Special File Types   «Prev  Next»
Lesson 6Monitoring processes
ObjectiveUse the ps command and its arguments to monitor running processes on the system.

How to monitor Processes using the ps command

ps command

The principal tool for monitoring processes on your system is the ps command. This command lists the running processes, together with useful information about their status. Use the ps command by itself to get a brief list of processes owned by the user who invoked the command. Like ls, the ps command has myriad options. Let’s look at two particularly useful ones. To obtain information on all processes on a system, use the command ps aux. On Solaris and AIX, the corresponding command is ps –ef, and the output has a slightly different form. The relevant information is still there. To obtain information on parent-child relationships, use the command ps aj.
Unix process ID 
$ ps
PID TTY STAT TIME COMMAND
1532 ps S 0:00 /bin/login -h 208.205.77.223 -p
1533 p3 S 0:00 -bash
1666 pS S 0:00 /bin/login -h 208.205.77.222 -p
1667 pS S 0:00 -bash

$ ps aux
USER PID %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
daemon 195 0.8 1.3 780 408 ? S Jun 8 0:00 /usr/sbin/atd
usert 1532 0.8 3.0 1456 928 p3 S 13:32 0:00 /bin/login -h 208.205.77.223 -p
usert 1533 0.8 2.6 1200 804 p3 S 13:33 0:00 -bash
root 319 0.8 0.7 720 228 ? S Jun 8 0:00 update (bdflush)

$ ps aj
PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND
313 313 313 2 313 S 0 0:00 /sbin/mingetty tty2
1532 1533 1532 p3 1546 S 502 0:00 -bash
1533 1545 1532 p3 1546 S 0 0:00 su james
  1. The process ID
  2. The terminal to which the process is attached
  3. A status indicator
  4. The accumulated CPU time
  5. The command line which started the process
  6. The owner of the process
  7. Daemon processes have no controlling terminal (TTY is ?)
  8. Login shells have an initial
  9. Processes that are swapped out are marked in parentheses
  10. Parent process IDs
  11. User ID numbers

Using ps command

View the image below to examine the output of the ps, ps aux, and ps aj commands.
Process Monitor
Output from Unix-like operating system commands that display process information. Here's a breakdown of the text and its relevant features:
  1. `ps` Command Output:
    • PID: Process ID
    • TTY: Terminal type the process is attached to
    • STAT: Process state
    • TIME: CPU time used
    • COMMAND: Command line that started the process
  2. `ps aux` Command Output:
    • USER: User ID of the process owner
    • %CPU: Percentage of the CPU that the process is using
    • %MEM: Percentage of the memory that the process is using
    • SIZE: Virtual memory size of the process
    • RSS: Resident Set Size or physical memory size
    • TTY: Terminal type
    • STAT: Process state
    • START TIME: Time when the process started
    • COMMAND: Command line that started the process
  3. `ps aj` Command Output:
    • PPID: Parent process ID
    • PID: Process ID
    • PGID: Process group ID
    • SID: Session ID
    • TTY: Terminal type
    • TPGID: Terminal process group ID
    • STAT: Process state
    • UID: User ID of the process owner
    • TIME: CPU time used
    • COMMAND: Command line that started the process

The image contains multiple sections of command output, possibly used for monitoring or debugging processes on a Unix-like system. The commands and outputs focus on detailed process management, including resources used, process ownership, and process state information.
  1. The process ID
  2. The terminal to which the process is attached
  3. A status indicator
  4. The accumulated CPU time
  5. The command line that started the process
  6. The owner of the process
  7. Daemon processes have no controlling terminal (TTY is ?)
  8. Login shells have an initial –
  9. Processes that are swapped out are marked in parentheses
  10. Parent process IDs
  11. User ID numbers


Look at the output of the ps, ps aux, and ps aj commands. Notice how they differ and what type of information the output of each contains. Notice that in the ps aj command output, you can obtain information about parent-child relationships. Parent process IDs are in the PPID column. This version of the ps command shows user ID numbers, not names, in the UID column. You can find your user ID number with the id command.
Sometimes, keeping track of your real identity is difficult. The whoami command will tell you the real user ID of your shell. Let us practice using the ps commands to monitor processes. Click the Start Simulation button to get started.
ps command 1
1) ps command 1
ps command 2
2) ps command 2
ps command 3
3) ps command 3
ps command 4
4) ps command 4
ps command 5
5) ps command 5
ps command 6
6) ps command 6
ps command 7
7) ps command 7
ps command 8
8) ps command 8
ps command 9
9) ps command 9
ps command 10
10) ps command 10

  1. Start a subshell of your login shell by typing the bash command. This will start the Bourne Again Shell.
  2. Start subshell
  3. Type ps aj. The a argument for ps will list all processes except group leaders and non-terminal processes. The j argument lists process group and session IDs.
  4. List processes
  5. ps aj
  6. Notice that the new shell has a PPID equal to the PID of your login shell. Now, exit this subshell.
  7. Exit subshell,
  8. exit
  9. Type exit. Remember that this is a subshell with exactly the same permissions as when you originally logged on.
  10. Assume root privileges.
  11. Assume root privileges,
  12. Type su to assume root privileges
  13. Enter rootpass for the password.
  14. rootpass
  15. You are now in a root shell. Type ps aj again.
  16. List processes
  17. Notice that a new shell with a PPID equal to your login shell's PID, but with owner root (UID number 0), has been created. Sometimes switching between shells becomes confusing. Issue a command to determine authoritatively the shell in which you are operating.
  18. Determine the shell,
  19. whoami
  20. Use the whoami command to determine the shell in which you are operating.
  21. Note that the output of the whoami command informs you that you are now root. Exit the root subshell.
  22. Exit root subshell
  23. exit
  24. Type exit to surrender root.
  25. Type ls -l /usr/bin/passwd to verify that the SUID bit has been set for the passwd program. Remember: You are not viewing the SUID bit on the etc/passwd file. You are viewing it on the passwd executable in the usr/bin directory.
  26. Verify
  27. ls -l /usr/bin/passwd
  28. Note that the SUID is set. If users have trouble changing their own passwords, you may have to change the file permissions using chmod. Let's issue a command that runs the passwd command and then suspends it. Type passwd &. You should not specify your own username, because only root has the ability to specify usernames. Even if the SUID is set, you cannot use passwd as freely as a user logged on as root.
  29. Run passwd command
  30. passwd
  1. Now, instead of entering your password, you would press CTRL+C to finish placing the passwd program into background mode. For the purposes of this simulation, just press the Enter key on your keyboard.
  2. Run ps aj again.
  3. ps aj
  4. View the processes, and verify that the password command is running with root permissions. This operation might seem odd because you are not in the root shell. You started passwd with only standard user permissions. However, the SUID bit allows normal users to execute programs using some root permissions. Also, note how the ps aj command you just executed does not have a root UID. Now, bring the passwd command back into the foreground of your shell.
  5. Bring passwd back to foreground
  6. fg
  7. Use the fg command to bring the passwd command back into the foreground of your shell.

Changing identities and monitoring with ps

  1. Start a subshell of your login shell by typing the bash command. This will start the Bourne Again Shell.
  2. Type ps aj. The a argument for ps will list all processes except group leaders and non-terminal processes. The j argument lists process group and session IDs.
  3. Notice that the new shell has a PPID equal to the PID of your login shell. Now exit this subshell.
  4. Assume root privileges.
  5. You are now in a root shell. Type ps aj again.
  6. Notice that a new shell with a PPID equal to your login shell's PID, but with owner root (UID number 0), has been created. Sometimes switching between shells becomes confusing. Issue a command to determine authoritatively the shell in which you are operating.
    Solution: whoami
  7. Note that the output of the whoami command informs you that you are now root. Exit the root subshell.
  8. Type ls -l /usr/bin/passwd to verify that the SUID bit has been set for the passwd program. Remember: You are not viewing the SUID bit on the etc/passwd file. You are viewing it on the passwd executable in the usr/bin directory.
  9. Note that the SUID is set. If users have trouble changing their own passwords, you may have to change the file permissions using chmod. Let us issue a command that runs the passwd command and then suspends it.
    Type passwd &. You should not specify your own username, because only root has the ability to specify usernames. Even if the SUID is set, you cannot use passwd as freely as a user logged on as root.
  10. Now, instead of entering your password, press CTRL+C to finish placing the passwd program into background mode.
  11. Run ps aj again.
  12. View the processes, and verify that the password command is running with root permissions. This operation might seem odd because you are not in the root shell. You started passwd with only standard user permissions. However, the SUID bit allows normal users to execute programs using some root permissions. Also, note how the ps aj command you just executed does not have a root UID. Now, bring the passwd command back into the foreground of your shell.
    Solution: fg
  13. To exit the shell without changing your password, press CTRL-C.
  14. Use the ps command with the argument that lists all processes on the system.
    Solution: ps aux
  15. According to this readout, five daemon processes are running on this particular system. UNIX marks daemon processes with a ? character.
  16. Now, issue the ps aux command, this time using a pipe and grep -c ?.
  17. You received a count of all daemon processes. Now, obtain a full listing of all the processes owned by root.
    Solution: ps aux | grep root
  18. For the purposes of this simulation, we’re showing you only a few of the processes. Normally, this listing would be quite long. Now, list all shells running on the system, using ps aux, a pipe, and grep. As part of the command, save the output to a file named loginshell.
    Solution: ps aux | grep login > loginshell
  19. Now, issue the whoami command again.

SEMrush Software 6 SEMrush Banner 6