Unable to attach to other user's JVMs, even if root
GoogleCodeExporter opened this issue · comments
Google Code Exporter commented
What steps will reproduce the problem?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1. start a JVM with user X
2. try to run jvmtop from another user, or root, it will not attach.
3. with JConsole I can attach to all JVMs when JConsole starts as root.
What is the expected output? What do you see instead?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
More of a nice to have really. I have close to 10 JVMs running on a system,
all owned by different users, and it would be nice if I could monitor all of
them from a single instance of jvmtop.
What version of the product are you using? On what operating system?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
jvmtop 0.4.1
Mint 14, native install and inside VirtualBox, same results.
all JVMs use:
java version "1.7.0_21"
Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)
Please provide any additional information below.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Keep up the great work, I love this tool.
Sample output.
^^^^^^^^^^^^^^
# NOTE: 19563, 19509 and 19624 are all owned by a different user, running
ZooKeeper.
inter01 jvmtop # id
uid=0(root) gid=0(root) groups=0(root)
inter01 jvmtop # ./jvmtop.sh
Error while attaching vm 19563
com.sun.tools.attach.AttachNotSupportedException: Unable to open socket file:
target process not responding or HotSpot VM not loaded
at sun.tools.attach.LinuxVirtualMachine.<init>(LinuxVirtualMachine.java:106)
at sun.tools.attach.LinuxAttachProvider.attachVirtualMachine(LinuxAttachProvider.java:63)
at com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:213)
at com.jvmtop.VMInfo.processNewVM(VMInfo.java:138)
at com.jvmtop.VMOverviewView.scanForNewVMs(VMOverviewView.java:132)
at com.jvmtop.VMOverviewView.printView(VMOverviewView.java:25)
at com.jvmtop.JvmTop.run(JvmTop.java:70)
at com.jvmtop.JvmTop.main(JvmTop.java:41)
Error while attaching vm 19509
com.sun.tools.attach.AttachNotSupportedException: Unable to open socket file:
target process not responding or HotSpot VM not loaded
at sun.tools.attach.LinuxVirtualMachine.<init>(LinuxVirtualMachine.java:106)
at sun.tools.attach.LinuxAttachProvider.attachVirtualMachine(LinuxAttachProvider.java:63)
at com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:213)
at com.jvmtop.VMInfo.processNewVM(VMInfo.java:138)
at com.jvmtop.VMOverviewView.scanForNewVMs(VMOverviewView.java:132)
at com.jvmtop.VMOverviewView.printView(VMOverviewView.java:25)
at com.jvmtop.JvmTop.run(JvmTop.java:70)
at com.jvmtop.JvmTop.main(JvmTop.java:41)
Error while attaching vm 19624
java.io.IOException: well-known file is not secure
at sun.tools.attach.LinuxVirtualMachine.checkPermissions(Native Method)
at sun.tools.attach.LinuxVirtualMachine.<init>(LinuxVirtualMachine.java:117)
at sun.tools.attach.LinuxAttachProvider.attachVirtualMachine(LinuxAttachProvider.java:63)
at com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:213)
at com.jvmtop.VMInfo.processNewVM(VMInfo.java:138)
at com.jvmtop.VMOverviewView.scanForNewVMs(VMOverviewView.java:132)
at com.jvmtop.VMOverviewView.printView(VMOverviewView.java:25)
at com.jvmtop.JvmTop.run(JvmTop.java:70)
at com.jvmtop.JvmTop.main(JvmTop.java:41)
JvmTop 0.4.1 alpha (expect bugs) amd64, 12 cpus, Linux 3.5.0-28-
http://code.google.com/p/jvmtop
PID MAIN-CLASS HPCUR HPMAX NHCUR NHMAX CPU GC VM USERNAME #T DL
19959 onsole.JConsole 8m 7134m 25m 130m 0.66% 0.24% O7U21 root 32
20335 m.jvmtop.JvmTop 20m 7134m 8m 130m 0.41% 0.00% O7U21 root 14
19563 .QuorumPeerMain [ERROR: Could not attach to VM]
19509 .QuorumPeerMain [ERROR: Could not attach to VM]
19624 .QuorumPeerMain [ERROR: Could not attach to VM]
inter01 jvmtop # ps -ef|grep java
zkadm1 19509 1 0 10:49 pts/2 00:00:02
/inter/zkadm1/jdk1.7.0_21/bin/java [...]
zkadm2 19563 1 0 10:49 pts/2 00:00:02
/inter/zkadm2/jdk1.7.0_21/bin/java [...]
zkadm3 19624 1 0 10:49 pts/2 00:00:06
/inter/zkadm3/jdk1.7.0_21/bin/java [...]
root 20375 20288 0 11:05 pts/1 00:00:00 grep --colour=auto java
[...]: output cut, but it runs ZooKeeper instances.
Original issue reported on code.google.com by nicflatt...@gmail.com
on 23 May 2013 at 3:11
Google Code Exporter commented
Unfortunately, this is not a jvmtop limitation/bug but a security restriction
built into the (target) JVM to prevent other users from getting insight into
processes which they don't own, root included.
For the same reason you can't connect to these processes using the
official monitoring tools like jconsole either, even under root.
There might be a chance to spoof this security check if jvmtop is
running under root; however, further investigation is required to see if this is
possible at all.
If you want to help, you can look at the following question, which describes
the details of such a spoof:
http://stackoverflow.com/questions/15974356/unix-sockets-is-it-possible-to-spoof-getsockopt-so-peercred
Original comment by patric.r...@gmail.com
on 23 May 2013 at 4:15
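Added example, not part of the original thread and not jvmtop or JDK code: SO_PEERCRED, the option named in the linked question, is how a Linux Unix-domain socket server asks the kernel for the pid, uid and gid of the connected peer. The sketch below shows a server-side same-user check built on it; the socket path and the policy function are constructed for illustration and are an assumption, not the JVM's actual rule.

```python
import os
import socket
import struct
import tempfile

# Linux struct ucred: pid_t pid; uid_t uid; gid_t gid
UCRED = struct.Struct("iII")


def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer of a connected AF_UNIX socket.

    The kernel records these values at connect() time; the peer does not
    send them, so the server is not trusting client-supplied data.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    return UCRED.unpack(raw)


def same_user_only(peer_uid, server_euid):
    """Illustrative policy (assumption): accept only the server's own uid."""
    return peer_uid == server_euid


def demo():
    """Listen on a private socket, connect from this process, check the peer."""
    workdir = tempfile.mkdtemp(prefix="peercred-demo-")  # created with mode 0700
    path = os.path.join(workdir, "attach.sock")          # constructed path
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        server.bind(path)
        os.chmod(path, 0o600)  # no group/other access to the socket file
        server.listen(1)
        client.connect(path)
        conn, _ = server.accept()
        try:
            pid, uid, gid = peer_credentials(conn)
        finally:
            conn.close()
        return {"pid": pid, "uid": uid, "gid": gid,
                "accepted": same_user_only(uid, os.geteuid())}
    finally:
        client.close()
        server.close()
        os.unlink(path)
        os.rmdir(workdir)


if __name__ == "__main__":
    print(demo())
```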
Google Code Exporter commented
One point about your response (thanks by the way), with root I can connect
JConsole to all JVMs on the system, regardless of who the owner is.
Original comment by nicflatt...@gmail.com
on 23 May 2013 at 5:23
Google Code Exporter commented
I just tried this - and you're right, it definitely works - at least on Linux
and the Oracle JDK 6.
Thank you - no idea why I had this incorrect fact in my mind.
I'll investigate this further - stay tuned for an update.
Original comment by patric.r...@gmail.com
on 23 May 2013 at 7:21
Google Code Exporter commented
Can you please retry this (under root), using the release candidate:
http://jvmtop.googlecode.com/files/jvmtop-0.4.2.tar.gz
Original comment by patric.r...@gmail.com
on 24 May 2013 at 10:24
Google Code Exporter commented
Thank you sir!!! It works perfectly!
I tried both the regular and detailed view, and as long as I am root, I can
attach to everything.
I will definitely keep an active watch on this project as it is very good for
my needs.
Regards, Nic.
Original comment by nicflatt...@gmail.com
on 24 May 2013 at 1:20
Google Code Exporter commented
Fixed in version 0.5.0
You're welcome - and thanks for your quick retest.
Original comment by patric.r...@gmail.com
on 24 May 2013 at 1:33
- Changed state: Fixed