7

On a RHEL 7.3 server, I was trying to find logged-in users. I ran `w` and it told me there were two users, but it only showed me the info of one (myself); then I ran `who`, which displayed the other user as (unknown). Finally, I ran `lastlog`, whose output let me match the login date and port from `who`'s output and find that the unknown user is actually gdm.

```
$ w
 09:33:36 up 4 days, 15:22,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
myusr     pts/0    172.16.23.113    09:32    0.00s  0.06s  0.03s w

$ who
(unknown) :0           2017-07-01 18:13 (:0)
myusr     pts/0        2017-07-06 09:32 (172.16.23.113)

$ lastlog 
Username         Port     From             Latest
...
gdm              :0                        Sat Jul  1 18:13:23 -0500 2017
...
```

The server is a Supermicro machine and from time to time I connect to it using IPMI2's KVM over LAN feature. But I don't remember anything weird happening when connecting like that.

This doesn't seem normal. What could have happened?

Samuel
  • 1
    Keep in mind, based on `info coreutils 'who invocation'` the `who` command just outputs the content of `/var/run/utmp`, which is supposed to reflect the current sessions. `who` is not really responsible for the content it outputs, it's just a clean way of showing it. – Centimane Jul 06 '17 at 15:31
  • Someone had added an answer (now deleted) saying that a user without a shell in /etc/passwd would show as unknown. Do you, @Centimane (anybody), know anything about this? – Samuel Jul 06 '17 at 16:35
  • 1
    It seems that answer was deleted based on my comment to it. `who` doesn't touch `/etc/passwd` at all, based on an `strace -e trace=file who 2>&1 | grep etc` – Centimane Jul 06 '17 at 17:13
  • 1
    Indeed, it was a wild guess that I intended to check when I had some spare time; Centimane corrected me before that, so I deleted that wrong answer. – M4rty Jul 06 '17 at 18:05
  • 2
    @M4rty Not all of the answer was wrong though, you were on the right track that the `gdm` login was being misinterpreted. – Centimane Jul 06 '17 at 18:16
  • @Centimane Ok, thanks for the clarification. Your first comment was very helpful as well. – Samuel Jul 06 '17 at 21:52
  • @M4rty Thanks for the effort anyway. – Samuel Jul 06 '17 at 21:55

2 Answers

5

After reading Centimane's comment on `/var/run/utmp` and searching differently, I found this Fedora forum thread, which mentioned the issue is provoked by a bug in GDM, which creates a bad entry in `/var/run/utmp`. Eventually I even found a bug report for it and another here.

Samuel
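
As an added example (not part of the original answer): a Python check that reads utmp records directly, as `who` does, and reports session entries whose user field names no account. The record layout assumes glibc on little-endian Linux, and the sample bytes are constructed to mirror the `who` output in the question, with the user field assumed to hold the literal string `(unknown)`.

```python
import pwd
import struct

# Linux glibc `struct utmp` (384 bytes, little-endian): ut_type, ut_pid,
# ut_line, ut_id, ut_user, ut_host, ut_exit, ut_session, ut_tv, ut_addr_v6.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
USER_PROCESS = 7  # ut_type value for a logged-in session


def _text(raw):
    """Decode a NUL-padded fixed-width utmp string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Yield (ut_type, pid, line, user, host, login_epoch) per complete record."""
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        yield f[0], f[1], _text(f[2]), _text(f[4]), _text(f[5]), f[9]


def orphan_sessions(data, account_exists):
    """Return session records whose ut_user names no existing account."""
    return [r for r in parse_utmp(data)
            if r[0] == USER_PROCESS and not account_exists(r[3])]


def local_account(name):
    """True if `name` resolves through the system account database."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def _record(pid, line, user, host, epoch):
    """Build one constructed USER_PROCESS record for the sample below."""
    return UTMP.pack(USER_PROCESS, pid, line, b"", user, host, 0, 0, 0, epoch, 0, 0, 0, 0, 0)


# Constructed sample mirroring the `who` output in the question (PIDs invented).
SAMPLE = (_record(1501, b":0", b"(unknown)", b":0", 1498950803)
          + _record(20417, b"pts/0", b"myusr", b"172.16.23.113", 1499351520))

if __name__ == "__main__":
    with open("/var/run/utmp", "rb") as fh:
        for rec in orphan_sessions(fh.read(), local_account):
            print("no such account:", rec)
```

A flagged record's PID and line fields can then be compared against the process table and `lastlog` to identify which service wrote the entry.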
2

It really seems like your unknown user is gdm and `who` somehow fails to interpret it.

Centimane
M4rty