HTDark | Underground Hacking Forum and Cybersecurity Community
  • Earn real money by being active: Hello Guest, earn real money by simply being active on the forum — post quality content, get reactions, and help the community. Once you reach the minimum credit amount, you’ll be able to withdraw your balance directly. Learn how it works.

Linux Linux Mystery: Disappearing Processes in systemd Services

dEEpEst

dEEpEst

☣☣ In The Depths ☣☣
Staff member
Administrator
Super Moderator
Hacker
Specter
Crawler
Shadow
Joined
Mar 29, 2018
Messages
13,861
Solutions
4
Reputation
32
Reaction score
45,552
Points
1,813
Credits
55,350
‎7 Years of Service‎
 
56%
Linux Mystery: Disappearing Processes in systemd Services

🚀 Created for Hack Tools Dark Community

Disclaimer: This topic is intended for educational and debugging purposes in secure environments. Misconfiguration in service units can lead to unexpected behavior or vulnerabilities.
Click to expand...

❓ Issue: Vanishing Processes

You're running a daemon (e.g., mydaemon) on Ubuntu 22.04, started via a systemd unit.
systemctl status mydaemon says it’s active (running), yet:

  • ps aux | grep mydaemon shows nothing
  • top, htop, pgrep, pidof return no matches

But restarting it with systemctl restart mydaemon logs a clean start — no errors. Still no visible process.


🔍 Diagnosis

  • Check the unit type:
    INI: 
    Type=simple
ExecStart=/bin/bash -c 'sleep 9999'
  • Run:
    Bash: 
    systemctl show -p MainPID mydaemon
    This might return MainPID=0 or a PID that vanishes quickly.
  • Why? With Type=simple, systemd assumes the parent process launched by ExecStart is the main one — in this case, bash. But bash -c 'sleep 9999' spawns sleep and exits, leaving systemd tracking a non-existent PID.


✅ Solutions

  1. Avoid shell wrappers:
    Instead of using bash -c, directly run the binary:
    INI: 
    ExecStart=/usr/bin/sleep 9999
  2. Use Type=forking (if your daemon forks itself) and define a PIDFile:
    INI: 
    Type=forking
PIDFile=/var/run/mydaemon.pid
ExecStart=/usr/bin/mydaemon
  3. Use Type=exec (available in systemd v240+), which tracks the last process in the chain:
    INI: 
    Type=exec
ExecStart=/bin/bash -c 'sleep 9999'
  4. Use Type=notify if the daemon supports sd_notify:
    INI: 
    Type=notify
ExecStart=/usr/bin/mydaemon --notify-ready


🧠 Tips for Debugging systemd Services

  • Check MainPID:
    Bash: 
    systemctl show -p MainPID mydaemon
  • Inspect running processes and hierarchy:
    Bash: 
    ps -eo pid,ppid,cmd | grep mydaemon
  • Redirect logs to a file for more clarity:
    INI: 
    StandardOutput=file:/var/log/mydaemon.log
StandardError=file:/var/log/mydaemon.err


💬 Have you encountered similar stealthy behaviors in your services? Join the discussion and share your debugging techniques or unusual systemd cases.
 
You must log in or register to reply here.
Back
Top