BSD Newsletter.com
   Front | Info | Lists | Newsfeeds | Study Guide | What is BSD?
Advertisement: The OpenBSD PF Packet Filter Book: PF for NetBSD, FreeBSD, DragonFly and OpenBSD

BSD Links
·New Links
·Advocacy
·Drivers
·Events
·Flavours
·FAQs
·Guides
·Programming
·Security
·Software
·User Groups

This is the BSDA Study Guide Book written via a wiki collaboration. This is a work in progress. You may contribute to or discuss this specific page at http://bsdwiki.reedmedia.net/wiki/Determine_who_is_currently_on_the_system_or_the_last_time_a_user_was_on_the_system.html.

Determine who is currently on the system or the last time a user was on the system

Concept

BSD systems maintain databases which can be queried for details regarding logins. Be familiar with the database names and the utilities available for determining login information.

Introduction

After logging into an account on BSD system we can see an information like:

Last login: Thu Jan 11 20:18:18 2007 on ttyv4

This and other kind of information about users and their doings (logins and logouts) is stored in three files:

  • /var/run/utmp which records information about current users,
  • /var/log/wtmp containing information on users' logins and logouts, as well as system's shutdowns and reboots (which won't be discussed here),
  • /var/log/lastlog storing information on users' last logins.

Of course, manually gathering information from aforementioned files makes no sense at all. Thus the BSD systems are equiped with a handful of simple commands that will fetch required information for us.

Examples

Determining user's last login time and date can be performed with a lastlogin(8) command:

$ lastlogin
root              ttyv2                       Thu Jan 11 19:12:23 2007
mike              ttyp1    192.168.112.24     Thu Jan 11 20:43:05 2007

When executed with no user names lastlogin(8) displays information for all users. Adding user name makes lastlogin(8) display information regarding only specified user.

The last(1) command displays a list of last logins. Executed without any parameters returns a list for user executing it. To minimize the scope of returned list we can use the -n flag, specifying maximum number of lines.

$ last -n5 mike
mike           ttyp1    192.168.112.24    Thu Jan 11 20:43 - 20:43  (00:00)
mike           ttyv4                      Thu Jan 11 20:42 - 20:42  (00:00)
mike           ttyv4                      Thu Jan 11 20:41 - 20:41  (00:00)
mike           ttyp0    192.168.112.24    Thu Jan 11 20:37   still logged in
mike           ttyp0    192.168.112.24    Thu Jan 11 20:18 - 20:37  (00:19)

The users(1) utility lists the login names of the users currently logged into the system.

$ users
root therek

The w(1) and who(1) tools returns a little more detailed information on current users. The who(1) command displays who is on the system, while the w(1) presents also an information on what they are doing as well as some other system information (covered in section Determine the last system boot time and the workload on the system).

$ who
root             ttyv4    Jan 11 21:27
therek           ttyp0    Jan 11 20:37 (192.168.112.24)
$ w
9:31PM  up 19 days,  1:12, 2 users, load averages: 0.00, 0.02, 0.00
USER             TTY      FROM              LOGIN@  IDLE WHAT
root             v4       -                 9:27PM     3 -csh (csh)
therek           p0       192.168.112.24    8:37PM     - w

BSD systems give us also an ability to check some more information on system users. To do so, we can use a finger(1) utility with optional user name.

$ finger
Login            Name                 TTY  Idle  Login  Time   Office  Phone
root             Charlie Root        *v4     14  Thu    21:27
mike             Mike Erickson        p0         Thu    20:37
$ finger mike
Login: mike                             Name: Mike Erickson
Directory: /home/mike                   Shell: /usr/local/bin/bash
On since Thu Jan 11 20:37 (CET) on ttyp0 from 192.168.112.24
Last login Thu Jan 11 20:43 (CET) on ttyp1 from 192.168.112.24
New mail received Thu Jan 11 21:38 2007 (CET)
    Unread since Thu Jan 11 21:28 2007 (CET)
No Plan.

Practice Exercises

  1. Execute lastlogin(8) without, with only one, and with at least two user names.
  2. Login to a couple of different accounts and check the result of who(1) command with -H and -q flags.
  3. Login to a couple of different accounts and check the result of w(1) command executed with flags: -d, -i, -h.
  4. Compare the output of finger(1) command with -s user and -hs user parameters.
  5. Try out finger(1) with -l flag.

More information

wtmp(5), utmp(5), w(1), who(1), users(1), last(1), lastlogin(8), lastlog(5), finger(1)



Front | Information | Lists | Newsfeeds