Solved

kill processes of another user

Posted on 2001-08-30
17
300 Views
Last Modified: 2013-12-26
We have multiple users.  For example "crt100", "crt101", "crt102".  We need to have user "crt100"  kill any running processes associated with "crt101" and "crt102".  Do you have any suggestions?  I can't just change them all to be "root" in /etc/passwd because then I loose the true user ID that I need for other things.
0
Comment
Question by:dorinda
  • 6
  • 5
  • 3
  • +2
17 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6442636
ps aux|awk '($1=="ah"){print "kill -9 "$2}'|sh
# or (depending on your OS)
ps -ef|awk '($1=="ah"){print "kill -9 "$2}'
0
 

Author Comment

by:dorinda
ID: 6442652
Could you explain what your doing.  I am familiar with the ps -ef, and pipe, but what/how are is "crt100" able to kill "crt102" processes?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6442668
oops, please replace "ah" by "crt100", was typo, sorry
0
 

Author Comment

by:dorinda
ID: 6442711
What is in $2
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6442729
$2 in awk's input should be PID (produced by ps)
0
 
LVL 4

Expert Comment

by:newmang
ID: 6442955
ahoffmann

I understand your code but how can a user kill a task he does not own. Unless the user is root then he cannot kill tasks other than his own. At least this is the case on all the Unixes I administer (Solaris / AIX / Linux).

dorinda

You face a dilemma here. You can grant each user root access by changing their UID/GID in /etc/passwd to 0 (this is what gives the user root priveleges not the name of the account) but this is VERY dangerous to do as it destroys any concept of security in your system. It is not the way to go!

I suspect the best way out of this is to write a program that the user can invoke which would examine the task that the user wants to kill, check that it is a task invoked by another user, not root, and the kill that task. This program would be made setuid so it operates as a root authority program thus temporarily granting a non-root user the power of root just to do this particular function.

This is the method employed by the passwd program which allows non root users to update the password files which are not accessible by non-root users.

Cheers - Gavin
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6444415
newmang, you're right: must be done by root. That's obvious, so I didn't mention it, simle use my commands as follows:
   su root -c "command from previous comment"
(keep in mind to excape " inside su)

dorinda,
to allow crt100 to kill processes of user crt101 (and vice versa), you may use rsh (or better ssh) and do what you like.
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6445121
Another good solution here is sudo, which lets you specify exactly who's allowed to do what to whom.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 4

Expert Comment

by:newmang
ID: 6449377
ahoffmann

Surely if you invoke su root -c "command" then the user has to know the root password thereby still bypassing security.

sudo could do the job but if you give sudo access to the kill command then there is nothing to stop the user from accidentally or maliciously killing a process you don't really want killed - such as a system process.

If you create a script and then let the user use sudo to run that then you have the security problems associated with running scripts under root access.

I still think that a carefully written setuid program would be the answer as it addresses both the root problem and the ability of the user to do things you would rather not allow them to do while they have temporary root access.

Cheers - Gavin
0
 
LVL 5

Expert Comment

by:Droby10
ID: 6451889
you could write a wrapper to perform the necessary checks on the process prior to killing it, then allow the user to run the wrapper with sudo.

0
 

Author Comment

by:dorinda
ID: 6453509
I agree that setting the UID to root is not a good solution that is the reason I posted the question.  I guess I need more info on "sudo"  since I am not familiar with using that.  Or does anyone have a "wrapper" to change the setuid temporary so that the user can kill a process?
0
 
LVL 5

Expert Comment

by:Droby10
ID: 6454030
i think i wasn't as clear as i could have been.  the wrapper i was refering to was not a setuid wrapper. (sudo takes care of that)  i just meant a binary/script component that encapsulates the call to kill.

if you set the script with run only permissions for root and add the desired users to run that script within sudo then the script will execute as root and allow them access to kill...it's no different that running kill under sudo except that you can create your own checks and balances on what processes can and can't be killed prior to sending the actual signal.
0
 

Author Comment

by:dorinda
ID: 6454164
How do you use sudo?  I tried doing a man page on sudo but it didn't come back with anything.  I am using AT&T Unix System 5
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6454557
nothing to say against sudo, but setting up rsh/ssh would be a quick solution too.
0
 
LVL 4

Expert Comment

by:newmang
ID: 6454960
SUDO is not a standard part of Unix - you would have to load it down from the net and install it.

Droby10's suggestion about creating a script executable by root and then allowing certain users to run it unser sudo exposes a security weakness in that once the user is executing the shell script under sudo (as root) they can break out of the script and then they become a root user and can do what they like on the system (rm -rf / springs to mind!)

The problems inherent with such processes are the reasons why I suggested a c program to tackle the problem, this gives you control over what the user can do as long as the program is well written and assumes root capabilities for as short a time as possibel within the code.

Cheers - Gavin
0
 

Author Comment

by:dorinda
ID: 6471829
Does anyone have a "C" routine that will do this?
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 250 total points
ID: 6472468
system("ps -ef|awk '($1==\"crt101\"){print \"kill -9 \"$2}|sh'");
/*  :-))  */
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction: Database storage, where is the exe actually on the disc? Playing a game selected randomly (how to generate random numbers).  Error trapping with try..catch to help the code run even if something goes wrong. Continuing from the seve…
If you use Adobe Reader X it is possible you can't open OLE PDF documents in the standard. The reason is the 'save box mode' in adobe reader X. Many people think the protected Mode of adobe reader x is only to stop the write access. But this fe…
This video will show you how to get GIT to work in Eclipse.   It will walk you through how to install the EGit plugin in eclipse and how to checkout an existing repository.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now