Recipe 5.15 Killing Processes via sudo

5.15.1 Problem

Allow a user to kill a certain process but no others.

5.15.2 Solution

Create a script that looks up the process's PID at runtime, verifies that the PID really belongs to the intended program, and then signals it. Grant the user the right to run that script, with no arguments, in /etc/sudoers.

5.15.3 Discussion

Because we don't know a process's PID until runtime, we cannot solve this problem with /etc/sudoers alone: sudoers is static and can only list fixed command lines, so a rule like "kill 1234" is stale as soon as the process restarts. You need a script that deduces the PID, checks it, and issues the kill.

For example, to let users restart sshd (sending SIGHUP makes the master sshd reread its configuration):

#!/bin/sh
pidfile=/var/run/sshd.pid
sshd=/usr/sbin/sshd

# sanity check that pid is numeric: take the first line of the pidfile
# only if it consists entirely of digits, otherwise $pid stays empty
pid=`/usr/bin/perl -ne 'print if /^\d+$/; last;' $pidfile`
if [ -z "$pid" ]
then
        echo "$0: error: non-numeric or missing pid in $pidfile" 1>&2
        exit 1
fi

# sanity check that pid is a running process
if [ ! -d "/proc/$pid" ]
then
        echo "$0: no such process" 1>&2
        exit 1
fi

# sanity check that pid is sshd: /proc/PID/exe is a symlink to the
# executable actually running, which a pidfile entry cannot forge.
# Quoted so an empty readlink result cannot break the comparison.
if [ "`readlink "/proc/$pid/exe"`" != "$sshd" ]
then
        echo "$0: error: attempt to kill non-sshd process" 1>&2
        exit 1
fi

kill -HUP "$pid"

Call the script /usr/local/bin/sshd-restart and let users invoke it via sudo:

# /etc/sudoers:
smith ALL = /usr/local/bin/sshd-restart ""

The empty double-quotes prevent arguments from being passed to the script. [Recipe 5.9] Because sudo runs the script as root, the script file (and the directory holding it) must be owned by root and not writable by the users allowed to invoke it; otherwise they can edit it into an arbitrary root shell.
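The same checks, factored into reusable functions so the pidfile, expected executable and signal are parameters rather than constants. This is an added example and not code from the book; the function names read_pid, pid_is_exe and signal_from_pidfile, and the script name sshd-restart, are this example's own choices. It also rejects a few pidfile contents the perl one-liner above accepts, such as a leading zero or a bare "0".

```shell
#!/bin/sh
# Added example (not from the book): the sshd-restart checks above, split
# into reusable functions. Names read_pid, pid_is_exe, signal_from_pidfile
# and the script name sshd-restart are this example's own choices.

# Print the PID stored in PIDFILE and return 0, or return 1 if the file is
# unreadable, empty, or its first line is not a plain positive integer
# (no sign, whitespace or leading zero, so "0", " 42" and "-1" are rejected).
read_pid() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    line=
    # read fails on a file with no trailing newline but still fills $line
    IFS= read -r line < "$pidfile" || [ -n "$line" ] || return 1
    case $line in
        ''|*[!0-9]*) return 1 ;;  # empty, or contains a non-digit
        0*)          return 1 ;;  # leading zero (also rejects "0")
    esac
    printf '%s\n' "$line"
}

# Return 0 only if process PID exists and its executable is EXPECTED_EXE.
# /proc/PID/exe of another user's process is readable only by root, which
# is the case when the script runs under sudo.
pid_is_exe() {
    pid=$1
    expected=$2
    [ -d "/proc/$pid" ] || return 1
    actual=$(readlink "/proc/$pid/exe" 2>/dev/null) || return 1
    # If the binary was replaced on disk the link reads "... (deleted)",
    # so the comparison fails, which is the safe outcome.
    [ "$actual" = "$expected" ]
}

# Send signal SIG (default TERM) to the process named in PIDFILE, but only
# after both checks pass. Diagnostics go to stderr; status 1 on any failure.
signal_from_pidfile() {
    pidfile=$1
    expected=$2
    sig=${3:-TERM}
    pid=$(read_pid "$pidfile") || {
        echo "$0: error: bad or missing pid in $pidfile" 1>&2
        return 1
    }
    pid_is_exe "$pid" "$expected" || {
        echo "$0: error: pid $pid is not $expected, refusing to signal" 1>&2
        return 1
    }
    kill -"$sig" "$pid"
}

# Installed as /usr/local/bin/sshd-restart this behaves like the script
# above. The targets are hardcoded on purpose; the sudoers entry should
# still end with "" so the user cannot pass arguments:
#   smith ALL = /usr/local/bin/sshd-restart ""
case $0 in
    sshd-restart|*/sshd-restart)
        signal_from_pidfile /var/run/sshd.pid /usr/sbin/sshd HUP ;;
esac
```

Keep the parameters hardcoded in whatever wrapper you actually expose through sudo; a wrapper that accepted the pidfile or executable path from the user would let them point it at any root process.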

Our script carefully signals only the parent sshd process, not its child processes for SSH sessions already in progress. If you prefer to signal all processes with a given name, use the pidof command:

# kill -USR1 `pidof mycommand`

or the skill command:

# skill -USR1 mycommand

Both of these match by process name alone, so any process that happens to be called mycommand, including one a user started under that name, is signaled too. The readlink check on /proc/PID/exe in the script above is the stricter test.

5.15.4 See Also

kill(1), proc(5), pidof(8), skill(1), readlink(1).



Linux Security Cookbook
ISBN: 0596003919
Year: 2006
Pages: 247