Is it possible to hide process args from 'ps -ef'?? (Recap)
Richard Todd
rmtodd at servalan.uucp
Mon Apr 22 08:50:44 AEST 1991
guy at auspex.auspex.com (Guy Harris) writes:
>> The problem with method 2 above is,
>The problem with method 2 above is that, unless ISC UNIX is fairly
>different from S5 as it comes from AT&T, "ps" doesn't *look* at the
>argument list on the stack - it looks at the argument list as set up in
>a string in the U area at startup, so your program can twiddle the argv
>list until the cows come home and it won't affect what "ps" sees.
I must admit to not having great experience with "unadulterated" SysV, but
on two SysV-derived systems I've used (A/UX and ISC Unix), ps by default
only looks at the program name in the U area, but with the "f" flag will
go ahead and find the program's stack and read the arg. list. Also, by
default the U area "u_comm" field contains only argv[0] and none of the
other argv[i]. Example (on my home system, running A/UX 2.0):
---------------------------------------------------------------------------
9 servalan ~[5:46pm] % ps -p 358
PID TTY TIME COMMAND
358 console 0:07 xdm
10 servalan ~[5:46pm] % ps -fp 358
UID PID PPID C STIME TTY TIME COMMAND
root 358 129 0 15:34:03 console 0:07 /usr/bin/X11/xdm -nodaemon -udpPort 0
11 servalan ~[5:46pm] %
---------------------------------------------------------------------------
It works the same way on ISC Unix. I thought this was standard System V
behaviour. (I find it a tad unlikely that Apple and ISC would both add the
ability to read the stack arglist to ps, and do so with the exact same flag...)
--
Richard Todd rmtodd at uokmax.ecn.uoknor.edu rmtodd at chinet.chi.il.us
rmtodd at servalan.uucp
"Elvis has left Bettendorf!"
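
Added example (not part of the original post): the same two views on a modern Linux system, where the kernel-held name is exposed as /proc/<pid>/comm and the argument list read from the process's own memory as /proc/<pid>/cmdline. The use of Linux procfs, the function names and the sample bytes are assumptions made for illustration; the sample is modelled on the xdm process shown above.

```python
import os
import sys

COMM_MAX = 15  # Linux TASK_COMM_LEN is 16 including the terminating NUL

def parse_comm(raw: bytes) -> str:
    """/proc/<pid>/comm: kernel-held name, newline-terminated."""
    return raw.rstrip(b"\n").decode("utf-8", "replace")

def parse_cmdline(raw: bytes) -> list:
    """/proc/<pid>/cmdline: NUL-separated argv read from the process's memory."""
    body = raw.rstrip(b"\0")
    if not body:
        return []  # kernel thread, zombie, or an argument area blanked with NULs
    return [a.decode("utf-8", "replace") for a in body.split(b"\0")]

def ps_views(comm_raw: bytes, cmdline_raw: bytes) -> tuple:
    """Return (short, full): what the name-only and full listings would show."""
    comm = parse_comm(comm_raw)
    argv = parse_cmdline(cmdline_raw)
    # procps prints the kernel-held name in brackets when no argument list exists
    full = " ".join(argv) if argv else "[" + comm + "]"
    return comm, full

def argv0_differs(comm_raw: bytes, cmdline_raw: bytes) -> bool:
    """True when argv[0]'s basename does not match the kernel-held name.
    A triage hint only: scripts and renamed threads differ legitimately."""
    comm = parse_comm(comm_raw)
    argv = parse_cmdline(cmdline_raw)
    if not argv:
        return False
    base = os.path.basename(argv[0].lstrip("-"))  # login shells use "-sh"
    return base[:COMM_MAX] != comm

# Constructed samples, modelled on the xdm process in the post.
SAMPLE_COMM = b"xdm\n"
SAMPLE_CMDLINE = b"\0".join([b"/usr/bin/X11/xdm", b"-nodaemon", b"-udpPort", b"0"]) + b"\0"
BLANKED_CMDLINE = b"/usr/bin/X11/xdm\0" + b"\0" * 21  # later args replaced by NULs

if __name__ == "__main__":
    print(ps_views(SAMPLE_COMM, SAMPLE_CMDLINE))
    print(ps_views(SAMPLE_COMM, BLANKED_CMDLINE))
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    try:  # live read, Linux only
        with open(f"/proc/{pid}/comm", "rb") as c, open(f"/proc/{pid}/cmdline", "rb") as a:
            print(ps_views(c.read(), a.read()))
    except OSError as exc:
        print("no procfs entry:", exc)
```

The full view is whatever currently sits in the process's argument area, so it is a record of what the process presents, not of what it was started with.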