topic Re: Limiting "sudo kill" to killing only user processes in Operating System - HP-UX

Limiting "sudo kill" to killing only user processes

TheJuiceman — Fri, 03 Jun 2011 02:09:43 GMT

Hey gang,

Has anyone come up with a way to allow a user to sudo kill but restricting it so it cannot kill system processes, etc? Basically I want the user to be able to kill only user processes.

Thanks

Re: Limiting "sudo kill" to killing only user processes

Patrick Wallek — Fri, 03 Jun 2011 02:21:21 GMT

You would have to write a wrapper script for kill. The script would take the pid that you provide and make sure that it is allowed to be killed.

Re: Limiting "sudo kill" to killing only user processes

TheJuiceman — Fri, 03 Jun 2011 02:23:13 GMT

Agreed. How would be the best way to write a script like that? Thanks

Re: Limiting "sudo kill" to killing only user processes

TheJuiceman — Fri, 03 Jun 2011 02:26:00 GMT

And it doesn't have to be "kill" per se. I could have them run a different script called, say, "killuser" to perform the task. I'm just not sure how to put in all the "safety guards" to make sure the script works without accidents or loopholes. Thanks.

Re: Limiting "sudo kill" to killing only user processes

Steven E. Protter — Fri, 03 Jun 2011 05:01:57 GMT

Shalom,

The OS is set up to only let users kill processes they would have permissions to. Their own, stuff launched by their own group.

Give sudo kill they can of course do anything.

To have a granular kill, you need a script to take care of the decision to kill or not to kill.

Someone may want to write that script for you, but its a project and if I can't write the script in a few minutes, or have it in inventory, I usually refer you to a consultant (sometimes me).

I would in such a script check the process table and kill based on characteristics I find there.

I mean if you only want to kill user scripts a simple way is to check for root and other system users, those are system, and any other user have at it.

Give your users this power and they will crash something important. I can almost give you a warranty on that.

SEP

Re: Limiting "sudo kill" to killing only user processes

Dennis Handly — Fri, 03 Jun 2011 05:55:21 GMT

>I want the user to be able to kill only user processes.

What's your definition of a user process? Anyone that isn't root, lp or sfmdb?
Or a UID < 1000?

#!/usr/bin/sh
# Kill a list of PIDs and skip ones for users
# with UID < 1000

for pid in $*; do
uid=$(UNIX95=EXTENDED_PS ps -p $pid -ouid=)
if [ $uid < 1000 ]; then
echo "skip system process" 2>&1
continue
fi
kill $pid
done

Re: Limiting "sudo kill" to killing only user processes

TheJuiceman — Mon, 13 Jun 2011 13:10:45 GMT

Thanks Dennis. That is closer to what I am looking for. Just need to put in "safe guards" to eliminate possible mistakes or work-arounds. Any suggestions?

Re: Limiting "sudo kill" to killing only user processes

James R. Ferguson — Mon, 13 Jun 2011 14:03:44 GMT

Hi:

> Just need to put in "safe guards" to eliminate possible mistakes or work-arounds.

By setting UNIX95 (XPG4) behavior you have the ability to create custom 'ps' queries as the manpages document. As Dennis suggested, you could limit candidates to those whose UID is in an acceptable range. You might want to evaluate based on elapsed runtime and or combinations of parameters (e.g. uid, etime and command name).

WIth the 'UNIX95' behavior, selection by command name can be made "exactly" with the '-C' option:

# UNIX95= ps -C sh -opid -ouid= -oetime=

...which would return a list of 'sh' processes where the list consists of the 'pid', 'uid' and elapsed time without a heading (which is what the "=" suppresses. You could then further parse this output to collect a subset of pids to kill.

Regards!

...JRF...

Re: Limiting "sudo kill" to killing only user processes

TheJuiceman — Wed, 20 Jul 2011 13:07:03 GMT

Thank you for the responses. Would there be an easy way to limit the processes being killed to those being started by someone/something in a particular group (ie. only processes started by someone in group "users")? This would be a better (and safer) solution for me than limiting UID's to under 1000, etc. Thanks!!!!

Re: Limiting "sudo kill" to killing only user processes

TheJuiceman — Wed, 20 Jul 2011 13:22:49 GMT

errr.....I mean UID > 1000.....you know what I mean ha

Re: Limiting "sudo kill" to killing only user processes

James R. Ferguson — Wed, 20 Jul 2011 13:23:12 GMT

@TheJuiceman wrote:
Would there be an easy way to limit the processes being killed to those being started by someone/something in a particular group (ie. only processes started by someone in group "users")?

Well, again, using the UNIX95 behavior allows you to collect various views of *group* information. For that matter, the 'ps' can specify group numbers or names given in a 'gidlist' argument ('-G gidlist).

You should really look at the manpages for 'ps(1)'.

Regards!

...JRF...

Re: Limiting "sudo kill" to killing only user processes

Pete Randall — Wed, 20 Jul 2011 13:24:30 GMT

The man pages are your friend. Looking at "man (1) ps", you will see the "-G gidlist" option, which will "Select processes whose real groupd ID numbers or group names are given in gidlist"

Re: Limiting "sudo kill" to killing only user processes

Steven E. Protter — Wed, 20 Jul 2011 14:23:58 GMT

Shalom,

The default properties of the OS protect system protect system processes from kill. I recommend a wrapper script as Patrick suggests.

Give sudo rights to the wrapper script not kill. Set the permissions very carefully on the script.

Regards,

SEP

Re: Limiting "sudo kill" to killing only user processes

TheJuiceman — Wed, 20 Jul 2011 15:40:29 GMT

Thanks. It looks like the "UNIX95= ps -G <group>" route may be the way to go for me.

How could I best write a "wrapper" so that when someone calls my "kill" script via sudo such as....

sudo kill 123 456 789 12345 ... ...

that the script will determine that processes "123", "456", etc are GID of the group I am allowing kill access and allow the kill?

Thank you again for your help.

Re: Limiting "sudo kill" to killing only user processes

TheJuiceman — Wed, 20 Jul 2011 15:46:00 GMT

the "sudo kill" would not be for the actual "kill" command. I was just using that to demonstrate what I wish to do. Thanks!!!

Re: Limiting "sudo kill" to killing only user processes

James R. Ferguson — Wed, 20 Jul 2011 16:02:46 GMT

@TheJuiceman wrote:
Thanks. It looks like the "UNIX95= ps -G <group>" route may be the way to go for me.
How could I best write a "wrapper" so that when someone calls my "kill" script via sudo such as....
sudo kill 123 456 789 12345 ... ...
that the script will determine that processes "123", "456", etc are GID of the group I am allowing kill access and allow the kill?

Hi:

Why do you need another script to call your script? I assume that you simply need an argument that denotes the GID of processes you want to kill. All you need do is collect the PIDs that match your criteria and issue a 'kill' for that list.

For that matter, if you are running 11.31, have a look at 'pkill(1)'.

Regards!

...JRF...

Re: Limiting "sudo kill" to killing only user processes

TheJuiceman — Wed, 20 Jul 2011 16:35:02 GMT

Unfortunately, this is a 11.23 box.

You are correct. I just need a way to limit the kill command to executing against PID's that fit my GID criteria.

Example:

sudo scriptkill 123 456 7890

- Do these EXACT processes 123, 456, and 7890 exist?

- If so, do they meet the GID requirement?

- If so, perform a kill on these EXACT PID's, no wildcards or partial returns (ie. allow a kill on process "123" but not "1234" or "2123" ).

- If the criterias are not met, do not allow a kill.

Thanks

Re: Limiting "sudo kill" to killing only user processes

James R. Ferguson — Wed, 20 Jul 2011 16:58:57 GMT

Hi (again):

@TheJuiceman wrote:
You are correct. I just need a way to limit the kill command to executing against PID's that fit my GID criteria.
Example:
sudo scriptkill 123 456 7890

- Do these EXACT processes 123, 456, and 7890 exist?
- If so, do they meet the GID requirement?
- If so, perform a kill on these EXACT PID's, no wildcards or partial returns (ie. allow a kill on process "123" but not "1234" or "2123" ).- If the criterias are not met, do not allow a kill

Leveraging the '-p PID' argument to first find candidates:

# ps -p <PID> -o pid= -o gid=

This gives you a list (in two columns) of PIDs and GIDs. If you like, you can fetch a list of processes like:

# ps -p 123,456,7890 -o pid= -o gid=

The "=" sign after each specification suppresses the header line making further parsing of the list easier.

Add any additional columns as necessary; walk the list; match what you want; extract the first field (column) for a PID to kill()'

Regards!

...JRF...

Re: Limiting "sudo kill" to killing only user processes

Dennis Handly — Wed, 20 Jul 2011 19:08:30 GMT

>- If so, do they meet the GID requirement?

Just take my script above and use "-ogid=" and then check for equality:

gid=$(UNIX95=EXTENDED_PS ps -p $pid -ogid=)
if [ "$gid" != some-magic-gid ]; then
echo "skip wrong group process" 2>&1
continue

Re: Limiting "sudo kill" to killing only user processes

TheJuiceman — Thu, 21 Jul 2011 15:58:25 GMT

You guys are the best!!!!

This is really close now. Just one last piece.....is there a way to prevent wildcards? I would like to prevent someone from executing something like "sudo scriptkill * " or "sudo scriptkill abcd". The latter returns a nasty message. The wildcard, however, is returning a lot of "interesting" possiblities....yikes!!! Is there a way to restrict the input to accept only numerical entries and no wildcards?

Thanks again!!!