[Linux] who Command to Display Currently Logged-in Users

Tadashi Shigeoka ·  Mon, October 16, 2017

I’ll introduce the who command that displays a list of currently logged-in users in Linux.

Linux

who Command

The who command can display information about currently logged-in users.

Initially, you might not understand the display items, so I recommend using the —heading option to make the display items clearer.

$ who --help
Usage: who [OPTION]... [ FILE | ARG1 ARG2 ]
Print information about users who are currently logged in.

  -a, --all         same as -b -d --login -p -r -t -T -u
  -b, --boot        time of last system boot
  -d, --dead        print dead processes
  -H, --heading     print line of column headings
  -l, --login       print system login processes
      --lookup      attempt to canonicalize hostnames via DNS
  -m                only hostname and user associated with stdin
  -p, --process     print active processes spawned by init
  -q, --count       all login names and number of users logged on
  -r, --runlevel    print current runlevel
  -s, --short       print only name, line, and time (default)
  -t, --time        print last system clock change
  -T, -w, --mesg    add user's message status as +, - or ?
  -u, --users       list users logged in
      --message     same as -T
      --writable    same as -T
      --help     display this help and exit
      --version  output version information and exit

If FILE is not specified, use /var/run/utmp.  /var/log/wtmp as FILE is common.
If ARG1 ARG2 given, -m presumed: 'am i' or 'mom likes' are usual.

GNU coreutils online help: 
For complete documentation, run: info coreutils 'who invocation'

who Command Usage Example

Sometimes there are processes that remain logged in via ssh, so let’s investigate them using the who command.

As shown below, using who —heading —users reveals that ec2-user processes logged in on 2016-11-21 and 2016-11-24 are showing IDLE time as “old”.

$ who --heading --users
NAME     LINE         TIME             IDLE          PID COMMENT
ec2-user pts/0        2017-10-17 02:41 01:06       22973 (forward_proxy1)
ec2-user pts/1        2017-10-17 03:41   .          3667 (forward_proxy1)
ec2-user pts/2        2016-11-21 07:21  old        19734 (forward_proxy1)
ec2-user pts/3        2016-11-24 07:11  old         2202 (forward_proxy1)

Just to be sure, let’s check what the “old” processes are executing using the w command, which displays logged-in usernames and their processing content.

$ w
 03:52:38 up 452 days, 18:59,  4 users,  load average: 8.06, 8.80, 9.44
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
ec2-user pts/0    forward_proxy1   02:41    1:10m  0.02s  0.01s sshd: ec2-user [priv]
ec2-user pts/1    forward_proxy1   03:41    1.00s  0.05s  0.00s w
ec2-user pts/2    forward_proxy1   21Nov16 329days  0.00s  0.00s -bash
ec2-user pts/3    forward_proxy1   24Nov16 326days  0.01s  0.01s -bash

Both have “-bash” in the WHAT column.

If it’s bash or ssh and nothing is running, it’s safe to terminate the processes.

That’s all from the Gemba, where I also manage servers.