Back to Commands

who

system informationLinux/Unix
The who command is one of the most frequently used commands in Linux/Unix-like operating systems. who Show who is logged on the system
See ExamplesView Syntax

Quick Reference

Command Name:

who

Category:

system information

Platform:

Linux/Unix

Basic Usage:

who [options] [arguments]

Common Use Cases

    Syntax

    who [OPTION]... [FILE | ARG1 ARG2]

    Options

    Option Description
    -a, --all Display all information (same as -b -d --login -p -r -t -T -u)
    -b, --boot Show time of last system boot
    -d, --dead Show dead processes
    -H, --heading Print column headings
    -i, --ip-addr Display IP addresses instead of hostnames
    -l, --login Show system login processes
    -m Show information about the current user only (same as 'who am i')
    -p, --process Show active processes spawned by init
    -q, --count Show only usernames and count of users logged on
    -r, --runlevel Show current runlevel
    -s, --short Display only name, line, and time (default)
    -t, --time Show last system clock change
    -T, -w, --mesg, --message, --writable Show user message status (+, -, or ?)
    -u, --users List users logged in
    --help Display a help message and exit
    --version Output version information and exit

    Output Format

    The default output of who displays the following columns:

    Column Description
    1 Username
    2 Terminal name
    3 Login date and time
    4 Remote hostname or IP address (if applicable)

    With the -T option, an additional column appears between the username and terminal name, showing message status:

    • +: User accepts messages
    • -: User rejects messages
    • ?: Unknown status

    Examples

    How to Use These Examples

    The examples below show common ways to use the who command. Try them in your terminal to see the results. You can copy any example by clicking on the code block.

    # Basic Examples Basic
    # Display information about currently logged in users who
    # Display the current username who am i
    # Display the current username (alternate format) who -m
    # Display all available information who -a
    # Show login time for each user who -T
    # Advanced Examples Advanced # Display information in a more readable format who -H # Show the last system boot time who -b # Display the runlevel information who -r # Show dead processes who -d # Show login processes who -l # Count the number of logged-in users who | wc -l # Display only usernames who -q # Display IP addresses instead of hostnames who -i # Show information from a different utmp file who /var/run/utmp

    Try It Yourself

    Practice makes perfect! The best way to learn is by trying these examples on your own system with real files.

    Understanding Syntax

    Pay attention to the syntax coloring: commands, options, and file paths are highlighted differently.

    Notes

    The `who` command is a standard Unix/Linux utility that displays information about users who are currently logged into the system. It reads data from system files that track user logins and system events, primarily the utmp or utmpx database. **Core Functionality:** 1. **User Identification**: who shows the username, terminal, login time, and remote host (if applicable) for each logged-in user. 2. **System Status Information**: Beyond user logins, who can display information about system boot time, runlevel changes, and other system events. 3. **Current User Information**: The special syntax 'who am i' or the -m option provides information about the current user's session only. 4. **Message Status**: who can indicate whether users have their terminals set to accept or reject messages from other users via the write command. **Common Use Cases:** 1. **System Monitoring**: System administrators use who to see who's currently using the system and from where they're connected. 2. **Security Auditing**: who helps identify unexpected or unauthorized login sessions. 3. **Resource Management**: Knowing how many users are logged in helps with resource allocation and scheduling maintenance. 4. **User Communication**: The message status indicator shows which users can receive messages via the write command. 5. **Boot Time Verification**: The -b option shows when the system was last booted, useful for determining system uptime. **Technical Details:** 1. **Data Sources**: who typically reads from /var/run/utmp or /var/log/utmp, which contain records of current login sessions. With arguments, it can read from alternative files. 2. **Related Files**: In addition to utmp, related information is stored in: - /var/log/wtmp: Historical login records (used by the 'last' command) - /var/log/btmp: Failed login attempts (used by the 'lastb' command) 3. **Format Variations**: Different Unix-like systems may show slight variations in the output format and available options. 4. **Terminal Message Status**: The + or - indicator shows whether a user's terminal has write permissions for other users, determining if they can receive messages via the 'write' command. **Historical Context:** who is one of the original Unix commands, dating back to early versions of the operating system in the 1970s. It was designed for multi-user systems where knowing who else was using the system was important for communication and resource sharing. Despite the evolution of computing toward personal devices, who remains relevant in server environments and multi-user systems. **Comparison with Related Commands:** 1. **w**: The 'w' command is an enhanced version of who that also shows what each user is doing (their current process) and system load averages. 2. **users**: A simplified version that lists only the usernames of logged-in users, with duplicates for users logged in multiple times. 3. **last**: Shows a history of logins, while who shows only current sessions. 4. **finger**: Provides more detailed information about users, including personal information from the passwd file, if available. 5. **whoami**: Shows only the current username, without session details. **Security Considerations:** 1. **Information Disclosure**: who reveals information about system users that could potentially be useful to attackers, though this information is typically considered low sensitivity. 2. **Audit Trail**: who doesn't provide a complete audit trail of logins since it only shows current sessions. For historical data, the 'last' command is more appropriate. 3. **Guest Access**: On systems with guest accounts or public access, who allows users to see who else is using the system, which might be a privacy consideration. **Best Practices:** 1. **Regular Monitoring**: System administrators should regularly check who output to ensure only authorized users are logged in. 2. **Automation**: who output can be parsed and monitored by scripts to alert on unexpected logins or excessive user counts. 3. **Documentation**: In shared environments, users should be informed that their login sessions are visible to other users via commands like who. 4. **Combination with Other Tools**: For more comprehensive monitoring, combine who with other commands like w, last, and ps to get a complete picture of system usage. Despite its simplicity, who remains a valuable tool in the system administrator's toolkit, providing quick insight into the current state of a multi-user system.

    Related Commands

    These commands are frequently used alongside who or serve similar purposes:

    w
    users
    last
    whoami
    finger
    id
    write
    mesg
    Explore All Commands

    Use Cases

    Learn By Doing

    The best way to learn Linux commands is by practicing. Try out these examples in your terminal to build muscle memory and understand how the who command works in different scenarios.

    See ExamplesTry Lab Exercises
    $ who
    View All Commands