Re: Hidden PIDs in /proc

From: Miquel van Smoorenburg
Date: Tue Mar 23 2004 - 11:22:31 EST


In article <200403231708.15812.AlberT@xxxxxxxxxxxxxxxx>,
Emiliano 'AlberT' Gabrielli <AlberT@xxxxxxxxxxxxxxxx> wrote:
>
>Hi all,
>
> I discovered some "hidden" pid dirs in /proc :
>
>root@emc2:# ls -lha /proc/ | grep 4673
>root@emc2:# ls -lha /proc/4673/
>totale 0
>dr-xr-xr-x 3 albert albert 0 2004-03-23 17:02 .
>dr-xr-xr-x 108 root root 0 2004-03-23 16:10 ..

It's just a thread. For a threaded process, only the thread group
leader is listed in /proc directly. The other threads are visible
under /proc/<tgid>/task (try it).

>After 2 days of headache searching for possible rootkits, reinstalling all the
>basic system, libs and so on (from a clean live-CD boot) ...
>I noticed that these processes seem all to use pthreads ... so, the question is:
>
>is my problem related/solved by the initramfs-search-for-init-zombie-fix.patch
>in the -mm1 tree ??

No, by upgrading to a more recent procps.

# ps ax | grep mozilla
16252 ? S 10:21 /usr/lib/mozilla-firefox/firefox-bin
$ ps ax -T | grep moz
16252 16252 ? S 10:21 /usr/lib/mozilla-firefox/firefox-bin
16252 16264 ? S 0:01 /usr/lib/mozilla-firefox/firefox-bin
16252 16266 ? S 0:03 /usr/lib/mozilla-firefox/firefox-bin
16252 21530 ? S 0:00 /usr/lib/mozilla-firefox/firefox-bin

Also note:

# ls /proc/16252/task
16252/ 16264/ 16266/ 21530/

Mike.
--
Netu, v qba'g yvxr gur cynvagrkg :)
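
The check described in the reply above, as an added example that is not part of the original message: a numeric directory that answers a direct lookup under /proc but is missing from the listing is a thread when its Tgid points at a listed leader whose task/ directory contains it. The function names and the proc-root parameter are assumptions of this sketch; it relies only on the Tgid field of /proc/<pid>/status and on /proc/<tgid>/task.

```python
import os

def listed_pids(root="/proc"):
    """PIDs that a directory listing of /proc returns (thread group leaders)."""
    return {int(n) for n in os.listdir(root) if n.isdigit()}

def status_field(pid, field, root="/proc"):
    """Return one integer field (e.g. Tgid) from /proc/<pid>/status, or None."""
    try:
        with open(os.path.join(root, str(pid), "status")) as fh:
            for line in fh:
                key, _, value = line.partition(":")
                if key == field:
                    return int(value.split()[0])
    except (OSError, ValueError, IndexError):
        pass
    return None

def classify(pid, listed, root="/proc"):
    """Classify a PID as 'listed', 'thread', 'unlisted' or 'absent'."""
    if pid in listed:
        return "listed"
    tgid = status_field(pid, "Tgid", root)
    if tgid is None:
        return "absent"          # no such task answers a direct lookup
    task_dir = os.path.join(root, str(tgid), "task", str(pid))
    if tgid != pid and tgid in listed and os.path.isdir(task_dir):
        return "thread"          # the case explained in the reply
    return "unlisted"            # reachable, but no listed leader owns it

if __name__ == "__main__":
    seen = listed_pids()
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    except (OSError, ValueError):
        pid_max = 32768          # assumed fallback if the sysctl is unreadable
    # Probe every possible ID directly and report the ones the listing omits.
    for pid in range(1, pid_max + 1):
        kind = classify(pid, seen)
        if kind in ("thread", "unlisted"):
            print(pid, kind, "tgid=%s" % status_field(pid, "Tgid"))
```

Tasks that start or exit between the listing and the probe can show up briefly as "unlisted", so re-check a result before treating it as a finding.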
