I’ll introduce the who command that displays a list of currently logged-in users in Linux.
The who command can display information about currently logged-in users.
Initially, you might not understand the display items, so I recommend using the —heading option to make the display items clearer.
$ who --help
Usage: who [OPTION]... [ FILE | ARG1 ARG2 ]
Print information about users who are currently logged in.
-a, --all same as -b -d --login -p -r -t -T -u
-b, --boot time of last system boot
-d, --dead print dead processes
-H, --heading print line of column headings
-l, --login print system login processes
--lookup attempt to canonicalize hostnames via DNS
-m only hostname and user associated with stdin
-p, --process print active processes spawned by init
-q, --count all login names and number of users logged on
-r, --runlevel print current runlevel
-s, --short print only name, line, and time (default)
-t, --time print last system clock change
-T, -w, --mesg add user's message status as +, - or ?
-u, --users list users logged in
--message same as -T
--writable same as -T
--help display this help and exit
--version output version information and exit
If FILE is not specified, use /var/run/utmp. /var/log/wtmp as FILE is common.
If ARG1 ARG2 given, -m presumed: 'am i' or 'mom likes' are usual.
GNU coreutils online help:
For complete documentation, run: info coreutils 'who invocation'
Sometimes there are processes that remain logged in via ssh, so let’s investigate them using the who command.
As shown below, using who —heading —users reveals that ec2-user processes logged in on 2016-11-21 and 2016-11-24 are showing IDLE time as “old”.
$ who --heading --users
NAME LINE TIME IDLE PID COMMENT
ec2-user pts/0 2017-10-17 02:41 01:06 22973 (forward_proxy1)
ec2-user pts/1 2017-10-17 03:41 . 3667 (forward_proxy1)
ec2-user pts/2 2016-11-21 07:21 old 19734 (forward_proxy1)
ec2-user pts/3 2016-11-24 07:11 old 2202 (forward_proxy1)
Just to be sure, let’s check what the “old” processes are executing using the w command, which displays logged-in usernames and their processing content.
$ w
03:52:38 up 452 days, 18:59, 4 users, load average: 8.06, 8.80, 9.44
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
ec2-user pts/0 forward_proxy1 02:41 1:10m 0.02s 0.01s sshd: ec2-user [priv]
ec2-user pts/1 forward_proxy1 03:41 1.00s 0.05s 0.00s w
ec2-user pts/2 forward_proxy1 21Nov16 329days 0.00s 0.00s -bash
ec2-user pts/3 forward_proxy1 24Nov16 326days 0.01s 0.01s -bash
Both have “-bash” in the WHAT column.
If it’s bash or ssh and nothing is running, it’s safe to terminate the processes.
That’s all from the Gemba, where I also manage servers.