Stray processes after a user logout

I am helping with the administration of a couple of mac machines, laptops and servers. I have some concerns:

• Security: the stray processes may cache sensitive information in the time the user has logged out. The owners of the laptops wouldn't like such a situation.
• Performance: I can't judge the impact of such processes on the performance currently, but I want to keep the running environments as simple as possible, especially on server machines.
• Battery life
• You guessed it right, I want simpler logs.

Also the insufficient or completely missing documentation about these processes amplifies my concerns.

I didn't find any reasonable documentation, but I did some experiments.

If you run the Activity Monitor app or some utility in the terminal (I built myself and used pstree), you can see the hierarchy of the processes:

|-+= <process_id_0> user1 /sbin/launchd

| |--= <process_id_1> user1 /usr/sbin/distnoted agent

| |--= <process_id_2> user1 /usr/sbin/cfprefsd agent

| |--= <process_id_3> user1 /System/Library/PrivateFrameworks/TCC.framework/Resources/tccd

| |--= <process_id_4> user1 /usr/libexec/secd

| |--= <process_id_5> user1 /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychai nProxy.bundle/Contents/MacOS/CloudKeychainProxy

| \--= <process_id_6> user1 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework /Versions/A/Support/mdflagwriter

|--= <process_id_7> user1 /usr/libexec/xpcd

|--= <process_id_8> user1 com.apple.IconServicesAgent

|--= <process_id_9> user1 com.apple.imdpersistence.IMDPersistenceAgent

Here <process_id_n> represents a number, the ID of the corresponding process. It turned out that I can kill the whole process tree started by the launchd for this particular user, as a superuser. The command from the terminal I used (note the '-' before the process ID of the launchd):

sudo kill -- -<process_id_0>

Then a couple of processes left, that don't belong to this tree that apparently have started separately:

|--= <process_id_7> user1 /usr/libexec/xpcd

|--= <process_id_8> user1 com.apple.IconServicesAgent

|--= <process_id_9> user1 com.apple.imdpersistence.IMDPersistenceAgent

An ordinary kill didn't stop these. I had to use the

KILL

signal

sudo kill -

KILL

Now I cannot guarantee 100% that we can safely use this approach to stop the stray user processes without corrupting files, because we cannot find documentation, BUT something like this has to happen automatically when you shut the computer down. So you can try it at your own risk (and please share your experience).

Still waiting for a better solution or explanation from Apple.

Important correction (sorry, pasted and didn't test): Use bash built-in kill command to terminate the process tree. Instead of:

sudo kill -- -<process_id_0>

use:

sudo bash -c "kill -- -<process_id_0>"

I gave it a try. I created a script that can be installed as a cron job and I will paste it at the end of the post. You can try to use it at your own risk.

Mini manual: The script will kill all the stray processes for a particular user on a machine, the user has logged out. Additionally the script would not kill the user processes in case it detects presence of a optional specified file in the command line (helpful if the user has automated processes). I'd recommend it to execute it periodically as a root user, in its crontab for example. Executing the script without command line arguments will result in a display of its usage.

Installation (ask a technical person if unsure): Copy the script source below and paste it in some script file, say as /usr/local/bin/kill_stray_processes, then give it executable rights. From the terminal it would look like something similar:

# Create /usr/local/bin in case it doesn't exist

sudo mkdir -p /usr/local/bin

# Use your favourite editor to paste the source of the script, here for example vi

sudo vi /usr/local/bin/kill_stray_processes

# After pasting the source, saving and closing the editor, set executable rights of the script

sudo chmod a+x /usr/local/bin/kill_stray_processes

The cron job to check and kill stray processes for user myuser every hour would look like this:

0 * * * * /usr/local/bin/kill_stray_processes myuser

Suppose an automated process creates temporarily a file /tmp/mylock and you don't want to kill processes at the time it runs. The cron job would look like this:

0 * * * * /usr/local/bin/kill_stray_processes myuser /tmp/mylock

The source of the script starts below (no empty line in the beginning):

#!/bin/bash

# SYNOPSIS:

# This is a command line utility that would kill processes belonging

# to a particular user which does not have login session. Additionally

# the script can take as a command line argument files which when present

# can cause it not to proceed with killing the stray processes.

#

# USAGE:

# kill_stray_user_processes <user> [<lock_file>...]

#

COMMAND=$0

COMMAND_PATH=`dirname $COMMAND`

pushd . > /dev/null

cd $COMMAND_PATH

COMMAND_PATH=`pwd`

COMMAND_NAME=`basename $0`

popd > /dev/null

#

USER="$1"

if [ -z "$USER" ]; then

echo "USAGE: $COMMAND_NAME <user> [<lock_file>...]"

exit 0

fi

shift 1

# In case of specified lock files check for their presence and exit if any

while [ -n "$1" ]; do

if [ -f "$1" ]; then

exit 0

fi

shift 1

done

# Make sure the user has logged out

if w | grep -q -i "^${USER}[[:space:]]"; then

exit 0

fi

# Kill the stray launchd's and all their subprocesses

for pid in `ps -jaxwww | grep -i "^${USER}[[:space:]]" | grep "/sbin/launchd" | awk '{print $2}'`; do

bash -c "kill -- -${pid}"

done

# Try to kill gracefully everything else

for pid in `ps -jaxwww | grep -i "^${USER}[[:space:]]" | awk '{print $2}'`; do

bash -c "kill -- -${pid}" 2> /dev/null

done

# Kill forcefully everything that has left

for pid in `ps -jaxwww | grep -i "^${USER}[[:space:]]" | awk '{print $2}'`; do

kill -9 $pid 2> /dev/null

done

You can ignore name mismatch in the script comment, excuses for the confusion. You can name the script as you wish. If you want to use the script without modifying it, you have to schedule automated jobs as root for every user you want to check. Example in the root crontab considering the usage above:

0 * * * * /usr/local/bin/kill_stray_processes user1

0 * * * * /usr/local/bin/kill_stray_processes user2 /tmp/lock2

0 * * * * /usr/local/bin/kill_stray_processes user3

The script served my case because I had not that many users per computer to deal with. You can reuse parts of it in a script that would cover your needs. I wouldn't recommend trying this for all the users on a machine, because the operating system has own designated users that run various processes. And last but not least, I'd expect that Apple will eventually address this issue. Hope this helps.