Operating System - HP-UX

Limiting "sudo kill" to killing only user processes

 
James R. Ferguson
Acclaimed Contributor

Re: Limiting "sudo kill" to killing only user processes



@TheJuiceman wrote:
Would there be an easy way to limit the processes being killed to those being started by someone/something in a particular group (ie. only processes started by someone in group "users")?

Well, again, using the UNIX95 behavior allows you to collect various views of *group* information.  For that matter, 'ps' can accept group numbers or names given in a 'gidlist' argument ('-G gidlist').

You should really look at the manpages for 'ps(1)'.

 

Regards!

 

...JRF...

Pete Randall
Outstanding Contributor

Re: Limiting "sudo kill" to killing only user processes

The man pages are your friend.  Looking at "man (1) ps", you will see the "-G gidlist" option, which will "Select processes whose real group ID numbers or group names are given in gidlist".


Pete
Steven E. Protter
Exalted Contributor

Re: Limiting "sudo kill" to killing only user processes

Shalom,

The default properties of the OS protect system processes from kill. I recommend a wrapper script as Patrick suggests.

Give sudo rights to the wrapper script not kill. Set the permissions very carefully on the script.

Regards,

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
TheJuiceman
Super Advisor

Re: Limiting "sudo kill" to killing only user processes

Thanks.  It looks like the "UNIX95= ps -G <group>" route may be the way to go for me.

How could I best write a "wrapper" so that when someone calls my "kill" script via sudo such as....

sudo kill 123 456 789 12345 ... ...

that the script will determine that processes "123", "456", etc. have the GID of the group I am allowing kill access for, and allow the kill?

Thank you again for your help.

TheJuiceman
Super Advisor

Re: Limiting "sudo kill" to killing only user processes

The "sudo kill" would not be for the actual "kill" command. I was just using that to demonstrate what I wish to do. Thanks!!!
James R. Ferguson
Acclaimed Contributor

Re: Limiting "sudo kill" to killing only user processes


@TheJuiceman wrote:

Thanks.  It looks like the "UNIX95= ps -G <group>" route may be the way to go for me.

How could I best write a "wrapper" so that when someone calls my "kill" script via sudo such as....

sudo kill 123 456 789 12345 ... ...

that the script will determine that processes "123", "456", etc. have the GID of the group I am allowing kill access for, and allow the kill?


Hi:

Why do you need another script to call your script?  I assume that you simply need an argument that denotes the GID of processes you want to kill.  All you need to do is collect the PIDs that match your criteria and issue a 'kill' for that list.

For that matter, if you are running 11.31, have a look at 'pkill(1)'.

Regards!

...JRF...

TheJuiceman
Super Advisor

Re: Limiting "sudo kill" to killing only user processes

Unfortunately, this is an 11.23 box.

You are correct.  I just need a way to limit the kill command to executing against PIDs that fit my GID criteria.

Example:

sudo scriptkill 123 456 7890

-  Do these EXACT processes 123, 456, and 7890 exist?

-  If so, do they meet the GID requirement?

-  If so, perform a kill on these EXACT PIDs, no wildcards or partial returns (i.e. allow a kill on process "123" but not "1234" or "2123").

-  If the criteria are not met, do not allow a kill.

Thanks

James R. Ferguson
Acclaimed Contributor

Re: Limiting "sudo kill" to killing only user processes

Hi (again):


@TheJuiceman wrote:

You are correct.  I just need a way to limit the kill command to executing against PIDs that fit my GID criteria.
Example:

sudo scriptkill 123 456 7890

-  Do these EXACT processes 123, 456, and 7890 exist?

-  If so, do they meet the GID requirement?

-  If so, perform a kill on these EXACT PIDs, no wildcards or partial returns (i.e. allow a kill on process "123" but not "1234" or "2123").

-  If the criteria are not met, do not allow a kill.


Leveraging the '-p PID' argument to first find candidates (UNIX95 must be set for 'ps -o' on HP-UX):

# UNIX95= ps -p <PID> -o pid= -o gid=

This gives you a list (in two columns) of PIDs and GIDs.  If you like, you can fetch a list of processes like:

# UNIX95= ps -p 123,456,7890 -o pid= -o gid=

The "=" sign after each specification suppresses the header line, making further parsing of the list easier.

Add any additional columns as necessary; walk the list; match what you want; extract the first field (column) for a PID to kill().

Regards!

...JRF...
Dennis Handly
Acclaimed Contributor

Re: Limiting "sudo kill" to killing only user processes

>-  If so, do they meet the GID requirement?

 

Just take my script above and use "-ogid=" and then check for equality:

gid=$(UNIX95=EXTENDED_PS ps -p "$pid" -ogid=)
if [ "$gid" != some-magic-gid ]; then
    echo "skip wrong group process" >&2   # diagnostic goes to stderr
    continue
fi

TheJuiceman
Super Advisor

Re: Limiting "sudo kill" to killing only user processes

You guys are the best!!!!

This is really close now.  Just one last piece.....is there a way to prevent wildcards?  I would like to prevent someone from executing something like "sudo scriptkill *" or "sudo scriptkill abcd".  The latter returns a nasty message.  The wildcard, however, is returning a lot of "interesting" possibilities....yikes!!!  Is there a way to restrict the input to accept only numerical entries and no wildcards?

Thanks again!!!
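Putting the thread's pieces together (exact PIDs only, the 'ps -o gid=' group check, and the numeric-only argument filter asked for in the last post) as a wrapper that a sudo rule can point at instead of kill; this is an added example, not any participant's script, and ALLOWED_GID, the function names and the GID value 100 are placeholders to adjust.

```shell
#!/bin/sh
# scriptkill: kill only the exact PIDs named on the command line, and only when the
# process runs under the permitted real GID. ALLOWED_GID=100 is a placeholder for the
# real group's numeric GID. On HP-UX, UNIX95 must be set for 'ps -o' to work.
ALLOWED_GID="${ALLOWED_GID:-100}"

# Accept only a plain positive decimal integer. Rejects "abcd", "-9" (no signal can be
# smuggled in), "-123" (a process group), "0" (the caller's own group) and whatever a
# wildcard expanded to: the caller's shell expands '*' before sudo runs, so the wrapper
# only ever sees file names, which fail this test.
is_pid() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
    return 0
}

# Real GID of an existing PID; prints nothing when the process does not exist.
gid_of() {
    UNIX95=EXTENDED_PS ps -p "$1" -o gid= 2>/dev/null | tr -d ' '
}

# Decide for one argument. Returns 0 = kill it, 1 = not a PID, 2 = no such process,
# 3 = wrong group. The lookup function is a parameter so the decision logic can be
# exercised against canned data instead of a live process table.
check_pid() {
    lookup=${2:-gid_of}
    is_pid "$1" || return 1
    gid=$("$lookup" "$1") || gid=""
    [ -n "$gid" ] || return 2
    [ "$gid" = "$ALLOWED_GID" ] || return 3
    return 0
}

main() {
    [ $# -gt 0 ] || { echo "usage: scriptkill PID ..." >&2; exit 2; }
    rc=0
    for arg in "$@"; do
        check_pid "$arg"
        case $? in
            0) kill "$arg" || rc=1 ;;   # PID reuse between check and kill is a small but real window
            1) echo "skip '$arg': not a numeric PID" >&2; rc=1 ;;
            2) echo "skip $arg: no such process" >&2; rc=1 ;;
            3) echo "skip $arg: not in group $ALLOWED_GID" >&2; rc=1 ;;
        esac
    done
    exit $rc
}

# Run only when invoked as the installed script, so the functions can also be sourced.
case "${0##*/}" in scriptkill) main "$@" ;; esac
```

Grant sudo on the installed path of this script only, keep it root-owned and not group- or world-writable, and users cannot reach kill's signal or process-group syntax through it.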