
Unix Tip: Finding Idle Users

ITworld.com 7/10/2007

Sandra Henry-Stocker, ITworld.com


I used to rely on the "finger -i" command to tell me how many users were logged into the systems I managed and how long each of them had been idle. If I needed to reboot a system and the only users logged in at the time were both unresponsive and long idle, I felt justified in proceeding with the reboot. In recent years, however, I've seen too many instances in which finger doesn't tell me the whole story. Comparing the output of the who command with that of finger shows me that who often reports more logged-in users than finger does.

Here's an example. On this particular system, the who command shows that we have eleven logins from seven systems:

locust# who
root       pts/5        Jul 11 12:28    (elm)
lloyd      pts/2        Jul 11 16:11    (ash)
peter      pts/1        Jul 11 10:04    (beech)
lois       pts/3        Jul 11 09:35    (cedar)
root       pts/6        Jul 11 13:14    (dogwood)
vicki      pts/7        Jul 11 13:14    (dogwood)
hankp      pts/4        Jul 11 10:10    (birch)
jasper     pts/12       Jul 11 15:19    (ginkgo)
hankp      pts/9        Jul 11 14:56    (birch)
hankp      pts/10       Jul 11 15:12    (birch)
hankp      pts/11       Jul 11 15:16    (birch)

The finger command with the -i option (to show how long users have been idle), on the other hand, shows only four logged-in users:

locust# finger -i
Login      TTY                When             Idle
root       pts/5        Wed Jul 11 12:28
root       pts/6        Wed Jul 11 13:14   3 hours 11 minutes
vicki      pts/7        Wed Jul 11 13:14   7 minutes 23 seconds
jasper     pts/12       Wed Jul 11 15:19   17 minutes

So, which is correct? Did the who command fail to notice when some of the users logged off or did the finger command fail to notice that additional users had logged in? One way to address the issue is to consult a third command. Using the last command to display login history, the same four users are listed. The last command seems to hold the same view of the system as the finger command:

locust# last | head -6
ainet     pts/12       ginkgo           Wed Jul 11 15:19   still logged in
vicki     pts/7        dogwood          Wed Jul 11 13:14   still logged in
root      pts/6        dogwood          Wed Jul 11 13:14   still logged in
root      pts/5        elm              Wed Jul 11 12:28   still logged in
peter     pts/1        beech            Wed Jul 11 09:27 - 09:55  (00:28)
root      pts/1        holly            Tue Jul 10 12:53 - 13:11  (00:18)

A more thorough approach is to determine where each of the commands obtains the information that it uses to determine who is logged in. The two files that maintain login records on Solaris systems are /var/adm/utmpx and /var/adm/wtmpx. The utmpx file contains current login records while the wtmpx file holds a record of past logins. The difference in the sizes of these two files makes sense considering how the two files are used.

-rw-r--r--   1 root     bin         8928 Jul 11 17:07 utmpx
-rw-r--r--   1 adm      adm       249984 Jul 11 17:07 wtmpx

The last command looks at /var/adm/wtmpx and can reach as far back as the time your current wtmpx file was initialized. The who command looks at /var/adm/utmpx and can only report on current users unless, of course, it is asked to look at a different file (e.g., by typing "who /var/adm/wtmpx").

If we use the last command and force it to look at the utmpx file, we will see a list of logins that corresponds to those reported by who, but with some very odd records in the rightmost column, which make it appear as if the person logging in from dogwood has logged out.

locust# last -f utmpx
hankp     pts/11       birch            Wed Jul 11 15:16   still logged in
hankp     pts/10       birch            Wed Jul 11 15:12   still logged in
hankp     pts/9        birch            Wed Jul 11 14:56   still logged in
jasper    pts/12       ginkgo           Wed Jul 11 15:19   still logged in
hankp     pts/4        birch            Wed Jul 11 10:10   still logged in
vicki     pts/7        dogwood          Wed Jul 11 13:14 - 11:13  (21:59)
root      pts/6        dogwood          Wed Jul 11 13:14 - 14:48  (01:33)
lois      pts/3        cedar            Wed Jul 11 09:35   still logged in
peter     pts/1        beech            Wed Jul 11 10:04   still logged in
lloyd     pts/2        ash              Wed Jul 11 16:11   still logged in
root      pts/5        elm              Wed Jul 11 12:28 - 10:58  (22:29)
reboot    system boot                   Thu May 31 13:12

wtmp begins Thu May 31 13:12

Looking at ps output, we can verify that each of these login sessions is associated with a login shell. This reinforces the conclusion that who is providing a more accurate picture of the system than finger.

locust# ps -ef | grep ksh
   lloyd 17486 17483  0 16:11:52 pts/2    0:00 -ksh
  jasper 13207 13203  0 15:19:02 pts/12   0:00 -ksh
   peter 23670 23669  0 10:04:56 pts/1    0:00 -ksh
   hankp 12682 12681  0 15:12:36 pts/10   0:00 -ksh
   hankp 12944 12943  0 15:16:06 pts/11   0:00 -ksh
   lois  21793 21774  0 09:35:53 pts/3    0:00 -ksh
   vicki  5266  5262  0 13:14:37 pts/7    0:00 -ksh
   hankp 24027 24026  0 10:10:59 pts/4    0:00 -ksh
   hankp 11474 11473  0 14:56:22 pts/9    0:00 -ksh
    root  5246  5242  0 13:14:33 pts/6    0:00 ksh -o vi
    root  2198  2196  0 12:28:49 pts/5    0:00 ksh -o vi

In fact, if we compare the most recent wtmpx records with our who output, we are likely to see that there is some overlap. In other words, some of our current sessions have already been added to the historical login file.

locust# who wtmpx | tail -7
root       pts/1        Jul 10 12:53    (beech)
peter      pts/1        Jul 11 09:27    (beech)
root       pts/5        Jul 11 12:28    (10.1.4.10)
root       pts/6        Jul 11 13:14    (10.9.2.78)
ainet      pts/7        Jul 11 13:14    (10.9.2.78)
ainet      pts/12       Jul 11 15:19    (stcroix)
ainet      pts/13       Jul 11 16:33    (stjohn)

All these varieties of information regarding who is logged in to a system can be annoying if you'd like to depend on one command or another to give an accurate view of the system. On the other hand, one use of the who command seems to give me just about everything I want to know when checking the logins on a system -- the who command with the -T option. This command shows me not only who is logged in, but how long each user has been idle and the process ID of each user's login shell.

locust# who -T
root     + pts/5        Jul 11 12:28   .     2198       (elm)
lloyd    + pts/2        Jul 11 16:11  0:05  17486       (ash)
peter    + pts/1        Jul 11 10:04  1:02  23670       (beech)
lois     + pts/3        Jul 11 09:35  0:09  21793       (cedar)
root     + pts/6        Jul 11 13:14  3:11   5246       (dogwood)
vicki    + pts/7        Jul 11 13:14  0:07   5266       (dogwood)
hankp    + pts/4        Jul 11 10:10  4:11  24027       (birch)
jasper   + pts/12       Jul 11 15:19  0:17  13207       (ginkgo)
hankp    + pts/9        Jul 11 14:56  0:47  11474       (birch)
hankp    + pts/10       Jul 11 15:12  0:40  12682       (birch)
hankp    + pts/11       Jul 11 15:16   .    12944       (birch)

The seven columns in the who -T output are:

the username
+, - or ? (whether the terminal allows write access to other users)
the assigned pseudo-terminal
the login date and time
the amount of time idle (a "." indicates no idle time)
the PID of the login shell
the source of the login
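
The seven columns above can be turned into a quick pre-reboot check. The script below is an added example, not part of the original article: it parses who -T output in the Solaris layout shown here and lists sessions by idle time. The function names are made up for illustration, and the handling of "old" (the marker who prints for a terminal idle more than 24 hours) and of local logins with no source column are assumptions beyond the listing above.

```shell
#!/bin/sh
# Added example (not from the article): turn Solaris-style `who -T` output,
# laid out in the seven columns listed above, into an idle-time report.

# Sample input: the `who -T` listing shown in the article.
sample_who_T() {
cat <<'EOF'
root     + pts/5        Jul 11 12:28   .     2198       (elm)
lloyd    + pts/2        Jul 11 16:11  0:05  17486       (ash)
peter    + pts/1        Jul 11 10:04  1:02  23670       (beech)
lois     + pts/3        Jul 11 09:35  0:09  21793       (cedar)
root     + pts/6        Jul 11 13:14  3:11   5246       (dogwood)
vicki    + pts/7        Jul 11 13:14  0:07   5266       (dogwood)
hankp    + pts/4        Jul 11 10:10  4:11  24027       (birch)
jasper   + pts/12       Jul 11 15:19  0:17  13207       (ginkgo)
hankp    + pts/9        Jul 11 14:56  0:47  11474       (birch)
hankp    + pts/10       Jul 11 15:12  0:40  12682       (birch)
hankp    + pts/11       Jul 11 15:16   .    12944       (birch)
EOF
}

# idle_report: read `who -T` lines on stdin and print one line per session:
#   user tty idle_minutes shell_pid source
idle_report() {
    awk 'NF >= 8 {
        idle = $7
        if (idle == ".")                     mins = 0      # "." means no idle time
        else if (idle == "old")              mins = 1440   # assumed: idle over 24 hours
        else if (split(idle, hm, ":") == 2)  mins = hm[1] * 60 + hm[2]
        else next                                          # unrecognised idle field
        src = (NF >= 9) ? $9 : "-"                         # assumed: local login, no source
        gsub(/[()]/, "", src)
        print $1, $3, mins, $8, src
    }'
}

# idle_at_least MIN: sessions idle for MIN minutes or more.
idle_at_least() { idle_report | awk -v min="$1" '$3 + 0 >= min + 0'; }

# active_within MIN: sessions used in the last MIN minutes; these are the
# users to contact before a reboot.
active_within() { idle_report | awk -v min="$1" '$3 + 0 < min + 0'; }

# On a live Solaris host the input would be: who -T | idle_at_least 60
sample_who_T | idle_at_least 60
```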


Sandra Henry-Stocker has been administering Unix systems for more than 18 years. She describes herself as "USL" (Unix as a second language) but remembers enough English to write books and buy groceries. She currently works for TeleCommunication Systems, a wireless communications company, in Annapolis, Maryland, where no one else necessarily shares any of her opinions. She lives with her second family on a small farm on Maryland's Eastern Shore. Send comments and suggestions to bugfarm@gmail.com.





Copyright © Computerworld, Inc. All rights reserved

Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.