Viewing user accounts and activities on Linux servers

When you first sign into a Linux server to take over the role of managing it, there are a number of things that you will need to know right away about the system’s user accounts – such as where they are stored, how you list them, how you can determine who is logged in, how to view how often users log in, how to list what processes your users are running, determining if users change their passwords from time to time, and checking if they are members of more than one user group.

Listing user accounts

User accounts, often referred to as the users’ “home accounts,” are generally stored in the /home directory. In fact, /home will usually occupy its own file system partition to preserve its disk space for user files alone. Use the “ls /home” or the “ls -l /home” to list accounts on the system. The first command will simply show the home directories. The directory names should be the same as the usernames. With the -l argument, you will see a “long listing” which will generally include lines like these:

drwx------. 1 brie    brie      289 Feb  6 11:23 brie
drwx------. 1 lola    lola     3265 Feb 11 09:16 lola

Clearly these two users are not providing access to other users. Their read, write and execute permissions are associated only with their own privileges (rwx) and none with the group or anyone else. The following two “—” strings indicate no read, write or execute permissions have been provided to other group members (if any exist) or to other users on the system.

Note that, on some more rare systems, you might see home directories stored in /export/home. Those accounts might be shared on other servers where they are mounted on /home.

Checking disk space

To get a quick look at disk usage by user, you can run a command like the one below. Notice that it requires sudo and uses the “s” argument to give summaries by user.

$ sudo du -sh /home/*
12K     /home/brie
223M    /home/fedora
16K     /home/george
49M     /home/justme
12K     /home/lola
12K     /home/newuser
125M    /home/shs

The overall home partition on this system is a little more than 50% full. It’s important to know when disk space is running low and sometime to gauge how fast it’s filling up.

$ df -h /home
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda3        14G  7.2G  5.7G  56% /home

Asking who

The who command provides information on which users are currently logged in. In the case below, justme is logged in on the console and has a terminal window open. The other user currently logged in, shs, is logged in over the network. This is why one login shows the terminal ID and the other the IP addressing from where the login connection has been made.

$ who
justme   seat0        2024-02-10 12:30 (login screen)
justme   tty2         2024-02-10 12:30 (tty2)
shs      pts/1        2024-02-10 12:38 (192.168.0.8)

The who output also displays the login date and time. How long each user spends on the server depends on the work that he or she needs to do on the system.

Listing user account details

To list system accounts, you can check out the entries in the /etc/passwd file. This file contains details including the usernames, user numeric IDs (UIDs), user group ID (GIDs), home directories and which shells they use. The query below is only taking looks at the bottom of the /etc/passwd file because that file contains information on nearly 50 system accounts.

$ tail -6 /etc/passwd
shs:x:1001:1001:Sandra H-S:/home/shs:/bin/bash
newuser:x:1002:1002:New Guy:/home/newuser:/bin/bash
george:x:1003:1003:George M:/home/george:/bin/bash
justme:x:1004:1004:Just Me:/home/justme:/bin/bash
brie:x:1005:1005:Brie the Cat:/home/brie:/bin/bash
lola:x:1006:1006:Lola the Dog:/home/lola:/bin/bash

Notice that no passwords are included in the /etc/passwd file in spite of the file having “passwd” as its name. For many years, passwords have been encrypted and maintained in the /etc/shadow file. Notice that the second field for each user in this colon-separated file entry is more than 70 characters long. The remaining fields relate to password aging.

If passwords are not being aged, you will see a string of 9’s in one of the last fields of the /etc/shadow file. For this to make sense, use the command below to determine today’s “date” in the “since the epoch” time:

$ today=$(( $( date \"+%s\" ) / 86400 ))
$ echo $today
19764

The date the password was last changed and the expiration date shows up near the end of the lines in the /etc/shadow file. Here’s an example in which the password was just recently changed. These are the rightmost fields in the /etc/shadow file for this user.

19740:0:99999:7:::

Compare that to the expiration field in the /etc/shadow file like this to determine how long before the password will expire:

$ expr 86400 - 19763 
66637

It looks like we’re got quite a ways to go! Of course, this would be very different if annual or semi-annual password changing were enforced on this system.

Viewing recent logins

You can view a user’s recent logins using the “last” command:

$ last lola | head -11
lola  pts/3   192.168.0.8    Sat Feb 10 12:55   still logged in
lola  pts/1   192.168.0.8    Sat Feb 10 12:38 - 13:10  (00:31)
lola  tty2    tty2           Sat Feb 10 12:13 - 12:35  (00:22)
lola  seat0   login screen   Sat Feb 10 12:13 - 12:36  (00:22)
lola  pts/1   192.168.0.8    Wed Jan 31 12:52 - 14:11  (01:19)
lola  pts/0   192.168.0.8    Tue Jan 30 11:45 - 12:35  (00:50)
lola  pts/1   192.168.0.22   Mon Jan 29 11:25 - 12:06  (00:41)
lola  tty2    tty2           Mon Jan 29 11:23 - down   (00:43)
lola  seat0   login screen   Mon Jan 29 11:23 - down   (00:43)
lola  pts/1   192.168.0.8    Fri Jan 26 12:27 - 13:11  (00:44)
lola  pts/0   192.168.0.22   Thu Jan 25 13:45 - 13:47  (00:02)

This report will show the most recent logins for the user you are asking about.

User groups

By default, Linux users will each be put into their own private groups when their accounts are set up and their group IDs (GIDs) will start at 1,000. For example:

rejustme:x:1004:

The group for the user named “justme” is assigned group number 1004 (same as that user’s UID) and the group has no password, so it shows up as an “x”.

Shared groups can also be set up in the /etc/groups file by including the group name, the group number and the members in a format like this:

sysadmins:x:88:george,lola

Wrap-up

Configuring and managing Linux accounts is fairly easy. It just takes getting used to a handful of commands and managing the servers properly. One thing this post has not covered is monitoring disk space use for user accounts.