From: Dan Nelson
To: Martin Blapp
Cc: freebsd-current@freebsd.org
Date: Tue, 19 Oct 2004 15:43:33 -0500
Subject: Re: Showstopper ? Userland prozesses showing up as kernelprocesses with AMD opterons ?
Message-ID: <20041019204333.GD83510@dan.emsphone.com>
In-Reply-To: <20041019221826.O70496@cvs.imp.ch>

In the last episode (Oct 19), Martin Blapp said:
> > What are you seeing that identifies it as a kernel process? The
> > only way I know of determining that from ps is "ps axlo flags", and
> > looking for processes with the 0x200 bit set.
>
> bind 729 0.0 0.8 17356 16808 ?? Ss 4:12PM 0:18.27 [rbldnsd] 100
> clamav 2672 0.0 1.8 37684 36644 ?? I 4:16PM 0:00.00 [mimedefang-mult 100
> clamav 2625 0.0 1.8 37684 36644 ?? I 4:16PM 0:00.00 [mimedefang-mult 100
>
> Correct. Those are not kernel processes, they only have 0x100 as flag which
> means;
>
> P_SUGID 0x00100 Had set id privileges since last exec
[...]
> It's still strange. Could this mean that modifying id privileges loses all
> cmdline args ? That's really bad if this is true.

That or something like it. I have two processes that are doing the
same thing on my system, but when I run ps as root, I see the full
argument lists. One has P_SUGID, one doesn't. Something in the
kern.proc. sysctl code is probably deciding not to return the argument
list for those processes when you're not root. Maybe there's some
hidden flag separate from P_SUGID it's checking?

--
Dan Nelson
dnelson@allantgroup.com
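
Added example, not part of the original message or of FreeBSD: a small Python triage script that applies the flag test discussed in the thread to ps lines, separating real kernel processes (0x200 bit set) from userland processes whose name only appears in brackets because ps could not get their argument list. It assumes the column layout of the quoted output (ten fixed columns, the command, then the hex flags last); the function names and the last two sample lines are constructed for illustration.

```python
P_SUGID = 0x100     # flag quoted in the thread: had set-id privileges since last exec
KERNEL_BIT = 0x200  # bit the thread names as marking a kernel process

# Lines 1-3 are the ps output quoted in the thread; lines 4-5 are constructed.
SAMPLE = """\
bind 729 0.0 0.8 17356 16808 ?? Ss 4:12PM 0:18.27 [rbldnsd] 100
clamav 2672 0.0 1.8 37684 36644 ?? I 4:16PM 0:00.00 [mimedefang-mult 100
clamav 2625 0.0 1.8 37684 36644 ?? I 4:16PM 0:00.00 [mimedefang-mult 100
root 0 0.0 0.0 0 0 ?? DLs 4:10PM 0:00.00 [swapper] 204
www 900 0.0 0.5 5000 4000 ?? S 4:20PM 0:01.00 httpd -k start 0
"""


def classify(line):
    """Return (pid, verdict, sugid) for one ps line, or None for headers/blank lines."""
    fields = line.split()
    # Assumed layout: 10 fixed columns, then the command, then hex flags last.
    if len(fields) < 12 or not fields[1].isdigit():
        return None
    try:
        flags = int(fields[-1], 16)
    except ValueError:
        return None  # last column is not a hex flags value
    command = " ".join(fields[10:-1])
    if flags & KERNEL_BIT:
        verdict = "kernel"
    elif command.startswith("["):
        # ps brackets the name when it could not get the argument list
        verdict = "userland-args-hidden"
    else:
        verdict = "userland"
    return int(fields[1]), verdict, bool(flags & P_SUGID)


def classify_all(text):
    """Classify every process line in a block of ps output."""
    return [r for r in map(classify, text.splitlines()) if r is not None]


if __name__ == "__main__":
    for pid, verdict, sugid in classify_all(SAMPLE):
        print(f"{pid:>6}  {verdict:<22} P_SUGID={sugid}")
```
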