The utmp file cannot be kept accurate as long as you have users that crash their sessions, turn off their PCs or otherwise do not type exit to close their session. So the bug is that you are allowing untrained users or unreliable connections to attach to your computer.
Here's the problem: utmp only has login and termination records (plus some global records about the kernel) and who is trying to put the beginning and ending records together. Since the records are sometimes incomplete (because of the user) who is just guessing.
Additionally, applications can write to utmp and corrupt the contents. So, who is just a simplistic command to track begin/end records. Note that a 'session' is not as fancy as it sounds. Unix simply takes an incoming connection (telnet, rlogin, ssh, etc) and attaches the login program and if validated, attaches a shell to the tty device file which runs profiles and shows a prompt. A sysadmin can (wrongfully) use kill -9 to get rid of the shell and now you have an orphaned start record.
So to determine the users that are currently logged on, you need to define logins. Some users may have a shell prompt, others may be running a menu program. But start by running the ps command through sort as in:
ps -ef | grep -v ^root | sort
You can do some other filters to narrow down the actual login shells. ps is always correct.
Bill Hassell, sysadmin
