Bug 80611 - possible bug in procps-2.0.7-25.i386.rpm?
possible bug in procps-2.0.7-25.i386.rpm?
Product: Red Hat Linux
Classification: Retired
Component: procps (Show other bugs)
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Alexander Larsson
Brian Brock
Depends On:
  Show dependency treegraph
Reported: 2002-12-28 13:22 EST by Need Real Name
Modified: 2007-04-18 12:49 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2003-01-06 08:02:15 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Need Real Name 2002-12-28 13:22:32 EST
Description of problem:

ps is accused of possibly being infected with the lkm worm by the latest

Version-Release number of selected component (if applicable):

How reproducible:
Run the latest chkrootkit-0.38

Steps to Reproduce:
1. run chkrootkit-0.38.
2. look at things with kpm.
3. note kpm see's processes that ps -ea doesn't.
Actual results:

With gkrellm and mozilla-1.01 running, chkrootkits './chkproc -v -v'
will report 6 processes that are hidden by ps.  One will be a 2nd copy of
gkrellm, and 5 will be mozilla children.

Expected results:

No hidden processes.

Additional info:

gnorpm's verify function says procps is exactly the same as the rpm installed it.
Reverting to the 7.3 supplied version of procps-2.0.7-12.i386.rpm apparently
fixes everything.
Comment 1 Miloslav Trmac 2002-12-28 16:08:14 EST
If you read the release notes, you would notice that
ps hides threads of a single process by default, unless
you use the -m parameter (IIRC).
Comment 2 Alexander Larsson 2003-01-06 08:02:15 EST
Yes, the pids hidden are the threads. Use -m to see them.

Note You need to log in before you can comment on or make changes to this bug.