LabEx
Log InJoin For Free

How to check if a user is currently logged in Linux

LinuxLinuxBeginner
Practice Now

Introduction

In this lab, you will learn how to check which users are currently logged into a Linux system. You will explore fundamental commands like who to list logged-in users and w to get more detailed information about their sessions and activities.

By the end of this lab, you will be able to quickly identify active users on a Linux system and understand basic information about their login sessions, including how to inspect login records in /var/run/utmp.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL linux(("Linux")) -.-> linux/BasicFileOperationsGroup(["Basic File Operations"]) linux(("Linux")) -.-> linux/SystemInformationandMonitoringGroup(["System Information and Monitoring"]) linux(("Linux")) -.-> linux/UserandGroupManagementGroup(["User and Group Management"]) linux/BasicFileOperationsGroup -.-> linux/cat("File Concatenating") linux/SystemInformationandMonitoringGroup -.-> linux/ps("Process Displaying") linux/UserandGroupManagementGroup -.-> linux/whoami("User Identifying") subgraph Lab Skills linux/cat -.-> lab-558775{{"How to check if a user is currently logged in Linux"}} linux/ps -.-> lab-558775{{"How to check if a user is currently logged in Linux"}} linux/whoami -.-> lab-558775{{"How to check if a user is currently logged in Linux"}} end

List logged-in users with who

In this step, you will learn how to list the users currently logged into the system using the who command. This is a fundamental command for system administrators and users alike to see who is active on the system.

The who command displays information about users who are currently logged in. This information typically includes the username, the terminal line they are using, the time they logged in, and the remote host they logged in from (if applicable).

Let's try it out. Open your terminal if it's not already open. You can find the Xfce Terminal icon on the left side of your desktop.

Type the following command and press Enter:

who

You should see output similar to this:

labex    :0           <timestamp> (:0)

Let's break down the output:

  • labex: This is the username of the logged-in user. In this LabEx environment, the default user is labex.
  • :0: This indicates the terminal line or display being used. :0 typically refers to the primary graphical display.
  • <timestamp>: This shows the date and time the user logged in. The exact format and content of the timestamp may vary slightly.
  • (:0): This often provides additional information about the login session, in this case, confirming the display.

The who command is simple but powerful for quickly checking who is using the system. It's a good first step in understanding user activity.

Remember, practice is key! Try running the command a few times to get comfortable with it.

Click Continue to proceed to the next step.

Check user sessions with w command

In this step, you will explore the w command, which provides more detailed information about the users currently logged in and what they are doing. While who gives you a quick list, w offers a snapshot of the system's current activity related to user sessions.

The w command shows who is logged on and what they are doing. It's a handy tool for monitoring system usage and identifying active processes associated with each user.

Let's run the w command in your terminal. If you closed it, open the Xfce Terminal again.

Type the following command and press Enter:

w

You should see output similar to this:

 <timestamp> up <uptime>,  <users> users,  load average: <load_avg>
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
labex    :0       :0               <login_time>   <idle_time>   <jcpu_time>   <pcpu_time> w

Let's break down the different parts of the output:

  • The first line provides a summary:
    • <timestamp>: The current time.
    • up <uptime>: How long the system has been running since the last boot.
    • <users> users: The number of users currently logged in.
    • load average: <load_avg>: The system load average over the last 1, 5, and 15 minutes. This indicates the average number of processes waiting to run.
  • The header row (USER, TTY, FROM, LOGIN@, IDLE, JCPU, PCPU, WHAT) describes the columns that follow for each logged-in user.
  • USER: The username.
  • TTY: The terminal line the user is using.
  • FROM: The remote host the user logged in from (if applicable). For a local graphical session like this, it often shows :0.
  • LOGIN@: The time the user logged in.
  • IDLE: The idle time of the terminal.
  • JCPU: The time used by all processes attached to the tty.
  • PCPU: The time used by the current process.
  • WHAT: The command line of the user's current process. In this case, it shows w because that's the command you just ran.

The w command gives you a more dynamic view compared to who, showing not just who is logged in but also what they are actively doing.

Experiment with the w command. You'll find it useful for quickly assessing system activity.

Click Continue to move on to the next step.

Inspect login records in /var/run/utmp

In this step, you will learn about the /var/run/utmp file and how commands like who and w get their information from it. This file is a crucial part of how Linux tracks who is logged into the system.

The /var/run/utmp file is a binary file that contains information about the users currently logged into the system. It's constantly updated as users log in and out. Commands like who, w, and users read this file to display current login information.

Because /var/run/utmp is a binary file, you cannot simply view its contents with commands like cat or less as you would with a text file. Doing so would result in unreadable characters.

Let's try to view it with cat to see what happens (and understand why we don't do this):

cat /var/run/utmp

You will see a lot of garbled characters, which is expected for a binary file.

<binary_output>

To read the contents of /var/run/utmp in a human-readable format, you typically use commands designed to parse this file, such as who or w, which you used in the previous steps.

Another command that specifically reads and displays the contents of /var/run/utmp is utmpdump. This command is useful for debugging or examining the raw data in the file.

Let's use utmpdump to view the contents of /var/run/utmp.

utmpdump /var/run/utmp

You should see output that is structured and readable, showing records for each login session. The exact output will depend on the current state of the system, but it will look something like this:

Utmp dump of /var/run/utmp
[<type>] [<pid>] [<line>] [<id>] [<user>] [<host>] [<exit>] [<session>] [<tv_sec>] [<tv_usec>] [<addr_v6>]
...
[7] [ <pid> ] [ :0 ] [ :0 ] [ labex  ] [ :0 ] [  0,  0 ] [ <session_id> ] [ <timestamp> ] [ <usec> ] [ <ipv6_address> ]
...

The output shows various fields for each entry in the utmp file, including the type of entry (like user login), process ID, terminal line, username, host, login time, and more.

Understanding /var/run/utmp helps you appreciate how Linux keeps track of user sessions and how commands like who and w work under the hood.

Click Continue to complete this lab.

Summary

In this lab, you learned how to check which users are currently logged in on a Linux system. You started by using the who command, which provides a basic list of logged-in users, their terminal, login time, and source. This command is a fundamental tool for quickly identifying active users.

Following the who command, you explored the w command. While the full details of the w command were not provided in the excerpt, it is introduced as a tool that offers more detailed information about logged-in users and their current activities, going beyond the simple list provided by who.

Related Linux Courses
Quick Start with Linux

Quick Start with Linux

LinuxShell
Beginner
Linux for Noobs

Linux for Noobs

LinuxShell
Intermediate
Practice Linux Commands

Practice Linux Commands

LinuxShell
Beginner