Georgy Karageogiev

Q: Stray processes after a user logout

I tried this on a couple of the machines updated to Mac OS X 10.9.4. I log in as a particular user, let's say user1, and then log out, and log in as another user, let's say user2. After inspecting the system processes, I find a bunch of processes running on behalf of user1 and these don't seem to want to terminate:

/sbin/launchd
/usr/sbin/distnoted agent
/usr/sbin/cfprefsd agent
/usr/libexec/xpcd
/System/Library/PrivateFrameworks/TCC.framework/Resources/tccd
com.apple.IconServicesAgent
com.apple.imdpersistence.IMDPersistenceAgent
/usr/libexec/secd
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
com.apple.NotesMigratorService
com.apple.InputMethodKit.UserDictionary
/System/Library/PrivateFrameworks/CloudServices.framework/Resources/com.apple.sbd
com.apple.DataDetectorsDynamicData
/System/Library/PrivateFrameworks/SyncedDefaults.framework/Support/syncdefaultsd
com.apple.iCloudHelper

Can anybody help me find decent documentation about these processes, and tell me whether I can disable or safely terminate as many of them as possible? I didn't manage to find anything useful in the man pages or by searching with Google. I haven't observed such behavior with OS X 10.7 and older versions.

OS X Mavericks (10.9.4)

Posted on Jul 27, 2014 7:20 PM

  • by Eric Root,

    Eric Root Jul 28, 2014 12:54 PM in response to Georgy Karageogiev
    Level 9 (71,155 points)
    iTunes

    Are you having a specific problem you are trying to fix or are you just concerned about the log? If everything is working okay, I wouldn't worry about it.

  • by Georgy Karageogiev,

    Georgy Karageogiev Jul 28, 2014 1:57 PM in response to Eric Root
    Level 1 (13 points)

    I am helping with the administration of a couple of Mac machines, laptops and servers. I have some concerns:

    • Security: the stray processes may cache sensitive information in the time the user has logged out. The owners of the laptops wouldn't like such a situation.
    • Performance: I can't judge the impact of such processes on the performance currently, but I want to keep the running environments as simple as possible, especially on server machines.
    • Battery life
    • You guessed it right, I want simpler logs.

    Also the insufficient or completely missing documentation about these processes amplifies my concerns.

  • by micahwkb,

    micahwkb Aug 13, 2014 1:32 PM in response to Georgy Karageogiev
    Level 1 (0 points)

    Glad to have found this post, I've noticed the same problem.

     

    This is a big problem after updating 2009-2010 Macs to 10.9 in our environment -- after several users log in to a shared machine, it crawls because most or all RAM is allocated to user processes of logged-out accounts. A reboot fixes this, but it's a frustration to the users since the machines never needed reboots under 10.6 or 10.7.

     

    For users who use multiple Macs, some things simply can't run unless a machine is rebooted at logout. Thunderbird, for example, fails to work if a user logs out (having used Tbird) from one Mac and launches the app on another machine, which I confirmed was caused by the leftover processes. This tells me that the stray processes are actually tying up active files in the user's home directory, which confirms a potential security risk.


    In case it matters, we use a "hybrid" infrastructure of sorts, where home folders reside in network locations and are aliased by startup scripts, so the Mac "thinks" they are present in /Users but on login the home folder is mounted in their respective filesystem via NFS.

     

    I'm trying to hunt down a way to close all user processes either as a logout hook or as a system daemon.

     

    Any progress on your end?

  • by Georgy Karageogiev,

    Georgy Karageogiev Aug 16, 2014 4:58 AM in response to micahwkb
    Level 1 (13 points)

    I didn't find any reasonable documentation, but I did some experiments.

     

    If you run the Activity Monitor app or some utility in the terminal (I built myself and used pstree), you can see the hierarchy of the processes:

    |-+= <process_id_0> user1 /sbin/launchd
    | |--= <process_id_1> user1 /usr/sbin/distnoted agent
    | |--= <process_id_2> user1 /usr/sbin/cfprefsd agent
    | |--= <process_id_3> user1 /System/Library/PrivateFrameworks/TCC.framework/Resources/tccd
    | |--= <process_id_4> user1 /usr/libexec/secd
    | |--= <process_id_5> user1 /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
    | \--= <process_id_6> user1 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdflagwriter
    |--= <process_id_7> user1 /usr/libexec/xpcd
    |--= <process_id_8> user1 com.apple.IconServicesAgent
    |--= <process_id_9> user1 com.apple.imdpersistence.IMDPersistenceAgent

     

    Here <process_id_n> represents a number, the ID of the corresponding process. It turned out that I can kill the whole process tree started by the launchd for this particular user, as a superuser. The command from the terminal I used (note the '-' before the process ID of the launchd):

    sudo kill -- -<process_id_0>

     

    Then a couple of processes were left that don't belong to this tree and apparently were started separately:

    |--= <process_id_7> user1 /usr/libexec/xpcd
    |--= <process_id_8> user1 com.apple.IconServicesAgent
    |--= <process_id_9> user1 com.apple.imdpersistence.IMDPersistenceAgent


    An ordinary kill didn't stop these. I had to use the KILL signal:

    sudo kill -KILL <process_id_7> <process_id_8> <process_id_9>


    Now I cannot guarantee 100% that we can safely use this approach to stop the stray user processes without corrupting files, because we cannot find documentation, BUT something like this has to happen automatically when you shut the computer down. So you can try it at your own risk (and please share your experience).

     

    Still waiting for a better solution or explanation from Apple.

  • by Georgy Karageogiev,

    Georgy Karageogiev Aug 16, 2014 6:06 AM in response to Georgy Karageogiev
    Level 1 (13 points)

    Important correction (sorry, pasted and didn't test): Use bash built-in kill command to terminate the process tree. Instead of:

    sudo kill -- -<process_id_0>

    use:

    sudo bash -c "kill -- -<process_id_0>"

  • by colbruA,

    colbruA Sep 4, 2014 12:19 AM in response to Georgy Karageogiev
    Level 1 (0 points)

    I'd like to give this one a bump.

     

    I too have noticed this problem.

     

    My Network Home users suffer from randomly corrupted local keychains. The symptoms are that Mail is not able to receive or send emails because the password can't be stored in the keychain. And we have random freezing of systems when using Word 2011.

    This might be related to the processes of prior users not being terminated.

     

    Was someone able to write a daemon to terminate the stray processes automatically?

     

    I have found the following https://github.com/mkuron/mountclean-osx but was not able to make it work.

    May I ask the coders in this thread for help?!

     

    Thanks

  • by Georgy Karageogiev,

    Georgy Karageogiev Sep 4, 2014 1:05 AM in response to colbruA
    Level 1 (13 points)

    I gave it a try. I created a script that can be installed as a cron job and I will paste it at the end of the post. You can try to use it at your own risk.

     

    Mini manual: The script will kill all the stray processes for a particular user on a machine after the user has logged out. Additionally, the script will not kill the user's processes if it detects the presence of an optional file specified on the command line (helpful if the user has automated processes). I'd recommend executing it periodically as the root user, in its crontab for example. Executing the script without command line arguments will display its usage.

     

    Installation (ask a technical person if unsure): Copy the script source below and paste it in some script file, say as /usr/local/bin/kill_stray_processes, then give it executable rights. From the terminal it would look something like this:

    # Create /usr/local/bin in case it doesn't exist
    sudo mkdir -p /usr/local/bin
    # Use your favourite editor to paste the source of the script, here for example vi
    sudo vi /usr/local/bin/kill_stray_processes
    # After pasting the source, saving and closing the editor, set executable rights of the script
    sudo chmod a+x /usr/local/bin/kill_stray_processes

     

    The cron job to check and kill stray processes for user myuser every hour would look like this:

    0 * * * * /usr/local/bin/kill_stray_processes myuser

     

    Suppose an automated process creates temporarily a file /tmp/mylock and you don't want to kill processes at the time it runs. The cron job would look like this:

    0 * * * * /usr/local/bin/kill_stray_processes myuser /tmp/mylock

     

    The source of the script starts below (no empty line in the beginning):

    #!/bin/bash
    # SYNOPSIS:
    #     This is a command line utility that kills processes belonging
    # to a particular user who does not have a login session. Additionally
    # the script can take lock files as command line arguments; if any of
    # them is present, it does not proceed with killing the stray processes.
    #
    # USAGE:
    #     kill_stray_user_processes <user> [<lock_file>...]
    #
    COMMAND_NAME=$(basename "$0")
    #
    USER="$1"
    if [ -z "$USER" ]; then
        echo "USAGE: $COMMAND_NAME <user> [<lock_file>...]"
        exit 0
    fi
    shift 1
    # In case of specified lock files check for their presence and exit if any
    while [ -n "$1" ]; do
        if [ -f "$1" ]; then
            exit 0
        fi
        shift 1
    done
    # Make sure the user has logged out
    if w | grep -q -i "^${USER}[[:space:]]"; then
        exit 0
    fi
    # Kill the stray launchd's and all their subprocesses
    # (a negative PID signals the whole process group led by that launchd)
    for pid in $(ps -jaxwww | grep -i "^${USER}[[:space:]]" | grep "/sbin/launchd" | awk '{print $2}'); do
        bash -c "kill -- -${pid}"
    done
    # Try to kill gracefully everything else
    for pid in $(ps -jaxwww | grep -i "^${USER}[[:space:]]" | awk '{print $2}'); do
        bash -c "kill -- -${pid}" 2> /dev/null
    done
    # Kill forcefully everything that is left
    for pid in $(ps -jaxwww | grep -i "^${USER}[[:space:]]" | awk '{print $2}'); do
        kill -9 "$pid" 2> /dev/null
    done

  • by colbruA,

    colbruA Sep 4, 2014 9:52 PM in response to Georgy Karageogiev
    Level 1 (0 points)

    Thank you Georgy

     

    As you state, the usage is as follows:

    # USAGE:
    #     kill_stray_user_processes <user> [<lock_file>...]

     

    Since there are different users using the computer, how do I do that?

    Your script relies on the external input of <user> to kill the correct processes.

    To take into account the ever-changing users, I somehow need $USER as input to the script.

    But if we run the script as root, will $USER not return root, and will this kill root processes?

  • by Georgy Karageogiev,

    Georgy Karageogiev Sep 5, 2014 1:11 AM in response to colbruA
    Level 1 (13 points)

    You can ignore the name mismatch in the script comment, excuses for the confusion. You can name the script as you wish. If you want to use the script without modifying it, you have to schedule automated jobs as root for every user you want to check. Example in the root crontab considering the usage above:

    0 * * * * /usr/local/bin/kill_stray_processes user1
    0 * * * * /usr/local/bin/kill_stray_processes user2 /tmp/lock2
    0 * * * * /usr/local/bin/kill_stray_processes user3


  • by colbruA,

    colbruA Sep 5, 2014 2:07 AM in response to Georgy Karageogiev
    Level 1 (0 points)

    ups... I've got 400 users...

    mhhh.....

  • by Georgy Karageogiev,

    Georgy Karageogiev Sep 5, 2014 2:18 AM in response to colbruA
    Level 1 (13 points)

    The script served my case because I didn't have that many users per computer to deal with. You can reuse parts of it in a script that would cover your needs. I wouldn't recommend trying this for all the users on a machine, because the operating system has its own designated users that run various processes. And last but not least, I'd expect that Apple will eventually address this issue. Hope this helps.

  • by colbruA,

    colbruA Sep 5, 2014 7:54 AM in response to Georgy Karageogiev
    Level 1 (0 points)

    Yes of course I understand your situation is different.

    I really appreciate your work. Thank you very much for your Help Georgy!

  • by myrkridianrhapspody,

    myrkridianrhapspody Oct 1, 2014 8:54 AM in response to Georgy Karageogiev
    Level 1 (4 points)

    I would like to resurrect this post... this issue is killing me here at my college where I administrate the Macs. The kiosks/library machines are bound to active directory, so users login/logout with their AD credentials and have new profiles created on a daily basis, sometimes 50 users a day. Since the 10.9 upgrade, these machines have been freezing because old users are stealing valuable RAM particularly because of the com.apple.IconServicesAgent which takes 50-200 MB of RAM per user. It took me a while to figure this out. I was testing this:

     

    sudo pkill -9 -fx com.apple.IconServicesAgent

     

    Which seems to kill them all, and I put it as a logout script for my MCX controls, but there are a host of other processes (as noted above by previous posters) that are hanging around, almost like zombies but still using system resources. I never had this problem back in 10.7/10.8, so this seems like an inherent problem with the OS. I can't use the script written by Georgy Karageogiev above because I've got thousands of users on campus visiting the machines. Not sure where to go at this point.

  • by myrkridianrhapspody,

    myrkridianrhapspody Oct 1, 2014 9:24 AM in response to myrkridianrhapspody
    Level 1 (4 points)

    I just figured I should also note that I found /private/var/folders is creating a new directory for every new user on the machine, and within these folders it seems there are cache.db files which correspond with all of the zombie-like processes which we are seeing.
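
For machines with many rotating accounts, as in the last few posts, the per-user check can be turned into a report over every account at once while skipping the operating system's own accounts. This is an added example, not code from any poster in the thread: the function name `stray_users` is illustrative, it assumes ordinary accounts start at UID 501, and it runs on constructed sample data in place of live `ps -axo uid=,user=,pid=,comm=` and `who` output. It only reports and never sends a signal.

```shell
#!/bin/bash
# Added example (not from the thread): report accounts that own processes
# but have no login session. It only reports; it never sends a signal.

MIN_UID=501   # assumption: ordinary macOS accounts start at UID 501

# stray_users PS_TEXT WHO_TEXT
#   PS_TEXT : lines of "uid user pid command", e.g. captured from
#             ps -axo uid=,user=,pid=,comm=
#   WHO_TEXT: output of `who` (first column is the logged-in account)
# Prints "user process_count" for each account with leftovers, sorted by name.
stray_users() {
    # Collapse the logged-in accounts into one space-separated line for awk.
    _active=$(printf '%s\n' "$2" | awk 'NF { print $1 }' | sort -u | tr '\n' ' ')
    printf '%s\n' "$1" | awk -v min="$MIN_UID" -v active="$_active" '
        BEGIN { n = split(active, a, " "); for (i = 1; i <= n; i++) on[a[i]] = 1 }
        NF < 3         { next }   # skip blank or malformed lines
        $1 + 0 < min   { next }   # root and system accounts
        $2 == "nobody" { next }   # uid -2 can print as a huge unsigned number
        $2 in on       { next }   # account still has a session
        { count[$2]++ }
        END { for (u in count) print u, count[u] }
    ' | sort
}

# Constructed sample data: user2 is logged in, user1 and user3 have logged out.
SAMPLE_PS='0 root 1 /sbin/launchd
89 _sysacct 212 /usr/libexec/example_daemon
4294967294 nobody 230 /usr/libexec/example_helper
501 user1 402 /sbin/launchd
501 user1 405 /usr/sbin/distnoted
501 user1 409 /usr/libexec/secd
502 user2 611 /sbin/launchd
502 user2 615 /usr/sbin/cfprefsd
503 user3 733 /usr/libexec/xpcd'

SAMPLE_WHO='user2    console  Sep  5 09:12
user2    ttys000  Sep  5 09:15'

# Report for the sample data; on a real machine pass the live command output.
stray_users "$SAMPLE_PS" "$SAMPLE_WHO"
```

Each reported account can then be reviewed, or passed to a per-user cleanup, instead of maintaining one scheduled job per user name.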
