search

ddusnoki / jvmtop

Automatically exported from code.google.com/p/jvmtop
0 stars 0 forks source link

Unable to attach to other user`s JVMs, even if root #6

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1. start a JVM with user X
2. try to run jvmtop from another user, or root, it will not attach.
3. with JConsole I can attach to all JVMs when JConsole starts as root.

What is the expected output? What do you see instead?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
More of a nice to have really.  I have close to 10 JVMs running on a system, 
all owned by different users, and it would be nice if I could monitor all of 
them from a single instance of jvmtop.

What version of the product are you using? On what operating system?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

jvmtop 0.4.1

Mint 14, native install and inside VirtualBox, same results.

all JVMs use:
java version "1.7.0_21"
Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)

Please provide any additional information below.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Keep up the great work, I love this tool.

Sample output.
^^^^^^^^^^^^^^
# NOTE: 19563, 19509 and 19624 are all owned by a different user, running 
ZooKeeper.

inter01 jvmtop # id
uid=0(root) gid=0(root) groups=0(root)
inter01 jvmtop # ./jvmtop.sh
Error while attaching vm 19563
com.sun.tools.attach.AttachNotSupportedException: Unable to open socket file: 
target process not responding or HotSpot VM not loaded
    at sun.tools.attach.LinuxVirtualMachine.<init>(LinuxVirtualMachine.java:106)
    at sun.tools.attach.LinuxAttachProvider.attachVirtualMachine(LinuxAttachProvider.java:63)
    at com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:213)
    at com.jvmtop.VMInfo.processNewVM(VMInfo.java:138)
    at com.jvmtop.VMOverviewView.scanForNewVMs(VMOverviewView.java:132)
    at com.jvmtop.VMOverviewView.printView(VMOverviewView.java:25)
    at com.jvmtop.JvmTop.run(JvmTop.java:70)
    at com.jvmtop.JvmTop.main(JvmTop.java:41)
Error while attaching vm 19509
com.sun.tools.attach.AttachNotSupportedException: Unable to open socket file: 
target process not responding or HotSpot VM not loaded
    at sun.tools.attach.LinuxVirtualMachine.<init>(LinuxVirtualMachine.java:106)
    at sun.tools.attach.LinuxAttachProvider.attachVirtualMachine(LinuxAttachProvider.java:63)
    at com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:213)
    at com.jvmtop.VMInfo.processNewVM(VMInfo.java:138)
    at com.jvmtop.VMOverviewView.scanForNewVMs(VMOverviewView.java:132)
    at com.jvmtop.VMOverviewView.printView(VMOverviewView.java:25)
    at com.jvmtop.JvmTop.run(JvmTop.java:70)
    at com.jvmtop.JvmTop.main(JvmTop.java:41)
Error while attaching vm 19624
java.io.IOException: well-known file is not secure
    at sun.tools.attach.LinuxVirtualMachine.checkPermissions(Native Method)
    at sun.tools.attach.LinuxVirtualMachine.<init>(LinuxVirtualMachine.java:117)
    at sun.tools.attach.LinuxAttachProvider.attachVirtualMachine(LinuxAttachProvider.java:63)
    at com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:213)
    at com.jvmtop.VMInfo.processNewVM(VMInfo.java:138)
    at com.jvmtop.VMOverviewView.scanForNewVMs(VMOverviewView.java:132)
    at com.jvmtop.VMOverviewView.printView(VMOverviewView.java:25)
    at com.jvmtop.JvmTop.run(JvmTop.java:70)
    at com.jvmtop.JvmTop.main(JvmTop.java:41)

 JvmTop 0.4.1 alpha (expect bugs)  amd64, 12 cpus, Linux 3.5.0-28-
 http://code.google.com/p/jvmtop

  PID MAIN-CLASS      HPCUR HPMAX NHCUR NHMAX    CPU     GC    VM USERNAME   #T DL
19959 onsole.JConsole    8m 7134m   25m  130m  0.66%  0.24% O7U21     root   32 

20335 m.jvmtop.JvmTop   20m 7134m    8m  130m  0.41%  0.00% O7U21     root   14 

19563 .QuorumPeerMain [ERROR: Could not attach to VM] 
19509 .QuorumPeerMain [ERROR: Could not attach to VM] 
19624 .QuorumPeerMain [ERROR: Could not attach to VM]

inter01 jvmtop # ps -ef|grep java
zkadm1   19509     1  0 10:49 pts/2    00:00:02 
/inter/zkadm1/jdk1.7.0_21/bin/java [...]
zkadm2   19563     1  0 10:49 pts/2    00:00:02 
/inter/zkadm2/jdk1.7.0_21/bin/java [...]
zkadm3   19624     1  0 10:49 pts/2    00:00:06 
/inter/zkadm3/jdk1.7.0_21/bin/java [...]
root     20375 20288  0 11:05 pts/1    00:00:00 grep --colour=auto java

[...]: output cut, but it runs ZooKeeper instances.

Original issue reported on code.google.com by nicflatt...@gmail.com on 23 May 2013 at 3:11

GoogleCodeExporter commented 9 years ago 
[deleted comment]
GoogleCodeExporter commented 9 years ago 
[deleted comment]
GoogleCodeExporter commented 9 years ago 
Unfortunately, this is not a jvmtop limitation/bug but a security restriction 
built in the (target) JVM to prevent other users to get insight in processes 
which they don't own, root included.

For the same reason you can't connect to these processes neither using the 
official monitoring tools like jconsole, even under root.

There might be a chance to spoof this security security check if jvmtop is 
running under root however further investigation is required to see if this is 
possible at all.

If you want to help you can look at the following question which is describing 
the details for such a spoof: 
http://stackoverflow.com/questions/15974356/unix-sockets-is-it-possible-to-spoof
-getsockopt-so-peercred

Original comment by patric.r...@gmail.com on 23 May 2013 at 4:15

GoogleCodeExporter commented 9 years ago 
One point about your response (thanks by the way), with root I can connect 
JConsole to all JVMs on the system, regardless who the owner is.

Original comment by nicflatt...@gmail.com on 23 May 2013 at 5:23

GoogleCodeExporter commented 9 years ago 
I just tried this - and you're right, it definitely works - at least on linux 
and the oracle jdk 6.
Thank you - no idea why I had this incorrect fact in my mind.

I'll investigate this further - stay tuned for an update.

Original comment by patric.r...@gmail.com on 23 May 2013 at 7:21

GoogleCodeExporter commented 9 years ago 
[deleted comment]
GoogleCodeExporter commented 9 years ago 
Can you please retry this (under root), using the release candidate: 
http://jvmtop.googlecode.com/files/jvmtop-0.4.2.tar.gz

Original comment by patric.r...@gmail.com on 24 May 2013 at 10:24

GoogleCodeExporter commented 9 years ago 
Thank you sir!!!  It works perfectly!
I tried both the regular and detailed view, and as long as I am root, I can 
attach to everything.

I will definitely keep an active watch on this project as it is very good for 
my needs.

Regards, Nic.

Original comment by nicflatt...@gmail.com on 24 May 2013 at 1:20

GoogleCodeExporter commented 9 years ago 
Fixed in version 0.5.0

You're welcome - and thanks for your quick retest.

Original comment by patric.r...@gmail.com on 24 May 2013 at 1:33