LinuxQuestions.org


bjharker 12-28-2007 11:55 PM

ps aux shows process -:0 running with root privileges
 
Interesting. The title says it all. Just wondering what the hell this is. Have been searching the filesystem for it and I'm pretty sure I'm escaping the characters correctly, but haven't found it. Any ideas?


openSUSE 10.1 on P4 (2.67 GHz) HP Pavilion zd7000 Notebook with 256 MB RAM.

Thanks

doc.nice 12-29-2007 05:28 AM

This is probably the init process, "your running kernel"; kill it and your system will halt ;)

unSpawn 12-29-2007 06:39 AM

Quote:

Originally Posted by bjharker (Post 3004514)
Interesting. The title says it all.

No it doesn't. Better post the exact 'ps' line. Even better, having the PID, check with 'lsof -w -n -p $PID' and verify what files you find.


Quote:

Originally Posted by doc.nice (Post 3004721)
This is probably the init process

While this may not be problematic in this case, I would like to warn against making the assumption that the argv[0] of a process has any relation to the process itself. Without going into rootkits and stuff, for a benign example of what I mean see 'man doexec'.

bjharker 12-29-2007 08:08 PM

Thanks for the replies...

Here's the offending line of output:

$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
...
root 3028 0.0 0.3 3656 1636 ? S 07:41 0:00 -:0
...


This "COMMAND" seems very odd to me. Here's the output of lsof:



PID=3028
$ lsof -w -n -p $PID
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
kdm 3028 root mem REG 3,5 136468 63416 /opt/kde3/bin/kdm
kdm 3028 root mem REG 0,0 0 [heap] (stat: No such file or directory)
kdm 3028 root mem REG 3,5 27300 20918 /usr/lib/libcrack.so.2.8.0
kdm 3028 root mem REG 3,5 53488 19511 /lib/libxcrypt.so.1.2.4
kdm 3028 root mem REG 3,5 3036 24188 /lib/security/pam_deny.so
kdm 3028 root mem REG 3,5 12896 32915 /lib/libresmgr.so.1.0.0
kdm 3028 root mem REG 3,5 6200 32916 /lib/security/pam_resmgr.so
kdm 3028 root mem REG 3,5 11840 25988 /lib/security/pam_devperm.so
kdm 3028 root mem REG 3,5 29556 25993 /lib/security/pam_pwcheck.so
kdm 3028 root mem REG 3,5 42109 15586 /lib/libnss_files-2.4.so
kdm 3028 root mem REG 3,5 41986 15590 /lib/libnss_nis-2.4.so
kdm 3028 root mem REG 3,5 87850 15580 /lib/libnsl-2.4.so
kdm 3028 root mem REG 3,5 31943 15582 /lib/libnss_compat-2.4.so
kdm 3028 root mem REG 3,5 53684 23872 /usr/X11R6/lib/libXext.so.6.4
kdm 3028 root mem REG 3,5 11692 24198 /lib/security/pam_limits.so
kdm 3028 root mem REG 3,5 52356 26052 /lib/security/pam_unix2.so
kdm 3028 root mem REG 3,5 10020 24190 /lib/security/pam_env.so
kdm 3028 root mem REG 3,5 4092 24216 /lib/security/pam_warn.so
kdm 3028 root mem REG 3,5 1404242 15569 /lib/libc-2.4.so
kdm 3028 root mem REG 3,5 12789 15603 /lib/libutil-2.4.so
kdm 3028 root mem REG 3,5 74278 15597 /lib/libresolv-2.4.so
kdm 3028 root mem REG 3,5 13814 15575 /lib/libdl-2.4.so
kdm 3028 root mem REG 3,5 44120 24179 /lib/libpam.so.0.81.2
kdm 3028 root mem REG 3,5 18056 23868 /usr/X11R6/lib/libXdmcp.so.6.0
kdm 3028 root mem REG 3,5 7724 23854 /usr/X11R6/lib/libXau.so.6.0
kdm 3028 root mem REG 3,5 1019208 23848 /usr/X11R6/lib/libX11.so.6.2
kdm 3028 root mem REG 3,5 14368 23874 /usr/X11R6/lib/libXfixes.so.3.0
kdm 3028 root mem REG 3,5 29836 23896 /usr/X11R6/lib/libXrender.so.1.2.2
kdm 3028 root mem REG 3,5 33552 23864 /usr/X11R6/lib/libXcursor.so.1.0.2
kdm 3028 root mem REG 3,5 124463 15562 /lib/ld-2.4.so

What do you guys think? Is this even anything to worry about?

bjharker 12-30-2007 05:12 PM

btw, I don't see this on my other machine running FC4 (kernel 2.6.23.11)

doc.nice 12-31-2007 04:07 AM

Oh, sorry, that was really a quick shot. Having new information and clearly reading the :0, I'll try another (imho much better) guess:

This is the kdm process spawned by init, awaiting your X-login...

bjharker 01-01-2008 09:20 PM

Thanks for the info...I was just a little suspicious, seeing references to security-related stuff from lsof.

Cheers!

archtoad6 01-02-2008 02:30 PM

Quote:

Originally Posted by doc.nice (Post 3006440)
This is the kdm process spawned by init, awaiting your X-login...

Maybe, at least very close -- to properly investigate this, you need to remember 2 things: the "tree" style output & that however dearly you love, & always use, the BSD forms/options w/ ps, the UNIX options are different & may be more useful in this case. Compare these partial outputs from ps auxf (BSD) & ps -ejH ("UNIX"):
Code:

TTY          TIME COMMAND
?            0:00 /usr/bin/kdm
tty7      201:22  \_ /usr/bin/X -br -dpi 100 -nolisten tcp :0 vt7
?            0:00  \_ -:0
?            0:00      \_ /bin/sh /usr/bin/x-session-manager
?            0:00          \_ /usr/bin/ssh-agent /usr/bin/dbus-launch ...
?            0:00          \_ kwrapper ksmserver

Code:

TTY          TIME CMD
?        00:00:00  kdm
tty7    03:21:38    Xorg
?        00:00:00    kdm
?        00:00:00      x-session-manag
?        00:00:00        ssh-agent
?        00:00:00        kwrapper

(Note: I have trimmed both lines & columns, including PID, PGID, & SID to get to the essence.)

I think that "-:0" is screen 0 of X Window System; or, perhaps, its root window.
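
The check the thread arrives at (the COMMAND column is only argv[0], while lsof and the kernel's exe link identify the real binary), as an added example that is not from any poster. The function names, the optional proc-root argument and the sample PID 4242 are assumptions of this sketch; PID 3028 is rebuilt from the output posted above as constructed sample data.

```shell
#!/bin/sh
# Added example. The optional second argument (proc root) is an assumption of
# this sketch so the check can run against a constructed tree; default is /proc.

# argv[0] as ps prints it: first NUL-terminated string in cmdline. The parent
# chooses it at exec time and the process may overwrite it later.
argv0_of() { tr '\000' '\n' 2>/dev/null < "${2:-/proc}/$1/cmdline" | head -n 1; }

# Path of the running binary: the exe symlink, maintained by the kernel.
exe_of() { readlink "${2:-/proc}/$1/exe" 2>/dev/null; }

# Prints one report line. Returns 0 if argv[0] names the binary, 1 if it does
# not, 2 if exe is unreadable (kernel thread, exited PID, or not root).
check_pid() {
    pid=$1; root=${2:-/proc}
    exe=$(exe_of "$pid" "$root") || { printf '%s: exe unreadable\n' "$pid"; return 2; }
    argv0=$(argv0_of "$pid" "$root")
    comm=$(cat "$root/$pid/comm" 2>/dev/null)
    name=${argv0##*/}; name=${name#-}          # drop directory and login-shell dash
    bin=${exe%' (deleted)'}; bin=${bin##*/}    # kernel appends " (deleted)" if unlinked
    case $exe in *' (deleted)') flag=' [binary deleted from disk]' ;; *) flag='' ;; esac
    if [ "$name" = "$bin" ]; then
        printf '%s: ok        argv0=%s exe=%s%s\n' "$pid" "$argv0" "$exe" "$flag"
        return 0
    fi
    printf '%s: MISMATCH  argv0=%s comm=%s exe=%s%s\n' "$pid" "$argv0" "$comm" "$exe" "$flag"
    return 1
}

# Constructed sample data: PID 3028 mirrors the thread (argv0 "-:0", binary kdm);
# PID 4242 is a made-up login shell whose argv0 "-bash" does match its binary.
make_sample_proc() {
    mkdir -p "$1/3028" "$1/4242"
    printf '%s\000' '-:0' > "$1/3028/cmdline"; echo kdm > "$1/3028/comm"
    ln -s /opt/kde3/bin/kdm "$1/3028/exe"
    printf '%s\000' '-bash' > "$1/4242/cmdline"; echo bash > "$1/4242/comm"
    ln -s /bin/bash "$1/4242/exe"
}

demo=$(mktemp -d) && make_sample_proc "$demo"
check_pid 3028 "$demo" || :    # MISMATCH: title is "-:0", binary is kdm
check_pid 4242 "$demo" || :    # ok
rm -rf "$demo"
```

On a live system, call `check_pid 3028` with no second argument; reading the exe link of another user's process requires root. A mismatch is a prompt to look at the binary with lsof, not a verdict, as the kdm case here shows.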

