LinuxCommandLibrary

who

Show who is logged on

TLDR

Display the username, line, and time of all currently logged-in sessions

$ who
copy

Display all available information
$ who [[-a|--all]]
copy

Display all available information with table headers
$ who [[-aH|--all --heading]]
copy

SYNOPSIS

who [OPTION]... [FILE]...
who am i

PARAMETERS

-a, --all
    Equivalent to -b -d -l -p -r -t -T -u. Displays all available information.

-b, --boot
    Prints the time of the last system boot.

-d, --dead
    Prints information about dead processes.

-H, --heading
    Prints column headings above the output, making it easier to read.

-i, --idle
    Adds the idle time to the output. A dot (.) indicates an idle time of less than one minute, while 'old' signifies more than 24 hours.

-l, --login
    Prints system login processes, typically showing active login prompts.

-m
    Displays only the hostname and user information associated with the standard input (stdin), effectively showing information about the current user.

-p, --process
    Prints active processes spawned by init.

-q, --count
    Prints all login names and the total number of users currently logged on, in a concise format.

-r, --runlevel
    Prints the current runlevel of the system.

-s, --short
    Prints only the user's name, line (TTY), and login time. This is the default output format.

-t, --time
    Prints the time of the last system clock change.

-T, --mesg, --message
    Adds the user's message status. + indicates messages are allowed, - means disallows messages, and ? means the status cannot be determined.

-u, --users
    Lists users currently logged in, including their terminal, login time, and remote host.

am i
    A common idiom to print information about the current user (yourself). This is functionally similar to using the -m option.

--help
    Displays a help message and exits.

--version
    Outputs version information and exits.

DESCRIPTION

The who command is a fundamental Unix-like utility designed to provide information about users currently logged into the system. It typically outputs essential details such as the user's login name, the terminal line (TTY) they are using, the time of their login, and optionally, the remote host from which they connected. Beyond current user sessions, who can also reveal system events like the last system boot time, changes in the system's runlevel, or details about dead processes. While who offers a quick and simple overview of active sessions, for more comprehensive data, such as users' current processes or detailed idle times, commands like w or finger are often employed. Its straightforward nature makes it an indispensable tool for quick system monitoring and user identification.

CAVEATS

The who command primarily relies on system accounting files like /var/run/utmp (for current logins) and /var/log/wtmp (for historical logins). Inaccurate or incomplete information may result if these files are corrupted or not properly maintained by the system. It mainly tracks sessions associated with a TTY; graphical desktop sessions or certain SSH configurations might not always be fully or accurately represented. Idle times for SSH sessions can sometimes be misleading, depending on the client and server configurations.

DEFAULT OUTPUT FORMAT

By default, when invoked without options, who displays three columns for each logged-in user: the user's login name, the terminal line (TTY) they are using, and the time of their login. For example:
user tty1 2023-10-27 08:30
If logged in from a remote host, the hostname or IP address may also be included in parentheses.

USING A SPECIFIC LOG FILE

The who command can also be told to read from a specific login record file instead of the default /var/run/utmp. For instance, who /var/log/wtmp will display historical login/logout records, providing a different perspective on system activity.

HISTORY

The who command has been a cornerstone of Unix and Unix-like operating systems since their inception. It originated as a basic utility for system administrators and users to quickly ascertain who was logged into a multi-user system. Its design is straightforward, primarily involving the parsing of system accounting files like utmp to retrieve current login information. As a component of the GNU Core Utilities, its implementation is standardized and widely available across virtually all Linux distributions, maintaining a consistent interface and behavior. The core functionality of who has remained largely unchanged, solidifying its role as a quick and reliable method for identifying active users on a system.

SEE ALSO

w(1), users(1), last(1), finger(1), logname(1), id(1), ps(1)

Copied to clipboard