Introduction
In Linux system administration, knowing who is logged in and what information each account holds is essential for auditing, debugging, and permission management tasks. The finger command offers a quick and readable way to obtain data such as the full name, terminal, idle time, and each user’s personal plan. Although more advanced tools exist today, finger remains useful in environments where an immediate and simple view of user status is required.
What is finger?
Finger is a network utility originating from early Unix systems that allows querying information about both local and remote users. Its operation is based on the Finger protocol (RFC 742), which listens on port 79 and responds with data stored in files such as .plan and .project in the user’s home directory. The output includes the login, real name, home directory, shell, login time, and, if available, the contents of the .plan file.
Installation
In many modern distributions, finger is not installed by default due to security concerns. To add it, simply use the corresponding package manager. On Debian or Ubuntu: sudo apt-get update && sudo apt-get install finger. On Fedora: sudo dnf install finger. On Arch Linux: sudo pacman -S finger. After installation, the command will be immediately available from any terminal.
Basic syntax
The simplest format is finger [opciones] [usuario]. If no user is specified, finger shows information for all users logged into the system. Some useful options are: -s for a brief format, -l for a long format (default), -p to avoid displaying the contents of .plan and .project, and -m to avoid partial username matches. Example: finger -s juan shows only login, name, terminal, and idle time.
Usage examples
- See all active users:
finger - Get detailed information for a specific user:
finger -l marta - List users in brief format:
finger -s - Query information for a user on a remote machine (if the finger service is enabled):
finger @servidor.example.com - Show only a user’s plan without other data:
finger -p lola - Combine options to exclude plans and show long format:
finger -l -p carlos
Interpretation of output
The typical finger output includes several columns: Login, Name, Tty, Idle, Login Time, Office, Office Phone, and, when available, the contents of the .plan file. The Idle field indicates how long the user has been idle; an old value may signal an abandoned session. The Login Time field shows the date and time the session started. If the user has a .project file, its contents may appear after the plan, depending on the implementation.
Limitations and alternatives
Although finger is convenient, it poses security risks because it reveals information that could be exploited by attackers (e.g., full names, login times, and personal plans). For this reason, many systems disable the finger service on port 79 or restrict its use to local queries. Safer alternatives include w, who, last, and monitoring tools like htop or glances. For detailed auditing, it is recommended to review the logs in /var/log/auth.log or use auditd.
Conclusion
The finger command remains a valuable tool for quickly obtaining user information on Linux systems, especially in trusted environments where transparency does not pose a risk. Knowing its syntax, options, and how to interpret its output allows administrators to perform quick session checks and detect possible anomalies. However, it is essential to evaluate the risks of data exposure and, when necessary, resort to safer alternatives or disable the remote service.
This post is also available in ESPAÑOL.