"who" and "w" commands are not working

Solution Verified

Environment

  • Red Hat Enterprise Linux 5.x
  • Red Hat Enterprise Linux 6.x
  • Red Hat Enterprise Linux 7.x

Issue

  • The who command does not show the users that are logged in; it returns stale output:
# who
user1     pts/41       2012-04-25 07:03 
user2     pts/61       2012-04-25 07:18
  • Even though the command shows stale output, /var/run/utmp is filling up with login information as expected.

  • Running the commands does not return the expected results:

# w
 08:40:04 up  5:47,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
# who
#

Resolution

This can have several causes; some of them are outlined below:

  1. Defunct "login" processes

    • Look for a defunct "login" process:
    # ps aux | grep defunct
    root     30930  0.0  0.0      0     0 ?        Zs   07:18   0:00 [login] <defunct>
    
    • A defunct process cannot be killed directly; remove it by killing its parent process (<pid> is the parent's PID):
    # kill -9 <pid>
    
    • Log out, or reboot the box.

  2. The file /run/utmp is missing.

    • Create the file by running:
    # touch /run/utmp
    
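    • Adjust the ownership and permissions (the expected result is root:utmp with mode -rw-rw-r--, as in the ls output under Diagnostic Steps):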
    # chown root:utmp /run/utmp; chmod g+w /run/utmp
    
    • Log out from the system and log back in.

Root Cause

  • The who command pulls its data from /var/run/utmp, which contains information about users currently logged in via services such as telnet and ssh. This issue occurs when the login process is in a defunct state.
  • The file /run/utmp is missing on the server.

Diagnostic Steps

  • Confirm whether the issue matches the one described in this article with the steps below:
  1. Observe the output of the who command.
  2. Attempt to ssh into the localhost of the server itself, as the current user.
  3. Look at the output of who again; it is expected to show another instance of ssh.
$ who
test   tty1         2012-04-16 11:55 (:0)
test   pts/0        2012-04-23 16:59 (:0.0)

$ ssh test@localhost

$ who
test   tty1         2012-04-16 11:55 (:0)
test   pts/0        2012-04-23 16:59 (:0.0)
test   pts/5        2012-04-25 17:53 (localhost) 
  • Check file permissions of /var/run/utmp:
# ls -la /var/run/utmp
-rw-rw-r-- 1 root utmp 4608 Apr 17 10:55 /var/run/utmp
  • Strace the w command and attach the generated file to the case:
# strace -o /tmp/w.strace w
  • The strace would show something similar to the below, if the file is missing (/var/run is a symlink to /run):
47397 20:54:01.451139 open("/var/run/utmp", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) <0.000024>
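As an added example (not part of the original article), the following Python code reads the utmp records directly and separates live session records from stale ones, treating a record as stale when its recorded process is gone or defunct. It assumes the 384-byte glibc struct utmp layout of 64-bit Linux (the 4608-byte file in the listing above is 12 such records); the function names are hypothetical.

```python
import struct

# Assumption: glibc "struct utmp" on 64-bit Linux, 384 bytes per record.
UTMP = struct.Struct("=h2xi32s4s32s256shhiii4i20s")
USER_PROCESS = 7  # ut_type of a logged-in session


def parse_utmp(data):
    """Yield (ut_type, ut_pid, line, user, host) per complete record."""
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        line, user, host = (b.split(b"\0", 1)[0].decode("utf-8", "replace")
                            for b in (f[2], f[4], f[5]))
        yield f[0], f[1], line, user, host


def proc_state(pid):
    """State letter from /proc/<pid>/stat ("Z" = defunct), None if PID is gone."""
    try:
        with open("/proc/%d/stat" % pid, "rb") as fh:
            stat = fh.read()
    except OSError:
        return None
    end = stat.rindex(b")")  # comm may itself contain ")" or spaces
    return stat[end + 2:end + 3].decode()


def audit(data, state_of=proc_state):
    """Split USER_PROCESS records into (live, stale) lists of tuples."""
    live, stale = [], []
    for ut_type, pid, line, user, _host in parse_utmp(data):
        if ut_type != USER_PROCESS:
            continue
        state = state_of(pid)
        # Stale: the recorded process no longer exists or is a zombie.
        (stale if state in (None, "Z") else live).append((user, line, pid, state))
    return live, stale


if __name__ == "__main__":
    try:
        with open("/var/run/utmp", "rb") as fh:
            live, stale = audit(fh.read())
    except FileNotFoundError:
        raise SystemExit("/var/run/utmp is missing")
    for user, line, pid, state in stale:
        print("stale: %s on %s (pid %d %s)" % (user, line, pid, "defunct" if state else "gone"))
    print("%d live, %d stale session records" % (len(live), len(stale)))
```

The PIDs it reports as defunct are the ones to trace back to a parent process in step 1 of the Resolution.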
