How to find out who (what process) is starting another process?

Solution 1:

A direct answer to your question (but not your problem) would be: ps -axjf. That's a and x to see "all" processes (see man page for a more elaborate explanation of these parameters), j for jobs format and f for the fancy ASCII art tree. The ppid (first column) shows the parent process ID.

A more direct approach to check the PPid of a specific process would be to check the PPid in /proc/<processid>/status, like this: grep PPid /proc/2774/status.

Now let's focus on your problem. With the information you provided, my guess is that you're trying to kill one of the mail delivery processes (in most configurations, exim spawns a separate process for each message to be delivered under user root). These processes use the -Mc option. From the Exim manual:

-MC <transport> <hostname> <sequence number> <message id>

This option is not intended for use by external callers. It is used internally by Exim to invoke another instance of itself to deliver a waiting message using an existing SMTP connection, which is passed as the standard input. This must be the final option, and the caller must be root or the Exim user in order to use it.

There is a queue runner process (often found in ps like: /usr/local/exim-in/bin/exim -bd -q 10m under user mail; not root). Probably that's the parent process. Note that exim often has more than one queue runner process. To inspect what's going on - process-wise - you can use the ps command mentioned earlier.

You might want to check what messages are queuing up in your mail queue (and why).