Ways to Identify Who is Logged-In on Your Linux System ?
1. Get the running processes of logged-in user using w
w command is used to show logged-in user names and what they are doing. The information will be read from /var/run/utmp file. The output of the w command contains the following columns:
- Name of the user
- User’s machine number or tty number
- Remote machine address
- User’s Login time
- Idle time (not usable time)
- Time used by all processes attached to the tty (JCPU time)
- Time used by the current process (PCPU time)
- Command currently getting executed by the users
Following options can be used for the w command:
- -h Ignore the header information
- -u Display the load average (uptime output)
- -s Remove the JCPU, PCPU, and login time.
$ w 23:04:27 up 29 days, 7:51, 3 users, load average: 0.04, 0.06, 0.02 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT ramesh pts/0 dev-db-server 22:57 8.00s 0.05s 0.01s sshd: ramesh [priv] jason pts/1 dev-db-server 23:01 2:53 0.01s 0.01s -bash john pts/2 dev-db-server 23:04 0.00s 0.00s 0.00s w $ w -h ramesh pts/0 dev-db-server 22:57 17:43 2.52s 0.01s sshd: ramesh [priv] jason pts/1 dev-db-server 23:01 20:28 0.01s 0.01s -bash john pts/2 dev-db-server 23:04 0.00s 0.03s 0.00s w -h $ w -u 23:22:06 up 29 days, 8:08, 3 users, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT ramesh pts/0 dev-db-server 22:57 17:47 2.52s 2.49s top jason pts/1 dev-db-server 23:01 20:32 0.01s 0.01s -bash john pts/2 dev-db-server 23:04 0.00s 0.03s 0.00s w -u $ w -s 23:22:10 up 29 days, 8:08, 3 users, load average: 0.00, 0.00, 0.00 USER TTY FROM IDLE WHAT ramesh pts/0 dev-db-server 17:51 sshd: ramesh [priv] jason pts/1 dev-db-server 20:36 -bash john pts/2 dev-db-server 1.00s w -s
2. Get the user name and process of logged in user using who and users command
How can I find out who is logged on my UNIX / Linux system?
who command is used to get the list of the usernames who are currently logged in. Output of the who command contains the following columns: user name, tty number, date and time, machine address.
$ who ramesh pts/0 2009-03-28 22:57 (dev-db-server) jason pts/1 2009-03-28 23:01 (dev-db-server) john pts/2 2009-03-28 23:04 (dev-db-server)
raj ttypV Jan 17 07:23 . (192.168.1.10)
ben ttypW Jan 17 07:42 . (192.168.1.11)
$ who | grep raj
users command is used to print the user name who are all currently logged in the current host. It is one of the command don’t have any option other than help and version. If the user using, ‘n’ number of terminals, the user name will shown in ‘n’ number of time in the output.
whoami command gives the same output as id -un as shown below:
who am i command will display the logged-in user name and current tty details.
3. Any one has idea how to find and kill these type of orphan process?
use pkill command to kill users.
$ who | less $ who | more
To get a list of all usernames that are currently logged in, use the following:
$ who | cut -d' ' -f1 | sort | uniq john jason rameshUsers Command
$ users john jason ramesh
3. Get the username you are currently logged in using whoami
whoami command is used to print the loggedin user name.
$ whoami john
whoami command gives the same output as id -un as shown below:
$ id -un john
who am i command will display the logged-in user name and current tty details.
The output of this command contains the following columns: logged-in user name, tty name, current time with date and ip-address from where this users initiated the connection.
$ who am i john pts/2 2009-03-28 23:04 (dev-db-server) $ who mom likes john pts/2 2009-03-28 23:04 (dev-db-server) Warning: Don't try "who mom hates" command.
Also, if you do su to some other user, this command will give the information about the logged in user name details.
4. Get the user login history at any time
last command will give login history for a specific username. If we don’t give any argument for this command, it will list login history for all users. By default this information will read from /var/log/wtmp file. The output of this command contains the following columns:
- User name
- Tty device number
- Login date and time
- Logout time
- Total working time
$ last jason jason pts/0 dev-db-server Fri Mar 27 22:57 still logged in jason pts/0 dev-db-server Fri Mar 27 22:09 - 22:54 (00:45) jason pts/0 dev-db-server Wed Mar 25 19:58 - 22:26 (02:28) jason pts/1 dev-db-server Mon Mar 16 20:10 - 21:44 (01:33) jason pts/0 192.168.201.11 Fri Mar 13 08:35 - 16:46 (08:11) jason pts/1 192.168.201.12 Thu Mar 12 09:03 - 09:19 (00:15) jason pts/0 dev-db-server Wed Mar 11 20:11 - 20:50 (00:39
last, lastb - show listing of last logged in users
Options:-t YYYYMMDDHHMMSS
Display the state of logins as of the specified time. This is useful, to determine easily who was logged in at a particular time.
-f file
Specifies a file to search other than /var/log/wtmp.
-R Suppresses the display of the hostname field.
-a Display the hostname in the last column. Useful in combination with the next flag.
-d For non-local logins, Linux stores not only the host name of the remo te host but its IP number as
well. This option translates the IP number back into a hostname.
-i This option is like -d in that it displays the IP number of the remote host, but it displays the IP number in numbers-and-dots notation.
-o Read an old-type wtmp file (written by linux-libc5 applications).
-x Display the system shutdown entries and run level changes.
/var/log/wtmp
/var/log/btmp
Important Q:
1. Anyone can tell me what is the actual process use w command in linux system to display system and user information
2. I want to know PID of the terminal which user has logged in and closed the connection without logging out. When I fire Who I can see some terminal process but coud not get there PID to kill those process.
3. Any one has idea how to find and kill these type of orphan process?
Linux Command: List All Users In The System
I'm a new Linux sys admin and I'm unable to find the command to list all users on my RHEL server. What is the command to list users under Linux operating systems?
/etc/passwd file contains one line for each user account, with seven fields delimited by colons. This is a text file. You can easily list users using thecat command as follows:
Sample outputs:
/etc/passwd file contains one line for each user account, with seven fields delimited by colons. This is a text file. You can easily list users using thecat command as follows:
$ cat /etc/passwd
Sample outputs:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
....
..
...
OR use pages as follows to view /etc/passwd file:
Sample outputs:
$ more /etc/passwd
$ less /etc/passwd
Sample outputs:
All fields are separated by a colon (:) symbol. Total seven fields exists. The first field is username. It is used when user logs in. It should be between 1 and 32 characters in length.
Task: Linux List Users Command
To list only usernames type the following awk command:
Sample outputs:
$ awk -F':' '{ print $1}' /etc/passwd
Sample outputs:
root
daemon
bin
sys
sync
games
man
lp
mail
news
....
..
..hplip
vivek
bind
haldaemon
sshd
mysql
radvd
A Note About System and General Users
Each user has numerical user ID called UID. It is defined in /etc/passwd file. The UID for each user is automatically selected using /etc/login.defs file when you use useradd command. To see current value, enter:
Sample outputs:
$ grep "^UID_MIN" /etc/login.defs
$ grep UID_MIN /etc/login.defs
Sample outputs:
UID_MIN 1000
#SYS_UID_MIN 100
1000 is minimum values for automatic uid selection in useradd command. In other words all normal system users must have UID >= 1000 and only those users are allowed to login into system if shell is bash/csh/tcsh/ksh etc as defined /etc/shells file. Type the following command to list all login users:
## get UID limit ##
l=$(grep "^UID_MIN" /etc/login.defs)
## use awk to print if UID >= $UID_LIMIT ##
awk -F':' -v "limit=${l##UID_MIN}" '{ if ( $3 >= limit ) print $1}' /etc/passwd
To see maximum values for automatic uid selection in useradd command, enter:awk -F':' -v "min=${l##UID_MIN}" -v "max=${l1##UID_MAX}" '{ if ( $3 >= min && $3 <= max ) print $0}' /etc/passwd
$ grep "^UID_MAX" /etc/login.defs
Sample outputs:
UID_MAX 60000
In other words all normal system users must have UID >= 1000 (MIN) and UID <= 60000 (MAX) and only those users are allowed to login into system if shell is bash/csh/tcsh/ksh etc as defined /etc/shells file. Here is an updated code:
## get mini UID limit ##
l=$(grep "^UID_MIN" /etc/login.defs)
## get max UID limit ##
l1=$(grep "^UID_MAX" /etc/login.defs)
## use awk to print if UID >= $MIN and UID <= $MAX ##
awk -F':' -v "min=${l##UID_MIN}" -v "max=${l1##UID_MAX}" '{ if ( $3 >= min && $3 <= max ) print $0}' /etc/passwd
Sample outputs:
vivek:x:500:500::/home/vivek:/bin/bash
raj:x:501:501::/home/raj:/bin/ksh
ash:x:502:502::/home/ash:/bin/zsh
jadmin:x:503:503::/home/jadmin:/bin/sh
jwww:x:504:504::/htdocs/html:/sbin/nologin
wwwcorp:x:505:505::/htdocs/corp:/sbin/nologin
wwwint:x:506:506::/htdocs/intranet:/bin/bash
scpftp:x:507:507::/htdocs/ftpjail:/bin/bash
rsynftp:x:508:508::/htdocs/projets:/bin/bash
mirror:x:509:509::/htdocs:/bin/bash
jony:x:510:510::/home/jony:/bin/ksh
amyk:x:511:511::/home/amyk:/bin/ksh
/sbin/nologin is used to politely refuse a login i.e. /sbin/nologin displays a message that an account is not available and exits non-zero. It is intended as a replacement shell field for accounts that have been disabled or you do not want user to login into system using ssh. To filter /sbin/nologin, enter:
#!/bin/bash
# Name: listusers.bash
# Purpose: List all normal user accounts in the system. Tested on RHEL / Debian Linux
# Author: Vivek Gite <www.cyberciti.biz>, under GPL v2.0+
# -----------------------------------------------------------------------------------
_l="/etc/login.defs"
_p="/etc/passwd"
## get mini UID limit ##
l=$(grep "^UID_MIN" $_l)
## get max UID limit ##
l1=$(grep "^UID_MAX" $_l)
## use awk to print if UID >= $MIN and UID <= $MAX and shell is not /sbin/nologin ##
awk -F':' -v "min=${l##UID_MIN}" -v "max=${l1##UID_MAX}" '{ if ( $3 >= min && $3 <= max && $7 != "/sbin/nologin" ) "$_p"
Sample outputs:
vivek:x:500:500::/home/vivek:/bin/bash
raj:x:501:501::/home/raj:/bin/ksh
ash:x:502:502::/home/ash:/bin/zsh
jadmin:x:503:503::/home/jadmin:/bin/sh
wwwint:x:506:506::/htdocs/intranet:/bin/bash
scpftp:x:507:507::/htdocs/ftpjail:/bin/bash
rsynftp:x:508:508::/htdocs/projets:/bin/bash
mirror:x:509:509::/htdocs:/bin/bash
jony:x:510:510::/home/jony:/bin/ksh
amyk:x:511:511::/home/amyk:/bin/ksh
Finally, this script lists both system and users accounts:
#!/bin/bash
# Name: listusers.bash
# Purpose: List all normal user and system accounts in the system. Tested on RHEL / Debian Linux
# Author: Vivek Gite <www.cyberciti.biz>, under GPL v2.0+
# -----------------------------------------------------------------------------------
_l="/etc/login.defs"
_p="/etc/passwd"
## get mini UID limit ##
l=$(grep "^UID_MIN" $_l)
## get max UID limit ##
l1=$(grep "^UID_MAX" $_l)
## use awk to print if UID >= $MIN and UID <= $MAX and shell is not /sbin/nologin ##
echo "----------[ Normal User Accounts ]---------------"
awk -F':' -v "min=${l##UID_MIN}" -v "max=${l1##UID_MAX}" '{ if ( $3 >= min && $3 <= max && $7 != "/sbin/nologin" ) print $0 }' "$_p"
echo ""
echo "----------[ System User Accounts ]---------------"
awk -F':' -v "min=${l##UID_MIN}" -v "max=${l1##UID_MAX}" '{ if ( !($3 >= min && $3 <= max && $7 != "/sbin/nologin")) print $0 }' "$_p"
Sample outputs:
----------[ Normal User Accounts ]--------------- vivek:x:500:500::/home/vivek:/bin/bash raj:x:501:501::/home/raj:/bin/ksh ash:x:502:502::/home/ash:/bin/zsh jadmin:x:503:503::/home/jadmin:/bin/sh wwwint:x:506:506::/htdocs/intranet:/bin/bash scpftp:x:507:507::/htdocs/ftpjail:/bin/bash rsynftp:x:508:508::/htdocs/projets:/bin/bash mirror:x:509:509::/htdocs:/bin/bash jony:x:510:510::/home/jony:/bin/ksh amyk:x:511:511::/home/amyk:/bin/ksh ----------[ System User Accounts ]--------------- root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin abrt:x:173:173::/etc/abrt:/sbin/nologin haldaemon:x:68:68:HAL daemon:/:/sbin/nologin ntp:x:38:38::/etc/ntp:/sbin/nologin saslauth:x:499:499:"Saslauthd user":/var/empty/saslauth:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin apache:x:48:48:Apache:/var/www:/sbin/nologin webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin tcpdump:x:72:72::/:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash memcached:x:498:496:Memcached daemon:/var/run/memcached:/sbin/nologin squid:x:23:23::/var/spool/squid:/sbin/nologin rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
No comments:
Post a Comment