CHECK PROCESS MATCHING does not work on 5.27.0 when monit runs as non-root

Issue #916 resolved
Artur Pedziwilk created an issue

On version 5.26.0 I have several working checks defined as for example.

check process ntp matching "ntpd"

Monit daemon runs as a monit user. After upgrade to 5.27.0 monit does not match those processes or any other process run as other user.

To reproduce. Correct behaviour of 5.26.0

[monit@host ~]$ /home/monit/monit-linux-x64-5.26.0.bin -c /opt/monitor/monit.conf procmatch ntp
List of processes matching pattern "ntp":
┌───┬───────┬───────┬──────────────────────────────────────────────────────────┐
│ │ PID │ PPID │ Command │
├───┼───────┼───────┼──────────────────────────────────────────────────────────┤
│ * │ 3226 │ 1 │ /usr/sbin/ntpd -u ntp:ntp -g │
└───┴───────┴───────┴──────────────────────────────────────────────────────────┘
Total matches: 1

Not working behaviour on 5.27.0

[monit@host ~]$ /home/monit/monit-linux-x64-5.27.0.bin -c /opt/monitor/monit.conf procmatch ntp
List of processes matching pattern "ntp":
Total matches: 0

Binaries for linux-64.

Comments (10)

  1. Artur Pedziwilk reporter

    On FreeBSD 12.x works correctly as expected.

    [monit@host ~]$ monit -V
    This is Monit version 5.26.0
    Built with ssl, with ipv6, with compression, with pam and with large files
    Copyright (C) 2001-2019 Tildeslash Ltd. All Rights Reserved.

    [monit@host ~]$ monit -c /home/monit/monitrc procmatch "/usr/local/sbin/ntpd"
    List of processes matching pattern "/usr/local/sbin/ntpd":
    ┌───┬───────┬───────┬──────────────────────────────────────────────────────────┐
    │ │ PID │ PPID │ Command │
    ├───┼───────┼───────┼──────────────────────────────────────────────────────────┤
    │ * │ 74578 │ 1 │ /usr/local/sbin/ntpd -f /usr/local/etc/ntpd.conf │
    └───┴───────┴───────┴──────────────────────────────────────────────────────────┘
    Total matches: 1

    [monit@host ~]$ monit -V
    This is Monit version 5.27.0
    Built with ssl, with ipv6, with compression, with pam and with large files
    Copyright (C) 2001-2020 Tildeslash Ltd. All Rights Reserved.

    [monit@host ~]$ monit -c /home/monit/monitrc procmatch "/usr/local/sbin/ntpd"
    List of processes matching pattern "/usr/local/sbin/ntpd":
    ┌───┬──────────┬──────────┬────────────────────────────────────────────────────┐
    │ │ PID │ PPID │ Command │
    ├───┼──────────┼──────────┼────────────────────────────────────────────────────┤
    │ * │ 74578 │ 1 │ /usr/local/sbin/ntpd -f /usr/local/etc/ntpd.conf │
    └───┴──────────┴──────────┴────────────────────────────────────────────────────┘
    Total matches: 1

  2. Lutz Mader

    Hello Artur,
    who is the owner of the process you checked with procmatch.

    As Long as the process is owned by the user I use to check the procmatch, the process will be found.
    But all other processes are not owned by the user are not found.

    It seems to me, Linux check the process owner only, on AIX I find all processes with the name matching to procmatch. On Linux I get my processes are matching only.

    Nice to see,
    Lutz

  3. Artur Pedziwilk reporter

    Hello Lutz,
    this is exactly as you are describing. The newest version of monit, when run as non-root user is not able to match any process wich is not running as the same user as monit daemon. I do not find this mentioned in the change log so that is why I registered this issue.

  4. Lutz Mader

    Hello Tildeslash,
    I think the process list does not contain all processes as long as monit does not run as root,
    initprocesstree_sysdep does not collect some processes because

    Sometimes _parseProcPidIO(&proc) failed, this was ignored in the past and
    _parseProcFdCount(&proc) is new and failed sometime too.

    This is nice, the process tree try to contain useful data only, but unfortunately some processes are ignored now.

    Someone should check the reason for something like this (see src/process/sysdep_LINUX.c)

    // parse /proc/PID/io
    static bool _parseProcPidIO(Proc_T proc) {
            char buf[4096];
            char *tmp = NULL;
            if (_statistics.hasIOStatistics) {
                    if (file_readProc(buf, sizeof(buf), "io", proc->data.pid, NULL)) {
                            // read bytes (total)
            :
                    } else {
                            // file_readProc() already printed a DEBUG() message
                            return false;
                    }
            }
            return true;
    }
    

    All PIDs without any io data are ignored now.

    And for this

    int initprocesstree_sysdep(ProcessTree_T **reference, ProcessEngine_Flags pflags) {
            ASSERT(reference);
    :
    
            for (size_t i = 0; i < globbuf.gl_pathc; i++) {
                    proc.data.pid = atoi(globbuf.gl_pathv[i] + 6); // skip "/proc/"
                    if (_parseProcPidStat(&proc) && _parseProcPidStatus(&proc) && _parseProcPidIO(&proc) && _parseProcPidCmdline(&proc, pflags) && _parseProcFdCount(&proc)) {
                            // Non-mandatory statistics (may not exist)
                            _parseProcPidAttrCurrent(&proc);
    

    _parseProcFdCount(&proc) should moved to the non mandatory statistics, sometimes not all Information are available.

    A short look to the code only, I try do do some more testing in some of my Linux systems.

    In the passt, some data was missing for a process, but the process tree was complete. Now, I missed no data but some processes.

    With regards,
    Lutz

  5. Lutz Mader

    Hello,
    I got a test Linux system and do some tests based on the suggested modifications, for src/process/sysdep_LINUX.c.

    monit -v -B procmatch ssh
    
    system statistic error -- opendir /proc/978/fd: Permission denied
    Cannot open proc file '/proc/98/io' -- Permission denied
    system statistic error -- opendir /proc/98/fd: Permission denied
    Cannot open proc file '/proc/983/io' -- Permission denied
    system statistic error -- opendir /proc/983/fd: Permission denied
    Cannot open proc file '/proc/990/io' -- Permission denied
    system statistic error -- opendir /proc/990/fd: Permission denied
    Cannot open proc file '/proc/998/io' -- Permission denied
    system statistic error -- opendir /proc/998/fd: Permission denied
    List of processes matching pattern "ssh":
        PID       PPID      Command
     *    101933         1  /usr/sbin/sshd -D -4
           56843    101933  sshd: j123456 [priv]
           56867     56843  sshd: j123456@notty
           56868     56867  logksh -c /usr/lib/ssh/sftp-server
           56869     56868  /usr/lib/ssh/sftp-server
           57289    101933  sshd: j123456 [priv]
           57340     57289  sshd: j123456@pts/0
    Total matches: 7
    
    WARNING:
    Multiple processes match the pattern. Monit will select the process with the
    highest uptime, the one highlighted.
    

    I got some information about other processes again and some error messages for the files the user can not read (I used the verbose mode to show this).
    This looks similar to the past, based on monit 5.26.0.

    ./monit -v -B procmatch ssh
    
    Cannot open proc file '/proc/973/io' -- Permission denied
    Cannot open proc file '/proc/974/io' -- Permission denied
    Cannot open proc file '/proc/978/io' -- Permission denied
    Cannot open proc file '/proc/98/io' -- Permission denied
    Cannot open proc file '/proc/983/io' -- Permission denied
    Cannot open proc file '/proc/990/io' -- Permission denied
    Cannot open proc file '/proc/998/io' -- Permission denied
    List of processes matching pattern "ssh":
        PID       PPID      Command
     *    101933         1  /usr/sbin/sshd -D -4
           56843    101933  sshd: j123456[priv]
           56867     56843  sshd: j123456@notty
           56868     56867  logksh -c /usr/lib/ssh/sftp-server
           56869     56868  /usr/lib/ssh/sftp-server
           57289    101933  sshd: j123456 [priv]
           57340     57289  sshd: j123456@pts/0
    Total matches: 7
    
    WARNING:
    Multiple processes match the pattern. Monit will select the process with the
    highest uptime, the one highlighted.
    

    With regards,
    Lutz

  6. Log in to comment