This post is originally the contribution article of Conanloveu, transferred to the forum by WaterCloud.
Linux Security Raiders - Zombie Process
Author: Jiang Chao
Microsoft's series is now very popular, especially his unique humanized operation, it makes everyone love to release, but he is also known as the king of vulnerabilities, so large-scale servers such as the government, enterprises are absolutely no one dare to use Windows series products. of. In contrast, Linux is very strong in terms of security. And after the future development trend, Linux will have an absolute advantage in various fields. This era is hard to understand Linux. So today I will take you into the most basic security field of Linux - "Process".
Everyone knows that Linux is the same as Win2K, which is a multitasking operating system, that is, in the same time, there can be multiple processes simultaneously. If you have a certain understanding of the hardware system, we will know that the CPU of the personal computer (PC) we use is only one instruction in a time piece, then how is Linux implementing multiple processes simultaneously? Here Linux uses a weapon called "Process Scheduling", first assigns a certain runtime for each process, this time is usually very short, short to milliseconds, and then according to some rules, Select a put into operation from many processes, other processes are temporarily waiting, when running is exhausted, or to exit, or suspended for some reason, Linux will re-scheduled, select the next process to put into operation . Because the time slice occupied by each process is very short, in our way, it seems that multiple processes are running the same. We learned that after the Linux multi-process concept, let's take a look at what process?
I. Process concept:
When running any a UNIX / Linux command, shell will at least create a process to run this command (this process is also called a parent process), so you can call any programs running in the UNIX / Linux system; but the process is not a program The process is dynamic, and the program is static, and multiple processes (in addition to the parent process in multiple processes, the other is a sub-process) to call the same program. Figure (1) shows the process tree.
Each process in the system contains a Task_Struct data structure, all of which integrates a process vegeter of these data structures, and the system default process vector data size is 512, indicating that the system can accommodate 512 processes. The TASK_STRUCT data structure of the process includes information, scheduling information, process identifier, etc.
Since the UNIX system is a multi-process operating system, each process is independent, all have its own permissions and tasks, so when a process fails, it will not lead to other processes fail. The system is distinguished by a process identifier, and the process identifier is a non-negative positive number. He is unique at any time. When a process ends, his process identifier can be assigned to another new process. The system assigns the identifier 0 to the schedule process, the identifier 1 assigns the initialization process. Let me show you a flow chart of the process by birth to death.
Process Liveframe:
Born: Plan fork (), Mom (Parent Process) is born, and inherits all things in the parents, we can also see him as a clone.
Life: Then with the exec (), children grow up (new processes), they are independent of home, starting to serve the people's career. Death: People have life and old, the process is the same, it can be nature death, that is, the last "}" running to the main function, which is easy to leave us; it can be suicide, there is 2 ways, one is called The EXIT function, one is to use return in the main function, no matter which way, it can leave the suicide note, put it in the return value; it can also be murdered, and the other process ends through other ways His life (here is somewhat different from people, in the process, if the parent process is dead, then all the sub-process he created is also dead together).
After the death, the process is also a thing: this process is also necessary, can't say that people will not wait for him, do not move the body! After the process died, he would leave a zombie, and the Wait () function acts as a corpse, pushing the zombie into the invisible.
This is the complete life of the process.
The process uses many resources during operation, including the most valuable CPU resources. When a process takes up the CPU resource, other processes must wait after the running process idle CPU can run, because there are many processes waiting, so The kernel decides which process to assign the CPU through the scheduling algorithm. After the concept is clear, we will look at Linux, which is the state of the process.
Second, the process in Linux is fundamentally:
1. Execute (R) Status: The CPU is executing, ie the process is occupying the CPU.
2. Ready (W) Status: All conditions performed by the process already have, waiting for the processing of the CPU.
3, stop (S) status: The process cannot use the CPU.
Everyone sees in Linux, it is normal to have such a state, but there will be more states in special circumstances, which is what we have to say "Zombie". Below we will explain carefully, then introduce the management of the process.
Third, the process management in Linux
Manage two kinds, one is how to start the process, and the other is how the process is scheduled.
1, start process
Type the program name of the program that you need to run, execute a program, in fact, is starting a process. Each process in the Linux system has a process number (PID) for system identification and scheduling process. There are two main ways to start a process: manual start and schedule start, the latter is set in advance, starting according to the user's request. Enter commands by the user, start a process directly, is a manual startup process. However, the manual start process can be divided into many kinds, depending on the type of process started, the nature is different, and the actual results are different.
(1) Launch at the front desk
The front desk start is the most common way to manually start a process. Generally speaking, the user enters a command "Test", which starts a process at the front desk. At this time, the system is actually in a multi-process state. There are many processes that are running automatically when running in the background. When the system starts, it is quietly running. At this time, if you use "PS -X" to view after entering the "Test" command, but did not find this process because this process ended too fast, the process has been completed using the PS. So if you want to see the process, you have to enter a time-consuming program, let's talk below.
(2) Background start
Starting directly from the background a process is less used, unless the process is very time consuming, and the user does not have the result of the results. Suppose the user wants to start a process that needs to be run in a long time. In order not to make the entire shell in the formatting process, starting this process from the background is a wise choice. 2, process schedule
When you need to interrupt a reception process, you are usually used using a Ctrl C key key; but for a background process is not a combination of a combination, you must use a kill command. This command can terminate the background process. As for There are many reasons for the termination of the background process, perhaps the CPU time occupied by the process; maybe this process has been hanged. This situation often occurs. The working principle of the kill command is to send a system operation signal and a process identification number of a program to the kernel of the Linux system, and then the system kernel can operate the process specified by the license number.
Ok, the basic concept of the process is familiar with everyone will ask so what is the so-called "zombie process"? In any case, a zombie process will cause a zombie process? No need to worry, let's first familiarize yourself with the programming of the Linux process.
First of all, I will introduce you a few very important functions:
Fork (); function: Create a new process. (Fork () <0 [error], fork () == 0 [child process], fork ()> 0 [parent process]
Wait (); Function: True End Process (Caving).
Exec (); function: Execute an external program.
Ok, I now let everyone see what our mysterious zombie process looks like. Let me use C to write the code for generating the processes of the Parent process:
/ **************************************************************************************** ****************************** /
#include
#include
Main ()
{
Fork (); / * Started to create a child process * /
IF (fork ()> 0) / * If it is a parent process * /
Wait (NULL); / * Collect zombie process * /
}
After you read the code, you will feel that this code is what the process I just said is good. After the process died, you must pay for him, otherwise he will program the zombie process. Let's take a look at what you can't get the dead process.
/ ******************************** Zombie process ***** zombie.c **** ********************************************************* /
#include
#include
Main ()
{
Fork (); / * Started to create a child process * /
IF (fork> 0) / * If it is a parent process * /
Sleep (30); / * Sleep for 30 seconds, during this time, the father process can't do * /
Wait (null); / * Collect zombie process * /
/ * Because the parent process is dead, the child process has to be accused, then we let the parent process sleep for 30 seconds, in which we can see the zombie process in these 30 seconds.
After 30 seconds, the parent process will die after waking up, so the child is still dead. * /
}
/ ************************************************** ************************************************** /
In order to let everyone see the zombie process, we will compile this zombie process code, then execute,
#gcc -o zombie Zombie.c After success, we started to perform this program because the Sleep (30) in the code is allowed to sleep for 30 seconds, if we execute our program in the front desk, then you can't do other shell commands, So here we add a & representative to the background run here.
#. / zomber &
Ok, let's perform the view process command in 30 seconds to see what we are this ZOMBIE process?
#ps -aux | GREP ZOMBIE
This command is to display all information about Zombie. Please see Figure (2) for details.
After seeing this here, the smart friend will ask, since the sub-process created by the parent process, then if a parent program is exported, the child process does not have a zombie process, because the father process is dead. Well. So this will not cause more harm? If everyone thinks it is wrong, when we just use the PS command to observe the execution status of the process, see the status bar of some processes is defunct, which is the so-called "zombie" process. The "zombie" process is a process that has already died, but it still accounts for a position in the process table. Since the capacity of the process table is limited, the Defunct process not only occupies the system's memory resources, but also affects the performance of the system, and if there is too much, it will cause the system to be paralyzed, please see the following code:
/ *************************************************************************************************** ***************************************** /
#include
#include
Main ()
{
For (;;) / * Make a dead cycle * /
Fork (); / * Started to create a child process * /
}
/ ************************************************** ************************************************** /
Friends who know C language will know for for (;;) is a dead cycle. Then this only 2 lines of code can crash your Linux instantly, because his role is unlimited to add new child processes in the memory, and a system will allocate the maximum limit of the process according to the capacity of the memory, once The number of processes running is super, then your machine will inevitably crash.
I have used 2 users to test, one is a user of normal privileges, one is the root user, the test result is "Any user will let the machine die as long as the user will die." The reason is that the default Linux system does not limit the usual process of ordinary users. So this is a big threat to the system, then how we avoid ordinary users illegally perform excessive resources or processes cause the system to drag, so our restrictions on the root users.
Limit ordinary users:
Step 1: First enter the Linux terminal with the VI editing / etc / security /limits.conf file, add:
* Hard Core 0
* HARD RSS 5000
* Hard NPROC 20
Here * represents all users in addition to root, (* hard core 0) is disabled Core Files "Core 0", (* HARD RSS 5000) is limited to 5MB "RSS 5000", (* Hard Nproc 20) is limit The number of processes is "NPROC 50". Everyone can make a reasonable configuration according to their own system memory size.
Step 2: Edit the /etc/pam.d/login file with VI, then add the following line to save exit. Session Required /LIB/Security/Pam_Limits.so
Ok, now we have limited the usage of the process and memory usage, and you can use root and ordinary users to test separately, and the result is of course the procedure we have made by ordinary users.
The security of a system is not dependent and does not play patch, although it is very important to make the patch, but it is also important to make the system.
If you have any questions, you can contact QQ: 15052570
