Find out which user starts a root process in Linux - linux

Say someone runs htop with sudo:
$ sudo htop
I know we can get the user name of the htop process by:
$ ps aux | grep htop
But in this case it only returns root as the username:
$ ps aux | grep htop
root 21186 0.0 0.0 71256 4148 pts/2 S+ 17:16 0:00 sudo htop
root 21187 2.6 0.0 31460 5128 pts/2 S+ 17:16 0:21 htop
How can I find out which user is behind root?

This might work for you. It grabs the commands executed with sudo from /var/log/auth.log (gawk is required for gensub; the pattern accepts both the "sudo:" and the "sudo[PID]:" log prefixes and the run of spaces sudo puts before the user name):
awk '/sudo/ && /COMMAND=/ {
    # \1 = invoking user, \2 = target user (USER=), \3 = executable (COMMAND=)
    print gensub(/sudo[^:]*: +([^ ]+).*USER=([^ ]*).*COMMAND=([^ ]*)/,
                 "\\1 (as \\2) command: \\3", 1)
}' /var/log/auth.log

Simply use grep on /var/log/secure or /var/log/auth.log (which one depends on the distro):
$ sudo grep sudo /var/log/secure
(or)
$ sudo grep sudo /var/log/auth.log
If neither of these works, use sudo journalctl _COMM=sudo
It will give output like:
Apr 14 00:23:35 hell-abhi sudo[14519]: hell_abhi : TTY=pts/1 ; PWD=/home/hell_abhi ; USER=root ; COMMAND=/bin/journalctl _COMM=sudo
Apr 14 00:21:43 hell-abhi sudo[14348]: hell_abhi : TTY=pts/0 ; PWD=/home/hell_abhi ; USER=root ; COMMAND=/bin/nano
The table shows: date, time, user, PID, terminal, directory, command used.
Here you can see: hell_abhi ran sudo nano from /home/hell_abhi (his home directory).
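Two process-level checks that complement the log search, as an added example that is not from either answer: sudo places SUDO_USER, SUDO_UID and SUDO_COMMAND in the command's initial environment, readable from /proc/<pid>/environ, and the audit login UID in /proc/<pid>/loginuid is set by pam_loginuid at login, survives sudo and su, and cannot be changed without CAP_AUDIT_CONTROL. The first is only an environment variable (a hint); the second is what a forensic review should rely on. Reading another user's /proc entries requires root. The function names are this example's own; the environ file used to exercise it is constructed.

```shell
#!/bin/sh
# Added example: map a root-owned process (e.g. the htop above) back to the
# account that invoked sudo, using two traces sudo leaves behind:
#   1. SUDO_USER / SUDO_UID / SUDO_COMMAND in the command's initial environment
#      (/proc/<pid>/environ, NUL-separated) -- a hint, not evidence, since it is
#      just an environment variable;
#   2. the audit login UID (/proc/<pid>/loginuid), set by pam_loginuid at login,
#      inherited through sudo/su and not changeable without CAP_AUDIT_CONTROL.
# Run as root to inspect other users' processes.

# Value of NAME from a NUL-separated environ file (empty if absent).
environ_var() {  # environ_var <environ-file> <NAME>
    tr '\000' '\n' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# Map an audit loginuid to an account name; 4294967295 (-1) means it was never
# set, e.g. audit not enabled or a daemon started at boot.
loginuid_name() {  # loginuid_name <uid>
    case $1 in
        ''|-1|4294967295) echo unset ;;
        *) getent passwd "$1" | cut -d: -f1 ;;
    esac
}

# Summarise who is behind <pid>: effective user, SUDO_USER hint, audit login UID.
who_is_behind() {  # who_is_behind <pid>
    [ -r "/proc/$1/environ" ] || { echo "cannot read /proc/$1 (need root?)" >&2; return 1; }
    euser=$(ps -o user= -p "$1" 2>/dev/null)
    hint=$(environ_var "/proc/$1/environ" SUDO_USER)
    audit=$(loginuid_name "$(cat "/proc/$1/loginuid" 2>/dev/null)")
    printf 'pid=%s euser=%s SUDO_USER=%s loginuid=%s\n' \
        "$1" "${euser:-?}" "${hint:-none}" "$audit"
}

# Usage: sudo sh who_is_behind.sh 21187   (the htop PID from the question)
if [ $# -eq 1 ]; then
    who_is_behind "$1"
fi
```

If SUDO_USER is empty but loginuid names a real account, the process was started by root directly (a root shell, or su without audit, for example) or the variable was scrubbed; if loginuid is unset, audit was not configured at login time and only the log search above remains.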

How can I get STAT column in ps command?

I installed Cygwin for 64-bit versions of Windows, and I run "Cygwin64 Terminal" in order to check every process's state. As far as I know, the ps command must show a STAT column, but it is impossible to find the STAT column whenever I execute "ps -l", "ps aux", "ps -ef", "ps axj"...
I really want to view the STAT column in the ps command because some source code I am practising with recently asks me to check for zombie processes by means of the ps command.
[screenshot of ps command without STAT column]
Use procps
$ /usr/bin/procps.exe ax
PID TTY STAT TIME COMMAND
1580 pty1 Ss 0:00 -bash
1624 pty0 R 0:00 /usr/bin/procps ax
1522 ? Ss 0:05 /usr/bin/mintty -i /Cygwin-Terminal.ico -
1599 pty1 T 0:00 less .bashrc
1523 pty0 Ss 0:00 -bash
1579 ? Ss 0:00 /usr/bin/mintty -i /Cygwin-Terminal.ico -
You can find it in the procps-ng package:
$ cygcheck -f /usr/bin/procps
procps-ng-3.3.16-1
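Since the goal is to check for zombies, the following added example (not from the answer) turns the STAT column into a report: feed it the output of ps -eo pid,ppid,stat,comm (on Cygwin, /usr/bin/procps -eo pid,ppid,stat,comm) and it lists every process in state Z together with the parent that has not called wait() on it. The function names are this example's own, and the ps lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: report zombie processes and the parent responsible for them,
# from "ps -eo pid,ppid,stat,comm" output read on stdin. A zombie has already
# exited, so kill(1) does nothing to it; the parent must reap it (kill -CHLD
# <ppid> sometimes helps) or be stopped so that init adopts and reaps the child.

# Print "zombie_pid parent_pid parent_comm" per zombie (STAT starting with Z).
zombies() {  # ps -eo pid,ppid,stat,comm | zombies
    awk '
        NR == 1 { next }                 # header line
        { comm[$1] = $4 }                # remember every comm by pid
        $3 ~ /^Z/ { z[n++] = $1; parent[$1] = $2 }
        END {
            for (i = 0; i < n; i++) {
                p = parent[z[i]]
                print z[i], p, (p in comm ? comm[p] : "?")
            }
        }'
}

# Number of zombies in the same input.
zombie_count() {  # ps -eo pid,ppid,stat,comm | zombie_count
    zombies | wc -l | tr -d ' '
}

# Live run (procps on Linux; on Cygwin replace ps with /usr/bin/procps):
# ps -eo pid,ppid,stat,comm | zombies
```

Only the first word of the command name is recorded, so a comm containing spaces is truncated in the parent column; the PIDs are unaffected.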

how to check if Linux symlink is in use? (removing unused symlink)

fuser can show you ONLY whether the original file is in use.
fuser DOESN'T SHOW YOU WHETHER THE SYMLINK that points to the original file IS IN USE. That's the issue: you don't know whether the symlink is unused and can be removed.
I have started two processes (24261 opened the original file and 24262 opened the symlink):
root@server DEV # ls -l /lib64/libgcc_s-4.4.7-20120601.so.1
-rwxr-xr-x 1 root root 93320 Sep 1 2014 /lib64/libgcc_s-4.4.7-20120601.so.1
root@server DEV # ls -l /usr/lib/gcc/x86_64-redhat-linux/4.4.4/libgcc_s.so
lrwxrwxrwx. 1 root root 20 Oct 19 2015 /usr/lib/gcc/x86_64-redhat-linux/4.4.4/libgcc_s.so -> /lib64/libgcc_s.so.1
root@server DEV #
root@server DEV # tail -f /lib64/libgcc_s.so.1 &
[1] 24261
root@server DEV #
root@server DEV # cd /usr/lib/gcc/x86_64-redhat-linux/4.4.4
root@server DEV # tail -f libgcc_s.so &
[2] 24262
root@server DEV #
root@server DEV # ps -ef | grep tail
root 24261 3265 0 13:39 pts/1 00:00:00 tail -f /lib64/libgcc_s.so.1
root 24262 3265 0 13:39 pts/1 00:00:00 tail -f libgcc_s.so
root 24492 3265 0 13:40 pts/1 00:00:00 grep tail
root@server DEV #
In both cases fuser says that the symlink and the original file are in use (there are two processes for each command):
root@server DEV # fuser /lib64/libgcc_s.so.1
/lib64/libgcc_s.so.1: 24261 24262
root@server DEV # fuser /usr/lib/gcc/x86_64-redhat-linux/4.4.4/libgcc_s.so
/usr/lib/gcc/x86_64-redhat-linux/4.4.4/libgcc_s.so: 24261 24262
root@server DEV #
But we know that the symlink was not used by the first process. It could even be removed without affecting the first process.
Let's say I want to remove the 'gcc' package if the package is not in use.
The original file comes from the 'libgcc' package:
root@server DEV # rpm -qf /lib64/libgcc_s.so.1
libgcc-4.4.7-11.el6.x86_64
The symlink comes from the 'gcc' package:
root@server DEV # rpm -qf /usr/lib/gcc/x86_64-redhat-linux/4.4.4/libgcc_s.so
gcc-4.4.7-11.el6.x86_64
If I remove the 'gcc' package, which contains only the symlink, I will affect the second process! How can I see whether the symlink is unused?
In my case 'ps -ef' shows that I used the command:
root 24262 3265 0 13:39 pts/1 00:00:00 tail -f libgcc_s.so
So ps cannot even tell you that the symlink was used.
Any Linux guru?
EDITED:
There is a partial solution: checking cwd, the current working directory:
root@server DEV # ls -l /proc/24262/cwd
lrwxrwxrwx 1 root root 0 Jun 20 13:57 /proc/24262/cwd -> /usr/lib/gcc/x86_64-redhat-linux/4.4.4
root@server DEV #
So from here you see the path "/usr/lib/gcc/x86_64-redhat-linux/4.4.4" and you can get the file name from ps.
This doesn't work if you do:
root@server DEV # cd /root
root@server DEV # cat script.sh
/usr/bin/tail -f /usr/lib/gcc/x86_64-redhat-linux/4.4.4/libgcc_s.so
root@server DEV #
root@server DEV # nohup ./script.sh &
[2] 26713
root@server DEV #
root@server DEV # ls -l /proc/26713/cwd
lrwxrwxrwx 1 root root 0 Jun 20 14:32 /proc/26713/cwd -> /root
It shows cwd as /root, but the symlink is inside the script/program. So then you need to check the child processes in ps for /usr/lib/gcc/x86_64-redhat-linux/4.4.4/libgcc_s.so.
root@server DEV # ps -ef | grep 26713
root 26713 3265 0 14:32 pts/1 00:00:00 /bin/sh ./script.sh
root 26714 26713 0 14:32 pts/1 00:00:00 /usr/bin/tail -f /usr/lib/gcc/x86_64-redhat-linux/4.4.4/libgcc_s.so
root 26780 3265 0 14:38 pts/1 00:00:00 grep 26713
root@server DEV #
This is very confusing when you want to automate package removal (if the package is not in use).
It would be great if someone could see a simpler way of doing this. Also, can someone confirm the accuracy of using cwd and ps child processes for symlink-in-use detection?
What will happen if script.sh were a binary file? Will I still be able to see the full symlink path in 'ps' or cwd?
Symlinks are not usual files: they cannot be opened with open() like regular files or directories. A symlink is actually just a constant string, which is automatically interpreted internally during path resolution.
Because of that, symlinks are not "used" in the sense of utilities like fuser. When you call fuser on a symlink, it actually shows info about the file pointed to by the link.
If by "in use" you mean "one or more programs is using the link as its path name for the file", then there is no way to tell. It could have been used yesterday, and it might be used tomorrow. Unix is designed so that, unless you are specifically using tools designed for that specific purpose, a symlink looks just like the file it points to. Programs like fuser or lsof will just go right through the links without even telling you it's a link.
If by "in use" you mean "points to a valid file", then there are ways to tell. The simplest being ls -L
$ ls -l foo
/bin/ls: cannot access foo: No such file or directory
$ ls -l g
lrwxrwxrwx 1 hymie users 3 2016-06-20 10:09 g -> foo
$ ls -lL g
/bin/ls: cannot access g: No such file or directory
Unfortunately, the Linux kernel is designed to resolve the original file from the symlink in the startup phase. So when the process is running there is no possibility to check whether the file was called directly or through a symlink.
All you can do is check what the current working directory was (ls -l /proc/<process_id>/cwd), the command line argument strings (/proc/<process_id>/cmdline), and which user started the process (ps -ef | grep <process_id>); then you can check the user's startup scripts and $PATH, and ldd can show you which libraries are called from a particular library. If you want to restart the process to see whether the symlink is called, then strace is your friend.
The premise of this question (identifying unused packages with fuser / lsof) is fundamentally flawed:
Not every file your system needs to work properly will be referenced by an open file descriptor at any random time.
For example, you would have a bad time if you removed /bin/systemctl (since things like /sbin/shutdown are symlinks to it), but lsof shows nothing using it.
It's easy to come up with many more examples, like /bin/grep on my system. It's used all over the place in shell scripts, but I don't happen to have any long-running instances of it.
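An added example (not from any of the answers) that makes the above concrete and shows the only heuristic that survives it. Once open() has resolved the link, /proc/<pid>/fd holds just the target, which is all fuser and lsof can report; the path string the process was started with is still visible in /proc/<pid>/cmdline and /proc/<pid>/cwd, which is what the cwd-plus-ps approach in the question relies on. The code below scans those two for a literal mention of the link, absolute or relative to the process's cwd. PROC_ROOT and the function names are this example's own, and the fake /proc tree used to exercise it is constructed. Two limits worth stating: a program that builds the path internally, reads it from a config file or chdir()s after start-up leaves nothing to find, and an unversioned link such as libgcc_s.so is consumed by the link editor at build time (gcc -lgcc_s) rather than by ld.so at run time, so a running process normally never names it at all.

```shell
#!/bin/sh
# Added example: look for processes that were *started with* a given path
# (typically a symlink) in their argv, absolute or relative to their cwd.
# This is a heuristic: the kernel resolved the link at open() time and kept
# only the target (see /proc/<pid>/fd), so argv and cwd are the last trace of
# the link's own name. PROC_ROOT is /proc unless overridden for a constructed tree.

PROC_ROOT=${PROC_ROOT:-/proc}

# argv of a process, one element per line (/proc/<pid>/cmdline is NUL-separated).
argv_of() {  # argv_of <pid>
    tr '\000' '\n' < "$PROC_ROOT/$1/cmdline"
}

# Exit 0 and print "<pid>: <argv element>" if any argv element names <path>
# literally; relative elements are joined with the process's cwd first.
names_path() {  # names_path <pid> <path>
    cwd=$(readlink "$PROC_ROOT/$1/cwd" 2>/dev/null) || cwd=
    argv_of "$1" 2>/dev/null | awk -v pid="$1" -v want="$2" -v cwd="$cwd" '
        {
            p = $0
            if (p !~ /^\// && cwd != "") p = cwd "/" p
            if (p == want) { print pid ": " $0; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Scan every process for a literal reference to <path>. An empty result does not
# prove the link is unused: paths built inside the program, read from a config
# file, or made relative to a directory the process later left, leave no trace.
symlink_refs() {  # symlink_refs <path>
    for d in "$PROC_ROOT"/[0-9]*; do
        names_path "${d##*/}" "$1" || :
    done
}

# Usage (as root, to read every process's cmdline and cwd):
# symlink_refs /usr/lib/gcc/x86_64-redhat-linux/4.4.4/libgcc_s.so
```

On the question's own setup this reports 24262 (argv "libgcc_s.so" joined with its cwd) and 26714 (absolute path in argv) but not 24261, which matches what the questioner worked out by hand; for anything started from a compiled binary that hard-codes the path, strace -f -e trace=open,openat on a restart, as the previous answer suggests, is the only way to see the string.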

Can't stop/restart Apache2 service

Trying to stop Apache2 service, but get PID error:
#service apache2 stop
[FAIL] Stopping web server: apache2 failed!
[....] There are processes named 'apache2' running which do not match your pid file which are left untouched in the name of safety, Please review the situation by hand. ... (warning).
Trying to kill, those processes:
#kill -9 $(ps aux | grep apache2 | awk '{print $2}')
but they get re-spawned again:
#ps aux | grep apache2
root 19279 0.0 0.0 4080 348 ? Ss 05:10 0:00 runsv apache2
root 19280 0.0 0.0 4316 648 ? S 05:10 0:00 /bin/sh /usr/sbin/apache2ctl -D FOREGROUND
root 19282 0.0 0.0 91344 5424 ? S 05:10 0:00 /usr/sbin/apache2 -D FOREGROUND
www-data 19284 0.0 0.0 380500 2812 ? Sl 05:10 0:00 /usr/sbin/apache2 -D FOREGROUND
www-data 19285 0.0 0.0 380500 2812 ? Sl 05:10 0:00 /usr/sbin/apache2 -D FOREGROUND
And though the processes are running, I can't connect to the server on port 80. /var/log/apache2/error.log.1 has no new messages when I do the kill -9.
Before I tried to restart everything worked perfectly.
Running on Debian: Linux adara 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64 GNU/Linux
UPD:
also tried apache2ctl:
#/usr/sbin/apache2ctl -k stop
AH00526: Syntax error on line 76 of /etc/apache2/apache2.conf:
PidFile takes one argument, A file for logging the server process ID
Action '-k stop' failed.
The Apache error log may have more information.
but there is no pid file in /var/run/apache2
I'm new to linux, looks like it has to do something with startup scripts, but can't figure out what exactly.
Below is the command to find out the process running on port 80:
lsof -i tcp:80
Kill the process by PID. Restart the system once to check whether there is any startup script executing and using port 80 which is preventing you from starting your service.
For startup scripts you can check
/etc/init.d/ or /etc/rc.local or crontab -e
You can try the Apache official documentation for stop/restart operations.
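The respawning is the tell: the first line of the ps output is runsv apache2, a runit supervisor, and runit restarts a supervised service as soon as it dies, so kill -9 on the children changes nothing and the init script's PID file is not the one that matters. The added example below (not from the question or the answer) walks a process's parent chain through /proc/<pid>/status to find such a supervisor before anyone reaches for kill. With runit the service is stopped with sv stop apache2 (or sv down apache2), naming the service directory that runsvdir watches, normally under /etc/service; for a systemd unit, systemctl status <pid> names the owning unit. PROC_ROOT, the function names and the fake process tree used to exercise the code are this example's own.

```shell
#!/bin/sh
# Added example: find the supervisor that keeps respawning a process by walking
# its ancestry in /proc/<pid>/status. Killing a supervised child is futile; the
# supervisor (runsv for runit, supervise for daemontools, s6-supervise,
# supervisord) must be told to stop the service instead.
# PROC_ROOT defaults to /proc and exists only so the logic can be exercised on a
# constructed tree.

PROC_ROOT=${PROC_ROOT:-/proc}

# One field ("Name", "PPid") from /proc/<pid>/status.
status_field() {  # status_field <pid> <field>
    sed -n "s/^$2:[[:space:]]*//p" "$PROC_ROOT/$1/status" 2>/dev/null
}

# "<pid> <comm>" for the process and every ancestor, ending at PID 1.
ancestry() {  # ancestry <pid>
    pid=$1
    while [ -n "$pid" ] && [ "$pid" != 0 ]; do
        name=$(status_field "$pid" Name)
        [ -n "$name" ] || return 1          # vanished or unreadable
        printf '%s %s\n' "$pid" "$name"
        pid=$(status_field "$pid" PPid)
    done
}

# Comm of the nearest ancestor that is a known service supervisor, or "none".
# init/systemd at the top of the chain is not reported: every process has that.
supervisor_of() {  # supervisor_of <pid>
    ancestry "$1" | awk '
        NR > 1 && $2 ~ /^(runsv|supervise|s6-supervise|supervisord)$/ { print $2; found = 1; exit }
        END { if (!found) print "none" }'
}

# Usage: supervisor_of 19282   (the /usr/sbin/apache2 -D FOREGROUND PID above)
if [ $# -eq 1 ]; then
    printf 'ancestry:\n'; ancestry "$1"
    printf 'supervisor: %s\n' "$(supervisor_of "$1")"
fi
```

When the answer is runsv, stop the service through runit and only then check the port with lsof -i tcp:80 as the answer suggests; stopping the Debian init script and runit at the same time, each with its own idea of the PID file, is what produced the "do not match your pid file" warning.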

Get path to which a command's output has been redirected

Is there a way to find what path a command has had its output redirected to (if it has been)?
I tried using:
ps -p PID -o cmd
Thinking I could look for a > and extract the path from that, but the output doesn't have that part in it. I'm pretty sure it hasn't just been truncated.
You can use the proc file system, /proc/self/fd, for this:
readlink /proc/self/fd/1
for stdout, or 2 for stderr.
If you know the PID, just inspect /proc/ID/fd/1. It should be linked to the actual path:
$ watch date > /tmp/1 &
[1] 27346
$ ls -l /proc/27346/fd/1
l-wx------ 1 choroba users 64 2013-02-15 16:28 /proc/27346/fd/1 -> /tmp/1
Use the lsof (list open files) command to see what files a process has open for writing.
For example:
$ lsof -p 31714
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 31714 dogbane 0u CHR 136,4 6 /dev/pts/4
bash 31714 dogbane 1w REG 8,1 15 2032202 /tmp/t
The w in the FD (file descriptor) column means that /tmp/t is open for writing.
How about this?
[root@us04 ~]# ls -l /proc/14170/exe
lrwxrwxrwx 1 root root 0 Feb 15 10:36 /proc/14170/exe -> /usr/sbin/httpd
One more example:
[root@us04 ~]# readlink -f /proc/5352/exe
/sbin/syslogd
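Combining the /proc and lsof answers, as an added example that is not from either of them: /proc/<pid>/fd says where a descriptor points and /proc/<pid>/fdinfo says how it was opened, so a script can list the redirections of a running process without lsof and can tell > (O_WRONLY) from >> (O_WRONLY|O_APPEND), which lsof's "w" column does not distinguish. The flags line in fdinfo is octal; the access mode is its low two bits and O_APPEND is 02000 (1024). The function names are this example's own, and reading another user's /proc entry needs root.

```shell
#!/bin/sh
# Added example: where does each descriptor of a process point, and was it
# opened for reading, writing or appending? /proc/<pid>/fd/<n> is a symlink to
# the target; /proc/<pid>/fdinfo/<n> carries the open(2) flags in octal.
# Reading another user's entries requires root.

# Resolved target of one descriptor (a path, or pipe:[ino], socket:[ino], ...).
fd_target() {  # fd_target <pid> <fd>
    readlink "/proc/$1/fd/$2"
}

# Open mode of one descriptor: r, w or rw, with "+a" when O_APPEND is set.
# Low two bits of the flags are the access mode (0 O_RDONLY, 1 O_WRONLY,
# 2 O_RDWR); O_APPEND is octal 02000 = 1024. Creation-time flags such as
# O_CREAT and O_TRUNC are not kept by the kernel, so they never show here.
fd_mode() {  # fd_mode <pid> <fd>
    flags=$(sed -n 's/^flags:[[:space:]]*//p' "/proc/$1/fdinfo/$2" 2>/dev/null)
    [ -n "$flags" ] || return 1
    f=$(( 0$flags ))                 # leading 0: the shell parses it as octal
    case $(( f & 3 )) in
        0) mode=r ;;
        1) mode=w ;;
        *) mode=rw ;;
    esac
    [ $(( f & 1024 )) -eq 0 ] || mode="$mode+a"
    echo "$mode"
}

# One "fd<TAB>mode<TAB>target" line per open descriptor.
fd_table() {  # fd_table <pid>
    for link in "/proc/$1"/fd/*; do
        fd=${link##*/}
        printf '%s\t%s\t%s\n' "$fd" "$(fd_mode "$1" "$fd")" "$(readlink "$link")"
    done
}

# Descriptors writing to regular paths (pipes, sockets and /dev/* excluded):
# these are the > and >> redirections the question asks about.
redirections_of() {  # redirections_of <pid>
    fd_table "$1" | awk -F'\t' '$2 ~ /w/ && $3 ~ /^\// && $3 !~ /^\/dev\// {
        print $1 ": " $3 " (" $2 ")" }'
}

# Usage: redirections_of 27346   (the "watch date > /tmp/1" PID above)
if [ $# -eq 1 ]; then
    redirections_of "$1"
fi
```

A target of the form "/tmp/t (deleted)" means the file was unlinked after being opened; the data is still reachable through /proc/<pid>/fd/<n> until the process closes it, which is worth knowing both for recovering a log and for understanding why disk space is not freed.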

apache user does not exist

I'm trying to run the command chown -R apache:apache xyz
But I'm getting the error chown: `apache:apache': invalid user
Then I tried for the user www-data, but with same results.
Then I tried to check who owns the apache process by running, ps -Af |grep httpd.
I get the following,
root 29577 1 0 18:00 ? 00:00:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5
nobody 29754 29577 0 18:00 ? 00:00:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5
nobody 29756 29577 0 18:00 ? 00:00:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5
nobody 29757 29577 0 18:00 ? 00:00:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5
nobody 29758 29577 0 18:00 ? 00:00:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5
nobody 29759 29577 0 18:00 ? 00:00:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5
nobody 29760 29577 0 18:00 ? 00:00:00 /opt/lampp/bin/httpd -k start -DSSL -DPHP5
root 29785 29358 0 18:04 pts/0 00:00:00 grep httpd
So, where is the apache user?
Thanks.
Your Apache runs as the user called "nobody" (yes, nobody is a username).
I have never seen a Linux where the Apache user was called apache, but you can configure the name in the Apache config. Which Linux version are you using?
Look in the configuration for Apache, httpd.conf. The following lines should give you the needed information.
For the user do:
find / -name httpd.conf | xargs grep -i "^user"
and for the group do:
find / -name httpd.conf | xargs grep -i "^group"
-Martin
The user is called "www-data" in apache2.
Not all Linux servers use the user apache and group apache. It looks like the server is running the process as nobody.
Are you root on the server? If so you can look in the /etc/groups file to see what groups are defined.
I got the same problem when trying to make a chroot with only some libraries. When I tried to su, the same message appeared:
su: user xxxxx does not exist
It seems not all libraries were copied to the chroot subdirectory, so you can try to copy them all if you've prepared the chroot dir:
cp --parent -avR /usr/lib64 /CHROOT_DIR
cp --parent -avR /usr/lib /CHROOT_DIR
ln -s /CHROOT_DIR/usr/lib64 /CHROOT_DIR/lib64
ps aux | egrep '(apache|httpd)' or apachectl -S can also help you see what the user is. For me it was www-data.
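Pulling the answers together, as an added example that is not from the thread: read the User directive the way Apache does (directive names are case-insensitive), expand a Debian-style ${APACHE_RUN_USER} reference from /etc/apache2/envvars, where a plain grep for ^User would only show the variable name, and confirm the account exists locally before handing it to chown. The file paths and function names are assumptions of this example, and the sample config used to exercise it is constructed. The quickest runtime check remains ps -o user= -C httpd (or -C apache2), which on the poster's XAMPP box would print nobody for the workers.

```shell
#!/bin/sh
# Added example: work out which account Apache really runs as before chown.
# Apache directives are case-insensitive; on Debian apache2.conf contains
# "User ${APACHE_RUN_USER}" and the value lives in /etc/apache2/envvars.

# Value of a directive (User, Group, ...) from an httpd.conf; first match wins.
conf_directive() {  # conf_directive <conf> <Directive>
    awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1"
}

# Expand a ${NAME} reference using "export NAME=value" lines from an envvars
# file; any other value is returned unchanged.
expand_envvar() {  # expand_envvar <value> <envvars-file>
    name=$(printf '%s\n' "$1" | sed -n 's/^\${\([A-Za-z_][A-Za-z0-9_]*\)}$/\1/p')
    if [ -z "$name" ]; then
        echo "$1"
    else
        sed -n "s/^export $name=//p" "$2" | tr -d '"' | head -n 1
    fi
}

# Effective run-as user for a config, annotated when the account is missing.
# Defaults to the Debian envvars path (assumed); pass another file as $2.
apache_run_user() {  # apache_run_user <conf> [envvars]
    env=${2:-/etc/apache2/envvars}
    u=$(conf_directive "$1" User)
    [ -r "$env" ] && u=$(expand_envvar "$u" "$env")
    [ -n "$u" ] || { echo "no User directive in $1" >&2; return 1; }
    if getent passwd "$u" >/dev/null 2>&1; then
        echo "$u"
    else
        echo "$u (no such account)"
    fi
}

# Usage: apache_run_user /opt/lampp/etc/httpd.conf
#        apache_run_user /etc/apache2/apache2.conf /etc/apache2/envvars
if [ $# -ge 1 ]; then
    apache_run_user "$@"
fi
```

The "(no such account)" case is exactly the chown failure in the question: the name is invalid on this host, so either use the account the workers actually run as or create the one the config names before changing ownership.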
