Summer 1996 - Lesson 5
Rootly Powers, Process Management
Rootly Powers
A. Taking on root identity confers certain powers
1. mount and unmount file systems
2. root can set "virtual root" via chroot()
3. creating device files (/dev)
4. setting system clock
5. can access any local file (one way or another)
6. change file ownership
7. raise resource limits (datasize, stacksize)
8. lowering nice values (raising priority)
9. changing system's hostname
10. running halt, shutdown
11. running lpc, lprm (all jobs)
12. others?
B. What limitations are there on root powers?
0. UNIX suffers from "one account has all powers", so the root account
is the focus of security break-ins.
1. being root on one machine usually does not make you trusted as root on another
2. Be careful that, when you are "root", you know what is in your $PATH!
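A check for the $PATH point in B.2, added here as an example rather than taken from the lecture: a POSIX sh function that reports the classic mistakes (current directory, relative entries, stale entries, directories not owned by root or writable by everyone) and returns the number found.

```shell
#!/bin/sh
# Audit a PATH value before working as root: one WARN line per risky entry,
# return status = number of warnings (0 means nothing suspicious was found).
check_path() {
    rest="$1:"          # trailing ':' so a trailing empty entry is also seen
    count=0
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        case "$entry" in
            ""|.)
                echo "WARN: current directory ('${entry:-empty field}') is in PATH"
                count=$((count + 1)); continue ;;
            /*) ;;
            *)
                echo "WARN: relative entry '$entry' depends on the current directory"
                count=$((count + 1)); continue ;;
        esac
        if [ ! -d "$entry" ]; then
            echo "WARN: '$entry' does not exist (stale entry)"
            count=$((count + 1)); continue
        fi
        # Directory owner must be uid 0; 'ls -n' is portable where stat(1) is not.
        owner=$(ls -ldn "$entry" | awk '{ print $3 }')
        if [ "$owner" != "0" ]; then
            echo "WARN: '$entry' is owned by uid $owner, not root"
            count=$((count + 1))
        fi
        # A world-writable directory lets any user drop a program there that
        # root will later run by name.
        if [ -n "$(find "$entry" -prune -perm -0002 2>/dev/null)" ]; then
            echo "WARN: '$entry' is world-writable"
            count=$((count + 1))
        fi
    done
    return "$count"
}

# Usage: the '||' keeps a non-zero warning count from aborting a 'set -e' script.
check_path "/usr/bin:/bin:." || echo "$? PATH problem(s) found"
```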
C. How to become root?
1. login as "root", if allowed in /etc/ttytab:
#
# @(#)ttytab 1.7 92/06/23 SMI
#
# name      getty                       type      status
#
console     "/usr/etc/getty cons8"      sun       on  local secure
ttya        "/usr/etc/getty std.9600"   unknown   off local secure
ttyb        "/usr/etc/getty std.9600"   unknown   off local secure
ttyp0       none                        network   off secure
ttyp1       none                        network   off secure
Field 1: "/dev" device name (e.g., "/dev/ttya")
Field 2: program to monitor that line ("getty", "xdm")
Field 3: Type of terminal (in "/etc/termcap")
Field 4 and up: List of attributes for that line
"on" == start up process in field 2
"local" == use local connection line discipline (or lack thereof)
"secure" == "root" allowed to log on
2. su
- substitute user
- "su" with minus flag ("su - jtbauer") invokes a login session
3. sudo
- NOT usually a part of a vendor-supplied UNIX
- allows a class of users to execute a set of commands
with root privileges
- logs use
- does introduce some vulnerabilities of its own
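An added example for the ttytab fields described under C.1 (not from the lecture): an awk-based audit that lists every line carrying the "secure" attribute and then narrows to the "network" lines, where root may log in directly over the network. The sample ttytab is constructed in the layout shown above.

```shell
#!/bin/sh
# Constructed /etc/ttytab in the layout shown above (comments, a quoted getty
# command or a bare word, then type, status and attributes).
SAMPLE_TTYTAB='#
# name       getty                     type     status
console      "/usr/etc/getty cons8"    sun      on  local secure
ttya         "/usr/etc/getty std.9600" unknown  off local secure
ttyp0        none                      network  off secure
ttyp1        none                      network  off
'
# Read a ttytab on stdin; print "name type status" for every line that
# carries the "secure" attribute, i.e. every line where root may log in.
secure_lines() {
    awk '
        /^#/ || NF == 0 { next }
        {
            name = $1; rest = $0
            sub(/^[^ \t]+[ \t]+/, "", rest)                   # drop the name
            if (rest ~ /^"/) { sub(/^"[^"]*"[ \t]*/, "", rest) }   # quoted getty command
            else { sub(/^[^ \t]+[ \t]+/, "", rest) }               # bare word such as none
            n = split(rest, f, /[ \t]+/)                      # type, status, attributes
            for (i = 3; i <= n; i++)
                if (f[i] == "secure") { print name, f[1], f[2]; break }
        }'
}
# The subset worth a second look: "network" pseudo-ttys marked secure,
# which means root can log in straight over the network.
network_secure_lines() {
    secure_lines | awk '$2 == "network" { print $1 }'
}

printf '%s' "$SAMPLE_TTYTAB" | network_secure_lines    # prints: ttyp0
```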
System Load Average
0. "load average" == average size of ready queue over sample period
1. shows the 1, 5, and 15 minute load averages
2. can see with "w", "uptime" or "top"
3. doesn't account for scheduling priority
4. what's a reasonable load average?
Idle Time
1. percentage of time the system is idle
2. can see with "iostat -c 1", "top", or "vmstat 1" (my fave)
3. what do you want this number to be?
4. example "iostat -c 1"
        cpu
 us ni sy id
 -----------
  4  0  6 90
 20  0 44 37
 24  2 65  9
 43  1 28 29
 31  0 21 48
  6  0 12 82
 13  0 13 74
 19  0 12 69
  3  0  6 90
  8  0 15 77
  2  0  6 92
^C
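An added example (not from the lecture) that summarises an "iostat -c 1" capture like the one above: it computes the mean and minimum idle percentage and counts the samples below a threshold, which turns "what do you want this number to be?" into a check you can run. The sample capture is constructed from the numbers above.

```shell
#!/bin/sh
# Constructed "iostat -c 1" capture in the layout shown above (us ni sy id).
SAMPLE_IOSTAT='        cpu
 us ni sy id
 -----------
  4  0  6 90
 20  0 44 37
 24  2 65  9
 43  1 28 29
 31  0 21 48
  6  0 12 82
 13  0 13 74
 19  0 12 69
  3  0  6 90
  8  0 15 77
  2  0  6 92
^C'
# Summarise an iostat -c stream on stdin: sample count, mean and minimum idle,
# and how many samples fell below the idle threshold given as $1 (default 25%).
# Header lines, the dashed rule and the ^C are skipped as non-numeric.
cpu_summary() {
    awk -v low="${1:-25}" '
        NF == 4 && $1 ~ /^[0-9]+$/ {
            n++; sum += $4
            if (n == 1 || $4 < min) min = $4
            if ($4 < low) below++
        }
        END {
            if (n == 0) { print "no samples"; exit 1 }
            printf "samples=%d avg_idle=%.1f min_idle=%d low_idle_samples=%d\n",
                   n, sum / n, min, below
        }'
}

printf '%s\n' "$SAMPLE_IOSTAT" | cpu_summary   # samples=11 avg_idle=63.4 min_idle=9 low_idle_samples=1
```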
Process Monitoring
A. ps - process status
- window into process table
- extremely rich command
1. process state
- First letter indicates the runnability of the process:
R - Runnable processes.
T - Stopped processes.
P - Processes in page wait.
D - Processes in non-interruptible waits.
S - Processes sleeping < about 20 seconds.
I - Processes sleeping > 20 seconds
Z - zombie (process with no resources other than a proc slot)
2. Swapped?
- Second letter indicates whether a process is swapped out;
blank - loaded in memory
W - Process is swapped out.
'>' - Process has specified a soft limit on memory
(imposed by the "limit" command)
3. Niced?
- Third letter indicates whether a process is running with
altered CPU scheduling priority (nice, renice)
blank - normal
N - The process priority is reduced,
< - The process priority has been raised artificially.
# renice +19 PID <- lowest priority (nice)
# renice -19 PID <- highest priority (not nice)
4. Special paging requirements
- Fourth letter indicates any special treatment of the
process for virtual memory replacement. (see vadvise()
system call)
5. Example:
USER       PID %CPU %MEM   SZ  RSS TT STAT START   TIME COMMAND
-----------------------------------------------------------------------
kuncick   7467 40.1  1.3  124  364 pc D <  09:32   0:15 find / -name foo
kuncick   7419 16.6  1.3  124  364 pc D N  09:28   0:11 find ...
kuncick   7529 39.4  1.2  100  320 pc R    09:35   0:01 find / -name foo
kuncick   7528 35.8  1.2  112  324 pc R    09:35   0:15 find / -name foo
root         1  0.0  0.0   52    0 ?  IW   Dec 18  0:24 /sbin/init -
root         2  0.0  0.0    0    0 ?  D    Dec 18  0:08 pagedaemon
root        75  0.0  0.4   48  108 ?  S    Dec 18 12:09 in.routed
bynum     7328  0.0  0.1   48   24 pb S    09:24   0:00 rlogin -8 sed
tajdari   7041  0.0  0.0   68    0 p6 IW   08:59   0:00 -pclab-csh (csh)
leggett  19429  0.0  0.0   80    0 ?  TW   Jan 21  0:00 pico +7
kohout    7036  0.0  0.0   24    0 p3 TW   08:59   0:00 /bin/sh ltxview
kohout    7008  0.0  0.0   84    0 p3 IW   08:58   0:00 -reg-csh (csh)
root     24818  0.0  0.0   32    0 ?  IW   20:46   0:07 in.telnetd
johnson   7297  0.0  0.7   80  192 p8 S    09:22   0:00 pico proj1b.f
root      6842  0.0  0.0   32    0 ?  IW   08:52   0:02 in.telnetd
evans     6843  0.0  0.0   76    0 p9 IW   08:52   0:00 -reg-csh (csh)
bynum     7321  0.0  0.0  404    0 pb IW   09:24   0:01 -reg-tcsh (tcsh)
root      6695  0.0  0.2   32   44 ?  S    08:47   0:04 in.telnetd
root      7007  0.0  0.0   24    0 ?  IW   08:58   0:00 in.rlogind
kuncick   7422  0.0  1.9  264  512 pc R    09:29   0:00 ps -aux
naus      7167  0.0  1.4 1216  384 p4 S    09:10   0:03 tin
healy     7814  0.0  3.4  184  924 ?  S    09:47   0:00 xclock -rv -update 1
6. Many more features to "ps"
- note that "ps" demonstrates the Heisenberg principle: observing the process
table changes it, since "ps" itself appears in its own output (PID 7422 above)
B. top - NOT part of vendor's UNIX, typically
- dynamically shows processes, idle time, memory usage,
and load averages
C. monitor (AIX ONLY)
D. "pstree" - nice public-domain (PD) filter that shows the family hierarchy of processes
E. "sa" - system accounting (BSD)
- Kernel must be enabled to do accounting and special accounting
commands must be executed first (see "accton")
- can summarize process accounting files by user
or by command
- can fill up a file system (usually /var/adm)
- this gives us long-term information about which processes
and which users are using the system
Sample "sa" output from a SunOS 4.1.x machine:
                                  average i/o
  #execs  %calls   %real    %cpu   per exec    command
  ------------------------------------------------------------
     105   3.88%  11.49%  41.67%    701avio    pico
      24   0.89%  17.17%   4.70%   1882avio    in.telnet
      77   2.85%   0.08%   3.93%  10011avio    ld
      18   0.67%   0.71%   3.63%   7214avio    xmap
      12   0.44%   6.13%   3.54%   2292avio    gmacs
      93   3.44%   0.04%   3.26%   2646avio    cpp
      27   1.00%   0.04%   3.08%   3133avio    ccom
      49   1.81%   2.47%   2.27%   1399avio    elm
       2   0.07%   0.10%   2.23%  69524avio    uqwk
       6   0.22%   0.53%   1.95%  29770avio    tin
      38   1.40%   2.47%   1.91%    852avio    vi
      45   1.66%  19.29%   1.70%    304avio    csh
      55   2.03%   0.02%   1.69%   1400avio    as
       3   0.11%   2.14%   1.66%  38549avio    trn
      29   1.07%   0.02%   1.62%    318avio    cc1
       1   0.04%   5.42%   1.46%  21232avio    xspim
      55   2.03%   0.01%   1.44%   1174avio    in.cfing
      10   0.37%   3.93%   1.40%   3922avio    in.rlogi
       5   0.18%   0.89%   1.27%   5672avio    lynx
       3   0.11%   0.01%   1.25%  11148avio    zip
      11   0.41%   3.19%   1.15%    463avio    tcsh
       3   0.11%   0.01%   1.12%  17642avio    sa
     233   8.61%   0.01%   1.08%     16avio    ls
"sa -m":
  user        #execs   cpu min   total i/o    k-core sec
  -------------------------------------------------------------
  auger           23   4.96cpu     3814tio   2007763k*sec
  liao           597   2.14cpu   980604tio    323673k*sec
  root           215   1.21cpu   235394tio    120867k*sec
  nanda          267   0.82cpu   150415tio     60734k*sec
  pfeil           16   0.67cpu    57073tio    212587k*sec
  decker          39   0.54cpu   216602tio    139192k*sec
  lloyd          256   0.40cpu    88127tio     27740k*sec
  hugg           161   0.36cpu    61257tio     46332k*sec
  bin             90   0.26cpu    76937tio      5853k*sec
  lacerte         83   0.25cpu   184599tio     20449k*sec
  lacano         113   0.20cpu    74759tio     27958k*sec
  brown           36   0.18cpu    62610tio     38403k*sec
  jenkins         13   0.17cpu    10611tio     24619k*sec
  thoman           9   0.15cpu    53762tio     42928k*sec
  johnson         86   0.12cpu    48026tio      4583k*sec
  huang           36   0.12cpu    50062tio     18535k*sec
  tajdari         54   0.11cpu    76533tio      8892k*sec
  keithlee        25   0.11cpu     5637tio     18212k*sec
  mills           68   0.09cpu    38932tio      4528k*sec
  colby           33   0.08cpu    14464tio      7761k*sec
  brooks          29   0.08cpu    40675tio     12337k*sec
  kevsmith         3   0.07cpu    52595tio     17897k*sec
  ayala           77   0.07cpu    72498tio      1229k*sec
  kuncick         52   0.06cpu    32691tio      2620k*sec
  houston         29   0.05cpu    21763tio      3223k*sec
  sukkert         15   0.04cpu    28598tio      6592k*sec
  jia             24   0.04cpu     9635tio      4332k*sec
  caldwell        50   0.04cpu     2884tio      2049k*sec
  owens           23   0.03cpu    11961tio       917k*sec
  williams        17   0.02cpu     2846tio       637k*sec
  nobody          59   0.02cpu     9308tio        77k*sec
  nayak            4   0.02cpu      564tio      2080k*sec
  marshall        10   0.02cpu    12014tio       406k*sec
  kirby           16   0.02cpu     2585tio      1221k*sec
System V accounting is, of course, different. See "man accton" for
an overview; more in Chapter 28.
Quick Remedies
1. system clogged by many identical jobs
2. one process has been running for a long time
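An added example (not part of the lecture) that ties the STAT letters from the ps section to Quick Remedy 1: it normalises "ps -aux" lines in the SunOS-style column order shown above, tallies runnable, stopped, disk-wait, zombie and swapped processes, and reports any user running the same command three or more times at once. The sample lines are constructed in the layout of the ps output above.

```shell
#!/bin/sh
# Constructed lines in the layout of the "ps -aux" sample above.
SAMPLE_PS='USER PID %CPU %MEM SZ RSS TT STAT START TIME COMMAND
kuncick 7467 40.1 1.3 124 364 pc D < 09:32 0:15 find / -name foo
kuncick 7419 16.6 1.3 124 364 pc D N 09:28 0:11 find / -name foo
kuncick 7529 39.4 1.2 100 320 pc R 09:35 0:01 find / -name foo
kuncick 7528 35.8 1.2 112 324 pc R 09:35 0:15 find / -name foo
root 1 0.0 0.0 52 0 ? IW Dec 18 0:24 /sbin/init -
root 2 0.0 0.0 0 0 ? D Dec 18 0:08 pagedaemon
leggett 19429 0.0 0.0 80 0 ? TW Jan 21 0:00 pico +7
kohout 7036 0.0 0.0 24 0 p3 TW 08:59 0:00 /bin/sh ltxview
root 75 0.0 0.4 48 108 ? S Dec 18 12:09 in.routed
healy 7814 0.0 3.4 184 924 ? S 09:47 0:00 xclock -rv -update 1'

# Normalise ps output (stdin) to one "user|pid|stat|command" record per line.
# STAT may span several tokens ("D <") and START may be "HH:MM" or "Mon DD",
# so everything after TT is walked token by token rather than by position.
ps_records() {
    awk '
        NR == 1 && $1 == "USER" { next }
        {
            i = 8; stat = ""
            while (i <= NF && $i ~ /^[A-Z<>]+$/) { stat = stat $i; i++ }
            if ($i ~ /^[A-Z][a-z][a-z]$/) { i += 2 } else { i++ }   # skip START
            i++                                                    # skip TIME
            cmd = $i
            for (j = i + 1; j <= NF; j++) cmd = cmd " " $j
            print $1 "|" $2 "|" stat "|" cmd
        }'
}
# Tally the first STAT letter (runnability) and the swapped-out flag.
ps_state_tally() {
    ps_records | awk -F'|' '
        { n[substr($3, 1, 1)]++; if ($3 ~ /W/) sw++ }
        END { printf "runnable=%d stopped=%d diskwait=%d zombie=%d swapped=%d\n",
                     n["R"], n["T"], n["D"], n["Z"], sw }'
}
# Quick remedy 1: the same command run by the same user N or more times at
# once (default 3) is the "many identical jobs" pattern worth a closer look.
duplicate_jobs() {
    ps_records | awk -F'|' -v min="${1:-3}" '
        { c[$1 " " $4]++ }
        END { for (k in c) if (c[k] >= min) print c[k], k }'
}

printf '%s\n' "$SAMPLE_PS" | ps_state_tally   # runnable=2 stopped=2 diskwait=3 zombie=0 swapped=3
printf '%s\n' "$SAMPLE_PS" | duplicate_jobs   # 4 kuncick find / -name foo
```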
Long-term Remedies
1. involve more performance analysis
2. may need faster CPU, more memory or faster I/O