Ps(1) Restricting Command Lines
Garance A Drosihn
drosih at rpi.edu
Mon Mar 29 18:37:00 PST 2004
At 1:20 PM -0800 3/29/04, Dave Tweten wrote:
>As of my STABLE upgrade to the 8:00 GMT Saturday version, I have
>noticed that ps(1) is behaving differently. Unless run by root,
>"ps -ax" refuses to print the command line associated with each
>process. I've checked a couple things:
Now that I have done a complete buildworld, I am seeing about the
same behavior. I *do* see the command-args for my own processes,
but if run as someone other than root then I don't see the
command-args for other people's processes.
>1. /bin/ps is not SGID kmem and /dev/kmem permission is set
> to 0640, but that isn't the cause of this problem (though
> it may cause others, since the ps(1) man page says it needs
> to read /dev/kmem).
Changing the group and adding 'chmod g+s' does not seem to help.
(it would not surprise me if the man page is a little out-of-date,
but I don't know that for sure).
>2. /proc/*/cmdline is owned by root:wheel and has 0444 permissions.
> It should therefore be usable by ps(1) regardless of who runs it.
Indeed, my non-root process can 'cat /dev/<pid>/cmdline', but the
`ps' command does not try to open those file(s). I imagine that it
would be a lot more expensive.
>So it looks like command lines should print, but they don't. Does
>anybody know what's happening here?
The thing is, I also compiled a version of `ps' that is before
my recent barrage of MFC's, and it behaves the same way. In that
`ps', ps.c has a version of:
$FreeBSD: src/bin/ps/ps.c,v 1.30.2.6 2002/07/04 08:30:37 sobomax Exp $
So, whatever the issue is, it is not related to my recent string
of changes to `ps' itself.
I also noticed:
sysctl -a | grep kern.ps
kern.ps_strings: 3217031152
kern.ps_arg_cache_limit: 256
kern.ps_argsopen: 1
kern.ps_showallprocs: 1
If I change kern.ps_showallprocs=0 on some older 4.x system, that
causes `ps' to behave the way I'm seeing on the latest buildworld.
If I change kern.ps_showallprocs=0 on the latest buildworld, the
only thing it seems to change is that it stops showing me the
command-line for processes where TPGID==0 (more precisely, it
changes the output for one 'sshd'-related process).
I'm no kernel developer, and I have no spare time, so that's
about as far as I can investigate it right now...
--
Garance Alistair Drosehn = gad at gilead.netel.rpi.edu
Senior Systems Programmer or gad at freebsd.org
Rensselaer Polytechnic Institute or drosih at rpi.edu