4 Replies Latest reply: Jun 5, 2014 1:14 AM by 839715

    why empty process name by "ps -ef"?

    839715

      Hi,

       

      Have you ever seen the empty process name (CMD) by the command like "ps -ef"? See the following samples,

       

      From the terminal 1, do the sftp with user like cemslog(no home directory),

       

      [root@cnbjbcmuas7235 /export/home]# sftp cemslog@10.184.72.35

      Connecting to 10.184.72.35...

       

      This system is a restricted access system. All activity on this system is

      subject to monitoring. If information collected reveals possible criminal

      activity or activity that exceeds privileges, evidence of such activity may

      be provided to the relevant authorities for further action. By continuing

      past this point, you expressly consent to this monitoring.

       

      Password:

      Login is only allowed for authorized users

      sftp>

       

      From the terminal 2, try "ps -ef"

      [root@cnbjbcmuas7235 ~]# ps -ef |grep cemslog |grep -v grep

          root 10318  4177   0 16:30:26 pts/3       0:00 sftp cemslog@10.184.72.35

      cemslog 10321 10320   0 16:30:26 ?           0:00 /usr/lib/ssh/sshd

      cemslog 10371 10321   0 16:30:30 ?           0:00

       

      I'm confused why I can see the last process with empty process name?

       

      I tried the test with another user which has home directory, no empty process identified.

       

      Can anyone shed any light on this?

       

      Thanks

        • 1. Re: why empty process name by "ps -ef"?
          Shilpi C -Oracle

          Hi,

           

          Did you check the ptree output for this process ID?

          I would request you to do this:

          Check which line has the last column blank in the output and do a ptree on PID.

          example:

          cemslog 10371 10321   0 16:30:30 ?           0:00


          #ptree 10371

           

          From this you will understand what is creating this PID. It will also help you to understand why it's blank.

           

          P.S: Please mark all the relevant posts as correct/helpful.

           

          Regards,

          Shilpi

          • 2. Re: why empty process name by "ps -ef"?
            839715

            Hi, Shilpi

             

            Thanks for your response very much.

             

            I did the ptree against the process and got the following result which still confused me quite a lot.

            [root@cnbjbcmuas7235 ~]# ps -ef |grep cemslog

            cemslog 22992 22991   1 09:21:26 ?           0:00 /usr/lib/ssh/sshd

            cemslog 23044 22992   0 09:21:29 ?           0:00

                root 22988 22569   0 09:21:26 pts/4       0:00 sftp cemslog@10.184.72.35

            [root@cnbjbcmuas7235 ~]# ptree 23044

            356   /usr/lib/ssh/sshd

              22991 /usr/lib/ssh/sshd

                22992 /usr/lib/ssh/sshd

                  23044 ftpsftp

            [root@cnbjbcmuas7235 ~]# ptree 22992

            356   /usr/lib/ssh/sshd

              22991 /usr/lib/ssh/sshd

                22992 /usr/lib/ssh/sshd

                  23044 ftpsftp

            [root@cnbjbcmuas7235 ~]# ptree 22988

            356   /usr/lib/ssh/sshd

              22544 /usr/lib/ssh/sshd

                22545 /usr/lib/ssh/sshd

                  22569 -bash

                    22988 sftp cemslog@10.184.72.35

                      22990 /usr/bin/ssh -oForwardX11 no -oForwardAgent no -oClearAllForwardings yes -lcems

             

            The process with empty process name had the exact same ptree output as the one with sshd as its process name.

             

            What does that mean?

            • 3. Re: why empty process name by "ps -ef"?
              Shilpi C -Oracle

              Hi,

               

              "The process with empty process name had the exact same ptree output as the one with sshd as its process name."

              Did you observe "23044 ftpsftp" in the output of ptree 23044? So the outputs are not exactly the same.

              It could be some harmless bug or some corruption. What's the Solaris version of your server ("uname -a" and "cat /etc/release")?


              Regards,

              Shilpi

              • 4. Re: why empty process name by "ps -ef"?
                839715

                Hi,

                I did the test today, and still found that they were the same, see the following result

                 

                [root@cnbjbcmuas7235 ~]# ps -ef |grep cemslog|grep -v grep

                    root  9340 11099   0 14:03:37 pts/4       0:00 sftp cemslog@10.184.72.35

                cemslog  9391  9343   0 14:03:42 ?           0:00

                cemslog  9343  9342   0 14:03:37 ?           0:00 /usr/lib/ssh/sshd

                [root@cnbjbcmuas7235 ~]# ptree 9391

                356   /usr/lib/ssh/sshd

                  9342  /usr/lib/ssh/sshd

                    9343  /usr/lib/ssh/sshd

                      9391  ftpsftp

                [root@cnbjbcmuas7235 ~]# ptree 9343

                356   /usr/lib/ssh/sshd

                  9342  /usr/lib/ssh/sshd

                    9343  /usr/lib/ssh/sshd

                      9391  ftpsftp

                 

                Besides, I found that if I use command like below, the command name can be displayed,

                [root@cnbjbcmuas7235 ~]# ps -o user,pid,fname -e |grep cemslog

                cemslog  9391 ftpsftp

                cemslog  9343 sshd

                 

                The CMD column with the -f option means the full command name, while fname means "The first 8 bytes of the base name of the process's executable file". I'm confused why they are totally different. I tried the option comm, and it's empty again...

                [root@cnbjbcmuas7235 ~]# ps -o user,pid,fname,comm -e |grep cemslog

                cemslog  9391 ftpsftp

                cemslog  9343 sshd     /usr/lib/ssh/sshd

                 

                The Solaris version you requested,

                SunOS cnbjbcmuas7235 5.10 Generic_150400-04 sun4u sparc SUNW,Netra-440

                [root@cnbjbcmuas7235 ~]# cat /etc/release

                                   Oracle Solaris 10 8/11 s10s_u10wos_17b SPARC

                  Copyright (c) 1983, 2011, Oracle and/or its affiliates. All rights reserved.

                                            Assembled 23 August 2011
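
An added example, not part of the original thread: a shell function that reads `ps -ef` output and lists the PIDs whose CMD column is empty, so they can be checked with `ptree` or `ps -o fname` as the posters did. The function name `empty_cmd_pids` and the sample text are assumptions; three sample rows are copied from the last post and the rows for PIDs 356 and 4242 are constructed to cover the two-token "Mon DD" form of STIME that shifts the CMD column by one field.

```shell
#!/bin/sh
# Added example: list processes whose CMD column in `ps -ef` output is empty.
# Constructed sample: three rows copied from the thread plus two constructed
# rows (PIDs 356 and 4242) whose STIME is in the two-token "Mon DD" form.
SAMPLE_PS='     UID   PID  PPID   C    STIME TTY         TIME CMD
    root  9340 11099   0 14:03:37 pts/4       0:00 sftp cemslog@10.184.72.35
 cemslog  9391  9343   0 14:03:42 ?           0:00
 cemslog  9343  9342   0 14:03:37 ?           0:00 /usr/lib/ssh/sshd
    root   356     1   0   Apr 19 ?           0:02 /usr/lib/ssh/sshd
 cemslog  4242   356   0   Apr 19 ?           0:00'

# Reads `ps -ef` output on stdin and prints "PID USER" for each row with no CMD.
empty_cmd_pids() {
    awk '
        NR == 1 && $1 == "UID" { next }   # skip the header row if present
        NF < 7 { next }                   # too short to be a ps -ef row
        {
            # STIME is one token (HH:MM:SS) or two ("Apr 19") for older
            # processes, so the CMD column starts at field 8 or field 9.
            cmd_start = ($5 ~ /^[A-Z][a-z][a-z]$/ && $6 ~ /^[0-9]+$/) ? 9 : 8
            if (NF < cmd_start) print $2, $1
        }
    '
}

# Run over the constructed sample; on a live host use: ps -ef | empty_cmd_pids
printf '%s\n' "$SAMPLE_PS" | empty_cmd_pids
```

Each PID it reports can then be looked up with `ptree PID` or `ps -o user,pid,fname -p PID`, which in the thread still showed a name (`ftpsftp`) for the process whose CMD was blank.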