The `who` command is a standard Unix/Linux utility that displays information about users who are currently logged into the system. It reads data from system files that track user logins and system events, primarily the utmp or utmpx database.
**Core Functionality:**
1. **User Identification**: `who` shows the username, terminal, login time, and remote host (if applicable) for each logged-in user.
2. **System Status Information**: Beyond user logins, `who` can display information about system boot time, runlevel changes, and other system events.
3. **Current User Information**: The special syntax `who am i` or the `-m` option provides information about the current user's session only.
4. **Message Status**: `who` can indicate whether users have their terminals set to accept or reject messages from other users via the `write` command.
**Common Use Cases:**
1. **System Monitoring**: System administrators use `who` to see who's currently using the system and from where they're connected.
2. **Security Auditing**: `who` helps identify unexpected or unauthorized login sessions.
3. **Resource Management**: Knowing how many users are logged in helps with resource allocation and scheduling maintenance.
4. **User Communication**: The message status indicator shows which users can receive messages via the `write` command.
5. **Boot Time Verification**: The `-b` option shows when the system was last booted, useful for determining system uptime.
**Technical Details:**
1. **Data Sources**: `who` typically reads from `/var/run/utmp` or `/var/log/utmp`, which contain records of current login sessions. With arguments, it can read from alternative files.
2. **Related Files**: In addition to `utmp`, related information is stored in:
   - `/var/log/wtmp`: Historical login records (used by the `last` command)
   - `/var/log/btmp`: Failed login attempts (used by the `lastb` command)
3. **Format Variations**: Different Unix-like systems may show slight variations in the output format and available options.
4. **Terminal Message Status**: The `+` or `-` indicator shows whether a user's terminal has write permissions for other users, determining if they can receive messages via the `write` command.
**Historical Context:**
`who` is one of the original Unix commands, dating back to early versions of the operating system in the 1970s. It was designed for multi-user systems where knowing who else was using the system was important for communication and resource sharing. Despite the evolution of computing toward personal devices, `who` remains relevant in server environments and multi-user systems.
**Comparison with Related Commands:**
1. **w**: The `w` command is an enhanced version of `who` that also shows what each user is doing (their current process) and system load averages.
2. **users**: A simplified version that lists only the usernames of logged-in users, with duplicates for users logged in multiple times.
3. **last**: Shows a history of logins, while `who` shows only current sessions.
4. **finger**: Provides more detailed information about users, including personal information from the passwd file, if available.
5. **whoami**: Shows only the current username, without session details.
**Security Considerations:**
1. **Information Disclosure**: `who` reveals information about system users that could potentially be useful to attackers, though this information is typically considered low sensitivity.
2. **Audit Trail**: `who` doesn't provide a complete audit trail of logins since it only shows current sessions. For historical data, the `last` command is more appropriate.
3. **Guest Access**: On systems with guest accounts or public access, `who` allows users to see who else is using the system, which might be a privacy consideration.
**Best Practices:**
1. **Regular Monitoring**: System administrators should regularly check `who` output to ensure only authorized users are logged in.
2. **Automation**: `who` output can be parsed and monitored by scripts to alert on unexpected logins or excessive user counts.
3. **Documentation**: In shared environments, users should be informed that their login sessions are visible to other users via commands like `who`.
4. **Combination with Other Tools**: For more comprehensive monitoring, combine `who` with other commands like `w`, `last`, and `ps` to get a complete picture of system usage.
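The automation practice above, as an added example that is not part of the original text: a POSIX shell function that parses `who` output and reports sessions from users outside an allowlist, plus a session count above a limit. It assumes the GNU coreutils column layout (`USER LINE DATE TIME [(HOST)]`); `ALLOWED_USERS`, `MAX_SESSIONS`, the function names, and the sample sessions are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag unexpected sessions in `who` output.
# Assumes the GNU coreutils layout: USER LINE DATE TIME [(HOST)].
# ALLOWED_USERS and MAX_SESSIONS are hypothetical site policy values.
ALLOWED_USERS="alice bob"
MAX_SESSIONS=3

# audit_who: read `who` output on stdin, print one ALERT line per finding.
audit_who() {
    awk -v allowed="$ALLOWED_USERS" -v max="$MAX_SESSIONS" '
        BEGIN {
            n = split(allowed, names, " ")
            for (i = 1; i <= n; i++) ok[names[i]] = 1
        }
        NF < 4 { next }    # skip blank or truncated records
        {
            total++
            host = "local"
            # A remote host, when present, is the last field in parentheses.
            if ($NF ~ /^\(.*\)$/) host = substr($NF, 2, length($NF) - 2)
            # X11 sessions report the display, e.g. (:0), which is still local.
            if (host ~ /^:/) host = "local"
            if (!($1 in ok))
                printf "ALERT unexpected-user user=%s line=%s from=%s\n", $1, $2, host
        }
        END {
            if (total + 0 > max + 0)
                printf "ALERT session-count total=%d max=%d\n", total, max
        }
    '
}

# Constructed sample input standing in for live `who` output.
sample_who() {
    cat <<'EOF'
alice    tty1         2024-05-01 08:00
alice    pts/0        2024-05-01 09:12 (10.0.0.5)
bob      :0           2024-05-01 09:30 (:0)
mallory  pts/3        2024-05-01 23:47 (203.0.113.9)
EOF
}

sample_who | audit_who
# On a live host: who | audit_who
```

Because the output format varies between Unix-like systems, check the field positions against the local `who` before relying on the alerts.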
Despite its simplicity, `who` remains a valuable tool in the system administrator's toolkit, providing quick insight into the current state of a multi-user system.