# 5.1 Basic Security and Identifying User Types

**Weight:** 2

**Description:** Various types of users on a Linux system.

**Key Knowledge Areas:**

* Root and standard users
* System users

**The following is a partial list of the used files, terms and utilities:**

* /etc/passwd, /etc/shadow, /etc/group
* id, last, who, w
* sudo, su

## Users <a href="#introduction" id="introduction"></a>

Linux is a **multi-user operating system**: many people can use the same system at the same time, each with a different level of access.

Here are the three core user types:

#### 1. **Root User (Superuser)**

* Has **unlimited access** to everything on the system
* Can read, write, execute, delete any file
* Used for administrative tasks like installing packages, changing permissions or editing system files

**Username:** `root`

**Prompt Symbol:** `#` (e.g., `root@server:~#`)

**Example:**

```
sudo apt update
sudo vi /etc/hosts
```

#### 2. **Regular Users (Standard Accounts)** <a href="#id-2-regular-users-standard-accounts" id="id-2-regular-users-standard-accounts"></a>

* Created by administrators or during OS setup
* Can only access their own files and directories
* Cannot modify system files or other users' data without permission

**Prompt Symbol:** `$` (e.g., `sana@linux:~$`)

**Example:**

```
mkdir ~/projects
nano notes.txt
```

{% hint style="success" %}
For daily use, always operate as a regular user; it is safer and it is best practice.
{% endhint %}

#### 3. **System Users (Service Accounts)** <a href="#id-3-system-users-service-accounts" id="id-3-system-users-service-accounts"></a>

* Created by the system or during software installs
* Not used for logging in directly
* Manage background services (e.g., `nginx`, `mysql`, `sshd`, `postfix`)

**Example Users:** `www-data`, `mysql`, `nobody`

**Use Case Example:**\
When you install Apache or Nginx, the web server runs as `www-data`, not as a normal user; this limits access for security.

{% hint style="info" %}

#### Real World Scenarios

* **Root** installs software, modifies config files, adds users.
* **Regular user** writes code, manages personal projects and runs apps in home directory.
* **System users** keep services running in the background securely.
{% endhint %}

A user account is a systematic way to track and monitor the use of system resources. Each user account has two unique identifiers: a username and a UID.

### Username

A username is a text string. When you add a new user account, you must select a username for it. A username is flexible: if required, you can change it later. Whatever you choose, it must be unique, because two user accounts cannot share the same username.

### UID

A UID (User ID) is a unique numeric ID. As with the username, you can choose a particular UID for the user account; if you do not, Linux automatically assigns a unique one. If you select a custom UID manually, it must be unique, because two user accounts cannot share the same UID.

<figure><img src="/files/IYRTVCp8QvFVtC4pCeMa" alt="" width="563"><figcaption></figcaption></figure>

{% hint style="success" %}

### User management systems

There are two ways to manage the user accounts: centralized and standalone.

* In centralized management, a centralized server system manages all user accounts. It uses a directory service such as LDAP or ADS for user management and authentication. The local system sends the user's login information to the server system. The server system authenticates the user.
* In standalone management, the local system manages user accounts. It uses text files to save user accounts and related information. It uses locally stored data to authenticate users.
{% endhint %}

## Groups

In Linux, there can be multiple users (those who use/operate the system), and groups are nothing but a collection of users. Groups make it easy to manage users with the same security and access privileges. A user can be part of different groups.

### GID

As you might expect, UID is a number associated with a user account, and GID is a number associated with a group.

### /etc/group

It stores group information, i.e. it defines the groups that exist and the users who belong to them. There is one entry per line, and each line has the following format (all fields are separated by a colon, `:`):

<figure><img src="/files/LZAuD38V9l9kxDhpU6Vx" alt=""><figcaption></figcaption></figure>

Where,

1. **group\_name**: The name of the group. If you run the `ls -l` command, you will see this name printed in the group field.
2. **Password**: Generally the password is not used, so this field is empty. It can store an encrypted password, which is useful for implementing privileged groups.
3. **Group ID (GID)**: The numeric ID of the group. Each user is assigned a primary group ID, and the number you see in the GID field of /etc/passwd refers to one of these entries.
4. **Group List**: A list of the user names of the members of the group. The user names must be separated by commas.

## How to Display a UID and GID

There are several ways to view a UID and GID. You can find the UID and GID of your current user, or of another user, with the aptly named **`id`** command.

### id

The **`id`** command in Linux displays the user and group names, along with their numeric IDs (User ID, UID, and Group ID, GID), of the current user or of any specified user on the system. It is particularly useful for system administrators and users who need to verify user identities and the permissions associated with them.

Without any **OPTION** it prints the complete set of identity information, i.e. the numeric IDs together with their names:

```
[payam@earth ~]$ id
uid=1000(payam) gid=1000(payam) groups=1000(payam),10(wheel),977(docker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```

Run this way, `id` lets you find out the following:

* The user name and the real user ID.
* The UID of a specific user.
* The UID and all groups associated with a user.
* All the groups a user belongs to.
* The security context of the current user (the `context=` field in the output above).

**Syntax:**

```
id [OPTION]… [USER]
```

**Options:**

* **'-g':** Prints only the effective group ID of the user.
* **'-G':** Prints all group IDs associated with the user.
* **'-n':** Displays names instead of numeric IDs.
* **'-r':** Shows the real ID instead of the effective one.
* **'-u':** Prints only the effective user ID.
* **'--help':** Displays help messages for the id command and exits.
* **'--version'**: Shows the version information and exits.

Another simple way to see the UID and GID is to look at the /etc/passwd file, which is available on most Linux operating systems.

### /etc/passwd

The <kbd>**/etc/passwd**</kbd> file stores the essential information required during login; in other words, it stores user account information. /etc/passwd is a plain text file containing a list of the system's accounts and, for each account, useful information such as the user ID, group ID, home directory, shell, and more. The file should be generally readable, because many command-line utilities use it to map user IDs to user names. Write access to /etc/passwd, however, must be limited to the superuser (root) account.

```
[payam@earth ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
tss:x:59:59:Account used for TPM access:/:/usr/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:998:996:User for polkitd:/:/sbin/nologin
clevis:x:997:994:Clevis Decryption Framework unprivileged user:/var/cache/clevis:/usr/sbin/nologin
sssd:x:996:993:User for sssd:/:/sbin/nologin
libstoragemgmt:x:991:991:daemon account for libstoragemgmt:/:/usr/sbin/nologin
setroubleshoot:x:990:990:SELinux troubleshoot server:/var/lib/setroubleshoot:/usr/sbin/nologin
cockpit-ws:x:989:989:User for cockpit web service:/nonexisting:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/usr/share/empty.sshd:/usr/sbin/nologin
chrony:x:987:987:chrony system user:/var/lib/chrony:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
payam:x:1000:1000:payam:/home/payam:/bin/bash
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
geoclue:x:986:986:User for geoclue:/var/lib/geoclue:/sbin/nologin
colord:x:985:984:User for colord:/var/lib/colord:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/:/sbin/nologin
pipewire:x:984:983:PipeWire System Daemon:/run/pipewire:/usr/sbin/nologin
flatpak:x:983:982:Flatpak system helper:/:/usr/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
gdm:x:42:42:GNOME Display Manager:/var/lib/gdm:/usr/sbin/nologin
gnome-initial-setup:x:982:981::/run/gnome-initial-setup/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
dnsmasq:x:981:979:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/usr/sbin/nologin
stapunpriv:x:159:159:systemtap unprivileged user:/var/lib/stapunpriv:/sbin/nologin
pesign:x:980:978:Group for the pesign signing daemon:/run/pesign:/sbin/nologin
```

#### Understanding /etc/passwd file fields:

The /etc/passwd file contains one entry per line for each user account on the system. All fields are separated by a colon (<kbd>:</kbd>), and there are seven fields in total. A typical /etc/passwd entry looks as follows:

<figure><img src="/files/j9rhY8SNNIxMOFNB5HFB" alt=""><figcaption></figcaption></figure>

From the above image:

1. <kbd>**Username**</kbd>: Used when the user logs in. It should be between 1 and 32 characters in length.
2. <kbd>**Password**</kbd>: An `x` character indicates that the encrypted and salted password hash is stored in the /etc/shadow file. Note that you use the `passwd` command to compute the hash of a password typed at the CLI and to store or update that hash in /etc/shadow.
3. <kbd>**User ID (UID)**</kbd>: Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. UIDs 100-999 are reserved by the system for administrative and system accounts/groups.
4. <kbd>**Group ID (GID)**</kbd>: The primary group ID (stored in the /etc/group file).
5. <kbd>**User ID Info**</kbd>: The comment field. It allows you to add extra information about the user, such as the user's full name or phone number. This field is used by the `finger` command.
6. <kbd>**Home directory**</kbd>: The absolute path of the directory the user will be in after logging in. If this directory does not exist, the user's directory becomes /.
7. <kbd>**Command/shell**</kbd>: The absolute path of a command or shell (e.g., /bin/bash). Typically this is a shell, but it does not have to be. For example, a sysadmin can use the nologin shell, which acts as a replacement shell for the user account: if the shell is set to /sbin/nologin and the user tries to log in to the Linux system directly, /sbin/nologin closes the connection. If the user's entry in /etc/passwd has an empty shell field, the user gets the Bourne shell (/bin/sh).

But, where are my encrypted hashed (salted) passwords? Good question.

### Your password hashes are in the /etc/shadow file

Your encrypted password hashes are in the /etc/shadow file. In the good old days the hashes lived in the world-readable /etc/passwd, and that general read permission was not a significant problem: everybody could read the encrypted passwords, but the hardware was too slow to crack a well-chosen password, and the basic assumption was that of a friendly user community. Neither of those assumptions holds any more, which is why Linux and other Unix-like operating systems now keep the hashes in the /etc/shadow file for security reasons.

{% hint style="info" %}

#### Encryption

Please note that the passwords stored in /etc/shadow are not in plain text. They are hashed using algorithms like MD5, SHA-256, or SHA-512. Hashing makes passwords irreversible and secure. To validate a password, the login system compares the entered password’s hash against the stored hash.
{% endhint %}

{% hint style="info" %}

#### Salting

Salting is the process of adding a random string of data to a password before hashing it. This makes it difficult for attackers to crack passwords using pre-computed hashes or detect identical passwords.
{% endhint %}

In short, passwords in /etc/shadow are stored in a hashed format and cannot easily be reversed. The combination of hashing and salting provides significantly more protection than simple encryption alone.

### /etc/shadow

The **/etc/shadow** file is a text-based password file. It stores each Linux user account's hashed passphrase (the "hash") together with additional properties related to the user's password. The shadow file is directly accessible only to the root user; however, some commands or programs (e.g., su, passwd, and others) have the SetUID (SUID) bit set so that they can access the shadow file. Understanding the /etc/shadow file format is essential for sysadmins and developers who need to debug user account issues.

```
[payam@earth ~]$ cat /etc/shadow
cat: /etc/shadow: Permission denied

[payam@earth ~]$ sudo cat /etc/shadow
[sudo] password for payam: 
root:$6$M2lQmPDEcevzNv/9$YNhXnesikMukIaphL.cTR6oZw667D8NFvMDRYBhPoMg72ygbGtzWYcQGvd6ZO2eAQeY5XD0s//T1nKAyPrgyB0::0:99999:7:::
bin:*:19820:0:99999:7:::
daemon:*:19820:0:99999:7:::
adm:*:19820:0:99999:7:::
lp:*:19820:0:99999:7:::
sync:*:19820:0:99999:7:::
shutdown:*:19820:0:99999:7:::
halt:*:19820:0:99999:7:::
mail:*:19820:0:99999:7:::
operator:*:19820:0:99999:7:::
games:*:19820:0:99999:7:::
ftp:*:19820:0:99999:7:::
nobody:*:19820:0:99999:7:::
tss:!!:20409::::::
systemd-coredump:!!:20409::::::
dbus:!!:20409::::::
polkitd:!!:20409::::::
clevis:!!:20409::::::
sssd:!!:20409::::::
libstoragemgmt:!*:20409::::::
setroubleshoot:!!:20409::::::
cockpit-ws:!!:20409::::::
sshd:!!:20409::::::
chrony:!!:20409::::::
tcpdump:!!:20409::::::
payam:$6$CENJWgtpgLdq6cy1$OUVNFWy9hJLtBp6sSlCh1kidtzHPAyeZMiQ8.Dr7ES0ykBW4wnP6H7v0eczAiZK.Hk5.XGXgd3NDUgew1Wh6e/::0:99999:7:::
avahi:!!:20409::::::
geoclue:!!:20409::::::
colord:!!:20409::::::
rtkit:!!:20409::::::
pipewire:!!:20409::::::
flatpak:!!:20409::::::
rpc:!!:20409:0:99999:7:::
gdm:!!:20409::::::
gnome-initial-setup:!!:20409::::::
rpcuser:!!:20409::::::
dnsmasq:!!:20409::::::
stapunpriv:!*:20410::::::
pesign:!!:20410::::::
```

#### Understanding /etc/shadow file fields and format

The /etc/shadow file stores secure user account information. All fields are separated by a colon (<kbd>:</kbd>), and the file contains one entry per line for each user listed in the /etc/passwd file. A shadow file entry looks as follows:

<figure><img src="/files/NW8xR7uKgz8aMNBNdok4" alt=""><figcaption></figcaption></figure>

As with the /etc/passwd, each field in the shadow file is also separated with “:” colon characters as follows:

1. **Username** : A valid account name that exists on the system.
2. **Password** : Your encrypted password, in hash format. The password should be a minimum of 15-20 characters long, including special characters, digits, lowercase letters and more. The password field usually has the form <kbd>$id$salt$hashed</kbd>, where <kbd>$id</kbd> is the algorithm prefix used on GNU/Linux:
   1. <kbd>**$1$**</kbd> is MD5
   2. <kbd>**$2a$**</kbd> is Blowfish
   3. <kbd>**$2y$**</kbd> is Blowfish
   4. <kbd>**$5$**</kbd> is SHA-256
   5. <kbd>**$6$**</kbd> is SHA-512
   6. <kbd>**$y$**</kbd> is yescrypt
3. **Last password change (lastchanged)** : The date of the last password change, expressed as the number of days since Jan 1, 1970 (Unix time). The value 0 has a special meaning: the user must change the password the next time they log in to the system. An empty field means that password aging features are disabled.
4. **Minimum** : The minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change the password again. An empty field or the value 0 means that there is no minimum password age.
5. **Maximum** : The maximum number of days the password is valid; after that the user is forced to change the password again.
6. **Warn** : The number of days before the password expires during which the user is warned that the password must be changed.
7. **Inactive** : The number of days after the password expires before the account is disabled.
8. **Expire** : The date of expiration of the account, expressed as the number of days since Jan 1, 1970.

#### Format of an encrypted password in the /etc/shadow file

Consider the following entry in the /etc/passwd for a user named ‘bob‘:

```
bob:x:1001:1002:bob clinton,555,123456789,999123457:/home/bob:/bin/bash
```

And an encrypted password hash for a user named ‘bob’ in the /etc/shadow file is as follows:

```
bob:$6$YTJ7JKnfsB4esnbS$5XvmYk2.GXVWhDo2TYGN2hCitD/wU9Kov.uZD8xsnleuf1r0ARX3qodIKiDsdoQA444b8IMPMOnUWDmVJVkeg1:19446:0:99999:7:::
```

* bob – The username.
* **$6** – The hashing algorithm prefix used for this password. In this case it is a SHA-512 hash (512 bits). It was originally developed by Ulrich Drepper for GNU libc. It is supported on Linux but not common elsewhere, and it is acceptable for new hashes. The default CPU time cost parameter is 5000, which is too low for modern hardware.
* **$YTJ7JKnfsB4esnbS** – The salt used when hashing the password; it is chosen at random (6 to 96 bits).
* **$5XvmYk2.GXVWhDo2TYGN2hCitD/wU9Kov.uZD8xsnleuf1r0ARX3qodIKiDsdoQA444b8IMPMOnUWDmVJVkeg1** – The hash of the password of the user named 'bob'. The salt and the plaintext password are combined and hashed to produce this value. Why use a salt? It prevents two users with the same password from having identical entries in the /etc/shadow file: if users named 'bob' and 'ram' both use 'abracadabra' as their password, their hashes in /etc/shadow will still differ as long as their salts differ.

{% hint style="success" %}

#### How Linux password verification works with /etc/shadow file

Say a user named 'sai' tries to log into a Linux machine. The Linux OS looks up the entry for the user in the /etc/shadow file, combines the salt stored for 'sai' with the plaintext password typed in by 'sai', and hashes them using the specified hashing algorithm, such as SHA-512. If the result matches the stored hash, the user named 'sai' typed in the correct password. If the result does not match the stored hash, the user named 'sai' typed in the wrong password, and the login attempt fails. This method allows the Linux operating system to determine whether the user typed in the correct password without storing that password in a form usable for logging in.
{% endhint %}
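The /etc/passwd and /etc/shadow layouts described above, worked through in code. The following Python is an added example, not code from the page or its sources: it parses constructed sample records (with placeholder hashes) using the seven passwd fields, the shadow password field forms (`$id$salt$hash`, locked `!`/`*`, empty) and the UID ranges given above, and its `audit` function flags the conditions a defender checks first: an extra UID 0 account, an empty password field, a weak `$1$` hash, a system account with a login shell, and an expired password.

```python
"""Added example (not the page's code): parse /etc/passwd and /etc/shadow text
and flag risky accounts, using the field layouts and UID ranges described above."""

# Constructed sample records; the hashes are shortened placeholders, not real hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/usr/share/empty.sshd:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
backup:x:0:0:backup helper:/var/backups:/bin/bash
bob:x:1001:1002:bob clinton,555,123456789,999123457:/home/bob:/bin/bash
legacy:x:1002:1002:old account:/home/legacy:
"""

SAMPLE_SHADOW = """\
root:$6$M2lQmPDEcevzNv/9$PLACEHOLDERHASH:20409:0:99999:7:::
bin:*:19820:0:99999:7:::
sshd:!!:20409::::::
www-data:$6$Qx7cP1sR$PLACEHOLDERHASH:20409:0:99999:7:::
backup::20409:0:99999:7:::
bob:$1$YTJ7JKnf$PLACEHOLDERHASH:19446:0:99999:7:::
legacy:$6$CENJWgtpgLdq6cy1$PLACEHOLDERHASH:19000:0:90:7:::
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# $id$ prefixes listed above; anything else is reported as "unknown".
HASH_ALGORITHMS = {"1": "MD5", "2a": "Blowfish", "2y": "Blowfish",
                   "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}


def parse_passwd(text):
    """Map username -> (uid, gid, shell) from the seven colon-separated fields."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
            # An empty shell field means the user gets /bin/sh, as described above.
            entries[name] = (int(uid), int(gid), shell or "/bin/sh")
    return entries


def parse_shadow(text):
    """Map username -> (password field, last change, max days); None = empty field."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            name, password, last_change, _min, max_days = line.split(":")[:5]
            entries[name] = (password,
                             int(last_change) if last_change else None,
                             int(max_days) if max_days else None)
    return entries


def user_type(uid):
    """UID 0 is root, 1-999 are system accounts, 1000 and up are regular users."""
    if uid == 0:
        return "root"
    return "system" if uid < 1000 else "regular"


def password_state(field):
    """Interpret a shadow password field: empty, locked, or the $id$salt$hash algorithm."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    # $6$rounds=N$salt$hash and $y$j9T$salt$hash carry an extra field, hence >= 4.
    parts = field.split("$")
    if len(parts) >= 4 and parts[0] == "":
        return HASH_ALGORITHMS.get(parts[1], "unknown")
    return "malformed"


def audit(passwd_text, shadow_text, today_days):
    """Return (username, finding) pairs; today_days is days since 1970-01-01."""
    passwd, shadow = parse_passwd(passwd_text), parse_shadow(shadow_text)
    findings = []
    for name, (uid, _gid, shell) in passwd.items():
        if uid == 0 and name != "root":
            findings.append((name, "extra UID 0 account"))
        if name not in shadow:
            findings.append((name, "no /etc/shadow entry"))
            continue
        password, last_change, max_days = shadow[name]
        state = password_state(password)
        if state == "empty":
            findings.append((name, "empty password field"))
        elif state == "MD5":
            findings.append((name, "weak MD5 hash ($1$)"))
        if state != "locked" and user_type(uid) == "system" and shell not in NOLOGIN_SHELLS:
            findings.append((name, "system account with login shell"))
        if None not in (last_change, max_days) and last_change + max_days < today_days:
            findings.append((name, "password expired"))
    return findings
```

Calling `audit(SAMPLE_PASSWD, SAMPLE_SHADOW, today_days=20409)` on the constructed data reports `backup` twice (UID 0 and no password), `www-data`, `bob` and `legacy`, and nothing for the locked `bin` and `sshd` accounts.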

***

### su vs sudo

When it comes to working with Linux, there are two ways to run administrative applications. You can either change over to the superuser, also known as the root account, using the "su" command, or you can use the "sudo" command. Which one you use will depend on which type of Linux you have. Some types, such as Fedora, Red Hat, and openSuSE, enable the root user, while others, such as Ubuntu and Debian, do not. The rest of this section refers to Ubuntu.

The Unix command su, stands for “substitute user,” “super user,” or “switch user,” and allows you to log in as root and do whatever you want with the system. Sudo stands for either "substitute user do" or "super user do" and it allows you to temporarily elevate your current user account to have root privileges. This is different from “su” which is not temporary. With “sudo,” you continue to use your user account, but with root privilege, whereas in “su,” you are actually logged into the root account. Also, the root privilege in “sudo” is only valid for a finite time. Once that time expires, you have to enter your password again to regain root privilege.

Using “sudo,” you can do pretty much the same things you can with “su.” To use it, you just have to add “sudo” in front of all root commands. Having root user privileges can be dangerous, but using sudo instead of su can help you keep your system more secure. If you are using Linux and you want your actions to be safe, you need to know and understand these two commands.

| su                      | sudo                              |
| ----------------------- | --------------------------------- |
| Become another user     | Run a command as another user     |
| Root by default         | Root by default                   |
| Needs the root password | Needs the calling user's password |

***

Every Linux SysAdmin needs to monitor and manage users, hopefully with ease. There are several Linux commands which can help.

### w

The **`w`** command is a built-in tool that allows administrators to view information about users that are currently logged in. This includes their username, where they are logged in from, and what they are currently doing.

**Syntax:**

```
w [options] [username]
```

Where:

* **`[options]`**: Options that change the way the command behaves.
* **`[username]`**: Entering the name of a specific user only shows information about that particular user in the output.

Using the **`w`** command without any additional options produces an output similar to this:

<figure><img src="/files/7oU4jmC5QMH7b03Y2Vbf" alt=""><figcaption></figcaption></figure>

The first line of the output shows system information:

* **System time:** The current system time.
* **Up time:** How long the system has been running.
* **Number of users:** The number of users currently logged in.
* **Average system load:** The average number of jobs running on the system in the last 1, 5, and 15 minutes, respectively.

The second line is the column header; each following line shows user and process information:

* **`USER`:** The names of currently logged in users.
* **`TTY`:** The name of the terminal the user is logging in from.
* **`FROM`:** The name or IP address of the terminal or host the user is logging in from.
* **`LOGIN@`:** The time the user logged in, in a 24-hour format.
* **`IDLE`:** The time since the user last used the terminal; displays **?xdm?** if the user is currently active.
* **`JCPU`:** The total run time of all system processes attached to the user's terminal.
* **`PCPU`:** Elapsed time for the user's current process.
* **`WHAT`:** The name of the user's current process.

**The `w` command uses the following options:**

| Option                 | Description                                                                |
| ---------------------- | -------------------------------------------------------------------------- |
| **`-h, --no-header`**  | Print output without the header.                                           |
| **`-u, --no-current`** | Ignores username when calculating current process times and load.          |
| **`-s, --short`**      | Print output in the short format.                                          |
| **`-f, --from`**       | Toggle printing the **FROM** (remote hostname) field.                      |
| **`--help`**           | Display help text.                                                         |
| **`-i, --ip-addr`**    | Replace the hostname in the **FROM** field with the IP address.            |
| **`-V, --version`**    | Display current command version.                                           |
| **`-o, --old-style`**  | Print old-style output (blank space for idle times shorter than 1 minute). |

### who

The `who` command is a simple and effective way to display information about currently logged-in users.

The **who** command is used to find out the following information:

1. Time of last system boot
2. Current run level of the system (LPIC 1)
3. List of logged-in users and more.

**Syntax:**

```
who [options] [filename]
```

If no option is provided, the who command displays the following information for each user currently logged in to the system:

* Login name of the users
* Terminal line numbers
* Login time of the users into the system
* The remote host name of the user

```
[payam@earth ~]$ who
payam    seat0        2025-12-14 08:38 (login screen)
payam    tty2         2025-12-14 08:38 (tty2)
```

**who command options:**

| Option            | Description                                   |
| ----------------- | --------------------------------------------- |
| <kbd>**-a**</kbd> | Same as -b -d --login -p -r -t -T -u          |
| <kbd>**-b**</kbd> | Time of last system boot                      |
| <kbd>**-d**</kbd> | Print dead processes                          |
| <kbd>**-H**</kbd> | Print line of column headings                 |
| <kbd>**-l**</kbd> | Print system login processes                  |
| <kbd>**-m**</kbd> | Only hostname and user associated with stdin  |
| <kbd>**-p**</kbd> | Print active processes spawned by init        |
| <kbd>**-q**</kbd> | All login names and number of users logged on |
| <kbd>**-r**</kbd> | Print current runlevel                        |
| <kbd>**-t**</kbd> | Print last system clock change                |
| <kbd>**-T**</kbd> | Add user’s message status as +, – or ?        |
| <kbd>**-u**</kbd> | List users logged in                          |

### last

The 'last' command reads from the '/var/log/wtmp' file to provide a detailed list of user login and logout sessions. It can show the login times, durations, and hostnames associated with each session, giving insights into system access patterns. The command can also accept usernames and terminal names as arguments to display sessions related to specific users or terminals.

{% hint style="info" %}
**/var/adm/wtmp**  Contains connect-time accounting data, including login, logoff, and shutdown records.
{% endhint %}

**Syntax:**

```
last [options] [username...] [tty...]
```

To view a list of recent user logins, simply run the last command without any options:

```
[payam@earth ~]$ last
payam    tty2         tty2             Sun Dec 14 08:38   still logged in
payam    seat0        login screen     Sun Dec 14 08:38   still logged in
reboot   system boot  5.14.0-611.11.1. Sun Dec 14 08:30   still running
payam    tty2         tty2             Sat Dec 13 08:18 - down   (09:05)
payam    seat0        login screen     Sat Dec 13 08:18 - down   (09:05)
reboot   system boot  5.14.0-611.11.1. Sat Dec 13 08:13 - 17:24  (09:10)
payam    tty2         tty2             Wed Dec 10 08:40 - down   (08:16)
payam    seat0        login screen     Wed Dec 10 08:40 - down   (08:16)
reboot   system boot  5.14.0-611.11.1. Wed Dec 10 08:26 - 16:57  (08:30)
payam    tty2         tty2             Tue Dec  9 16:49 - down   (00:10)
payam    seat0        login screen     Tue Dec  9 16:49 - down   (00:10)
reboot   system boot  5.14.0-611.9.1.e Tue Dec  9 16:48 - 17:00  (00:12)
payam    tty2         tty2             Tue Dec  9 08:54 - down   (07:23)
payam    seat0        login screen     Tue Dec  9 08:54 - down   (07:23)
reboot   system boot  5.14.0-611.9.1.e Tue Dec  9 08:52 - 16:17  (07:24)
payam    tty2         tty2             Mon Dec  8 09:41 - down   (07:06)
```

#### Understanding the last command outputs

```
root     pts/0        10.1.6.120       Tue Jan 28 04:08   still logged in
```

1. <kbd>**root**</kbd> – The user name. For system events such as a reboot or shutdown of the Linux/Unix box, the pseudo user names <kbd>reboot</kbd> and <kbd>shutdown</kbd> are used to indicate that activity.
2. <kbd>**pts/0**</kbd> – How the user logged into the system: pts for a pseudoterminal session (e.g. an ssh login), tty for a terminal, :0, :1, :2 for the X Window GUI system, etc.
3. <kbd>**10.1.6.120**</kbd> – The IP address or the FQDN (or hostname) from which the user logged into the system.
4. <kbd>**Tue Jan 28 04:08**</kbd> – The date and time stamp of the user login activity (the login time).
5. <kbd>**still logged in**</kbd> – The logout time, or the session status if the session is still open.

Of course, you can specify a file to search other than /var/log/wtmp with the <kbd>-f</kbd> option. For example:

```
last -f /nas/server/webserver/.log/wtmp
last -f /nas/server/webserver/.log/wtmp userNameHere
```
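The `last` output format explained above, parsed in code. The following Python is an added example, not code from the page: it splits lines of the default util-linux `last` layout (fixed columns of 8, 12 and 16 characters for user, tty and host, then the login timestamp and the logout/duration part) into session records, picks out the pseudoterminal (network) sessions with their source hosts, and summarises sessions per user. The sample lines are constructed, modelled on the output above, and the column widths are an assumption about that default layout.

```python
"""Added example (not from the page): parse the default `last` output layout
shown above into session records and summarise them per user and source host."""
import re

# Constructed sample modelled on the output above: a remote root login,
# local tty/seat logins, reboot records, two SSH sessions and the wtmp trailer.
SAMPLE_LAST = """\
root     pts/0        10.1.6.120       Sun Dec 14 09:02   still logged in
payam    tty2         tty2             Sun Dec 14 08:38   still logged in
payam    seat0        login screen     Sun Dec 14 08:38   still logged in
reboot   system boot  5.14.0-611.11.1. Sun Dec 14 08:30   still running
payam    tty2         tty2             Sat Dec 13 08:18 - down   (09:05)
reboot   system boot  5.14.0-611.11.1. Sat Dec 13 08:13 - 17:24  (09:10)
alice    pts/1        203.0.113.7      Sat Dec 13 02:14 - 02:20  (00:06)
alice    pts/1        203.0.113.7      Thu Dec 11 22:00 - 01:04  (1+03:04)

wtmp begins Mon Dec  8 09:41:00 2025
"""

# Assumption: the default util-linux layout, i.e. fixed columns of 8 (user),
# 12 (tty) and 16 (host) characters, then a 16-character login timestamp.
CLOSED = re.compile(r"^- (\S+)\s+\((\S+)\)$")   # '- down   (09:05)', '- 17:24  (09:10)'


def duration_minutes(text):
    """Convert 'HH:MM' or 'D+HH:MM' (sessions longer than a day) to minutes."""
    days = 0
    if "+" in text:
        day_part, text = text.split("+", 1)
        days = int(day_part)
    hours, minutes = (int(x) for x in text.split(":"))
    return days * 1440 + hours * 60 + minutes


def parse_last(text):
    """Turn each output line into a dict; blank lines and the trailer are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("wtmp begins"):
            continue
        rec = {
            "user": line[:8].strip(),
            "tty": line[9:21].strip(),
            "host": line[22:38].strip(),
            "login": line[39:55],
            "end": None,             # logout time, or 'down', 'crash', ...
            "duration_min": None,
            "still_active": False,   # 'still logged in' / 'still running'
        }
        rest = line[55:].strip()
        if rest.startswith("still"):
            rec["still_active"] = True
        else:
            m = CLOSED.match(rest)
            if m:
                rec["end"] = m.group(1)
                rec["duration_min"] = duration_minutes(m.group(2))
        records.append(rec)
    return records


def remote_sessions(records):
    """Sessions on pseudoterminals (pts/*), i.e. network logins such as SSH,
    which are the ones worth correlating with the source host."""
    return [r for r in records if r["tty"].startswith("pts/")]


def summarize(records):
    """Per-user session count, still-open sessions and total minutes of closed ones."""
    summary = {}
    for r in records:
        if r["user"] == "reboot":   # pseudo user for boot records, not a login
            continue
        s = summary.setdefault(r["user"], {"sessions": 0, "open": 0, "minutes": 0})
        s["sessions"] += 1
        if r["still_active"]:
            s["open"] += 1
        elif r["duration_min"] is not None:
            s["minutes"] += r["duration_min"]
    return summary
```

`remote_sessions(parse_last(SAMPLE_LAST))` returns the root session from 10.1.6.120 and the two alice sessions from 203.0.113.7, which is the view to compare against the hosts you expect administrators to log in from.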

**The `last` command options:**

| Option        | Description                                                        |
| ------------- | ------------------------------------------------------------------ |
| **`-a`**      | Display the hostname in the last column                            |
| **`-d`**      | Display IP addresses in numbers-and-dots notation                  |
| **`-F`**      | Show full login and logout times (date and time)                   |
| **`-i`**      | Display IP addresses in numbers-and-dots notation (same as `-d`)   |
| **`-n`**      | Limit output to specified number of lines (e.g., `-n 20`)          |
| **`-R`**      | Suppress hostname display                                          |
| **`-x`**      | Display system shutdowns and run level changes                     |
| **`-w`**      | Display full user and domain names in output                       |
| **`-t`**      | Show only entries logged in before specified time (YYYYMMDDHHMMSS) |
| **`-s`**      | Show only entries logged in after specified time (YYYYMMDDHHMMSS)  |
| **`-f`**      | Read from specified file instead of `/var/log/wtmp`                |
| **`-p`**      | Show logins at specific time (YYYYMMDDHHMMSS)                      |
| **`--since`** | Display entries since specified date (YYYY-MM-DD)                  |
| **`--until`** | Display entries until specified date (YYYY-MM-DD)                  |

That's all


***

sources:

* <https://dev.to/sanasadiq/understanding-types-of-users-in-linux-12n4>
* <https://www.computernetworkingnotes.com/linux-tutorials/types-of-users-in-linux-explained-with-accounts.html>
* <https://www.geeksforgeeks.org/linux-unix/id-command-in-linux-with-examples/>
* <https://www.cyberciti.biz/faq/understanding-etcgroup-file/>
* <https://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/>
* <https://www.cyberciti.biz/faq/understanding-etcshadow-file/>
* <https://phoenixnap.com/kb/w-command-in-linux>
* <https://www.geeksforgeeks.org/linux-unix/who-command-in-linux/>
* <https://www.cyberciti.biz/faq/unix-linux-who-command-examples-syntax-usage/>
* <https://www.geeksforgeeks.org/linux-unix/last-command-in-linux-with-examples/>

