who Command in Linux Explained [With Examples]

Last updated: September 11, 2023 | Linuxopsys

The who command in Linux is a utility that displays information about users currently logged into the system. It also offers various options to retrieve specific information, such as the system's run level, the last system boot time, or a quick count of all logged-in user.

The who command specifically reads from /var/run/utmp (binary file) to give a snapshot of currently logged-in users. Apart from who command, w command uses utmp file.

Basic Syntax:

who [options] [file | argument1, argument2]
  • options: These are optional flags you can use to modify the command's output.
  • file: By default, who gathers data from /var/run/utmp. However, you can specify another file, like /var/log/wtmp, which contains historical data.
  • argument1 argument2: If you provide two arguments, the first one is taken as the utmp file, and the second argument is treated as the hostname.

Basic Usage

The basic usage of the who command in Linux is to display information about users currently logged into the system. When executed without any options, it provides a list of logged-in users and some basic details about their sessions.

Here's what you'd do:

who

Output Explained

By default w command will give you output with 4 columns:

username  terminal  login-time  originating-IP

Example:

root     pts/0        2022-03-28 01:29 (192.168.1.10)
tom      pts/1        2022-03-28 02:26 (192.168.1.22)
linuxopsys pts/2        2022-03-28 02:22 (192.168.1.22)
  • username - The name of the user who currently logged in.
  • terminal - The name of the terminal the user used to logged in. Example: The pts/0 indicates which "pseudo terminal" the user used to logged in. You may see :0 which is referred to as the actual console or display monitor.
  • login-time - The date and time when the user logged in. In YYYY-MM-DD HH:MM format.
  • originating-IP - If the user is logged in from a remote location, this shows the IP address or hostname of that remote location. If logged in directly (e.g., from a physical terminal or console), this might show the terminal name.

Options

Here's a breakdown of some commonly used who options:

  • -a: This option shows all the information. It is equivalent to setting all the other options, making it the most verbose form of the command.
  • -d: Displays only the dead processes.
  • -H: Outputs column headings at the top, making it easier to understand the information provided.
  • -q: Quick mode. This displays only the names of logged-in users and at the end, shows the total count.
  • -r: Displays the current run level. This provides information on the system's state (single-user mode, multi-user mode, etc.).
  • -s: List only the name, line, and time fields. This is the default.
  • -T: Adds a column indicating the user's message status (i.e., whether they can receive messages from other users):
    • + if they can receive messages.
    • - if they cannot receive messages.
  • -u: Shows the user's idle time, indicating how long the terminal has been inactive.
  • --lookup: Attempts to canonicalize hostnames via DNS for remote logins.
  • --ips: display IP addresses instead of hostnames for remote logins. This can be useful in cases where you'd prefer to see the raw IP addresses without translating them to their DNS names.
  • --message or -m: Information about the current terminal session of the user invoking the command.

Common Use Cases

Let's look into some of the common use cases of who command.

Monitoring user activity

The primary purpose of the who command is to show which users are currently logged into the system. When executed, it provides details about the user's username, their terminal, the date and time they logged in, and the IP address or hostname from which they logged in (in case of remote logins).

Example:

who
tom      pts/1        2022-03-28 02:26 (192.168.1.22)

From the output, we can understand the user "tom" logged into the system on March 28, 2022, at 02:26 from the IP address 192.168.1.22, and his session is on terminal pts/1.

Use the -a option to force the command to print all information:

who -a
Output
           system boot  2022-03-23 22:49
           run-level 3  2022-03-23 22:49
LOGIN      tty1         2022-03-23 22:49               645 id=tty1
LOGIN      ttyS0        2022-03-23 22:49               633 id=tyS0
root     - pts/0        2022-03-28 01:29 00:33       51607 (192.168.1.10)
tom      + pts/1        2022-03-28 02:26 00:31       52048 (192.168.1.22)
linuxopsys + pts/2        2022-03-28 02:22   .         51900 (192.168.1.22

To perform a DNS lookup for the hostname associated with the IP address from where users are logged in, use --lookup option.

Note: You can combine -H option to understand what each column in the who output represents.

Checking system run level

The -r option used with the who command in Linux displays the current run level of the system.

Example:

who -r
run-level 3  2022-03-23 22:49

This indicates the system is currently in run level 3. Different numbers represent different states. 2022-03-23 22:49: This is the timestamp of when the system last transitioned into run level 3. In this specific case, the system entered this run level on March 23, 2022, at 22:49.

Finding out when the system was last booted

To find out when the system was last booted using the who command, you would use the -b option.

The command:

who -b

Will produce an output similar to:

         system boot  2022-03-23 22:49

Here's the breakdown:

  • system boot: This label indicates that the information being displayed pertains to the last time the system was started up or rebooted.
  • 2022-03-23 22:49: This timestamp indicates the exact date and time the system was last booted. In this specific instance, the system was started on March 23, 2022, at 22:49.

Display logged in users with count

When you use the -q option with the who command, it produces a quick list of user names that are currently logged in, and then it provides a count of how many sessions there are.

The command:

who -q
Output
root root linuxopsys
# users=3

From the output:

  • We see three sessions: two from the user "root" and one from the user "linuxopsys".
  • The # users=3 line indicates there are three active user sessions in total.

If "root" has two terminal windows open or is logged in from two different methods (e.g., locally and via SSH), her username will appear twice in the output.

Display Users Idle time

The -u option with the who command in Linux displays the list of users currently logged into the system, along with additional information about their idle time.

The output will contain an additional column next to the login time that shows idle time and process ID.

The command

who -u
tom     tty2        2023-09-11 10:23 01:49       63751
bob     pts/1        2023-09-11 01:23 .           65000 (58.108.74.6)

From the example:

  • bob is logged in from a remote location with IP address 59.108.74.6 on terminal pts/1 since 1:23 on 2023-09-11 and has been active within the last minute. His login session has the process ID 65000.
  • tom is logged in locally on terminal tty2 since 10:23 on 2023-09-11, has been idle for 1 hour and 49 minutes, and his login session has the process ID 65000.

This information is useful for system administrators who want to know not just who is logged in, but also how long they've been idle, as this can give insights into resource usage and potential system issues.

Read various files

The who command can be used to read various files that track user logins and activity, not just the default /var/run/utmp file. By specifying a file like /var/log/wtmp, you can view a list of past logins and other system events.

The /var/log/wtmp file keeps track of all the logins and logouts to the system. When you use:

who /var/log/wtmp
root     pts/0        2023-07-30 22:21 (57.108.74.6)
root     pts/0        2023-08-12 07:30 (57.108.74.6)
ubuntu   pts/0        2023-08-12 07:35 (57.108.74.6)
ubuntu   pts/0        2023-08-12 07:41 (48.37.171.63)
ubuntu   pts/0        2023-08-12 08:18 (48.37.171.63)
ubuntu   pts/0        2023-08-12 08:20 (48.37.171.63)
ubuntu   pts/0        2023-08-13 04:58 (48.37.169.186)

The command will display a list of past logins, which can be quite extensive depending on the history stored in the wtmp file.

However, there's a catch: Directly using the who command with /var/log/wtmp might not always produce the desired results. The last command is more commonly used for this purpose.

Display Message Status

The -T option with the who command in Linux displays user information along with their message status. The message status denotes whether a user is accepting or declining messages sent by the write command.

The output will contain an additional column next to the username that shows one of three possible message status symbols:

  • +: This symbol means that messages are allowed. Other users on the system can use the write command to send messages to this user's terminal.
  • -: This symbol means that messages are disallowed. Other users cannot send messages to this user's terminal using the write command.
  • ?: This symbol indicates that the message status could not be determined.

Example:

who -T
ubuntu     + pts/1     2023-09-10 10:30 (192.168.1.10)
linuxopsys    - pts/2     2023-09-10 10:35 (192.168.1.11)

In this example:

  • ubuntu on terminal pts/1 is allowing messages, as indicated by the + symbol.
  • linuxopsys on terminal pts/2 is not allowing messages, as indicated by the - symbol.

Display List of Dead Processes

The -d option used with the who command in Linux displays "dead processes".

The command:

who -d -H
NAME     LINE         TIME             IDLE          PID COMMENT  EXIT
         pts/2        2023-09-08 03:11             39045 id=ts/2  term=0 exit=0

In the context of the who -d command, "dead processes" are not the same as "zombie processes" or defunct processes in the system. Instead, these "dead processes" refer to user sessions recorded in the /var/run/utmp file (where who retrieves its data) that don't have associated active processes. Essentially, these are sessions that have not been cleaned up properly. This can happen due to abrupt terminations, crashes, or other anomalies.

SHARE

Comments

Please add comments below to provide the author your ideas, appreciation and feedback.

Leave a Reply

Leave a Comment