Linux – Why Top Command Shows Users Not Shown by Who Command

linuxraspberry pitopuserswho

Working on a Raspberry Pi 2, running Raspbian GNU/Linux 9 (stretch).

I am simply trying to understand why, when I run the top command I can see some users that I cannot see in the who command. Here is output of the commands run on the RPi:

$ top
top - 12:36:42 up 2 days, 15:19,  2 users,  load average: 0.29, 0.34, 0.27
Tasks: 138 total,   1 running,  73 sleeping,   0 stopped,   0 zombie
%Cpu(s):  2.0 us,  0.9 sy,  0.0 ni, 97.0 id,  0.0 wa,  0.0 hi,  0.1 si,  0.0 st
KiB Mem :   949460 total,   354296 free,    62916 used,   532248 buff/cache
KiB Swap:   102396 total,    30972 free,    71424 used.   811488 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
10907 iceman    20   0    6144   3400   1924 S   2.3  0.4   4:05.37 rsync
10876 maverick  20   0    8128   3300   2740 R   1.6  0.3   0:36.49 top
  376 root      20   0  911240   9648   3164 S   0.7  1.0  31:58.38 dockerd
  663 root      20   0  149932   1728   1020 S   0.7  0.2  28:25.48 Xorg
  674 root      20   0  884620   3848   1764 S   0.7  0.4  22:06.18 docker-co


$ who
maverick   pts/0        2018-11-28 11:23 (73.69.181.86)
maverick   pts/1        2018-11-28 11:58 (73.69.181.86)

To clarify, I have tried: who, who -u, who -l, who -p, who -a.

Best Answer

You can find additional information about your system's command-line tools and their parameters by looking at their "man page" (by running man who, for example).

From the respective man pages:

top - display Linux processes

who - show who is logged on

While we're at it, there is also:

w - Show who is logged on and what they are doing.

A user is "logged on" when they have performed a "login", that is they have provided a password or key to authenticate to the system, and the system has launched a "session" for them.

As you can see, who only lists these login sessions — usually together with what the session is attached to, such as

an Xserver session (e.g. :0 for the first graphical session),
a terminal (tty, e.g. Ctrl+Alt+F2),
or a pseudo-terminal (pts, e.g. for an SSH session, terminal emulator or terminal multiplexer program)

There are other ways to start processes that do not involve a login session, such as

system services (started by init, systemd, or whatever your system uses for service startup)
SSH sessions that did not request a tty device — this usually happens when you give a command directly after the SSH invocation (ssh example.com rsync …) instead of requesting an interactive shell (ssh example.com)
starting a process from a login session, but then detaching it from the current shell, and thereby the session (e.g. using disown)

Tangentially, if you want to know what users exist on the system (both locally configured ones from /etc/passwd and any from an external database like LDAP):

getent passwd

If you also want to know when they last logged in:

lastlog

Related Solutions

What does the `who` command result `root :0` mean

See info who (who's Stallman's domain)

If given no non-option arguments, `who' prints the following information for each user currently logged on: login name, terminal line, login time, and remote hostname or X display.

This is X display number (and might be screen number as well, like, 0:0)

Though, it doesn't contain any root for my pseudoterminal X windows. If you're logged in as root, that's probably bad from security point of view.

UPDATE: Display and screen are logical concepts of X windows system. When I say here "screen" or "display" I mean X windows screen or display, not any physical device (who refers to X windows displays and screens, too).

enter image description here

The point of displays is that your computer may run several instances of X server at the same time, then they are said to be run on different displays. E.g. your normal graphical environment can be shown by X server instance 1 at display:0 and you may also have a remote desktop application such as Xephyr or Xnest starting another instance of X server at display:1 and outputting to a single window: see https://superuser.com/questions/363988/display-remote-x-session-complete-desktop-in-one-client-x-window.

X windows system was design to allow X server and X client be separated by the network. For their interaction it relies on Berkley sockets mechanism. Each X server behaves just like a web-server (e.g. Apache) in terms of its interaction with clients. Just like Apache creates TCP/IP sockets to listen to connecting browsers, processes their requests and sends responses, Xorg creates

TCP/IP sockets for remote X clients
Unix domain sockets for local X clients

It processes their requests to draw onto the display and instead of responses sends events - notifications of user activity (mouse buttons clicked, keyboard keys presses etc.).

Each display corresponds to a separate instance of X Server and there's a convention for TCP/IP port numbers and Unix domain socket names, on which displays should listen. To determine the TCP/IP port number, add 6000 to the display number. For example, Display Number 1 listens on TCP port 6001 (1 + 6000 = 6001). Unix domain sockets for Xorg are typically located in /tmp/.X11-unix/ and named appropriately.

Screens: screens were designed to handle the case, when your computer has several physical monitors, but one X server instance draws its output on both. Then first monitor is said to be screen0 and second monitor to be screen1. Xclients had to choose only 1 screen for themselves. To be honest, I never dealt with that case myself and nowadays its pretty much dead, cause with Xinerama extension you may have one X screen, like 0:0 span to several physical monitors as on the picture at wikipedia.

Top Command – Excluding Users

If I understand you correctly, would this help?

top | grep -ve "user1" -e "user2"

Best Answer

Related Solutions

What does the `who` command result `root :0` mean

Top Command – Excluding Users

Related Question