July 24, 2006

CLI Magic: The five Ws

Author: Nathan Willis

The command line can tell you a lot, if you bother to ask it. Most of us learned the five Ws as a research rubric: who? what? where? when? why? (and usually, how?). By sheer coincidence, the five Ws can also illuminate important characteristics on your Linux system, its users, processes, and commands.


There are four commands that ask some form of the question "who." The whois command queries the whois directory service (RFC 3912), so you can look up public info for a registered domain name. Nowadays, unfortunately, much of that information is inaccurate or simply reflects registrar information.

More useful is the somewhat existential whoami command; whoami returns your effective user ID. Normally you are logged in as yourself, but if you work on remote machines, whoami can provide a helpful reminder. When working on systems administration tasks, typing whoami can save you from making a grave error by reminding you that you are logged in as root.

The who command returns a list of the currently logged-in users -- but that doesn't mean it is useful only for multi-user systems. By itself, who can help you track down a zombie login session, and it has a bevy of options for querying other login-related stats, such as the last system boot or current processes.

If you want to get a little more personal, w is a separate command (also short for who, but of course that name was already taken). Like who, w will list the logged-on users, but it also allows you to see what commands they are running, whether they are logged in locally or remotely, how long they have been logged in, and how long (if at all) they have been idle.


The whatis command returns a brief description of any commands you list after it. The definitions returned are culled from the relevant Unix manual pages. For a short explanatory note, whatis is faster than man or info -- but it lacks the detail and verbose help afforded by the latter tools.

Frequently, though, a short explanation is all that you want, especially if you just need to jog your memory. For instance, whatis who whois whoami w will return:

who (1) - show who is logged on
whois (1) - client for the whois directory service
whoami (1) - print effective userid
w (1) - Show who is logged on and what they are doing.

... and can save you some trouble remembering the differences between all those "who" commands.


It is both a blessing and a curse that software can happily reside in any location on your Linux system. On those occasions when you can't remember where a program is installed, you will be glad you have whereis. Whereis searches for the binary executable, source code, and manual pages for the command you ask about. Once, for example, I had trouble with Privoxy; issuing whereis privoxy told me that the executable lived in /usr/sbin (not the directory I had thought to look in) and the manual pages were in /usr/share/man/man8.

By default, whereis searches in the "standard" locations for executables, source code, and manual pages -- meaning /bin, /usr/bin, /usr/lib/, /usr/src, /usr/man, and so on. But you can expand the search space by calling whereis with the -B, -S, and -M flags. -B lets you specify alternate locations to look for binary executables, -S alternate locations for source, and -M alternate locations for manual pages.

Whereis is designed to find "typical" system programs, so it looks for matches to your search pattern in all three categories. Sometimes, of course, we don't have the source code installed, or perhaps the manual page; in that case, pass whereis the -u flag. It stands for "unusual," and returns matching binaries even if they lack a source code or manual page match.


I searched in vain for some legitimate utility I could wedge awkwardly under the "when" banner. Bash has while and wait built-in commands, both of which begin with the correct letter and are time-related, but neither were questions.

Then I stumbled across a tiny GPLed utility called whenis (scroll down to the bottom of the linked page). Once you download all 12KB of it, unzip the file and type make to compile it. There is no installation script, so if you decide the novelty of it is worth keeping around, you will have to copy the resulting executable to /usr/local/bin. But once it is there, you will be the proud owner of a command that -- apparently -- does nothing but convert time- and date-formatted strings.

Useless? Almost. But until the major-league Linux distributions catch on and start packaging it for mass consumption, you'll be the only one at your local LUG meeting with a whenis command at his fingertips.

Why? Or in this case Which?

Regrettably, I had no such luck unearthing a whyis command. But let us dispense with formalities; which is another useful command-line tool, it fits the W and question criteria, and it makes a helpful companion to one of the Ws we've already looked at.

Whereis can tell you the location of system commands and resources, but sometimes there are multiple copies of an executable in different locations on your system. Sometimes this is intentional -- providing a special version of a program for the root account, for instance. But it can also happen accidentally, either as a result of one copy being built in to the system (in /usr/bin) and another added locally (in /usr/local/bin) or through confusion of symbolic links.

When you execute a command by its name alone -- say, firefox -- the bash shell searches through the predetermined directories in the PATH environment variable until it finds an executable named firefox, then runs it. If it happens to find an executable with the right name before the one you expected it to find, you may be surprised by the result. That is where which comes in.

The which command searches your PATH and determines the particular binary executed when you type a command's name. For example, typing which firefox reveals to me that when I call firefox at the command line, the executable run is actually /opt/firefox/firefox -- which is a more recent beta version of the browser than the /usr/bin/firefox shipped by my distro. I installed the beta in /opt/firefox to test it, but if it is too buggy, I need to explicitly execute /usr/bin/firefox to get the old standby instead.


Finally, as was the case back in school, the "sixth W," how, comes last. There is no how or howis command. But if your system isn't complete without that final question, there is a simple solution. Enter the following command to give your Linux box a useful and convenient how: ln -s /usr/bin/man /usr/bin/how. And just like that, you have all of your Ws (and your H) covered.

Click Here!