The who command in Linux is a utility that displays information about users currently logged into the system. It also offers various options to retrieve specific information, such as the system's run level, the last system boot time, or a quick count of all logged-in user.
The who command specifically reads from /var/run/utmp (binary file) to give a snapshot of currently logged-in users. Apart from who command, w command uses utmp file.
who [options] [file | argument1, argument2]
- options: These are optional flags you can use to modify the command's output.
- file: By default, who gathers data from /var/run/utmp. However, you can specify another file, like /var/log/wtmp, which contains historical data.
- argument1 argument2: If you provide two arguments, the first one is taken as the utmp file, and the second argument is treated as the hostname.
The basic usage of the who command in Linux is to display information about users currently logged into the system. When executed without any options, it provides a list of logged-in users and some basic details about their sessions.
Here's what you'd do:
By default w command will give you output with 4 columns:
username terminal login-time originating-IP
root pts/0 2022-03-28 01:29 (192.168.1.10) tom pts/1 2022-03-28 02:26 (192.168.1.22) linuxopsys pts/2 2022-03-28 02:22 (192.168.1.22)
- username - The name of the user who currently logged in.
- terminal - The name of the terminal the user used to logged in. Example: The pts/0 indicates which "pseudo terminal" the user used to logged in. You may see :0 which is referred to as the actual console or display monitor.
- login-time - The date and time when the user logged in. In YYYY-MM-DD HH:MM format.
- originating-IP - If the user is logged in from a remote location, this shows the IP address or hostname of that remote location. If logged in directly (e.g., from a physical terminal or console), this might show the terminal name.
Here's a breakdown of some commonly used who options:
-a: This option shows all the information. It is equivalent to setting all the other options, making it the most verbose form of the command.
-d: Displays only the dead processes.
-H: Outputs column headings at the top, making it easier to understand the information provided.
-q: Quick mode. This displays only the names of logged-in users and at the end, shows the total count.
-r: Displays the current run level. This provides information on the system's state (single-user mode, multi-user mode, etc.).
-s: List only the name, line, and time fields. This is the default.
-T: Adds a column indicating the user's message status (i.e., whether they can receive messages from other users):
+if they can receive messages.
-if they cannot receive messages.
-u: Shows the user's idle time, indicating how long the terminal has been inactive.
--lookup: Attempts to canonicalize hostnames via DNS for remote logins.
--ips: display IP addresses instead of hostnames for remote logins. This can be useful in cases where you'd prefer to see the raw IP addresses without translating them to their DNS names.
-m: Information about the current terminal session of the user invoking the command.
Common Use Cases
Let's look into some of the common use cases of who command.
Monitoring user activity
The primary purpose of the who command is to show which users are currently logged into the system. When executed, it provides details about the user's username, their terminal, the date and time they logged in, and the IP address or hostname from which they logged in (in case of remote logins).
tom pts/1 2022-03-28 02:26 (192.168.1.22)
From the output, we can understand the user "tom" logged into the system on March 28, 2022, at 02:26 from the IP address
192.168.1.22, and his session is on terminal pts/1.
-a option to force the command to print all information:
system boot 2022-03-23 22:49 run-level 3 2022-03-23 22:49 LOGIN tty1 2022-03-23 22:49 645 id=tty1 LOGIN ttyS0 2022-03-23 22:49 633 id=tyS0 root - pts/0 2022-03-28 01:29 00:33 51607 (192.168.1.10) tom + pts/1 2022-03-28 02:26 00:31 52048 (192.168.1.22) linuxopsys + pts/2 2022-03-28 02:22 . 51900 (192.168.1.22
To perform a DNS lookup for the hostname associated with the IP address from where users are logged in, use
Note: You can combine
-H option to understand what each column in the who output represents.
Checking system run level
-r option used with the who command in Linux displays the current run level of the system.
run-level 3 2022-03-23 22:49
This indicates the system is currently in run level 3. Different numbers represent different states. 2022-03-23 22:49: This is the timestamp of when the system last transitioned into run level 3. In this specific case, the system entered this run level on March 23, 2022, at 22:49.
Finding out when the system was last booted
To find out when the system was last booted using the who command, you would use the
Will produce an output similar to:
system boot 2022-03-23 22:49
Here's the breakdown:
- system boot: This label indicates that the information being displayed pertains to the last time the system was started up or rebooted.
- 2022-03-23 22:49: This timestamp indicates the exact date and time the system was last booted. In this specific instance, the system was started on March 23, 2022, at 22:49.
Display logged in users with count
When you use the -q option with the who command, it produces a quick list of user names that are currently logged in, and then it provides a count of how many sessions there are.
root root linuxopsys # users=3
From the output:
- We see three sessions: two from the user "root" and one from the user "linuxopsys".
# users=3line indicates there are three active user sessions in total.
If "root" has two terminal windows open or is logged in from two different methods (e.g., locally and via SSH), her username will appear twice in the output.
Display Users Idle time
-u option with the who command in Linux displays the list of users currently logged into the system, along with additional information about their idle time.
The output will contain an additional column next to the login time that shows idle time and process ID.
who -u tom tty2 2023-09-11 10:23 01:49 63751 bob pts/1 2023-09-11 01:23 . 65000 (220.127.116.11)
From the example:
- bob is logged in from a remote location with IP address
18.104.22.168on terminal pts/1 since 1:23 on 2023-09-11 and has been active within the last minute. His login session has the process ID 65000.
- tom is logged in locally on terminal tty2 since 10:23 on 2023-09-11, has been idle for 1 hour and 49 minutes, and his login session has the process ID 65000.
This information is useful for system administrators who want to know not just who is logged in, but also how long they've been idle, as this can give insights into resource usage and potential system issues.
Read various files
The who command can be used to read various files that track user logins and activity, not just the default /var/run/utmp file. By specifying a file like /var/log/wtmp, you can view a list of past logins and other system events.
The /var/log/wtmp file keeps track of all the logins and logouts to the system. When you use:
root pts/0 2023-07-30 22:21 (22.214.171.124) root pts/0 2023-08-12 07:30 (126.96.36.199) ubuntu pts/0 2023-08-12 07:35 (188.8.131.52) ubuntu pts/0 2023-08-12 07:41 (184.108.40.206) ubuntu pts/0 2023-08-12 08:18 (220.127.116.11) ubuntu pts/0 2023-08-12 08:20 (18.104.22.168) ubuntu pts/0 2023-08-13 04:58 (22.214.171.124)
The command will display a list of past logins, which can be quite extensive depending on the history stored in the wtmp file.
However, there's a catch: Directly using the who command with /var/log/wtmp might not always produce the desired results. The last command is more commonly used for this purpose.
Display Message Status
-T option with the who command in Linux displays user information along with their message status. The message status denotes whether a user is accepting or declining messages sent by the write command.
The output will contain an additional column next to the username that shows one of three possible message status symbols:
+: This symbol means that messages are allowed. Other users on the system can use the write command to send messages to this user's terminal.
-: This symbol means that messages are disallowed. Other users cannot send messages to this user's terminal using the write command.
?: This symbol indicates that the message status could not be determined.
who -T ubuntu + pts/1 2023-09-10 10:30 (192.168.1.10) linuxopsys - pts/2 2023-09-10 10:35 (192.168.1.11)
In this example:
- ubuntu on terminal pts/1 is allowing messages, as indicated by the
- linuxopsys on terminal pts/2 is not allowing messages, as indicated by the
Display List of Dead Processes
-d option used with the who command in Linux displays "dead processes".
who -d -H NAME LINE TIME IDLE PID COMMENT EXIT pts/2 2023-09-08 03:11 39045 id=ts/2 term=0 exit=0
In the context of the
who -d command, "dead processes" are not the same as "zombie processes" or defunct processes in the system. Instead, these "dead processes" refer to user sessions recorded in the /var/run/utmp file (where who retrieves its data) that don't have associated active processes. Essentially, these are sessions that have not been cleaned up properly. This can happen due to abrupt terminations, crashes, or other anomalies.