dtrace discuss - Jul 2009 - Question about ID from trace

Hello,

	Trying to track down what application is causing the system to reboot by
turning the uadmin system call''s reboot into a panic, we are running
the following script:

-x-x- start of uadmin.d -x-x-
> #!/usr/sbin/dtrace -s
>
> #pragma D option destructive
>
> syscall::uadmin:entry
> /arg0 == 1 && uid == 0/
> {
>   panic();
> }
>
> syscall::uadmin:entry
> {
>        trace("I am not root")
> }
> -x-x- end of uadmin.d -x-x-
	We are getting a string of output:


dtrace: script ''/usr/local/bin/uadmin.d'' matched 2 probes
dtrace: allowing destructive actions
CPU     ID                    FUNCTION:NAME
258   8063                     uadmin:entry   I am not root
258   8063                     uadmin:entry   I am not root
258   8063                     uadmin:entry   I am not root
258   8063                     uadmin:entry   I am not root
258   8063                     uadmin:entry   I am not root
261   8063                     uadmin:entry   I am not root
256   8063                     uadmin:entry   I am not root
256   8063                     uadmin:entry   I am not root
259   8063                     uadmin:entry   I am not root
257   8063                     uadmin:entry   I am not root
257   8063                     uadmin:entry   I am not root
256   8063                     uadmin:entry   I am not root
256   8063                     uadmin:entry   I am not root
256   8063                     uadmin:entry   I am not root
257   8063                     uadmin:entry   I am not root
258   8063                     uadmin:entry   I am not root
...
...

	I thought that the ID should be a PID, but 

# ps -ef|grep 8063

<<dores not find it>>

Any suggestions on how to track down this rouge entity which is futilely  trying
to do something with uadmin?

thanks,
Robert



-- 

If you would prefer to be contacted via phone or e-mail.  Please 
let me know.

=================================================================================================================================
 Robert Alatalo ~ Technical Support Engineer
 Sun Microsystems, Burlington, MA 01803 
 Phone:781-442-1301, Fax:781-442-1655 , E-mail:RAlatalo at Sun.com 
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~ 
   ONLINE SUPPORT CENTER: http://www.sun.com/service/online
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~ 
 All information in this e-mail is Sun Microsystems privileged, 
  confidential information and intended for addressee(s) only.

On Fri, Jul 10, 2009 at 10:01 AM, Robert Alatalo<Robert.Alatalo at
sun.com> wrote:
>
> ? ? ? ?We are getting a string of output:
>
>
> dtrace: script ''/usr/local/bin/uadmin.d'' matched 2 probes
> dtrace: allowing destructive actions
> CPU ? ? ID ? ? ? ? ? ? ? ? ? ?FUNCTION:NAME
> 258 ? 8063 ? ? ? ? ? ? ? ? ? ? uadmin:entry ? I am not root
> 258 ? 8063 ? ? ? ? ? ? ? ? ? ? uadmin:entry ? I am not root
>
> ? ? ? ?I thought that the ID should be a PID, but
> # ps -ef|grep 8063
>
> <<dores not find it>>
>
The ID is the probe ID, not the process ID.  If you want the process
ID, try, "trace(pid)".  Or some variant of printf() where you
explicitly access the pid variable.

Chad

I guess that the ID you see it''s the ID of the provider not the PID

On 07/10/09 16:01, Robert Alatalo wrote:
> Hello,
>
>     Trying to track down what application is causing the system to 
> reboot by turning the uadmin system call''s reboot into a panic, we
are
> running the following script:
>
> -x-x- start of uadmin.d -x-x-
>> #!/usr/sbin/dtrace -s
>>
>> #pragma D option destructive
>>
>> syscall::uadmin:entry
>> /arg0 == 1 && uid == 0/
>> {
>>   panic();
>> }
>>
>> syscall::uadmin:entry
>> {
>>        trace("I am not root")
>> }
>> -x-x- end of uadmin.d -x-x-
>
>     We are getting a string of output:
>
>
> dtrace: script ''/usr/local/bin/uadmin.d'' matched 2 probes
> dtrace: allowing destructive actions
> CPU     ID                    FUNCTION:NAME
> 258   8063                     uadmin:entry   I am not root
> 258   8063                     uadmin:entry   I am not root
> 258   8063                     uadmin:entry   I am not root
> 258   8063                     uadmin:entry   I am not root
> 258   8063                     uadmin:entry   I am not root
> 261   8063                     uadmin:entry   I am not root
> 256   8063                     uadmin:entry   I am not root
> 256   8063                     uadmin:entry   I am not root
> 259   8063                     uadmin:entry   I am not root
> 257   8063                     uadmin:entry   I am not root
> 257   8063                     uadmin:entry   I am not root
> 256   8063                     uadmin:entry   I am not root
> 256   8063                     uadmin:entry   I am not root
> 256   8063                     uadmin:entry   I am not root
> 257   8063                     uadmin:entry   I am not root
> 258   8063                     uadmin:entry   I am not root
> ...
> ...
>
>     I thought that the ID should be a PID, but
> # ps -ef|grep 8063
>
> <<dores not find it>>
>
> Any suggestions on how to track down this rouge entity which is 
> futilely  trying to do something with uadmin?
>
> thanks,
> Robert
>
>
>

-- 

     /\               Andrea Cucciarre''
    \\ \              Systems Engineer
   \ \\ /
  / \/ / /            Sun Microsystems Italia SpA
 / /   \//\           Viale Fulvio Testi, 327
 \//\   / /           20162 Milano
  / / /\ /
   / \\ \             phone: 800 605228
    \ \\              e-mail: andrea.cucciarre at Sun.COM
     \/

It''s the ID of the probe, not the provider.

/jim


Andrea Cucciarre'' wrote:
> I guess that the ID you see it''s the ID of the provider not the
PID
>
> On 07/10/09 16:01, Robert Alatalo wrote:
>> Hello,
>>
>>     Trying to track down what application is causing the system to 
>> reboot by turning the uadmin system call''s reboot into a
panic, we
>> are running the following script:
>>
>> -x-x- start of uadmin.d -x-x-
>>> #!/usr/sbin/dtrace -s
>>>
>>> #pragma D option destructive
>>>
>>> syscall::uadmin:entry
>>> /arg0 == 1 && uid == 0/
>>> {
>>>   panic();
>>> }
>>>
>>> syscall::uadmin:entry
>>> {
>>>        trace("I am not root")
>>> }
>>> -x-x- end of uadmin.d -x-x-
>>
>>     We are getting a string of output:
>>
>>
>> dtrace: script ''/usr/local/bin/uadmin.d'' matched 2
probes
>> dtrace: allowing destructive actions
>> CPU     ID                    FUNCTION:NAME
>> 258   8063                     uadmin:entry   I am not root
>> 258   8063                     uadmin:entry   I am not root
>> 258   8063                     uadmin:entry   I am not root
>> 258   8063                     uadmin:entry   I am not root
>> 258   8063                     uadmin:entry   I am not root
>> 261   8063                     uadmin:entry   I am not root
>> 256   8063                     uadmin:entry   I am not root
>> 256   8063                     uadmin:entry   I am not root
>> 259   8063                     uadmin:entry   I am not root
>> 257   8063                     uadmin:entry   I am not root
>> 257   8063                     uadmin:entry   I am not root
>> 256   8063                     uadmin:entry   I am not root
>> 256   8063                     uadmin:entry   I am not root
>> 256   8063                     uadmin:entry   I am not root
>> 257   8063                     uadmin:entry   I am not root
>> 258   8063                     uadmin:entry   I am not root
>> ...
>> ...
>>
>>     I thought that the ID should be a PID, but
>> # ps -ef|grep 8063
>>
>> <<dores not find it>>
>>
>> Any suggestions on how to track down this rouge entity which is 
>> futilely  trying to do something with uadmin?
>>
>> thanks,
>> Robert
>>
>>
>>
>
>