BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
DJWanna
Obsidian | Level 7

Hi All,

Recently we have been observing that our users have processes that are shown as ROOT as the process owner. In contacting the User they say that they are only running Grid processes. What part of SAS or Grid could this process be? For example this is what we are seeing:

root      5819 12073  0 Jul28 ?        00:00:00 sshd: userid [priv]
userid   6231  5819  0 Jul28 ?        00:00:02 sshd: userid@pts/2
userid   6232  6231  0 Jul28 pts/2    00:00:00 -ksh
root     26386 12073  0 Jul28 ?        00:00:00 sshd: userid [priv]
thisisme 26989 25006  0 14:55 pts/4    00:00:00 grep userid
userid  29603  4321  0 Jul28 ?        01:11:46 /sas/sys/sasconfig_prod/lsf9/9.1/linux2.6-glibc2.3-x86_64/etc/res -d /sas/sys/sasconfig_prod/lsf9/conf -m svcksa69901mpk.us.bank-dns.com /home/userid/.lsbatch/1501098689.316759
userid  29650 29603  0 Jul28 ?        00:00:00 /bin/sh /home/userid/.lsbatch/1501098689.316759
userid  29689 29650  5 Jul28 ?        17:02:15 /sas/sys/sasinstall_prod/compute/SASFoundation/9.4/sasexe/sas -noterminal -netencryptalgorithm TripleDES -metaserver svcksa69901mpk.us.bank-dns.com -metaport 8561 -metarepository Foundation -locale en_US -objectserver -objectserverparms delayconn sph=svcksa69901mpk.us.bank-dns.com protocol=bridge spawned spp=12832 cid=3470 pb classfactory=440196D4-90F0-11D0-9F41-00A024BB830C server=OMSOBJ:SERVERCOMPONENT/A51QZNX6.AY00000B cel=everything lb recon grid keepalive=500 -METAUSER
userid  31582 26386  0 Jul28 ?        00:00:26 sshd: userid@pts/0
userid  31654 31582  0 Jul28 pts/0    00:00:00 -ksh
userid  31853 31654  0 Jul28 pts/0    01:03:41 top

 

It is line 1 and 3 we are concerned about. Did we just stumble across this user logged in as ROOT or is this a SAS process creating this process?

 

Thank you for your insight.

1 ACCEPTED SOLUTION

Accepted Solutions
Kurt_Bremser
Super User

The SSH port is a so-called privileged port (<1024), which can only be used by the superuser. Therefore the master sshd daemon runs as root and spawns children for every connection (which stay under userid 0); once login is completed (either by password or public/private key), another child running with the login user's identity is spawned. This child then starts the shell.

12073 should be your master sshd with parent process 1.

View solution in original post

2 REPLIES 2
Kurt_Bremser
Super User

The SSH port is a so-called privileged port (<1024), which can only be used by the superuser. Therefore the master sshd daemon runs as root and spawns children for every connection (which stay under userid 0); once login is completed (either by password or public/private key), another child running with the login user's identity is spawned. This child then starts the shell.

12073 should be your master sshd with parent process 1.

JuanS_OCS
Amethyst | Level 16

Indeed, as @Kurt_Bremser wisely said. On simple words: the initial process must be always be spawned as root, but just for connections to protected ports. Afterwards, any other process will be owned by the appropiate user.

 

On Linux there are many applications that run on the same way, and it is due to Linux security policies. A very common example are the web servers (such as Apache). If you want a web server to provide service on default ports 80 (http) or 443 (https), the inital process to listen on those ports must be owned by root. Any other child process will be owner by the user assigned to thr web server.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 2 replies
  • 1024 views
  • 2 likes
  • 3 in conversation