I am just answering another question here 🙂 and thus had a look – wanted to have a look at /proc/$PID/fd of ssh-agent in order to find out which socket it uses. But I can't. I am quite surprised to notice that most files and directories belong to root. ssh-agent runs as my user (so does its parent process) and is not installed SUID root. I wasn't able to find out where exactly KDE starts it. I am curious; can someone tell me what's happening here?
Or is this not about the user at all, can processes use some kernel magic in order to hide (most of) their /proc info from the public (and even other processes of the same user)?
I just checked the /proc/$PID/fd of all my processes and noticed that ssh-agent is not the only process with this strange attribute. The others are the bunch of Chrome processes and kdesud (no SUID root binary either).
Best Answer
[The following is adapted from text I'm just in the process of adding to the proc(5) manual page, which answers this question.]
The files under /proc/PID are normally owned by the effective user and effective group ID of the process. However, as a security measure, the ownership is made root:root if the process's "dumpable" attribute is set to a value other than 1. [The default value of this attribute is 1. Setting this attribute to 0 causes a process not to produce core dumps, since they may contain sensitive information. Likewise, certain files in /proc/PID can provide access to sensitive information.]
This attribute may change for the following reasons:
prctl(2) PR_SET_DUMPABLE operation.
/proc/sys/fs/suid_dumpable.
The default value in /proc/sys/fs/suid_dumpable is 0. The reasons that the dumpable attribute may be reset to the value in the suid_dumpable file are described in the prctl(2) manual page:
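
Added example (not part of the answer above, and not text from the prctl(2) page): a small C program that clears and then restores its own dumpable attribute with prctl(2) and records the owner of /proc/self/fd each time, so the ownership change described in the answer can be observed from an unprivileged account. The struct and function names are illustrative.

```c
/* Added example: watch the owner of /proc/self/fd follow the dumpable flag. */
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

struct snapshot {
    int   dumpable;    /* value reported by PR_GET_DUMPABLE */
    uid_t fd_dir_uid;  /* owner of /proc/self/fd */
    gid_t fd_dir_gid;  /* group of /proc/self/fd */
};

/* Set the dumpable attribute to `value` (0 or 1), then record the attribute
 * and the ownership of /proc/self/fd.
 * Returns 0 on success, -1 if prctl(2) or stat(2) fails (errno is set). */
int set_dumpable_and_snapshot(int value, struct snapshot *out)
{
    struct stat st;

    if (prctl(PR_SET_DUMPABLE, value, 0, 0, 0) == -1)
        return -1;
    out->dumpable = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    if (out->dumpable == -1 || stat("/proc/self/fd", &st) == -1)
        return -1;
    out->fd_dir_uid = st.st_uid;
    out->fd_dir_gid = st.st_gid;
    return 0;
}

int main(void)
{
    struct snapshot s;
    int values[] = { 0, 1 };  /* non-dumpable first, then back to the default */

    printf("euid=%ld egid=%ld\n", (long)geteuid(), (long)getegid());
    for (int i = 0; i < 2; i++) {
        if (set_dumpable_and_snapshot(values[i], &s) == -1) {
            perror("set_dumpable_and_snapshot");
            return 1;
        }
        /* Per the answer: owner is root:root unless dumpable is 1. */
        printf("dumpable=%d  /proc/self/fd owner=%ld:%ld\n",
               s.dumpable, (long)s.fd_dir_uid, (long)s.fd_dir_gid);
    }
    return 0;
}
```

Run as a normal user, the first line of output shows the directory owned by root while the process is non-dumpable, and the second shows it owned by the process's effective IDs again.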