Tutorial

How To View System Users in Linux on Ubuntu

Updated on January 3, 2023
How To View System Users in Linux on Ubuntu

Introduction

A fundamental part of system administration is configuring and managing users and groups. Part of this task involves monitoring the log in capabilities of all system entities.

In this tutorial, you will review the ideas behind user management and authentication logging.

We will be exploring these concepts on a Ubuntu 22.04 server, but you can follow along on any modern Linux distribution. You can set up a Ubuntu 22.04 server for this tutorial by following our guide to Initial Server Setup on Ubuntu 22.04.

Part one will cover how to view system users and find out who is logged into the system.

How To View Available Users

Every user on a Linux system, whether created as an account for a real human being or associated with a particular service or system function, is stored in a file called /etc/passwd.

The /etc/passwd file contains information about the users on the system. Each line describes a distinct user.

Have a look by using the less command, so you can scroll through the entire file:

  1. less /etc/passwd
Output
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin . . .

Each line is broken up into fields. These fields are delimited by the colon (:) character.

The only field that you need at the moment is the first one. Each is an independent username. When you are done using less, press q to quit.

You can get this list without wading through the entire “/etc/passwd” by using the cut command to split on colon delimiters (-d :):

  1. cut -d : -f 1 /etc/passwd
Output
root daemon bin sys sync games . . .

You probably recognize root as the administrative user. Towards the end, you may see the user you are logged in as.

In between, you will probably see a number of other users whose usage seems at least somewhat clear. For instance, www-data is configured as the owner of web server processes.

This is done to separate functional privileges. That way, if an account is compromised or misused, the effect will be isolated.

You can read more about the fields in /etc/passwd in this tutorial.

How To View Available Groups

The corresponding file for discovering system groups is /etc/group.

You can use less again to view this file:

  1. less /etc/group
Output
root:x:0: daemon:x:1: bin:x:2: sys:x:3: adm:x:4: tty:x:5: disk:x:6: . . .

You may notice that many of the group names mirror the users you discovered on your system. This is part of a configuration scheme called user private groups, or UPG.

User private groups create a private group for each user and set that group as the primary group. The umask is then changed from 022 to 002.

This allows for more flexibility in shared directories by setting a flag called setgid, which gives files inside the directory the same group owner as the directory itself.

Once again, you can pare down the information from the /etc/group file by using the cut command:

  1. cut -d : -f 1 /etc/group
Output
root daemon bin sys adm tty disk . . .

The output will be a list of each group on the system, one per line.

How To Find Which Users Are Logged In

Many times, it will be more useful to find out which users are active on your system.

The w command is a straightforward way to list all of the currently logged in users, their log in time, and what commands they are currently running:

  1. w
Output
19:37:15 up 5:48, 2 users, load average: 0.33, 0.10, 0.07 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root pts/0 rrcs-72-43-115-1 19:15 38.00s 0.33s 0.33s -bash demoer pts/1 rrcs-72-43-115-1 19:37 0.00s 0.47s 0.00s w

The first line contains system uptime information. The following lines describe who is logged in.

An alternative that provides similar information is who:

  1. who
Output
root pts/0 2013-09-05 19:15 (rrcs-72-43-115-186.nyc.biz.rr.com) demoer pts/1 2013-09-05 19:37 (rrcs-72-43-115-186.nyc.biz.rr.com)

Conclusion

User authentication on Linux is a relatively flexible area of system management. There are many ways of accomplishing the same objective with widely available tools.

You should now know how to find out where your server stores its user and group information. You can also see who is logged in at any given time.

In the next part of this tutorial series, you will review how to restrict login access.

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the authors

Default avatar

Senior DevOps Technical Writer


Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
3 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Try using lastlog

Thank you!

KFSys
Site Moderator
Site Moderator badge
December 29, 2023

As an alternative as it has already been mentioned, you can use lastlog.

lastlog is a command in Linux that displays the latest login information for all users. It shows the most recent login of each user, including the login time, the remote hostname or IP address from which the user logged in, and the terminal line used. This command is particularly useful for system administrators to track user activity or investigate security concerns.

Here’s how you can use lastlog on a Linux system like Ubuntu:

Basic Usage of lastlog

  1. Open a Terminal: You can do this through your graphical interface or by connecting to a remote server via SSH, depending on your setup.
  2. Run the Lastlog Command: Simply type lastlog and press Enter.
lastlog
  1. Review the Output: The command will display a list of users with their last login information. The output typically includes columns for:

    • Username
    • Port (the terminal line or interface used)
    • From (the remote hostname or IP address)
    • Latest (the date and time of the last login)

Filtering Output

  • Filtering by User: If you’re interested in the last login information for a specific user, you can use the grep command to filter the output. For example:
lastlog | grep username
  • Replace username with the actual username you’re interested in.

  • Filtering by Date: To show only the entries newer than a certain number of days, use the -t option followed by the number of days. For example, to show last logins more recent than 7 days:

lastlog -t 7

Notes

  • Non-Logged Users: lastlog will also show users who have never logged in, typically displaying “Never logged in” for the latest login time.
  • System Users: Some entries may belong to system users or service accounts that do not log in interactively.

Remember, lastlog provides a snapshot of the latest login activity, which can be helpful for routine system audits and security monitoring.

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Join the Tech Talk
Success! Thank you! Please check your email for further details.

Please complete your information!

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.