Bug 77780

Summary: "ps ax" does not list all processes
Product: [Retired] Red Hat Linux Reporter: Aaron Sherman <ajs>
Component: procpsAssignee: Alexander Larsson <alexl>
Status: CLOSED NOTABUG QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.0CC: mustafa
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2002-11-13 15:02:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Aaron Sherman 2002-11-13 15:02:45 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/20020809

Description of problem:
Under Red Hat versions prior to 8.0, the output of "ps ax" and the list of
processes under /proc were roughly the same (given processes starting and
exiting during comparison) and some packages have been using this to evaluate ps
to determine if it has been compromised by a root kit. I have a tool that starts
with ps, then uses /proc then uses kill to look for hidden processes, and since
Red Hat 8.0 it's basically useless becuase it reports dozens of "hidden"
processes based on the output of ps.

I tried various other arguments (e.g. "ps agx", "ps ag", etc) and nothing seems
to work. Interestingly if I take one of the processes that are listed in /proc,
but not ps, and do a "ps ax --pid <pid>" it does not show up, but if I do a "ps
--pid <pid>" it does.


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. ps ax
2. ls -d /proc/[0-9]*
3. compare the two
	

Actual Results:  Differences occur.


Expected Results:  No or very few differences.


Additional info:
Comment 1 Alexander Larsson 2002-11-14 08:57:35 UTC 
This is a feature, and is mentioned in the release notes. If you want to see
every thread of each process, use the -m flag.
Comment 2 Alexander Larsson 2003-01-27 16:12:00 UTC 
*** Bug 82757 has been marked as a duplicate of this bug. ***