Determine who is currently on the system or the last time a user was on the system

Author: Cezary Morga FreeBSD

Reviewer: name contact BSD flavour

Reviewer: name contact BSD flavour


BSD systems maintain databases which can be queried for details regarding logins. Be familiar with the database names and the utilities available for determining login information.


After logging into an account on BSD system we can see an information like:

""Last login: Thu Jan 11 20:18:18 2007 on ttyv4

This and other kind of information about users and their doings (logins and logouts) is stored in three files:

  • /var/run/utmp which records information about current users,
  • /var/log/wtmp containing information on users' logins and logouts, as well as system's shutdowns and reboots (which won't be discussed here),
  • /var/log/lastlog storing information on users' last logins.

Of course, manually gathering information from aforementioned files makes no sense at all. Thus the BSD systems are equiped with a handful of simple commands that will fetch required information for us.


Determining user's last login time and date can be performed with a lastlogin(8) command:

""$ lastlogin ""root ttyv2 Thu Jan 11 19:12:23 2007 ""mike ttyp1 Thu Jan 11 20:43:05 2007

When executed with no user names lastlogin(8) displays information for all users. Adding user name makes lastlogin(8) display information regarding only specified user.

The last(1) command displays a list of last logins. Executed without any parameters returns a list for user executing it. To minimize the scope of returned list we can use the -n flag, specifying maximum number of lines.

""$ last -n5 mike ""mike ttyp1 Thu Jan 11 20:43 - 20:43 (00:00) ""mike ttyv4 Thu Jan 11 20:42 - 20:42 (00:00) ""mike ttyv4 Thu Jan 11 20:41 - 20:41 (00:00) ""mike ttyp0 Thu Jan 11 20:37 still logged in ""mike ttyp0 Thu Jan 11 20:18 - 20:37 (00:19)

The users(1) utility lists the login names of the users currently logged into the system.

""$ users ""root therek

The w(1) and who(1) tools returns a little more detailed information on current users. The who(1) command displays who is on the system, while the w(1) presents also an information on what they are doing as well as some other system information (covered in section Determine the last system boot time and the workload on the system).

""$ who ""root ttyv4 Jan 11 21:27 ""therek ttyp0 Jan 11 20:37 ( ""$ w "" 9:31PM up 19 days, 1:12, 2 users, load averages: 0.00, 0.02, 0.00 ""USER TTY FROM LOGIN@ IDLE WHAT ""root v4 - 9:27PM 3 -csh (csh) ""therek p0 8:37PM - w

BSD systems give us also an ability to check some more information on system users. To do so, we can use a finger(1) utility with optional user name.

""$ finger ""Login Name TTY Idle Login Time Office Phone ""root Charlie Root *v4 14 Thu 21:27 ""mike Mike Erickson p0 Thu 20:37 ""$ finger mike ""Login: mike Name: Mike Erickson ""Directory: /home/mike Shell: /usr/local/bin/bash ""On since Thu Jan 11 20:37 (CET) on ttyp0 from ""Last login Thu Jan 11 20:43 (CET) on ttyp1 from ""New mail received Thu Jan 11 21:38 2007 (CET) "" Unread since Thu Jan 11 21:28 2007 (CET) ""No Plan.

Practice Exercises

  1. Execute lastlogin(8) without, with only one, and with at least two user names.
  2. Login to a couple of different accounts and check the result of who(1) command with -H and -q flags.
  3. Login to a couple of different accounts and check the result of w(1) command executed with flags: -d, -i, -h.
  4. Compare the output of finger(1) command with -s user and -hs user parameters.
  5. Try out finger(1) with -l flag.

More information

wtmp(5), utmp(5), w(1), who(1), users(1), last(1), lastlogin(8), lastlog(5), finger(1)