27 Aug
2014
27 Aug
'14
12:03 a.m.
On Wed, Aug 27, 2014 at 1:54 AM, Mark Lee <mark@markelee.com> wrote:
I was wondering regarding the killing of a zombie process. As far as I know, a zombied process is inherited by root when it's parent is killed. The kernel periodically calls wait() which reaps the zombie process and frees its memory. I was wondering if a possible attack could be mounted by the zombie process when it is inherited by root.
No, since a zombie process is dead and cannot execute any code. Also, "root" in this case refers to the process hierarchy root (PID 1; init or systemd) and not the user "root". Not the kernel but PID 1 is responsible for reaping.