- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- Limiting "sudo kill" to killing only user processe...
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО07-20-2011 06:23 AM
тАО07-20-2011 06:23 AM
Re: Limiting "sudo kill" to killing only user processes
@TheJuiceman wrote:Would there be an easy way to limit the processes being killed to those being started by someone/something in a particular group (ie. only processes started by someone in group "users")?
Well, again, using the UNIX95 behavior allows you to collect various views of *group* information. For that matter, the 'ps' can specify group numbers or names given in a 'gidlist' argument ('-G gidlist).
You should really look at the manpages for 'ps(1)'.
Regards!
...JRF...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО07-20-2011 06:24 AM
тАО07-20-2011 06:24 AM
Re: Limiting "sudo kill" to killing only user processes
The man pages are your friend. Looking at "man (1) ps", you will see the "-G gidlist" option, which will "Select processes whose real groupd ID numbers or group names are given in gidlist"
Pete
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО07-20-2011 07:23 AM
тАО07-20-2011 07:23 AM
Re: Limiting "sudo kill" to killing only user processes
The default properties of the OS protect system protect system processes from kill. I recommend a wrapper script as Patrick suggests.
Give sudo rights to the wrapper script not kill. Set the permissions very carefully on the script.
Regards,
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО07-20-2011 08:40 AM
тАО07-20-2011 08:40 AM
Re: Limiting "sudo kill" to killing only user processes
Thanks. It looks like the "UNIX95= ps -G <group>" route may be the way to go for me.
How could I best write a "wrapper" so that when someone calls my "kill" script via sudo such as....
sudo kill 123 456 789 12345 ... ...
that the script will determine that processes "123", "456", etc are GID of the group I am allowing kill access and allow the kill?
Thank you again for your help.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО07-20-2011 08:46 AM
тАО07-20-2011 08:46 AM
Re: Limiting "sudo kill" to killing only user processes
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО07-20-2011 09:02 AM
тАО07-20-2011 09:02 AM
Re: Limiting "sudo kill" to killing only user processes
@TheJuiceman wrote:Thanks. It looks like the "UNIX95= ps -G <group>" route may be the way to go for me.
How could I best write a "wrapper" so that when someone calls my "kill" script via sudo such as....
sudo kill 123 456 789 12345 ... ...
that the script will determine that processes "123", "456", etc are GID of the group I am allowing kill access and allow the kill?
Hi:
Why do you need another script to call your script? I assume that you simply need an argument that denotes the GID of processes you want to kill. All you need do is collect the PIDs that match your criteria and issue a 'kill' for that list.
For that matter, if you are running 11.31, have a look at 'pkill(1)'.
Regards!
...JRF...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО07-20-2011 09:35 AM
тАО07-20-2011 09:35 AM
Re: Limiting "sudo kill" to killing only user processes
Unfortunately, this is a 11.23 box.
You are correct. I just need a way to limit the kill command to executing against PID's that fit my GID criteria.
Example:
sudo scriptkill 123 456 7890
- Do these EXACT processes 123, 456, and 7890 exist?
- If so, do they meet the GID requirement?
- If so, perform a kill on these EXACT PID's, no wildcards or partial returns (ie. allow a kill on process "123" but not "1234" or "2123" ).
- If the criterias are not met, do not allow a kill.
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО07-20-2011 09:58 AM
тАО07-20-2011 09:58 AM
Re: Limiting "sudo kill" to killing only user processes
Hi (again):
@TheJuiceman wrote:You are correct. I just need a way to limit the kill command to executing against PID's that fit my GID criteria.
Example:sudo scriptkill 123 456 7890
- Do these EXACT processes 123, 456, and 7890 exist?
- If so, do they meet the GID requirement?
- If so, perform a kill on these EXACT PID's, no wildcards or partial returns (ie. allow a kill on process "123" but not "1234" or "2123" ).- If the criterias are not met, do not allow a kill
Leveraging the '-p PID' argument to first find candidates:
# ps -p <PID> -o pid= -o gid=
This gives you a list (in two columns) of PIDs and GIDs. If you like, you can fetch a list of processes like:
# ps -p 123,456,7890 -o pid= -o gid=
The "=" sign after each specification suppresses the header line making further parsing of the list easier.
Add any additional columns as necessary; walk the list; match what you want; extract the first field (column) for a PID to kill()'
Regards!
...JRF...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО07-20-2011 10:37 AM - edited тАО07-20-2011 12:08 PM
тАО07-20-2011 10:37 AM - edited тАО07-20-2011 12:08 PM
Re: Limiting "sudo kill" to killing only user processes
>- If so, do they meet the GID requirement?
Just take my script above and use "-ogid=" and then check for equality:
gid=$(UNIX95=EXTENDED_PS ps -p $pid -ogid=)
if [ "$gid" != some-magic-gid ]; then
echo "skip wrong group process" 2>&1
continue
fi
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО07-21-2011 08:58 AM
тАО07-21-2011 08:58 AM
Re: Limiting "sudo kill" to killing only user processes
You guys are the best!!!!
This is really close now. Just one last piece.....is there a way to prevent wildcards? I would like to prevent someone from executing something like "sudo scriptkill * " or "sudo scriptkill abcd". The latter returns a nasty message. The wildcard, however, is returning a lot of "interesting" possiblities....yikes!!! Is there a way to restrict the input to accept only numerical entries and no wildcards?
Thanks again!!!