Learn ‘who’ command in Linux and related files. Understand its usage, different options, and scenarios in which command can be useful.
If you are in Linux/Unix administration, you probably used who command many times. And majorly for checking the list of users currently logged in to the system. But there is much other stuff this command can do which we overlook. Let see the power of
‘who’ command is capable of doing the following :
- Provide information about logged-in users
- List dead processes
- Shows last system boot time
- List system login processes
- List processes spawned by init
- Shows runlevel info
- Track last system clock change
- User’s message status
Let’s see all the above doings one by one and understand from where command fetch this information for us.
1. Provide information about logged-in users
This is a pretty famous use of
who command. Without any argument when run, it shows output similar to one below :
# who root pts/1 2016-12-09 10:48 (10.10.42.56) user4 pts/2 2016-12-09 10:53 (10.10.42.22)
The output consists of 5 columns where,
- The first field is the username of the user who is logged in currently
- The second field is the terminal from where the user is logged in
- Third and fourth fields are date and time of login
- The fifth field is the IP address/hostname from where the user logged in.
who reads information from
/var/run/utmp file and provide in a formatted manner in this output.
Read also: How to check bad logins in HPUX
2. List dead processes
This is helpful during troubleshooting of performance issues or system cleanup. There are some processes that went dead in the system i.e. not properly terminated or closed after their execution completes. These processes can be seen using
# who -d pts/1 2016-12-09 11:46 27696 id=ts/1 term=0 exit=0 pts/2 2016-12-03 00:34 23816 id=ts/2 term=0 exit=0 pts/3 2016-12-03 00:34 23856 id=ts/3 term=0 exit=0
The output shows terminal from which process was fired in the first field, followed by the date, time, process id and other details.
3. Shows last system boot time
If you want to check when the system was booted quickly then
who -b is your way out. No need to search through log files or no need to back-calculate the date from system uptime. Just 4 letters command and you will be presented with last boot time.
# who -b system boot 2016-03-17 19:39
4. List system login processes
These are the currently active login processes i.e. Getty on the system. Using
who -l you will get details of login processes. This information can also be traced/verified in
ps -ef output.
# who -l LOGIN tty3 2016-03-17 19:39 2502 id=3 LOGIN tty6 2016-03-17 19:39 2522 id=6 LOGIN tty5 2016-03-17 19:39 2515 id=5 LOGIN tty2 2016-03-17 19:39 2497 id=2 LOGIN tty4 2016-03-17 19:39 2510 id=4
- The first field is the process type
- The second field denotes terminal used
- Third and fourth are the date and time of spawn
- The fifth field is process id i.e. PID
- Sixth is identification/sequence number
The above processes can be seen in
ps -ef filtered output as well.
# ps -ef |grep -i getty root 2497 1 0 Mar17 tty2 00:00:00 /sbin/mingetty /dev/tty2 root 2502 1 0 Mar17 tty3 00:00:00 /sbin/mingetty /dev/tty3 root 2510 1 0 Mar17 tty4 00:00:00 /sbin/mingetty /dev/tty4 root 2515 1 0 Mar17 tty5 00:00:00 /sbin/mingetty /dev/tty5 root 2522 1 0 Mar17 tty6 00:00:00 /sbin/mingetty /dev/tty6
5. List processes spawned by init
Whenever the system finishes boot, the kernel will load services/processes with the help of the init program. If there are any active processes running on the server which were spawned by init program then those can be viewed using
who -p. Currently, my server does not have such processes exist so no output can be shared here.
6. Shows runlevel info
Another famous use of
-r argument. To check the current run level of the system we use
# who -r run-level 5 2016-03-17 19:39
In the output, it shows the current run level number and date, a time when the system entered this run level. In HPUX this command output also shows the previous run level system was in before entering the current run level.
Read also: Run levels in HPUX
7. Track last system clock change
Normally this option i.e.
who -t is not useful nowadays. Since all system now runs with NTP (network time protocol), time syncs with NTP server and there are no manual interventions for the system time change.
who -t a command normally aims at showing the last system clock change details if manually done.
8. User’s message status
Linux uses a native messaging system using which one can send and messages to logged in the user’s terminal.
who -T gives you the user’s message status i.e. if messaging service is enabled or disabled for the user. The user may opt-out of this service from his terminal using
mesg n command. This will prevent any message to be displayed on his terminal.
By observing the user’s messages status, one can determine which user won’t be receiving a broadcast message is sent. This will help to analyze which user may not be aware of happenings that are notified through broadcast messages. Mainly system reboot, shutdown sent outs broadcast messages to all logged-in users. If some users don’t see it, he may lose his work during the system down event.
# who -T user3 + pts/0 2016-12-09 11:42 (10.10.49.12) testuser2 - pts/1 2016-12-09 12:38 (10.10.49.12)
In the above output, I logged in with testuser2 and opt-out of messaging service with
mesg n. You can see
- sign against testuser2 while user3 is with
+ i.e. he has messaging-enabled and will receive messages on the terminal.