Solved

kill processes of another user

Posted on 2001-08-30
17
286 Views
Last Modified: 2013-12-26
We have multiple users.  For example "crt100", "crt101", "crt102".  We need to have user "crt100"  kill any running processes associated with "crt101" and "crt102".  Do you have any suggestions?  I can't just change them all to be "root" in /etc/passwd because then I loose the true user ID that I need for other things.
0
Comment
Question by:dorinda
  • 6
  • 5
  • 3
  • +2
17 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6442636
ps aux|awk '($1=="ah"){print "kill -9 "$2}'|sh
# or (depending on your OS)
ps -ef|awk '($1=="ah"){print "kill -9 "$2}'
0
 

Author Comment

by:dorinda
ID: 6442652
Could you explain what your doing.  I am familiar with the ps -ef, and pipe, but what/how are is "crt100" able to kill "crt102" processes?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6442668
oops, please replace "ah" by "crt100", was typo, sorry
0
 

Author Comment

by:dorinda
ID: 6442711
What is in $2
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6442729
$2 in awk's input should be PID (produced by ps)
0
 
LVL 4

Expert Comment

by:newmang
ID: 6442955
ahoffmann

I understand your code but how can a user kill a task he does not own. Unless the user is root then he cannot kill tasks other than his own. At least this is the case on all the Unixes I administer (Solaris / AIX / Linux).

dorinda

You face a dilemma here. You can grant each user root access by changing their UID/GID in /etc/passwd to 0 (this is what gives the user root priveleges not the name of the account) but this is VERY dangerous to do as it destroys any concept of security in your system. It is not the way to go!

I suspect the best way out of this is to write a program that the user can invoke which would examine the task that the user wants to kill, check that it is a task invoked by another user, not root, and the kill that task. This program would be made setuid so it operates as a root authority program thus temporarily granting a non-root user the power of root just to do this particular function.

This is the method employed by the passwd program which allows non root users to update the password files which are not accessible by non-root users.

Cheers - Gavin
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6444415
newmang, you're right: must be done by root. That's obvious, so I didn't mention it, simle use my commands as follows:
   su root -c "command from previous comment"
(keep in mind to excape " inside su)

dorinda,
to allow crt100 to kill processes of user crt101 (and vice versa), you may use rsh (or better ssh) and do what you like.
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6445121
Another good solution here is sudo, which lets you specify exactly who's allowed to do what to whom.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 4

Expert Comment

by:newmang
ID: 6449377
ahoffmann

Surely if you invoke su root -c "command" then the user has to know the root password thereby still bypassing security.

sudo could do the job but if you give sudo access to the kill command then there is nothing to stop the user from accidentally or maliciously killing a process you don't really want killed - such as a system process.

If you create a script and then let the user use sudo to run that then you have the security problems associated with running scripts under root access.

I still think that a carefully written setuid program would be the answer as it addresses both the root problem and the ability of the user to do things you would rather not allow them to do while they have temporary root access.

Cheers - Gavin
0
 
LVL 5

Expert Comment

by:Droby10
ID: 6451889
you could write a wrapper to perform the necessary checks on the process prior to killing it, then allow the user to run the wrapper with sudo.

0
 

Author Comment

by:dorinda
ID: 6453509
I agree that setting the UID to root is not a good solution that is the reason I posted the question.  I guess I need more info on "sudo"  since I am not familiar with using that.  Or does anyone have a "wrapper" to change the setuid temporary so that the user can kill a process?
0
 
LVL 5

Expert Comment

by:Droby10
ID: 6454030
i think i wasn't as clear as i could have been.  the wrapper i was refering to was not a setuid wrapper. (sudo takes care of that)  i just meant a binary/script component that encapsulates the call to kill.

if you set the script with run only permissions for root and add the desired users to run that script within sudo then the script will execute as root and allow them access to kill...it's no different that running kill under sudo except that you can create your own checks and balances on what processes can and can't be killed prior to sending the actual signal.
0
 

Author Comment

by:dorinda
ID: 6454164
How do you use sudo?  I tried doing a man page on sudo but it didn't come back with anything.  I am using AT&T Unix System 5
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6454557
nothing to say against sudo, but setting up rsh/ssh would be a quick solution too.
0
 
LVL 4

Expert Comment

by:newmang
ID: 6454960
SUDO is not a standard part of Unix - you would have to load it down from the net and install it.

Droby10's suggestion about creating a script executable by root and then allowing certain users to run it unser sudo exposes a security weakness in that once the user is executing the shell script under sudo (as root) they can break out of the script and then they become a root user and can do what they like on the system (rm -rf / springs to mind!)

The problems inherent with such processes are the reasons why I suggested a c program to tackle the problem, this gives you control over what the user can do as long as the program is well written and assumes root capabilities for as short a time as possibel within the code.

Cheers - Gavin
0
 

Author Comment

by:dorinda
ID: 6471829
Does anyone have a "C" routine that will do this?
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 250 total points
ID: 6472468
system("ps -ef|awk '($1==\"crt101\"){print \"kill -9 \"$2}|sh'");
/*  :-))  */
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

Introduction: Hints for the grid button.  Nested classes, templated collections.  Squash that darned bug! Continuing from the sixth article about sudoku.   Open the project in visual studio. First we will finish with the SUD_SETVALUE messa…
Introduction: The undo support, implementing a stack. Continuing from the eigth article about sudoku.   We need a mechanism to keep track of the digits entered so as to implement an undo mechanism.  This should be a ‘Last In First Out’ collec…
This video will show you how to get GIT to work in Eclipse.   It will walk you through how to install the EGit plugin in eclipse and how to checkout an existing repository.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now