public inbox for linux-kernel@vger.kernel.org
* Hidden PIDs in /proc
@ 2004-03-23 16:08 Emiliano 'AlberT' Gabrielli
  2004-03-23 16:15 ` Miquel van Smoorenburg
  0 siblings, 1 reply; 4+ messages in thread
From: Emiliano 'AlberT' Gabrielli @ 2004-03-23 16:08 UTC (permalink / raw)
  To: linux-kernel


Hi all,

   I discovered some "hidden" pid dirs in /proc :

root@emc2:# ls -lha /proc/ | grep 4673
root@emc2:# ls -lha /proc/4673/
totale 0
dr-xr-xr-x    3 albert   albert          0 2004-03-23 17:02 .
dr-xr-xr-x  108 root     root            0 2004-03-23 16:10 ..
dr-xr-xr-x    2 albert   albert          0 2004-03-23 17:03 attr
-r--------    1 albert   albert          0 2004-03-23 17:03 auxv
-r--r--r--    1 albert   albert          0 2004-03-23 17:03 cmdline
lrwxrwxrwx    1 albert   albert          0 2004-03-23 17:02 cwd -> /home/albert
-r--------    1 albert   albert          0 2004-03-23 17:03 environ
lrwxrwxrwx    1 albert   albert          0 2004-03-23 17:02 exe -> /usr/lib/mozilla-firefox/firefox-bin
dr-x------    2 albert   albert          0 2004-03-23 17:03 fd
-r--r--r--    1 albert   albert          0 2004-03-23 17:03 maps
-rw-------    1 albert   albert          0 2004-03-23 17:03 mem
-r--r--r--    1 albert   albert          0 2004-03-23 17:03 mounts
lrwxrwxrwx    1 albert   albert          0 2004-03-23 17:03 root -> /
-r--r--r--    1 albert   albert          0 2004-03-23 17:03 stat
-r--r--r--    1 albert   albert          0 2004-03-23 17:03 statm
-r--r--r--    1 albert   albert          0 2004-03-23 17:03 status
dr-xr-xr-x    3 albert   albert          0 2004-03-23 17:03 task
-r--r--r--    1 albert   albert          0 2004-03-23 17:03 wchan


Obviously this is a persistent process, not a process living only for the 
second test lifetime.

After 2 days of headache searching for possible rootkits, reinstalling all the 
basic system, libs and so on (from a clean live-CD boot) ...
I noticed that these processes all seem to use pthreads ... so, the question is:

is my problem related/solved by the initramfs-search-for-init-zombie-fix.patch
in the -mm1 tree ??

thank you in advance

-- 
                       Emiliano `AlberT` Gabrielli  

E-Mail: AlberT@SuperAlberT.it  -  Web:    http://SuperAlberT.it
Member of the Italian Agile Movement - AlberT@agilemovement.it


* Re: Hidden PIDs in /proc
  2004-03-23 16:08 Emiliano 'AlberT' Gabrielli
@ 2004-03-23 16:15 ` Miquel van Smoorenburg
  2004-03-23 16:40   ` Emiliano 'AlberT' Gabrielli
  0 siblings, 1 reply; 4+ messages in thread
From: Miquel van Smoorenburg @ 2004-03-23 16:15 UTC (permalink / raw)
  To: linux-kernel

In article <200403231708.15812.AlberT@agilemovement.it>,
Emiliano 'AlberT' Gabrielli <AlberT@agilemovement.it> wrote:
>
>Hi all,
>
>   I discovered some "hidden" pid dirs in /proc :
>
>root@emc2:# ls -lha /proc/ | grep 4673
>root@emc2:# ls -lha /proc/4673/
>totale 0
>dr-xr-xr-x    3 albert   albert          0 2004-03-23 17:02 .
>dr-xr-xr-x  108 root     root            0 2004-03-23 16:10 ..

It's just a thread. For a threaded process, only the thread group
leader is listed in /proc directly. The other threads are visible
under /proc/<tgid>/task  (try it).

>After 2 days of headache searching for possible rootkits, reinstalling all the 
>basic system, libs and so on (from a clean live-CD boot) ...
>I noticed that these processes all seem to use pthreads ... so, the question is:
>
>is my problem related/solved by the initramfs-search-for-init-zombie-fix.patch
>in the -mm1 tree ??

No, by upgrading to a more recent procps.

# ps ax | grep mozilla
16252 ?        S     10:21 /usr/lib/mozilla-firefox/firefox-bin
$ ps ax -T | grep moz
16252 16252 ?        S     10:21 /usr/lib/mozilla-firefox/firefox-bin
16252 16264 ?        S      0:01 /usr/lib/mozilla-firefox/firefox-bin
16252 16266 ?        S      0:03 /usr/lib/mozilla-firefox/firefox-bin
16252 21530 ?        S      0:00 /usr/lib/mozilla-firefox/firefox-bin

Also note:

# ls /proc/16252/task
16252/  16264/  16266/  21530/

Mike.
-- 
Netu, v qba'g yvxr gur cynvagrkg :)



* Re: Hidden PIDs in /proc
  2004-03-23 16:15 ` Miquel van Smoorenburg
@ 2004-03-23 16:40   ` Emiliano 'AlberT' Gabrielli
  0 siblings, 0 replies; 4+ messages in thread
From: Emiliano 'AlberT' Gabrielli @ 2004-03-23 16:40 UTC (permalink / raw)
  To: linux-kernel

On Tuesday 23 March 2004 17:15, Miquel van Smoorenburg wrote:
> In article <200403231708.15812.AlberT@agilemovement.it>,
>
> Emiliano 'AlberT' Gabrielli <AlberT@agilemovement.it> wrote:
> >Hi all,
> >
> >   I discovered some "hidden" pid dirs in /proc :
> >
> >root@emc2:# ls -lha /proc/ | grep 4673
> >root@emc2:# ls -lha /proc/4673/
> >totale 0
> >dr-xr-xr-x    3 albert   albert          0 2004-03-23 17:02 .
> >dr-xr-xr-x  108 root     root            0 2004-03-23 16:10 ..
>
> It's just a thread. For a threaded process, only the thread group
> leader is listed in /proc directly. The other threads are visible
> under /proc/<tgid>/task  (try it).
>

I already did it ... in fact the second test I posted correctly shows the 
thread ... but, why ps ax -m does *not* show it ??  

uhmm ok under task I can see all the threads correctly... the question now 
is .. why to show also the secondary threads directly in /proc, even if not 
visible by readdir ? It is a confusing issue for chkrootkit and similar... 
creating only the /proc/<tgid> in /proc should suffice and be cleaner ... 
IMHO.

> >After 2 days of headache searching for possible rootkits, reinstalling all
> > the basic system, libs and so on (from a clean live-CD boot) ...
> >I noticed that these processes all seem to use pthreads ... so, the question
> > is:
> >
> >is my problem related/solved by the
> > initramfs-search-for-init-zombie-fix.patch in the -mm1 tree ??
>
> No, by upgrading to a more recent procps.
>
> # ps ax | grep mozilla
> 16252 ?        S     10:21 /usr/lib/mozilla-firefox/firefox-bin
> $ ps ax -T | grep moz
> 16252 16252 ?        S     10:21 /usr/lib/mozilla-firefox/firefox-bin
> 16252 16264 ?        S      0:01 /usr/lib/mozilla-firefox/firefox-bin
> 16252 16266 ?        S      0:03 /usr/lib/mozilla-firefox/firefox-bin
> 16252 21530 ?        S      0:00 /usr/lib/mozilla-firefox/firefox-bin
>
> Also note:
>
> # ls /proc/16252/task
> 16252/  16264/  16266/  21530/
>
> Mike.


uh oh .. my bad ...  but .. my ignorance now asks what is the real diff between 
-m and -T options for ps ...

thanks
-- 
                       Emiliano `AlberT` Gabrielli  

E-Mail: AlberT@SuperAlberT.it  -  Web:    http://SuperAlberT.it
Member of the Italian Agile Movement - AlberT@agilemovement.it
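
The readdir-versus-lookup mismatch discussed in the messages above, as an added example that is not part of the original thread: a hidden-process check that probes every ID directly and explains unlisted hits as secondary threads when the `Tgid` in `/proc/<n>/status` names a listed leader whose `task/` directory contains the ID. The function names `status_tgid`, `classify` and `scan` are hypothetical; the code assumes a Linux /proc with a `Tgid:` field in `status` and `/proc/sys/kernel/pid_max`.

```python
import os

def status_tgid(text):
    """Return the Tgid field of /proc/<n>/status text, or None if missing."""
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if key == "Tgid":
            return int(val)
    return None

def classify(n, listed, status_text, tasks_of):
    """Explain why ID n answers a direct /proc/<n> lookup.
    listed: IDs readdir returned for /proc; status_text: /proc/<n>/status
    text or None; tasks_of: callable, tgid -> IDs in /proc/<tgid>/task."""
    if status_text is None:
        return "absent"
    if n in listed:
        return "listed"
    tgid = status_tgid(status_text)
    # Secondary thread: its group leader is listed and owns it under task/.
    if tgid != n and tgid in listed and n in tasks_of(tgid):
        return "thread"
    return "unexplained"

def scan(proc="/proc", max_pid=None):
    """Probe every possible ID; return {id: verdict} for unlisted hits."""
    listed = {int(e) for e in os.listdir(proc) if e.isdigit()}
    if max_pid is None:
        with open(f"{proc}/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    def read(path):
        try:
            with open(path, errors="replace") as f:
                return f.read()
        except OSError:  # no such ID, or it exited mid-scan
            return None
    def tasks_of(tgid):
        try:
            return {int(e) for e in os.listdir(f"{proc}/{tgid}/task")}
        except OSError:
            return set()
    found = {}
    for n in sorted(set(range(1, max_pid + 1)) - listed):
        verdict = classify(n, listed, read(f"{proc}/{n}/status"), tasks_of)
        if verdict != "absent":
            found[n] = verdict
    return found

if __name__ == "__main__":
    print(scan())
```

An "unexplained" hit can also be a process created after the readdir snapshot was taken, so repeat the scan before treating it as a finding.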


* Re: Hidden PIDs in /proc
@ 2004-03-24  2:20 Albert Cahalan
  0 siblings, 0 replies; 4+ messages in thread
From: Albert Cahalan @ 2004-03-24  2:20 UTC (permalink / raw)
  To: linux-kernel mailing list; +Cc: AlberT, miquels

> I already did it ... in fact the second test I posted
> correctly shows the  thread ... but, why ps ax -m does
> *not* show it ??  

It does show the threads, but your "grep" missed them.
The built-in process selection and sorting features
are properly thread-aware.

> uh oh .. my bad ...  but .. my ignorance now asks
> what is the real diff between  -m and -T options for ps ...

-m  process followed by threads, Tru64 SysV style
m   process followed by threads, Tru64 BSD style
-T  grouped threads with TID column, Irix style
-L  grouped threads with LWP (and NLWP maybe), Solaris style
H   loose threads, FreeBSD style

I'll give you a few examples with a 2-thread process.
Note how the m option distinguishes signals that are
pending on a process from signals that are pending on
a thread. (some whitespace has been trimmed out too)
Also, the H option's PID column most likely should show
the thread ID instead; help with FreeBSD 5's thread
and MAC behavior would be appreciated.

$ ps -C clone-once sH
UID PID   PENDING   BLOCKED   IGNORED    CAUGHT STAT TTY   TIME COMMAND         
100 634  00000000  00000000 <00000000  00000001 S    pts/9 0:00 clone-once           
100 634  00000000  00000000 <00000000  00000001 S    pts/9 0:00 clone-once           
$ ps -C clone-once sm
UID PID   PENDING   BLOCKED   IGNORED    CAUGHT STAT TTY   TIME COMMAND         
100 634  00000000         -         -         - -    pts/9 0:00 clone-once           
100   -  00000000  00000000 <00000000  00000001 S    -     0:00 -         
100   -  00000000  00000000 <00000000  00000001 S    -     0:00 -         
$ ps -C clone-once -fm
UID    PID  PPID C STIME TTY       TIME CMD        
albert 634     1 0 20:42 pts/9 00:00:00 clone-once          
albert   -     - 0 20:42 -     00:00:00 -        
albert   -     - 0 20:42 -     00:00:00 -        
$ ps -C clone-once -fT
UID    PID  SPID  PPID C STIME TTY       TIME CMD        
albert 634 16634     1 0 20:42 pts/9 00:00:00 clone-once          
albert 634 16635     1 0 20:42 pts/9 00:00:00 clone-once          
$ ps -C clone-once -fL
UID    PID  PPID   LWP C NLWP STIME TTY       TIME CMD        
albert 634     1 16634 0    2 20:42 pts/9 00:00:00 clone-once          
albert 634     1 16635 0    2 20:42 pts/9 00:00:00 clone-once          
$ 


