Today, while using lsof to find which processes use libwrap, I got the following output:

>>> lsof | grep libwrap
...
lsof: no pwd entry for UID 33
lsof: no pwd entry for UID 33
lsof: no pwd entry for UID 33
lsof: no pwd entry for UID 33
lsof: no pwd entry for UID 33
lsof: no pwd entry for UID 33
lsof: no pwd entry for UID 33
lsof: no pwd entry for UID 33
lsof: no pwd entry for UID 33
lsof: no pwd entry for UID 33
lsof: no pwd entry for UID 33
lsof: no pwd entry for UID 33
lsof: no pwd entry for UID 33
lsof: no pwd entry for UID 33
lsof: no pwd entry for UID 33
sshd       5915           root  mem       REG              253,1     42520    1054255 /usr/lib64/libwrap.so.0.7.6
sshd       9512           root  mem       REG              253,1     42520    1054255 /usr/lib64/libwrap.so.0.7.6

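A large number of 'lsof: no pwd entry for UID 33' messages appears for one of two reasons:

  1. The process was started before the user was deleted and has been running ever since;
  2. The process was started inside a container.

On checking, the only processes with UID 33 were nginx worker processes, and on this server nginx runs only inside a container, so the second reason should be the cause.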

>>> ps -ef | grep 33
...
33        4334  4333  0 Feb07 ?        00:00:00 nginx: worker process
33        4335  4333  0 Feb07 ?        00:00:00 nginx: worker process
...
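
To tell the two causes apart, the following added example (not part of the original post) lists every process whose UID has no passwd entry on the host, together with its cgroup path; a path that names a container runtime points to the second cause. The function names and the optional proc-root and passwd-file arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find processes whose real UID has no passwd entry on the
# host and show their cgroup path as a hint of where they were started.
# The two optional arguments (proc root, passwd-format file) are
# hypothetical overrides so the function can be tried on constructed data.

uid_known() {
    # $1 = uid, $2 = optional passwd-format file; otherwise ask NSS via getent
    if [ -n "$2" ]; then
        awk -F: -v u="$1" '$3 == u { found = 1 } END { exit !found }' "$2"
    else
        getent passwd "$1" >/dev/null 2>&1
    fi
}

orphan_uid_procs() {
    proc_root=${1:-/proc}
    passwd_file=${2:-}
    for dir in "$proc_root"/[0-9]*; do
        # Processes can exit while we iterate, so skip unreadable entries
        [ -r "$dir/status" ] || continue
        uid=$(awk '/^Uid:/ { print $2; exit }' "$dir/status" 2>/dev/null)
        [ -n "$uid" ] || continue
        uid_known "$uid" "$passwd_file" && continue
        name=$(awk '/^Name:/ { print $2; exit }' "$dir/status" 2>/dev/null)
        # cgroup lines have the form hierarchy-ID:controllers:path
        cg=$(head -n 1 "$dir/cgroup" 2>/dev/null | cut -d: -f3-)
        printf '%s uid=%s name=%s cgroup=%s\n' \
            "${dir##*/}" "$uid" "$name" "${cg:-unknown}"
    done
}

# Scan the live system when invoked as: sh thisfile.sh scan
if [ "${1:-}" = "scan" ]; then
    orphan_uid_procs
fi
```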

As for why so many 'lsof: no pwd entry for UID 33' lines appear, the reason is not yet known.

The '-w' option filters out these messages:

>>> lsof -w | grep libwrap
auditd      464           root  mem       REG              253,1     42520    1054255 /usr/lib64/libwrap.so.0.7.6
auditd      464   465     root  mem       REG              253,1     42520    1054255 /usr/lib64/libwrap.so.0.7.6
sshd       5915           root  mem       REG              253,1     42520    1054255 /usr/lib64/libwrap.so.0.7.6
sshd       9512           root  mem       REG              253,1     42520    1054255 /usr/lib64/libwrap.so.0.7.6

References:
https://www.cnblogs.com/diyunpeng/archive/2012/06/30/2571307.html
https://unix.stackexchange.com/questions/193911/lsof-no-pwd-entry-for-uid#:~:text=Can%20also%20be,%E2%80%93%C2%A0
