06-02-2011 07:09 PM
Has anyone come up with a way to allow a user to sudo kill but restricting it so it cannot kill system processes, etc? Basically I want the user to be able to kill only user processes.
Thanks
- Tags:
- sudo
06-02-2011 07:21 PM
Re: Limiting "sudo kill" to killing only user processes
06-02-2011 07:23 PM
Re: Limiting "sudo kill" to killing only user processes
06-02-2011 07:26 PM
Re: Limiting "sudo kill" to killing only user processes
06-02-2011 10:01 PM
Re: Limiting "sudo kill" to killing only user processes
The OS is set up to only let users kill processes they would have permissions to. Their own, stuff launched by their own group.
Given sudo kill, they can of course do anything.
To have a granular kill, you need a script to take care of the decision to kill or not to kill.
Someone may want to write that script for you, but it's a project and if I can't write the script in a few minutes, or have it in inventory, I usually refer you to a consultant (sometimes me).
I would in such a script check the process table and kill based on characteristics I find there.
I mean if you only want to kill user scripts a simple way is to check for root and other system users, those are system, and any other user have at it.
Give your users this power and they will crash something important. I can almost give you a warranty on that.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
06-02-2011 10:55 PM
Re: Limiting "sudo kill" to killing only user processes
What's your definition of a user process? Anyone that isn't root, lp or sfmdb?
Or a UID < 1000?
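#!/usr/bin/sh
# Kill a list of PIDs and skip ones for users
# with UID < 1000
for pid in "$@"; do
    # UNIX95 enables the XPG4 ps options; "uid=" prints the UID with no header
    uid=$(UNIX95=EXTENDED_PS ps -p "$pid" -ouid= | tr -d ' ')
    # Empty output means ps found no such process
    if [ -z "$uid" ]; then
        echo "no such process: $pid" >&2
        continue
    fi
    # Numeric comparison needs -lt; "<" inside [ ] is an input redirection
    if [ "$uid" -lt 1000 ]; then
        echo "skip system process" >&2
        continue
    fi
    kill "$pid"
done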
06-13-2011 06:10 AM
Re: Limiting "sudo kill" to killing only user processes
06-13-2011 07:03 AM
Re: Limiting "sudo kill" to killing only user processes
> Just need to put in "safe guards" to eliminate possible mistakes or work-arounds.
By setting UNIX95 (XPG4) behavior you have the ability to create custom 'ps' queries as the manpages document. As Dennis suggested, you could limit candidates to those whose UID is in an acceptable range. You might want to evaluate based on elapsed runtime and/or combinations of parameters (e.g. uid, etime and command name).
With the 'UNIX95' behavior, selection by command name can be made "exactly" with the '-C' option:
# UNIX95= ps -C sh -opid= -ouid= -oetime=
...which would return a list of 'sh' processes where the list consists of the 'pid', 'uid' and elapsed time without a heading (which is what the "=" suppresses). You could then further parse this output to collect a subset of pids to kill.
Regards!
...JRF...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО07-20-2011 06:07 AM
тАО07-20-2011 06:07 AM
Re: Limiting "sudo kill" to killing only user processes
Thank you for the responses. Would there be an easy way to limit the processes being killed to those being started by someone/something in a particular group (i.e. only processes started by someone in group "users")? This would be a better (and safer) solution for me than limiting UIDs to under 1000, etc. Thanks!!!!
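
The ps-output parsing suggested earlier in the thread and the group restriction asked about above, combined into one wrapper that sudoers could point at instead of kill itself. This is an added example, not code from any poster; the names `safekill`, `filter_killable` and `killable_pids`, the group "users", the UID floor of 1000 and the sample rows are assumptions, and the `-o` column names are the XPG4 ones.

```shell
#!/bin/sh
# Added example, not from the thread. Policy values below are assumptions.
ALLOWED_GROUP="users"   # group named in the question above
MIN_UID=1000            # floor taken from the "UID < 1000" suggestion

# Read "pid uid group comm" rows on stdin and print only the PIDs that
# pass every check. Malformed rows are refused rather than guessed at.
filter_killable() {
    while read -r pid uid group comm; do
        case "$pid" in ''|*[!0-9]*) continue ;; esac
        case "$uid" in ''|*[!0-9]*) continue ;; esac
        [ "$pid" -gt 1 ] || continue              # never init
        [ "$uid" -ge "$MIN_UID" ] || continue     # skip system accounts
        [ "$group" = "$ALLOWED_GROUP" ] || continue
        echo "$pid"
    done
}

# Look up the requested PIDs with ps and return the allowed subset.
# Only purely numeric arguments reach ps, so "-1", "-9" or "--" are
# rejected before they can ever be handed to kill.
killable_pids() {
    for arg in "$@"; do
        case "$arg" in
            ''|*[!0-9]*) echo "rejected argument: $arg" >&2; continue ;;
        esac
        UNIX95= ps -p "$arg" -o pid= -o uid= -o group= -o comm=
    done | filter_killable
}

# Entry point: sends the default signal (TERM) only, never a caller-chosen one.
safekill() {
    for pid in $(killable_pids "$@"); do
        kill "$pid"
    done
}

# Constructed sample rows in the "pid uid group comm" layout (not real output)
SAMPLE_PS='    1     0 root  init
 2301     0 root  syslogd
 4410  1004 users sh
 4522  1007 dba   oracle
 4600   105 users lpsched
 4711  1012 users java'

if [ "$#" -gt 0 ]; then safekill "$@"; fi
```

The lookup and the kill are separate steps, so a PID can exit and be reused in between; the wrapper narrows what sudo allows but does not remove that race.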
07-20-2011 06:22 AM