then call pututxline(), it calls
utx_to_futx(), which uses the UTOF_STRING() macro, which in turn uses
snprintf() to copy the data to the corresponding field in a struct futx
before saving the latter. Going in the other direction, getutxent()
calls futx_to_utx(), which uses the FTOU_STRING() macro, which in turn
uses strncpy() to copy the data back out. If the original name was 32
characters, then the ut_user value in the returned struct utmpx will not
be NUL terminated.

It looks like it is using sizeof() and not sizeof()-1 in both
directions:

Ah, it's using sizeof() going in, but I now see that there is a
carefully hidden -1 adjustment coming out:

#define FTOU_STRING(fu, ut, field) do { \
strncpy((ut)->ut_ ## field, (fu)->fu_ ## field, \
MIN(sizeof (ut)->ut_ ## field - 1, sizeof (fu)->fu_ ## field)); \
} while (0)

We should probably document this in the man page. The Linux man page
that I found online says that the string fields are NUL terminated only
if there is room. The Mac OS X man page and Open Group documentation
are silent on this, which would lead one to think these fields are NUL
terminated.

Code also has be careful to not make the assumption that these fields
are NUL terminated if the struct utmpx has not been laundered through
pututxline() and getutx*(), though this should be rare.