Source of information - command who




I would like to know how the command "who" pulls out information about ssh history into a Linux system. For example, on my shared-network workstation, where everyone can ssh into it:




[johny@gandor ~]$ who
johny :0 2018-08-30 06:44 (:0)
johny pts/0 2018-08-30 06:45 (:0.0)
johny pts/1 2018-08-30 06:45 (:0.0)
Keiven pts/2 2018-08-30 19:46 (:50.0)
seman pts/6 2018-08-31 15:15 (:50.0)
johny pts/7 2018-08-31 15:51 (:50.0)
casper pts/8 2018-08-31 16:53 (:50.0)
johny pts/10 2018-09-01 06:25 (:50.0)



I think that this information is originally stored somewhere in Linux system files, and the command "who" reads that information from that file? If so, where is that file located?







If you run strace who you'll see exactly what files it's getting the information from.
– steve
Sep 1 at 10:34







Hi Steve, thank you. I use CentOS 7. I don't see any path from the output of "strace". Also cd into "/var/run/utmp." is not feasible. I mean there is no such file!
– user308606
Sep 1 at 10:39






@Kasper: /var/run/utmp is a file, so you cannot cd into it. You also might want to add the output of strace -e trace=open who to your question.
– Thomas
Sep 1 at 11:02








Thank you Zeta, I am new to this forum and I am not familiar with the rules. I will re-edit the question. Thanks!
– user308606
Sep 1 at 13:26




2 Answers
2



Take a look at the man page for who. e.g. "If FILE is not specified, use /var/run/utmp."



This is not a text file, so opening with vi will offer a poor view of the file contents. od -c /var/run/utmp | more would serve better.







@Kasper Adding questions to existing questions is frowned upon. A question should have one acceptable answer. If someone now comes along and answers only the utmp part, none of the answers would be complete. That's why the general rule is: one post = one question. Feel free to open another post (although I've already answered your additional question in my answer, btw).
– Zeta
Sep 1 at 13:23





If you run strace -e open who, you will see all files that who opens. On Linux, that includes /var/run/utmp. utmp is not a human-readable file; instead, it is a sequence of utmp structures (see utmpx(5)). On FreeBSD, who opens /var/run/utx.active.





You can also find this information at who --help, man 1 who or even info who, where the default file is mentioned.







Good answer, hence +1, and generally strace is the way to go if you want to know what a program does underneath the hood. If there's no interesting file showing up with open() syscalls, that can mean it's likely communicating with the kernel via a library and gets information from there.
– Sergiy Kolodyazhnyy
Sep 1 at 15:26
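
Added example, not part of the original thread and not code from coreutils: a Python reader for the binary records the answers describe, printing live sessions the way who does. It assumes glibc's 384-byte little-endian struct utmp layout on Linux and formats times in UTC; the sample records are constructed.

```python
import struct
from datetime import datetime, timezone

# Assumption: glibc's Linux struct utmp layout (384 bytes, little-endian).
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
USER_PROCESS = 7   # ut_type of a live login session, the kind `who` lists
DEAD_PROCESS = 8   # ut_type of a session that has ended

def _text(raw):
    """Fixed-width fields are NUL-padded, not necessarily NUL-terminated."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data):
    """Yield one dict per complete record; skip a truncated trailing record."""
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        yield {
            "type": f[0], "pid": f[1], "line": _text(f[2]),
            "user": _text(f[4]), "host": _text(f[5]),
            "time": datetime.fromtimestamp(f[9], timezone.utc),
        }

def who(data):
    """Format live sessions roughly as `who` does (UTC here, not local time)."""
    return [
        f"{r['user']} {r['line']} {r['time']:%Y-%m-%d %H:%M} ({r['host']})"
        for r in parse_utmp(data) if r["type"] == USER_PROCESS
    ]

def make_record(ut_type, pid, line, user, host, ts):
    """Build a constructed sample record (test data, not a real login)."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)

# Constructed sample: two live sessions, one ended session, 10 stray bytes.
SAMPLE = (
    make_record(USER_PROCESS, 2101, "pts/0", "johny", ":0.0", 1535611500)
    + make_record(DEAD_PROCESS, 2202, "pts/3", "", "", 1535650000)
    + make_record(USER_PROCESS, 2303, "pts/2", "Keiven", ":50.0", 1535658360)
    + b"\0" * 10
)

if __name__ == "__main__":
    import pathlib, sys
    # With a path argument (e.g. /var/run/utmp) read that file, else the sample.
    data = pathlib.Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(who(data)))
```

Because the file is a flat array of fixed-size records with no integrity protection, what who prints is only as trustworthy as the write access to that file.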

