
I've started using urxvt and noticed that it starts 2 PIDs each time it is opened. They are consecutive. I do not include bash.

ps

PID    %CPU %MEM   VSZ   RSS TTY      STAT START   TIME COMMAND
21193  0.1  0.3 113368 29340 ?        Ss   12:13   0:00 rxvt
21194  0.0  0.0  31932  3716 ?        S    12:13   0:00 rxvt

pstree

├─rxvt─┬─bash
       └─rxvt

I tried urxvtd (the rxvt daemon), it also starts 2 PIDs. I haven't seen this behaviour on st or xterm. They open for themselves one process and bash. Is it normal?

Debian 10, rxvt-unicode package.

Krackout

1 Answer


urxvt runs setuid/setgid to work with utmp/wtmp (the feature which lets you use the who and last commands). Doing this directly is considered a potential vulnerability. xterm generally uses utempter, to guard against that. st has no direct support for utmp/wtmp. According to its FAQ, you can make that work using another program:

> ## Why does st not handle utmp entries?
>
> Use the excellent tool of utmp for this task

urxvt's documentation explains the fork in a different manner:

> I need to make it setuid/setgid to support utmp/ptys on my OS, is this safe?
>
> It should be, starting with release 7.1. You are encouraged to properly install urxvt with privileges necessary for your OS now.
>
> When rxvt-unicode detects that it runs setuid or setgid, it will fork into a helper process for privileged operations (pty handling on some systems, utmp/wtmp/lastlog handling on others) and drop privileges immediately. This is much safer than most other terminals that keep privileges while running (but is more relevant to urxvt, as it contains things as perl interpreters, which might be "helpful" to attackers).
>
> This forking is done as the very first within main(), which is very early and reduces possible bugs to initialisation code run before main(), or things like the dynamic loader of your system, which should result in very little risk.

One easy way to see if a terminal supports utmp/wtmp is to run the w command. The resulting output will show that w command if the terminal supports the feature. I see this in xterm:

 09:57:14 up  2:34,  5 users,  load average: 0.05, 0.01, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
tom      pts/1    192.168.1.8:S.0  07:24    5:45   7.49s  7.46s vile
tom      pts/2    192.168.1.8:S.1  07:25   42:02   0.13s  0.10s ded /usr/build/
tom      pts/3    192.168.1.8:S.2  09:15    7:45   0.41s  0.38s ded rpmbuild//S
tom      pts/4    192.168.1.8:S.3  09:51   12.00s  0.16s  0.00s sh -c uxterm-de
tom      pts/5    localhost:10.0   09:57    0.00s  0.04s  0.00s w

and this in st:

 09:59:07 up  2:36,  4 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
tom      pts/1    192.168.1.8:S.0  07:24    7:38   7.58s  7.55s vile
tom      pts/2    192.168.1.8:S.1  07:25   43:55   0.13s  0.10s ded /usr/build/
tom      pts/3    192.168.1.8:S.2  09:15    9:38   0.41s  0.38s ded rpmbuild//SOURCES/
tom      pts/4    192.168.1.8:S.3  09:51   27.00s  0.39s  0.00s sh -c stterm
Thomas Dickey
  • Interesting. Yet st returns result from who and last commands, same as when executed from urxvt. – Krackout Oct 25 '20 at 13:11
  • who and last will return output, but checking here, running w (which would show the command being run in particular) shows nothing relevant for st: its source mentions a helper program which can be run. – Thomas Dickey Oct 25 '20 at 14:01
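
The fork-then-drop pattern described in the urxvt documentation quoted in the answer, as an added example in C. It is not urxvt's code and not part of the original thread: the names `privsep_init`, `privsep_request` and `helper_loop` and the one-byte request protocol are hypothetical, and the helper only acknowledges requests where a real one would write the utmp/wtmp record.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

static int helper_fd = -1;     /* parent's end of the channel to the helper */
static pid_t helper_pid = -1;

/* Helper: keeps the original effective IDs and serves one-byte requests.
   A real helper would write the utmp/wtmp record here (assumption). */
static void helper_loop(int fd) {
    char req;
    while (read(fd, &req, 1) == 1) {
        char reply = (req == 'L' || req == 'O') ? 'K' : 'E'; /* login/logout only */
        if (write(fd, &reply, 1) != 1) break;
    }
    _exit(0);
}

/* Call first in main(): fork the helper, then drop privileges for good. */
int privsep_init(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if ((helper_pid = fork()) < 0) return -1;
    if (helper_pid == 0) { close(sv[0]); helper_loop(sv[1]); }
    close(sv[1]); helper_fd = sv[0];
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    /* Group first: once the uid is dropped we may lack permission to change it. */
    if (setregid(rgid, rgid) < 0 || setreuid(ruid, ruid) < 0) return -1;
    /* The drop must be irreversible: regaining the old IDs has to fail. */
    if (egid != rgid && setegid(egid) == 0) return -1;
    if (euid != ruid && seteuid(euid) == 0) return -1;
    return 0;
}

/* Ask the helper for a privileged operation; 0 on success, -1 if refused. */
int privsep_request(char op) {
    char reply;
    if (write(helper_fd, &op, 1) != 1 || read(helper_fd, &reply, 1) != 1) return -1;
    return reply == 'K' ? 0 : -1;
}

int main(void) {
    if (privsep_init() != 0) return 1;
    printf("helper %d, login request -> %d\n", (int)helper_pid, privsep_request('L'));
    close(helper_fd);              /* EOF makes the helper exit */
    return waitpid(helper_pid, NULL, 0) == helper_pid ? 0 : 1;
}
```

While it runs, `pstree` shows the same parent-with-one-child shape as in the question: the unprivileged main process with the small helper beneath it.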