Discovering Existing and Connecting Users on a Linux Server

In this article, we'll discuss several important Linux commands to find out existing and connected users in your ECS server for security and troubleshooting purposes.

By Alain Francois, Alibaba Cloud Community Blog author

As an administrator, you may need to grant remote users, such as your employees or collaborators, access to your server. You may also need to set up a public server that is accessible over the internet, which means that someone can try to penetrate your server.

At that point, it's important to know exactly which users/accounts exist on your server and which users are currently connected, for better troubleshooting. Linux provides several commands that help you reach that goal. We will learn which commands to use in this case.

1) Commands to List Existing Users on Your Server

On your system you can list all the existing users that you have by using some commands or by checking the content of the /etc/passwd and /etc/shadow files.

a) List /etc/passwd

Local user account data is stored in local files, such as the /etc/passwd file. Each line of this file consists of 07 colon-separated entries:

  • first column: the username
  • second column: the password
  • third column: the User ID
  • fourth column: the user's primary group
  • fifth column: it's the description
  • sixth column: the home directory of the user
  • seventh column: it defines the login shell of the user

Listing the content of this file gives us all the users of the system, but we need to filter it with the awk command to keep only the column with the useful information:

$ cat /etc/passwd | awk -F: '{ print $1}'
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
systemd-timesync
systemd-network
systemd-resolve
systemd-bus-proxy
_apt
dnsmasq
avahi-autoipd
messagebus
usbmux
geoclue
speech-dispatcher
sshd
rtkit
pulse
avahi
colord
saned
Debian-gdm
hplip
alain-francois
dimitri
peter

b) Use the getent command

The getent command is used to display the entries of a number of Name Service Switch libraries, including passwd, group, hosts, aliases, and networks. You can use it to list your existing users, but it will give you the same output as the /etc/passwd file:

$ getent passwd | awk -F: '{ print $1}'
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
systemd-timesync
systemd-network
systemd-resolve
systemd-bus-proxy
_apt
dnsmasq
avahi-autoipd
messagebus
usbmux
geoclue
speech-dispatcher
sshd
rtkit
pulse
avahi
colord
saned
Debian-gdm
hplip
alain-francois
dimitri
peter

c) Use /etc/shadow

For more security, your Linux machine uses the Shadow Suite, a set of authentication tools and utilities that works alongside the /etc/passwd file and user accounts. When the Shadow Suite is installed, the system stores encrypted passwords in the /etc/shadow file for user accounts and the /etc/gshadow file for group accounts. Each line of /etc/shadow consists of 08 entries:

  • first column: the login name of the user
  • second column: the encrypted password
  • third column: Days between January 1, 1970, and the date when the password was last changed.
  • fourth column: Minimum: Days before password may be changed
  • fifth column: Maximum: Days after which password must be changed.
  • sixth column: Warn: Days before password expiration that user is warned.
  • seventh column: Inactive: Days after password expiration that account is disabled
  • eighth column: Expire: Days between January 1, 1970, and the date when the account was disabled.
  • ninth column: Reserved field (this field is currently not used).

# cat /etc/shadow | awk -F: '{ print $1}'
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
systemd-timesync
systemd-network
systemd-resolve
systemd-bus-proxy
_apt
dnsmasq
avahi-autoipd
messagebus
usbmux
geoclue
speech-dispatcher
sshd
rtkit
pulse
avahi
colord
saned
Debian-gdm
hplip
alain-francois
dimitri
peter
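
The field layouts of /etc/passwd and /etc/shadow described above can be used for more than listing names. The following is an added example, not part of the original article: four small checks that default to the real files (reading /etc/shadow requires root) and are run here against constructed sample files. The account toor and all sample values are made up for the illustration.

```shell
#!/bin/sh
# Added example: audit passwd/shadow-format files by field number.
# Functions default to the real files; the sample data below is constructed.

# Accounts other than root with UID 0 (passwd field 3).
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Accounts whose login shell (passwd field 7) is not nologin/false.
# An empty field 7 is listed too, since login then falls back to /bin/sh.
login_capable() {
    awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 }' "${1:-/etc/passwd}"
}

# Accounts with an empty password field (shadow field 2).
empty_password() {
    awk -F: '$2 == "" { print $1 }' "${1:-/etc/shadow}"
}

# passwd accounts with no shadow entry. Usage: missing_shadow PASSWD SHADOW
missing_shadow() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' \
        "${2:-/etc/shadow}" "${1:-/etc/passwd}"
}

# Constructed sample files (not taken from a real host).
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
peter:x:1001:1001:Peter:/home/peter:/bin/bash
dimitri:x:1002:1002:Dimitri:/home/dimitri:/bin/bash
toor:x:0:0:constructed second UID 0 account:/root:/bin/sh
EOF
cat > "$SAMPLE/shadow" <<'EOF'
root:$6$CONSTRUCTED$notarealhash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
sshd:*:18000:0:99999:7:::
peter::18000:0:99999:7:::
dimitri:!:18000:0:99999:7:::
EOF

echo "extra UID 0:     $(extra_uid0 "$SAMPLE/passwd" | xargs)"
echo "login capable:   $(login_capable "$SAMPLE/passwd" | xargs)"
echo "empty password:  $(empty_password "$SAMPLE/shadow" | xargs)"
echo "no shadow entry: $(missing_shadow "$SAMPLE/passwd" "$SAMPLE/shadow" | xargs)"
```

Called without arguments, each function reads the system files, for example `extra_uid0` or, as root, `empty_password`.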

d) Use the compgen command

There is a bash built-in command called compgen, which normally shows all available commands, aliases, and functions. When you use it with the -u option, it shows the existing users:

$ compgen -u
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
systemd-timesync
systemd-network
systemd-resolve
systemd-bus-proxy
_apt
dnsmasq
avahi-autoipd
messagebus
usbmux
geoclue
speech-dispatcher
sshd
rtkit
pulse
avahi
colord
saned
Debian-gdm
hplip
alain-francois
alain
francois

2) Commands to Find Users Connected to Your Server

There are some commands that you can use to display the users connected on your server. Each command displays

a) w

This command lists the users who are currently logged in to the system and also shows you what they are doing. It means that if a user is editing a file, it will let you know that the user is editing a file.

The command displays the information in two parts. First, you have a header of 6 items showing:

  • the current time
  • how long the system has been running
  • the number of users logged on the system
  • the system load averages over the last 1, 5 and 15 minutes;

and a table consisting of 08 columns:

  • USER: the login name of the user currently connected
  • TTY: the tty name that the user is currently using
  • FROM: the remote host (IP address) from which the user is logged in
  • LOGIN@: the time at which the user logged in to the system
  • IDLE: how long the user has been inactive
  • JCPU: the number of minutes accumulated by all processes attached to the tty, including only the currently running background processes
  • PCPU: the time consumed by the process that the user is currently running
  • WHAT: the command line of the current process that the user is running. It also shows the options used with the command.

To show how the command works, we currently have 2 users remotely connected to our computer so that we can view the results of the command:

$ w
 09:19:21 up 1 day,  3:40,  4 users,  load average: 0.76, 0.61, 0.72
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
alain-fr tty2     :0               Thu05   27:40m  4:10m  0.29s /opt/google/chrome/chrome --type=renderer --field-trial-handle=4941997322712276813,1
alain-fr pts/0    mycomputer        Thu05   27:38m  0.05s  0.05s /bin/bash
dimitri pts/6    192.168.1.8      22:51    4:02m  0.18s  0.09s vi document
peter    pts/4    192.168.1.5      09:19    5.00s  0.11s  0.11s -bash

By default it gives a report about all the users who have logged in using a console or GUI login window. It will not show the users connected through a window in a GUI that emulates a console commonly called terminal windows.

The w command can be used with some options to filter the result so that you will be able to display only the necessary information that you need. You can use the w --help command to list the available options

b) who

The who command shows the users who are currently logged on the system, but it doesn't show what they are doing. The output is similar to that of the w command, but in a short format consisting of only 4 columns: the users logged on the system, the remote host, the tty, and since when they have been logged into the system.

$ who
alain-francois tty2         2019-07-25 05:40 (:0)
alain-francois pts/0        2019-07-25 05:40 (mycomputer)
dimitri pts/6        2019-07-25 22:51 (192.168.1.8)
peter    pts/4        2019-07-26 09:19 (192.168.1.5)

You can display the information with a header line using the -H option

$ who -H
NAME     LINE         TIME             COMMENT
alain-francois tty2         2019-07-25 05:40 (:0)
alain-francois pts/0        2019-07-25 05:40 (mycomputer)
dimitri pts/6        2019-07-25 22:51 (192.168.1.8)
peter    pts/4        2019-07-26 09:19 (192.168.1.5)

Or you can print only the logged-on users together with the total number of users:

$ who -q
alain-francois alain-francois francois alain
# users=4

Use the who --help command to list the different options available to filter the results:

$ who --help
Usage: who [OPTION]... [ FILE | ARG1 ARG2 ]
Print information about users who are currently logged in.

  -a, --all         same as -b -d --login -p -r -t -T -u
  -b, --boot        time of last system boot
  -d, --dead        print dead processes
  -H, --heading     print line of column headings
      --ips         print ips instead of hostnames. with --lookup,
                    canonicalizes based on stored IP, if available,
                    rather than stored hostname
  -l, --login       print system login processes
      --lookup      attempt to canonicalize hostnames via DNS
  -m                only hostname and user associated with stdin
  -p, --process     print active processes spawned by init
  -q, --count       all login names and number of users logged on
  -r, --runlevel    print current runlevel
  -s, --short       print only name, line, and time (default)
  -t, --time        print last system clock change
  -T, -w, --mesg    add user's message status as +, - or ?
  -u, --users       list users logged in
      --message     same as -T
      --writable    same as -T
      --help     display this help and exit
      --version  output version information and exit
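
The origin column of who is what tells you where a session comes from, so it is the natural input for a quick check against the hosts you expect. The following is an added example, not part of the original article: it reads who output on stdin and prints remote sessions whose origin is not on an allowlist. The allowlist and the function names are hypothetical, and the input is constructed from the sample output shown above.

```shell
#!/bin/sh
# Added example: flag remote sessions in `who` output that are not on an allowlist.

# Print "user tty origin" for each session with a remote origin.
# Reads `who` output on stdin; the origin is the last field, in parentheses.
# Local X displays such as (:0) and lines without an origin are skipped.
remote_sessions() {
    awk '$NF ~ /^\(.*\)$/ {
        origin = substr($NF, 2, length($NF) - 2)
        if (origin != "" && origin !~ /^:/) print $1, $2, origin
    }'
}

# Print remote sessions whose origin is not in the space-separated allowlist $1.
unexpected_sessions() {
    remote_sessions | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($3 in ok)'
}

# Constructed input, modelled on the sample `who` output shown above.
sample_who() {
    cat <<'EOF'
alain-francois tty2         2019-07-25 05:40 (:0)
alain-francois pts/0        2019-07-25 05:40 (mycomputer)
dimitri pts/6        2019-07-25 22:51 (192.168.1.8)
peter    pts/4        2019-07-26 09:19 (192.168.1.5)
EOF
}

# Hypothetical allowlist: the admin workstation and one known remote address.
ALLOWED="mycomputer 192.168.1.5"
sample_who | unexpected_sessions "$ALLOWED"
```

On a live system, replace `sample_who` with `who`, for example `who | unexpected_sessions "$ALLOWED"`.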

c) users

The users command prints the users currently logged in to the system. It doesn't give any additional information.

$ users
alain-francois alain-francois dimitri peter

You can see that this command is very limited but useful if you only want to list the users. You can also list the number of users by combining it with the wc command

$ users | wc -w
4

d) Other commands

There are two commands which also display the logged-in user, but they are limited to the session of the current user. It means that if you switch to another user, the command will only display that session's information. Those commands are:

  • whoami

$ whoami
alain-francois

  • id, which also shows the group information of the user, and can show the information about another user that you know

$ id
uid=1000(alain-francois) gid=1000(alain-francois) groups=1000(alain-francois),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),119(scanner),999(docker)

As a system administrator, you sometimes need to make sure there is no access violation on your server. We have seen some commands which help you stay aware of who is connected, with the possibility of knowing what they are doing.
