{"id":4309,"date":"2022-07-30T12:30:25","date_gmt":"2022-07-30T12:30:25","guid":{"rendered":"https:\/\/nenadnoveljic.com\/blog\/?p=4309"},"modified":"2022-07-30T12:30:27","modified_gmt":"2022-07-30T12:30:27","slug":"changing-oswatcher-user","status":"publish","type":"post","link":"https:\/\/nenadnoveljic.com\/blog\/changing-oswatcher-user\/","title":{"rendered":"Changing OSWatcher User"},"content":{"rendered":"<p>Oracle Trace File Analyzer (TFA) starts OSWatcher under the user grid.<\/p>\n<pre><code>ps -e -o pid,user,cmd | grep OSW\n5007 grid     \/bin\/sh .\/OSWatcher.sh 30 48 NONE \/u00\/oracle\/GI\/gridbase\/oracle.ahf\/data\/repository\/suptools\/host\/oswbb\/grid\/archive\n5689 grid     \/bin\/sh .\/OSWatcherFM.sh 48 \/u00\/oracle\/GI\/gridbase\/oracle.ahf\/data\/repository\/suptools\/host\/oswbb\/grid\/archive<\/code><\/pre>\n<p>From the security point of view, it&#8217;s correct to run a program with the least privileges necessary. However, on Linux, <a href=\"https:\/\/nenadnoveljic.com\/blog\/slabinfo\/\">OSWatcher can&#8217;t read from \/proc\/slabinfo<\/a> because the file is readable only by root:<\/p>\n<pre><code>ls -l \/proc\/slabinfo\n-r--------. 1 root root 0 Jul 14 17:16 \/proc\/slabinfo<\/code><\/pre>\n<p>That&#8217;s the reason why the OSWatcher archive for slabinfo (oswslabinfo) is empty:<\/p>\n<pre><code>ls \/u00\/oracle\/GI\/gridbase\/oracle.ahf\/data\/repository\/suptools\/host\/oswbb\/grid\/archive\/oswslabinfo\/<\/code><\/pre>\n<p>The historical slabinfo information is essential for troubleshooting kernel memory leaks like <a href=\"https:\/\/nenadnoveljic.com\/blog\/acfs-slab\/\">this one, caused by ACFS<\/a>.<\/p>\n<p>One way to solve the permissions problem is to have your Unix administrator extend the read privileges on slabinfo. Another is to run OSWatcher as root.<\/p>\n<p>I couldn&#8217;t find anything in the documentation on how to change the user. 
So, I traced the TFA service start with the eBPF BCC utilities <a href=\"https:\/\/www.brendangregg.com\/blog\/2014-07-28\/execsnoop-for-linux.html\">execsnoop<\/a> and <a href=\"https:\/\/www.brendangregg.com\/blog\/2014-07-25\/opensnoop-for-linux.html\">opensnoop<\/a>. With both utilities you can inspect programs you know nothing about. execsnoop traces process creation, and opensnoop traces system calls for opening files. opensnoop is particularly useful for finding out which configuration files a process reads. execsnoop records all created processes &#8211; even those that ran only for a short time, for example the TFA boot script. We can correlate the information in the opensnoop and execsnoop output via the PID.<\/p>\n<pre><code>sudo  \/usr\/share\/bcc\/tools\/execsnoop &gt; execsnoop.log\nsudo  \/usr\/share\/bcc\/tools\/opensnoop -u 0 &gt; opensnoop.log<\/code><\/pre>\n<pre><code>systemctl start oracle-tfa.service<\/code><\/pre>\n<p>execsnoop captured the process that starts TFA:<\/p>\n<pre><code>PCOMM            PID    PPID   RET ARGS\nperl             73233  73214    0 \/bin\/perl \/opt\/oracle.ahf\/tfa\/bin\/tfactl.pl -initstart<\/code><\/pre>\n<p>The following shell script looks for a possible configuration entry in all the relevant files opened by the tfactl.pl script:<\/p>\n<pre><code>for file in $(grep -E '^73233 ' opensnoop.log | awk '{print $5}' | sort -u | grep -E 'config|prop|\\.xml')\ndo\n  echo \"$file\"\n  grep grid \"$file\"\ndone<\/code><\/pre>\n<p>The following entry stands out:<\/p>\n<pre><code>...\n\/u00\/oracle\/GI\/gridbase\/oracle.ahf\/data\/repository\/suptools\/host\/oswbb\/grid\/.osw.prop\nrunuser=grid<\/code><\/pre>\n<p>After changing the &#8220;runuser&#8221; parameter to root, killing the old OSWatcher processes and restarting TFA, OSWatcher indeed runs under root:<\/p>\n<pre><code>ps -e -o pid,user,cmd | grep OSW\n92676 root     \/bin\/sh .\/OSWatcher.sh 30 48 NONE 
\/u00\/oracle\/GI\/gridbase\/oracle.ahf\/data\/repository\/suptools\/host\/oswbb\/root\/archive\n92954 root     \/bin\/sh .\/OSWatcherFM.sh 48 \/u00\/oracle\/GI\/gridbase\/oracle.ahf\/data\/repository\/suptools\/host\/oswbb\/root\/archive<\/code><\/pre>\n<p>The question we must ask is: who owns the OSWatcher executable? If it isn&#8217;t root, the owner could change the scripts and escalate privileges to root. Fortunately, everything&#8217;s clean &#8211; the OSWatcher scripts belong to root:<\/p>\n<pre><code>pwdx 92676\n92676: \/opt\/oracle.ahf\/tfa\/ext\/oswbb\npwdx 92954\n92954: \/opt\/oracle.ahf\/tfa\/ext\/oswbb\nls -l \/opt\/oracle.ahf\/tfa\/ext\/oswbb\/OSW*\n-rwxr-xr-x. 1 root root  8035 Jun 18  2021 \/opt\/oracle.ahf\/tfa\/ext\/oswbb\/OSWatcherFM.sh\n-rwxr-xr-x. 1 root root 55636 Jun 18  2021 \/opt\/oracle.ahf\/tfa\/ext\/oswbb\/OSWatcher.sh<\/code><\/pre>\n<p>It&#8217;s worth noting that prior to switching to root, some other OSWatcher files &#8211; belonging to grid &#8211; were executed:<\/p>\n<pre><code>pwdx 5007\n5007: \/u00\/oracle\/GI\/gridbase\/oracle.ahf\/data\/repository\/suptools\/host\/oswbb\/grid\/oswbb\npwdx 5689\n5689: \/u00\/oracle\/GI\/gridbase\/oracle.ahf\/data\/repository\/suptools\/host\/oswbb\/grid\/oswbb\nls -l \/u00\/oracle\/GI\/gridbase\/oracle.ahf\/data\/repository\/suptools\/host\/oswbb\/grid\/oswbb\/OSW*\n-rwxr-xr-x. 1 grid oinstall  8035 Oct 19  2021 \/u00\/oracle\/GI\/gridbase\/oracle.ahf\/data\/repository\/suptools\/host\/oswbb\/grid\/oswbb\/OSWatcherFM.sh\n-rwxr-xr-x. 
1 grid oinstall 55636 Oct 19  2021 \/u00\/oracle\/GI\/gridbase\/oracle.ahf\/data\/repository\/suptools\/host\/oswbb\/grid\/oswbb\/OSWatcher.sh<\/code><\/pre>\n<p>In conclusion, it&#8217;s safe to let OSWatcher run under root because Oracle switches to other OSWatcher scripts that are writable only by root.<\/p>\n<p>In summary, in the default setup, OSWatcher doesn&#8217;t collect the slabinfo information because it runs as the user grid, and grid doesn&#8217;t have read permission on slabinfo. A possible workaround is to run OSWatcher as root. You can achieve that by changing the &#8220;runuser&#8221; parameter in the file .osw.prop. Disclaimer: this isn&#8217;t a documented procedure.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Tracing TFA to find out how to change the user under which OSWatcher is started. <a href=\"https:\/\/nenadnoveljic.com\/blog\/changing-oswatcher-user\/\" class=\"more-link\">Continue Reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[53,54,56],"tags":[],"class_list":["post-4309","post","type-post","status-publish","format-standard","hentry","category-ebpf","category-linux","category-tfa"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Changing OSWatcher User - All-round Database Topics<\/title>\n<meta name=\"description\" content=\"OSWatcher root\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/nenadnoveljic.com\/blog\/changing-oswatcher-user\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Changing OSWatcher 
User - All-round Database Topics\" \/>\n<meta property=\"og:description\" content=\"OSWatcher root\" \/>\n<meta property=\"og:url\" content=\"https:\/\/nenadnoveljic.com\/blog\/changing-oswatcher-user\/\" \/>\n<meta property=\"og:site_name\" content=\"All-round Database Topics\" \/>\n<meta property=\"article:published_time\" content=\"2022-07-30T12:30:25+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-07-30T12:30:27+00:00\" \/>\n<meta name=\"author\" content=\"Nenad Noveljic\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@NenadNoveljic\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Nenad Noveljic\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/nenadnoveljic.com\\\/blog\\\/changing-oswatcher-user\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/nenadnoveljic.com\\\/blog\\\/changing-oswatcher-user\\\/\"},\"author\":{\"name\":\"Nenad Noveljic\",\"@id\":\"https:\\\/\\\/nenadnoveljic.com\\\/blog\\\/#\\\/schema\\\/person\\\/51458d9dd86dbbdd19f5add451d44efa\"},\"headline\":\"Changing OSWatcher 
User\",\"datePublished\":\"2022-07-30T12:30:25+00:00\",\"dateModified\":\"2022-07-30T12:30:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/nenadnoveljic.com\\\/blog\\\/changing-oswatcher-user\\\/\"},\"wordCount\":398,\"commentCount\":0,\"articleSection\":[\"eBPF\",\"Linux\",\"TFA\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/nenadnoveljic.com\\\/blog\\\/changing-oswatcher-user\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/nenadnoveljic.com\\\/blog\\\/changing-oswatcher-user\\\/\",\"url\":\"https:\\\/\\\/nenadnoveljic.com\\\/blog\\\/changing-oswatcher-user\\\/\",\"name\":\"Changing OSWatcher User - All-round Database Topics\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/nenadnoveljic.com\\\/blog\\\/#website\"},\"datePublished\":\"2022-07-30T12:30:25+00:00\",\"dateModified\":\"2022-07-30T12:30:27+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/nenadnoveljic.com\\\/blog\\\/#\\\/schema\\\/person\\\/51458d9dd86dbbdd19f5add451d44efa\"},\"description\":\"OSWatcher root\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/nenadnoveljic.com\\\/blog\\\/changing-oswatcher-user\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/nenadnoveljic.com\\\/blog\\\/changing-oswatcher-user\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/nenadnoveljic.com\\\/blog\\\/changing-oswatcher-user\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/nenadnoveljic.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Changing OSWatcher User\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/nenadnoveljic.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/nenadnoveljic.com\\\/blog\\\/\",\"name\":\"All-round Database Topics\",\"description\":\"Nenad 
Noveljic\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/nenadnoveljic.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/nenadnoveljic.com\\\/blog\\\/#\\\/schema\\\/person\\\/51458d9dd86dbbdd19f5add451d44efa\",\"name\":\"Nenad Noveljic\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a97b796613ea48ec8a7b79c8ffe1c685dcffc920c68121f6238d5caab5070670?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a97b796613ea48ec8a7b79c8ffe1c685dcffc920c68121f6238d5caab5070670?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a97b796613ea48ec8a7b79c8ffe1c685dcffc920c68121f6238d5caab5070670?s=96&d=mm&r=g\",\"caption\":\"Nenad Noveljic\"},\"sameAs\":[\"nenad-noveljic-9b746a6\",\"https:\\\/\\\/x.com\\\/NenadNoveljic\"],\"url\":\"https:\\\/\\\/nenadnoveljic.com\\\/blog\\\/author\\\/nenad\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/nenadnoveljic.com\/blog\/wp-json\/wp\/v2\/posts\/4309","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nenadnoveljic.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nenadnoveljic.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nenadnoveljic.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nenadnoveljic.com\/blog\/wp-json\/wp\/v2\/comments?post=4309"}],"version-history":[{"count":1,"href":"https:\/\/nenadnoveljic.com\/blog\/wp-json\/wp\/v2\/posts\/4309\/revisions"}],"predecessor-version":[{"id":4313,"href":"https:\/\/nenadnoveljic.com\/blog\/wp-json\/wp\/v2\/posts\/4309\/revisions\/4313"}],"wp:attachment":[{"href":"https:\/\/nenadnoveljic.com\/blog\/wp-json\/wp\/v2\/media?parent=4309"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nenadnoveljic.com\/blog\/wp-json\/wp\/v2\/categories?post=4309"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nenadnoveljic.com\/blog\/wp-json\/wp\/v2\/tags?post=4309"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}