hpr-knowledge-base/hpr_transcripts/hpr1262.txt

Episode: 1262
Title: HPR1262: LiTS 031: who
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr1262/hpr1262.mp3
Transcribed: 2025-10-17 22:35:18

---

Welcome to Linux in the Shell episode 31, who?
My name is Dan Waschko, I'll be your host today and as always I'd like to thank Hacker
Public Radio for hosting the audio files and the website.
Head on over to hackerpublicradio.org for some great content or to see how you can contribute
to Hacker Public Radio a fantastic endeavor.
Today we're going to talk about the Who command.
Now, before I get started on this, I'd like to issue a caveat here.
Now, the Who command is really relying upon a few system files and a few processes,
namely in it, is one of the processes that it relies upon.
Now, on more modern distributions, they've been replacing in it with System D or Upstart.
Upstart is Ubuntu, System D is Arch Fedora.
Maybe, well, I'm just, Asusa, I'm not sure who else is using System D, but I know Arch and Fedora.
So, when I run some of these Who commands on a system running System D because I run Arch,
I don't always get back the expected results and in fact, sometimes I don't get anything back.
And my suspicion is because that System D has replaced in it.
And I have not found or I could not find corroborating evidence of this or documentation,
but that is my suspicion. Some of the man pages that I link to in the bibliography
indicate that some of the services that are kind of cursory tied to the Who command
that it relies upon and in it are kind of either being deprecated or the full functionality has
not rolled over into System D to emulate a lot of what in it used to do or take over some of that.
And it all depends, I guess, upon your version of Who, maybe it's not fully compliant with System D
or Upstart yet. So, just bear some of that in mind if your results do not match up with what's
in the man page. All right. So, going along Who is a very handy command, especially if you're running
a server or a system where multiple users log in. By typing Who, what you're going to get returned to
you by default is all the people that are logged into the System and where they are logged in from
and what they are logged into. Now, what that reads by default is the U-temp that's U-T-M-P
file. And what that U-temp file does is it keeps track of users currently logged into the system
and along with other system-related information since Boo. Now, that's all written to by the
in it command, just so you're aware of. And you're going to find U-temp in var run U-temp.
And you can't really read that file, but you can with the Who command. Another file to pay
attention to would be var log W-temp. And that is a file that contains the historic information
as to Who logged in in the past. You can read that with Who if you passed a file name,
Who, space slash var slash log slash W-temp. And it will show you the historical
information in the W-temp to Who logged in. And it will also give you where they logged in from,
like the host name, When, and how they logged in. And let's talk about how they're logged in
to begin with. Who returns four columns by default? The first column is the user, or the
user account name. The second column is what they're logged into, the device. You're going to see
probably like TTY and some number or PTS slash and some number. TTY is a virtual terminal. And
when you fire up a Linux system, most Linux systems will automatically start five terminals,
or six terminals, I believe, is five or six. TTT one through six will be displayed. Now,
in the old days, the seventh terminal was kind of reserved for when you started X, that became
a seventh terminal. You not always see that in some of the more modern distributions. Like,
when I fire up start X, I don't get a seventh terminal on my ARCH system. But you have TTTY one
through six. Now, those are those are started by system D. In the old init style, in the init tab
file, you would see that it said to start six or five or six terminals, virtual terminals in
there in the init file. And they're kept by either system D or init or upstart, whatever it is,
that when you log into the terminal, if you finished your virtual terminal and you exit,
it quits the terminal, but it automatically system the init or upstart will automatically
respond that virtual terminal. So that's how that's kind of handled. Now, who will show you what
terminal that they're logging into? A PTS slash zero, that's a pseudo terminal. That's something like
if you were to SSH into a system, you might see that, or if you fire up a console, if you fire up
a console in or terminal, an X term or anything like that, you would see that listed as a terminal
type in the who command in that column. It's a pseudo terminal. They're like virtual terminals
and provide terminal like access, but you know, they're not a full fledged terminal. Old days,
a terminal was a physical monitor keyboard that you use to connect into like a mainframe. That's
where the holdover is. So the third column shows a timestamp of when that user logged in.
As to when that user was logged in at.
And then the fourth column, it shows the remote host or the X display of where the user logged in
from or to. So if it's an SSH system, it'll show where the user, the host name of the user that logged
in. If it is just like your local machine, if it's just a terminal, you won't see anything,
but if it's an X term, it'll show you the display. Like if you're an X, it'll show you the display
that X is running on. Who is nice to have, especially if you're like you need to restart a system
or do some services on the system that may interrupt the standard functionality of the server or
services available. You can see who's logged in and alert them or if you're just noticing odd
behaviors, you can see who's logged in. Maybe they're running something that is exhausting system
resources. You could begin by looking at that. If you were to type in who, space, am, space, I,
it shows you only the current your current login information. So if you type in there,
there's a command called who am I all one word that tells you whether you know what user account
you're in as. Like if you were to in root and you typed in who am I would show you root,
but if you type in who space, am, space, I, it shows you all the same information that you would
see with who command the four columns, but it only shows you for that current login session
that you're in. So you'll see that information. So then you can tell which account that you're
actually in whether it's the local login account, the pseudo terminal from an S and S system or
your pseudo day, you know, your S U to root or you're actually logged in as a root, which not
always a good idea. If you are unsure of what the columns mean at any time, you could pass the
dash capital H or dash dash heading switch and that'll list the heading of the columns above it.
You'll see like name line, which stands for what type of terminal they're logged in with time
and comment or the four columns by default that you see comment is like the host name or the
display that you logged in as. Now the who space, am, space, I also has a switch, it's dash,
am. If you type in dash, am, you get the current user information only.
There is a dash L or dash, dash login. Now that shows all terminals that are waiting for a
login, those are those one to six terminals that I talked about before. If they're in a login
state, which means they're waiting for a login for somebody to log in, the dash L switch will just
show you those. It'll just, it'll print those out and instead of showing a username, it'll show
login for username. The dash U switch adds an additional column that I'll put after the time logged
in and that'll show you how long the user has been idle. The value there is going to be in hours
and minutes in a 24 hour period. If you see a dash there, that means that they've actually had
some activity in the last minute. If you see numbers, it's going to be the first two numbers
or hours, the second two numbers or minutes. That's how long they've been idle for. That means
haven't done anything. And if it's over 24 hours, it's going to say 24. It's going to say old
right there. So that that that is indicates that they haven't been doing anything or active
for over 24 hours. The W or dash capital T or dash, dash message or dash, dash,
MESG or dash, dash, writeable. Those five switches right there all do the same thing and that tells
you the status of the user's ability to accept messages. Now there's three values plus minus
and question mark. Plus means that the user's accepting messages minus means the user is not
accepting messages and question mark is a terminal device was not found. Now the ability to accept
messages is done. It's set with the message command MESG. I believe by default most people
have it turned off. You could type MESG space Y and that'll allow you to accept messages.
Now that blocks if it's turned off, it blocks messages from all but from the root account.
So you could type a message to a user as the root account and let them know like, hey,
you have an idle. I'm shutting the system down or if they're in there say, look, I'm shutting
the system down or it's ways to do that. The dash W or dash capital T or those flags that I
talked about will tell you whether or not they're accepting messages whether you can accept
send them a message or not unless you're the root account and then they can always send a message.
The dash dash lookup switch will attempt to canonicalize host names with a DNS lookup by default.
It may not canonicalize. You might just see like IP addresses or whatever you can tell that to
try and do a DNS lookup. Of course, that'll be slower than a standard lookup running of the
root command. The dash Q or dash dash count switch that will only report user names of users that
are logged in and the total of users total users that are logged in. So instead of a standard
report, you'll just get a list of in a horizontal row of all the users that are logged in.
And if you're logged in multiple times, it'll show your user name in there multiple times like
a log in. And if I have a couple of like X term sessions running or console sessions, it'll go
Dan, Dan, Dan, Dan, Dan. And then it'll show you a total of
number of users that are logged in afterwards. Now there's some other information that who can
display other than just the user login information. The dash B or dash, dash boot will print the
date and time of the last system boot. The dash D or dash, dash, dead, that will print out the
list of dead processes. Now, these are processes that have been spawned by the init command that
have since died. It's not a list of all processes that have died. For example, if you logged out
of a virtual terminal or closed the pseudo terminal, you would see that process be counted in the dead
options. The dash P or dash, dash process, this lists all the active processes that were spawned
by the init command. So any process that is actively running that was spawned by init would be
reported here. The dash R or dash, dash run level were report to current run level of the init
process. This, you know, again, as I said in the beginning, some of these options here do not seem
to like work properly on newer systems that are running upstart or I'll say system D. Because if I
do a dash who dash R on my art box, I get nothing back but on Slack where it tells me what run
level I'm running at. So just be, you know, the caveat stays, especially with these reports that do
more than just show users logged in. Dash T or dash, dash time prints the last time the system
clock changed. If it changed at all. Now, some of the values, there is a, again, will not be reported
on systems that aren't running straight in it. Just be aware of that. There is a dash A or dash,
dash all, which is a combination of the following, dash B for boot, dash D for dead,
process list, dash dash login, which shows you, as I mentioned before, the dash dash, what did I
mention, dash dash login? It was the terminals that are waiting for a login and a login state,
the dash P, which is process list started by init, dash R for run level, dash lowercase T for
time, dash capital T for whether our users are accepting messages and dash U, which shows idle time.
So that's a dash A will show, but basically everything that we could print out, except for
the queue, which is the count, which is the list of users in a horizontal line. It doesn't print that.
So who is a very basic command, but has a lot of, you know, functionality, and it's particularly
useful on some systems running straight in it, because your mileage may vary on systems that are
running upstart or system D, but the grand concept of who, for reporting, who's logged into a system
still holds, and that functionality is pertinent, particularly in a multi-user environment,
if you need to do some work on a system to see who's logged in, or whether there's funky things
going on, and you can see whether somebody is doing something or who's logged in before you start
digging into other areas. That's the who command in a nutshell, head on over to the website for
the full write-up, linuxinachel.org, also for the bibliography that has some handy links to
virtual consoles and pseudoterminals and U-TEMP and what PTS is, stuff like that.
I want to thank you for listening. My name is Dan Waschko, and we'll see you in a couple weeks.
You have been listening to Hacker Public Radio at Hacker Public Radio.
We are a community podcast network that releases shows every weekday Monday through Friday.
Today's show, like all our shows, was contributed by a HPR listener like yourself.
If you ever consider recording a podcast, then visit our website to find out how easy it really is.
Hacker Public Radio was founded by the digital dot-pound and the economical and computer cloud.
HPR is funded by the binary revolution at binref.com, all binref projects are crowd-responsive by
LUNA pages. From shared hosting to custom private clouds, go to LUNA pages.com for all your hosting
needs. Unless otherwise stasis, today's show is released under a creative comments,
attribution, share a like, lead us our license.