Process check for a given user and group only

Issue #1020 new
Lutz Mader created an issue

Hello Tildeslash,
the process service check (and all others) allows command statements for a given user and group. But the process service check itself does not accept an additional user and/or group. Therefore I added an additional test in "_match" (in ProcessTree.c) to do this.

START | STOP | RESTART PROGRAM name [AS UID user] [AS GID group] [WITH TIMEOUT number SECONDS]

This allows me to use this (without starting the monitor as root).

CHECK PROCESS name PIDFILE path | MATCHING pattern [UID user] [GID group]

In general this works well for all MATCHING pattern tests, because I added the used "userid" and "groupid" to the "matchlist". On the other hand, I cannot find the right place to add the additional "userid" and "groupid" to "Service_T" to make the test available for the PIDFILE path test also.

A suggestion where to add this little test enhancement to the code.

My problem is, I use "CHECK PROGRAM" and some scripts to do a process test based on the additional userid and groupid information, but I think the monitor should do this.
This was the reason I added this to "MATCHING pattern"; unfortunately I cannot find a useful place to do this for "PIDFILE path".
This enhancement makes the pattern handling easier for me, because the right process will be found more easily on larger systems that are starting several similar processes in a different user context. This is the reason I would like this enhancement to become generally available.

Thanks for some suggestions or comments,
Lutz

Comments (5)

  1. Lutz Mader reporter

    Hello everybody,
    I added the following enhancement to my repository and plan to make this available in the future, when tildeslash will do.

    Any suggestions or comments,
    Lutz

    p.s.

    PROCESS OWNER

    Monit allows easy testing of patterns for process match checking.
    The command takes a regular expression as an argument and the matching
    parent with highest uptime is selected, so this form of check is most
    useful if the process name is unique.
    If the process name is not unique but the processes are executed
    with a different user and/or group, the UID and GID can be used as
    additional selection criteria for the process owner.

    Example:

    check process apache matching "httpd"
    as uid "www" and gid "www"
    start program "/etc/init.d/httpd start" with timeout 60 seconds
    as uid "www" and gid "www"
    stop program "/etc/init.d/httpd stop"
    as uid "www" and gid "www"

    Please note that Monit can only run the program as a different user
    and/or group if Monit is running as superuser, otherwise Monit will
    simply ignore the request to change the user and/or group.

    The process check itself can regard the different user and/or group
    as user also, because the user and/or group from the process tree
    will be checked only.

    Syntax:

    CHECK PROCESS <unique name> <PIDFILE <path> | MATCHING <regex>>
    [[AS] UID <number | string>]
    [[AS] GID <number | string>]

    Monit can regard the user and/or group with the process check also
    if Monit is not running as superuser. Therefore Monit can check the
    process name pattern for a given user.

  2. Lutz Mader reporter

    Hello,
    a more detailed explanation of the intention to add the additional test.

    Sometimes an application will be started several times on a system.
    To make the pattern matching of the "matching" statement easier, it seems to be useful to add an additional test based on the uid/gid to limit the amount of tested command lines.

    In addition, the "pidfile" statement handling should test the pid similarly. Therefore, the pid should be tested based on the uid/gid also.

    In short,
    a process can be started based on a given uid/gid.
    With the new additional test the process can be tested based on a uid/gid also.

    The additional test will focus the test to the pids of a given user only.
    This could be misleading sometimes, unfortunately. On the other hand, if the content of the command line is similar or equal this is the only way to find the right process.
    And if a pid file contains a pid used by another user, this is not the right process, the process is not started.

    With regards,
    Lutz

  3. Lutz Mader reporter

    Hello,
    I added the suggested changes to the pull request. Most of the changes relate to the "pidfile" handling only.

    With regards,
    Lutz
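
The owner-restricted selection discussed in the comments above (MATCHING with UID/GID, and the PIDFILE owner test), as an added C example that is neither Monit's code nor the pull request's. The process table is constructed sample data, `Proc`, `ANY_ID`, `select_match` and `pid_owned_by` are hypothetical names, and selection is simplified to the highest-uptime match without the parent check.

```c
/* Added illustration, not Monit source. All names here are hypothetical;
 * TABLE is constructed sample data standing in for the process tree. */
#include <regex.h>
#include <stdio.h>
#include <sys/types.h>
#define ANY_ID (-1L)   /* no UID/GID constraint given in the check */
typedef struct { pid_t pid; long uid, gid, uptime; const char *cmdline; } Proc;

/* Constructed table: similar httpd command lines under different owners. */
static const Proc TABLE[] = {
    { 310, 0,    0,    9000, "/usr/sbin/httpd -k start" },      /* root */
    { 412, 48,   48,   5000, "/usr/sbin/httpd -k start" },      /* www  */
    { 977, 48,   48,    200, "/usr/sbin/httpd -k start -f alt.conf" },
    { 650, 1001, 1001, 7000, "/home/dev/httpd -f test.conf" },  /* dev  */
};
#define NPROC ((int)(sizeof TABLE / sizeof TABLE[0]))

static int owner_ok(const Proc *p, long uid, long gid) {
    return (uid == ANY_ID || p->uid == uid) && (gid == ANY_ID || p->gid == gid);
}

/* MATCHING <regex> [UID] [GID]: highest-uptime match among processes owned
 * by the requested user/group. Returns the pid, 0 if none, -1 on bad regex. */
pid_t select_match(const char *pattern, long uid, long gid) {
    regex_t re;
    const Proc *best = NULL;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    for (int i = 0; i < NPROC; i++) {
        const Proc *p = &TABLE[i];
        if (!owner_ok(p, uid, gid)) continue;   /* owner filter before regex */
        if (regexec(&re, p->cmdline, 0, NULL, 0) != 0) continue;
        if (!best || p->uptime > best->uptime) best = p;
    }
    regfree(&re);
    return best ? best->pid : 0;
}

/* PIDFILE <path> [UID] [GID]: a pid read from a pidfile counts as the service
 * only if it is running and owned as expected (stale or reused pid otherwise). */
int pid_owned_by(pid_t pid, long uid, long gid) {
    for (int i = 0; i < NPROC; i++)
        if (TABLE[i].pid == pid) return owner_ok(&TABLE[i], uid, gid);
    return 0;   /* pid not running */
}

int main(void) {
    printf("any owner: %d, uid/gid 48: %d\n", (int)select_match("httpd", ANY_ID, ANY_ID),
           (int)select_match("httpd", 48, 48));
    return 0;
}
```

Without the owner filter the pattern "httpd" resolves to the root-owned pid 310; with uid/gid 48 it resolves to pid 412, and a pidfile pointing at pid 310 is rejected for that owner.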
