Display Current Logged-in Users with who Command Guide

Complete guide to the Unix/Linux who command for displaying current logged-in users, monitoring system activity, and performing security audits.

Author:

Published:

Category: System Administration

Reading Time: 11

Display Current Logged-in Users with who

Table of Contents

1. [Introduction](#introduction) 2. [Basic Syntax](#basic-syntax) 3. [Command Options](#command-options) 4. [Output Format](#output-format) 5. [Practical Examples](#practical-examples) 6. [Advanced Usage](#advanced-usage) 7. [Related Commands](#related-commands) 8. [System Administration Applications](#system-administration-applications) 9. [Troubleshooting](#troubleshooting) 10. [Best Practices](#best-practices)

Introduction

The who command is a fundamental Unix/Linux utility that displays information about users currently logged into the system. This command provides essential details about active user sessions, including usernames, terminal devices, login times, and remote connection information. System administrators and users frequently rely on who to monitor system activity, track user sessions, and perform security audits.

The who command reads information from system files, primarily /var/run/utmp and /var/log/wtmp, which maintain records of user login sessions. Understanding how to effectively use who is crucial for system monitoring, security analysis, and general system administration tasks.

Basic Syntax

The basic syntax of the who command follows this pattern:

`bash who [OPTION]... [FILE | ARG1 ARG2] `

Core Components

| Component | Description | Required | |-----------|-------------|----------| | who | Base command | Yes | | OPTION | Command flags and modifiers | No | | FILE | Alternative utmp file to read | No | | ARG1 ARG2 | Special two-argument format | No |

Simplest Usage

`bash who `

This basic invocation displays all currently logged-in users with standard information columns.

Command Options

The who command supports numerous options that modify its output format and information display. Below is a comprehensive breakdown of available options:

Display Options

| Option | Long Form | Description | Output Effect | |--------|-----------|-------------|---------------| | -a | --all | Display all available information | Shows comprehensive user data | | -b | --boot | Show last system boot time | Displays boot timestamp | | -d | --dead | Show dead processes | Lists terminated processes | | -H | --heading | Add column headers | Includes descriptive headers | | -l | --login | Show login processes | Displays login daemon info | | -p | --process | Show active processes spawned by init | Lists init-spawned processes | | -q | --count | Show usernames and user count only | Compact user list with count | | -r | --runlevel | Display current runlevel | Shows system runlevel | | -s | --short | Show name, line, and time only | Minimal information display | | -t | --time | Show last system clock change | Displays clock change timestamp | | -u | --users | Show idle time for each user | Includes user idle status | | -w | --mesg | Show message status | Displays write permission status |

Formatting Options

| Option | Long Form | Description | Usage Context | |--------|-----------|-------------|---------------| | -T | --mesg | Add message status column | Security and communication | | -m | N/A | Show information about current terminal only | Personal session info | | --lookup | N/A | Attempt to canonicalize hostnames via DNS | Network analysis | | --help | N/A | Display help information | Learning and reference | | --version | N/A | Show version information | System documentation |

Output Format

Understanding the output format of the who command is essential for interpreting the displayed information correctly. The standard output contains several columns of data.

Standard Output Columns

| Column | Description | Example | Notes | |--------|-------------|---------|-------| | Username | Login name of the user | john | System account name | | Terminal | Terminal device or connection type | pts/0 | Physical or pseudo-terminal | | Login Time | When the session started | 2024-01-15 09:30 | Local system time | | Remote Host | Source of remote connections | 192.168.1.100 | IP address or hostname |

Terminal Types

| Terminal Type | Description | Common Examples | Connection Method | |---------------|-------------|-----------------|-------------------| | tty[0-9] | Physical console terminals | tty1, tty2 | Direct console access | | pts/[0-9] | Pseudo-terminals | pts/0, pts/1 | SSH, terminal emulators | | console | System console | console | System boot messages | | :0 | X11 display | :0.0 | Graphical desktop session |

Message Status Indicators

When using the -T or -w options, additional status indicators appear:

| Indicator | Meaning | Security Implication | |-----------|---------|---------------------| | + | Messages allowed | User can receive talk/write messages | | - | Messages blocked | User has disabled message reception | | ? | Status unknown | Unable to determine message permissions |

Practical Examples

Basic User Listing

`bash who `

Expected Output: ` john pts/0 2024-01-15 09:30 (192.168.1.100) mary pts/1 2024-01-15 10:15 (10.0.0.50) admin tty1 2024-01-15 08:00 `

Explanation: This shows three active users: john and mary connected via SSH from remote hosts, and admin logged in directly at the console.

Detailed Information Display

`bash who -a `

Expected Output: ` system boot 2024-01-15 07:45 run-level 5 2024-01-15 07:45 LOGIN tty2 2024-01-15 07:45 478 id=2 john + pts/0 2024-01-15 09:30 . 1234 (192.168.1.100) mary - pts/1 2024-01-15 10:15 00:05 1567 (10.0.0.50) `

Explanation: The -a option provides comprehensive information including system boot time, runlevel, process IDs, idle times, and message status.

User Count and Names

`bash who -q `

Expected Output: ` john mary admin

users=3

`

Explanation: This compact format shows only usernames and the total count, useful for quick user enumeration.

Current User Information

`bash who -m `

Expected Output: ` john pts/0 2024-01-15 09:30 (192.168.1.100) `

Explanation: Shows information only for the terminal from which the command is executed.

System Boot Time

`bash who -b `

Expected Output: ` system boot 2024-01-15 07:45 `

Explanation: Displays when the system was last booted, crucial for uptime tracking and maintenance scheduling.

User Idle Status

`bash who -u `

Expected Output: ` john pts/0 2024-01-15 09:30 . 1234 (192.168.1.100) mary pts/1 2024-01-15 10:15 00:05 1567 (10.0.0.50) admin tty1 2024-01-15 08:00 02:30 892 `

Explanation: The idle time column shows how long each user has been inactive. A dot (.) indicates current activity.

Column Headers

`bash who -H `

Expected Output: ` NAME LINE TIME COMMENT john pts/0 2024-01-15 09:30 (192.168.1.100) mary pts/1 2024-01-15 10:15 (10.0.0.50) admin tty1 2024-01-15 08:00 `

Explanation: The -H option adds descriptive column headers for better readability.

Advanced Usage

Combining Multiple Options

`bash who -Hu `

Expected Output: ` NAME LINE TIME IDLE PID COMMENT john pts/0 2024-01-15 09:30 . 1234 (192.168.1.100) mary pts/1 2024-01-15 10:15 00:05 1567 (10.0.0.50) admin tty1 2024-01-15 08:00 02:30 892 `

Explanation: Combines headers with idle time information for comprehensive user session monitoring.

Alternative Data Sources

`bash who /var/log/wtmp `

Explanation: Reads from the wtmp log file instead of the default utmp file, showing historical login information rather than current sessions.

Two-Argument Format

`bash who am i `

Expected Output: ` john pts/0 2024-01-15 09:30 (192.168.1.100) `

Explanation: This special two-argument format shows information about the current user session, equivalent to who -m.

Network Host Resolution

`bash who --lookup `

Explanation: Attempts to resolve IP addresses to hostnames using DNS, providing more readable remote connection information.

Related Commands

Understanding related commands enhances the effectiveness of system monitoring and user management:

Command Comparison Table

| Command | Primary Function | Key Differences | Use Case | |---------|------------------|-----------------|----------| | who | Show current users | Basic user session info | General monitoring | | w | Show user activity | Includes process information | Detailed activity analysis | | users | List logged-in users | Names only, space-separated | Quick user enumeration | | last | Show login history | Historical login records | Security auditing | | finger | User information | Personal details and status | User research | | id | User and group IDs | Identity verification | Permission troubleshooting |

Practical Command Combinations

#### Comprehensive User Analysis

`bash who -aH && echo "---" && w `

This combination provides both current session details and active processes for complete user activity analysis.

#### Security Monitoring Script

`bash #!/bin/bash echo "Current Users:" who -H echo "" echo "Recent Logins:" last -n 10 echo "" echo "Failed Login Attempts:" lastb -n 5 `

System Administration Applications

Security Monitoring

System administrators use who for various security-related tasks:

#### Unauthorized Access Detection

`bash who -H | grep -v "known_user_pattern" `

This command helps identify potentially unauthorized users by filtering out known legitimate accounts.

#### Remote Connection Monitoring

`bash who -H | grep "pts/" | awk '{print $1, $5}' | sort | uniq -c `

Analyzes remote connections by counting unique user-host combinations.

Resource Management

#### Session Duration Tracking

`bash who -u | awk '$4 != "." {print $1, $4}' | sort -k2 -nr `

Identifies users with the longest idle times for resource optimization.

#### Terminal Usage Analysis

`bash who | awk '{print $2}' | cut -d'/' -f1 | sort | uniq -c `

Analyzes terminal type usage patterns for infrastructure planning.

Automated Monitoring

#### User Login Alerting

`bash #!/bin/bash CURRENT_USERS=$(who -q | tail -1 | cut -d'=' -f2) if [ $CURRENT_USERS -gt 5 ]; then echo "High user count: $CURRENT_USERS users logged in" who -H fi `

Automated script for monitoring user count thresholds.

Troubleshooting

Common Issues and Solutions

#### Empty Output

Problem: who command returns no output Possible Causes: - Corrupted utmp file - Insufficient permissions - System in single-user mode

Solutions: `bash

Check utmp file existence and permissions

ls -la /var/run/utmp

Verify system runlevel

who -r

Check alternative data sources

who /var/log/wtmp | tail -10 `

#### Incorrect Time Display

Problem: Login times appear incorrect Possible Causes: - System timezone misconfiguration - Hardware clock issues - NTP synchronization problems

Solutions: `bash

Check system time and timezone

date timedatectl status

Compare with hardware clock

hwclock --show

Verify NTP synchronization

ntpq -p `

#### Missing Remote Host Information

Problem: Remote connections show no hostname/IP Possible Causes: - SSH configuration issues - Logging configuration problems - Network resolution failures

Solutions: `bash

Check SSH daemon configuration

grep -E "UseDNS|LogLevel" /etc/ssh/sshd_config

Verify DNS resolution

nslookup remote_ip_address

Use lookup option

who --lookup `

File System Issues

#### Utmp File Problems

| Issue | Symptoms | Resolution | |-------|----------|------------| | Corrupted utmp | Inconsistent output | Restart system or clear utmp | | Permission denied | Access errors | Check file permissions | | Missing utmp | No current users shown | Verify system logging services |

#### Log Rotation Effects

`bash

Check log rotation configuration

cat /etc/logrotate.conf | grep -A5 wtmp

Verify log file sizes

ls -lh /var/log/wtmp* `

Best Practices

Regular Monitoring Procedures

#### Daily User Audit

`bash #!/bin/bash

Daily user session report

echo "=== Daily User Session Report ===" > /tmp/user_report.txt echo "Date: $(date)" >> /tmp/user_report.txt echo "" >> /tmp/user_report.txt echo "Current Users:" >> /tmp/user_report.txt who -H >> /tmp/user_report.txt echo "" >> /tmp/user_report.txt echo "System Uptime:" >> /tmp/user_report.txt who -b >> /tmp/user_report.txt `

#### Security Baseline Establishment

`bash

Create baseline user patterns

who -H | awk '{print $1}' | sort | uniq > /etc/security/baseline_users.txt

Daily comparison

who -H | awk '{print $1}' | sort | uniq | diff /etc/security/baseline_users.txt - `

Performance Considerations

#### Efficient Monitoring Scripts

`bash

Optimized user counting

ACTIVE_USERS=$(who | wc -l)

Memory-efficient remote user listing

who | grep "(" | cut -d'(' -f2 | cut -d')' -f1 | sort -u `

Integration with System Monitoring

#### Log File Integration

`bash

Combine who output with system logs

{ echo "Current Users:" who -H echo "" echo "Recent Authentication Events:" tail -20 /var/log/auth.log | grep -E "(Accepted|Failed)" } | tee /var/log/user_activity.log `

#### Automated Reporting

`bash #!/bin/bash

Weekly user activity summary

{ echo "Weekly User Activity Summary" echo "Generated: $(date)" echo "==========================" echo "" echo "Current Active Sessions:" who -H echo "" echo "Most Active Users (Last 7 Days):" last -s "-7days" | awk '{print $1}' | sort | uniq -c | sort -nr | head -10 echo "" echo "Unique Remote Hosts:" who | grep "(" | cut -d'(' -f2 | cut -d')' -f1 | sort -u } > "/var/reports/weekly_user_$(date +%Y%m%d).txt" `

The who command serves as a cornerstone tool for system administration, providing essential visibility into user sessions and system activity. Its simplicity belies its power, making it an indispensable utility for monitoring, security, and system management tasks. Regular use of who in combination with other system tools creates a comprehensive approach to user session management and system security monitoring.

Tags

  • Command Line
  • Linux
  • System Monitoring
  • Unix
  • security

Related Articles

Popular Technical Articles & Tutorials

Explore our comprehensive collection of technical articles, programming tutorials, and IT guides written by industry experts:

Browse all 8+ technical articles | Read our IT blog

Display Current Logged-in Users with who Command Guide