The who command allows you to see who is currently logged on to the Linux system you run the command on. If you are running a desktop system the who command may not seem that important. But if you are managing a server where multiple users could be logged in at a single time, the who command will alert you to who is logged into the system if you need to do some work that may impact their session. Issuing who by itself produces output similar to this:
Four columns are displayed here:
- The username of the user logged in.
- The terminal the user is logged in on.
- When the user logged in.
- The remote host name or X display the user logged in from/to.
In the example above there is only one users logged in and that user is showing as logged in 10 times. Note the second column, the terminal the user is logged in to. The first line shows tty1 which is a virtual terminal or virtual console. Way back in the early days of computing a keyboard and display corresponding to one instance of a terminal to give you access to the computer. A virtual terminal allows for more than one terminal connection to be used by a keyboard and monitor. The device files for a virtual terminal can be found in the /dev directory. In this case, /dev/tty1 the terminal dann is logged into. This is also the terminal that X is running from.
The remainging devices labeled pts/# are psuedo terminals. Like virtual terminals, psuedo terminals provide terminal-like access. In this case, the psudeo terminals are all running under an X-session, specifically X display :0.0. These are all Konsole sessions. But they could very well be ssh sessions:
In this screenshot there are 2 different user accounts logged on: root and dann. The root account is logged in locally but the two dann accounts are logged in from different hosts.
By default the who command gets the information about who is logged in from the /var/run/utmp, although utmp could be in a different location. The utmp file keeps track of users currently logged into the system along with other system related information since boot. You can point who to a different file to look at by specifying the path to the file after who:
In this example who will print out the history of everyone who logged into the system. The /var/log/wtmp file stores historical login information.
Aside from options and file there is one more arguement that who will take and that is “am i”:
who am i
This will print out the username of the user who issues this command along with the terminal the user is running on, the time logged in and the host or X display logged in from. Essentially this is just the who information for the current user and currently user only. There is also a flag that will report this information:
To help you better recall what each column means, the -H, or –heading, switch will display a heading row at the start of the output defining each column:
The -l, or –login, switch will show all terminals that are waiting for a login. Most Linux systems define 6 virtual terminals be available at boot: tty1-6. Those virtual terminals that have not had anyone log in on yet will be displayed by this switch along and the user name will show LOGIN.
The -u switch will add an addtional column to the output after the time logged in showing how long the user has been idle. The value here is in the format HH:MM. The range is 24 hours so any value over 24 hours will report as “old” and a “.” signfies activity in the last minute.
The -w, -T, –mesg, –message, or –writeable, switches report the status of users ability to accept messages. One of three values will be reported in the column after the user’s name:
- + = The user is accepting messages.
- - = The user is not accepting messages.
- ? = The terminal device was not found.
The ability to accept messages is set with the mesg command. Most system shave ths turned off by default so to turn it on the user must issues:
Now messages from non-root users can be sent to the user using the write command.
The –lookup switch will attempt to canonicalize hostnames via a DNS lookup.
The -q, or –count, switch only reports the usernames of the users logged in and the total users logged in. No other standard information is reported.
The who command can display information other than who is logged in. The following list of switches can be passed to who:
- -b, –boot = Prints the date and time of the last system boot.
- -d, –dead = This switch prints out a list of dead processes (these are processes that have been spawned by init that have since died, not a list of all processes that have died (i.e.; logging out of a virtual terminal or close a psuedo terminal)).
- -p, –process = This lists the active processes that were spawned by the init command.
- -r, –runlevel = This will report the current run-level of the init process.
- -t, –time = Prints the last system clock change.
Some of these values will not be reported on systems that have moved from init to Systemd or Upstart, so your mileage may vary on what is returned.
The final switch to report is -a, or –all, which is a combination of:
-b -d –login -p -r -t -T -u
This tells who to display the last system boot, list dead process, show any terminals waiting for LOGIN, list any active processes spawned by init, list the last system clock change, print the message status, and report the idle time for each user in addition to the regular who output.
The who command is a useful utility in a multi-user environment that will help you get a grasp on the users logged into your system. Beyond that it can display some other important information regarding the system status since last boot. Some of who’s functionality may be limited by migration from init to systemd or upstart, so be aware of these limitations. Regardless, who remains an important utlity for your toolbox.
- man who
- info who
- man utmp
- Wikipedia Article: Virtual Console
- Unix.Stackexchange – what is pts
- Wikipedia Article: Psuedo Terminal
- Wikipedia Artcle: utmp
If the video is not clear enough view it off the YouTube website and select size 2 or full screen. Or download the video in Ogg Theora format:
Thank you very much!