Hi,

> What are you seeing that identifies it as a kernel process? The only
> way I know of determining that from ps is "ps axlo flags", and looking
> for processes with the 0x200 bit set.

bind 729 0.0 0.8 17356 16808 ?? Ss 4:12PM 0:18.27 [rbldnsd] 100
clamav 2672 0.0 1.8 37684 36644 ?? I 4:16PM 0:00.00 [mimedefang-mult 100
clamav 2625 0.0 1.8 37684 36644 ?? I 4:16PM 0:00.00 [mimedefang-mult 100

Correct. Those are not kernel processes, they only have 0x100 as flag
which means;

P_SUGID 0x00100 Had set id privileges since last exec

> > clamav 1568 0.0 1.8 37592 37008 ?? I 7:00PM 0:01.65 [mimedefang-multiple]
> > clamav 1798 0.0 1.8 37592 37008 ?? I 7:00PM 0:00.00 [mimedefang-multiple]
> >
> > All cmdline args are gone. Any thoughts ?
>
> ps or libkvm out of sync with kernel? kern.ps_arg_cache_limit set to 0
> for some reason?

World and kernel are in sync. Something

# sysctl -a kern.ps_arg_cache_limit
kern.ps_arg_cache_limit: 256

It's still strange. Could this mean that modifying id privileges loses
all cmdline args ? That's really bad if this is true.

Martin

Received on Tue Oct 19 2004 - 18:22:52 UTC
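The flag check discussed in this message, as an added example that is not part of the original post: it parses ps rows laid out like the ones pasted above (hex flags in the last column) and separates kernel processes (0x200 set) from userland processes that merely show a bracketed name, reporting P_SUGID for each. The `swapper` and `cron` rows and the header line are constructed sample input, and the function and label names are hypothetical.

```python
P_SUGID = 0x00100     # "Had set id privileges since last exec" (from the message)
KERNEL_BIT = 0x00200  # bit the thread tests for kernel processes (P_SYSTEM in FreeBSD's sys/proc.h)

# First two rows are taken from the message; the header and last two rows are constructed.
SAMPLE = """\
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND F
bind 729 0.0 0.8 17356 16808 ?? Ss 4:12PM 0:18.27 [rbldnsd] 100
clamav 2672 0.0 1.8 37684 36644 ?? I 4:16PM 0:00.00 [mimedefang-mult 100
root 0 0.0 0.0 0 0 ?? DLs 4:11PM 0:00.00 [swapper] 20c
root 411 0.0 0.1 1300 800 ?? Is 4:12PM 0:00.01 /usr/sbin/cron -s 0
"""


def classify(line):
    """Return a dict describing one ps row, or None for headers/short lines."""
    fields = line.split()
    if len(fields) < 12:
        return None
    try:
        pid = int(fields[1])
        flags = int(fields[-1], 16)  # ps prints the flags column in hex
    except ValueError:
        return None  # header row or unexpected layout
    # COMMAND is everything between TIME and the trailing flags column.
    command = " ".join(fields[10:-1])
    if flags & KERNEL_BIT:
        kind = "kernel"
    elif command.startswith("["):
        # Bracketed name without the kernel bit: a userland process whose
        # argument vector ps did not display. The column may be truncated,
        # so the closing bracket is not required.
        kind = "userland-args-hidden"
    else:
        kind = "userland"
    return {"user": fields[0], "pid": pid, "command": command,
            "flags": flags, "sugid": bool(flags & P_SUGID), "kind": kind}


def report(text):
    """Classify every parsable row in a block of ps output."""
    return [row for row in map(classify, text.splitlines()) if row]


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(f"{row['pid']:>6} {row['kind']:<22} sugid={row['sugid']!s:<5} {row['command']}")
```
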
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:18 UTC