0

I am currently on a mac and haven't been able to try it on another mac so I'm not sure if the exact process numbers will change. I've written a C program that gives me process lists and it is stumbling over these two and is returning me '?' instead. I used the command line command ps aux to list all the processes on my system and, unlike the others, both process 11558 and 16290 have their paths in parenthesis and are quite peculiar. What is going on here? What are paths (dd) and (security_authra)? Is there a way I can access the "actual" paths?

Thanks

lelephantt
  • 169
  • 1
  • 1
  • 10

1 Answers1

0

This happens when a process changes its command line arguments. For example on my system I have this process:

$ ps aux -q 1478
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
rich      1478  0.0  0.0  99208  3340 ?        S    19:14   0:00 (sd-pam)

But ps is just reporting the command line arguments in /proc:

$ strings /proc/1478/cmdline
(sd-pam)

However it's still possible to find out the executable that the process is running:

$ sudo ls -l /proc/1478/exe
lrwxrwxrwx. 1 root root 0 Jun  5 16:19 /proc/1478/exe -> /usr/lib/systemd/systemd
Richard Fearn
  • 25,073
  • 7
  • 56
  • 55
  • What do you mean by changes it's command line arguments? And why would that change/hide the path? – lelephantt Jun 03 '17 at 21:51
  • @lelephantt The command-line arguments are stored in memory as an array of strings. That array can be changed. See this question for example: https://stackoverflow.com/questions/963493/is-it-possible-to-change-argv-or-do-i-need-to-create-an-adjusted-copy-of-it Or see the way that systemd does it: https://github.com/systemd/systemd/blob/3e7d14d78c4d15ec7789299216cbf5c58e61547b/src/basic/process-util.c#L278 – Richard Fearn Jun 05 '17 at 16:19