B.2 Signals | Practical Unix & Internet Security, 3rd Edition

Signals are a simple Unix mechanism for controlling processes. A signal is a 5-bit message to a process that requires immediate attention. Each signal has a default action associated with it; for some signals, you can change this default action. Signals are generated by exceptions, which include:

Attempts to use illegal instructions
Certain kinds of mathematical operations
Window resize events
Predefined alarms, including expiration of a timer
The user pressing an interrupt key on a terminal
Another program using the kill( ) or killpg( ) system calls
A program running in the background attempting to read from or write to its controlling terminal
A child process calling exit or terminating abnormally

The system default may be to ignore the signal, to terminate the process receiving the signal (and, optionally , generate a core file), or to suspend the process until it receives a continuation signal. Some signals can be caught ”that is, a program can specify a particular function that should be run when the signal is received. As originally designed, Unix supports exactly 31 signals. Some vendors , such as Sun, have extended this set to include more signals. The signals and types are usually listed in the files /usr/include/signal.h and /usr/include/sys/signal.h . Table B-6 contains a summary of the 31 standard signals.

Table B-6. Unix signals

Signal name	Number ^[10]	Key ^[11]	Meaning
SIGHUP	1		Hangup (sent to a process when a modem or network connection is lost)
SIGINT	2		Interrupt (typically generated by Ctrl-C)
SIGQUIT	3	*	Quit
SIGILL	4	*	Illegal instruction; usually caused by executing data
SIGTRAP	5	*	Trace trap
SIGIOT	6	*	I/O trap instruction; used on PDP-11 Unix
SIGEMT	7	*	Emulator trap instruction; used on some computers without floating-point hardware support
SIGFPE	8	*	Floating-point exception
SIGKILL	9	!	Kill
SIGBUS	10	*	Bus error (invalid memory reference, such as an attempt to read a full word on a half-word boundary)
SIGSEGV	11	*	Segmentation violation (invalid memory reference, such as an attempt to read outside a process's mapped memory)
SIGSYS	12	*	Bad argument to a system call
SIGPIPE	13		Write on a pipe that has no process to read it
SIGALRM	14		Timer alarm
SIGTERM	15		Software termination signal (default kill signal)
SIGURG	16	@	Urgent condition present
SIGSTOP	17	+!	Stop process
SIGTSTP	18	+	Stop signal generated by keyboard
SIGCONT	19	@	Continue after stop
SIGCHLD	20	@	Child process state has changed
SIGTTIN	21	+	Read attempted from control terminal while process is in background
SIGTTOU	22	+	Write attempted to control terminal while process is in background
SIGIO	23	@	Input/output event
SIGXCPU	24		CPU time limit exceeded
SIGXFSZ	25		File size limit exceeded
SIGVTALRM	26		Virtual time alarm
SIGPROF	27		Profiling timer alarm
SIGWINCH	28	@	tty window has changed size
SIGLOST	29		Resource lost
SIGUSR1	30		User-defined signal #1
SIGUSR2	31		User-defined signal #2

^[10] The signal number varies on some systems.

^[11] The default action for most signals is to terminate.

The symbols in the "Key" column of Table B-6 have the following meanings:

*: If signal is not caught or ignored, generates a core image dump
@: Signal is ignored by default
+: Signal causes process to suspend
!: Signal cannot be caught or ignored

Signals are normally used between processes for process control. They are also used within a process to indicate exceptional conditions that should be handled immediately (for example, floating-point overflows).

B.2.1 Unix Signals and the kill Command

The Unix superuser can use the kill command to terminate any process on the system. One of the most common uses of the kill command is to kill a "runaway" process that is consuming CPU and memory for no apparent reason. You may also want to kill the processes belonging to an intruder.

Despite its name, the kill command can be used for more than simply terminating processes. The kill command can send any signal to any process. Although some signals do indeed result in processes being terminated , others can cause a process to stop, restart, or perform other functions.

The syntax of the kill command is:

 kill [-   signal   ]   process-IDs

The kill command allows signals to be specified by number or name. To send a hangup to process #1, for example, type:

 #  kill -HUP 1

With some older versions of Unix, signals could be specified only by number; all versions of the kill command still accept this syntax as well:

 #  kill -1 1

The superuser can kill any process; other users can kill only their own processes. You can kill many processes at a time by listing all of their PIDs on the command line:

 #  kill -HUP 1023 3421 3221

By default, kill sends SIGTERM (signal 15), the process-terminate signal.

B.2.2 Killing Multiple Processes at the Same Time

Modern Unix systems allow you to send a signal to multiple processes at the same time with the kill command:

If you specify 0 as the PID, the signal is sent to all the processes in your process group .
If you specify -1 as a PID and you are not the superuser, the signal is sent to all processes having the same UID as you.
If you specify -1 as a PID and you are the superuser, the signal is sent to all processes except system processes, process #1, and yourself.
If you specify any other negative value, the signal is sent to all processes in the process group numbered the same as the absolute value of your argument.

B.2.3 Catching Signals

Many signals, including SIGTERM, can be caught by programs. When catching a signal, a programmer has three choices of what to do with the signal:

Ignore it.
Perform the default action.
Execute a program-specified function, often called a signal handler .

Signal handling gives Unix programs a lot of flexibility. For example, some programs catch SIGINT (signal 2), sent when the user types Ctrl-C, to save their temporary files before exiting; other programs perform the default action and simply exit.

There are two signals that cannot be caught: SIGKILL (signal 9) and SIGSTOP (signal 17). SIGKILL terminates a program, no questions asked. SIGSTOP causes a program to stop execution dead in its tracks.

One signal that is very often sent is SIGHUP (signal 1), which simulates a hangup on a modem. Because having a modem accidentally hung up was once a common occurrence, many programs catch SIGHUP and perform a clean shutdown. Standard practice when killing a process is to send signal 1 (hangup) first; if the process does not terminate, then send it signal 15 (software terminate), and finally signal 9 (sure kill).

Many system programs catch SIGHUP and use it as a signal to re-read their configuration files. This has become a common programming convention, particularly in programs that don't expect to interact with a modem, such as network daemons.

B.2.4 Killing Rogue or Questionable Processes

Sometimes simply killing a rogue process is the wrong thing to do: you can learn more about a process by stopping it and examining it with some of Unix's debugging tools than by "blowing it out of the water." Sending a process a SIGSTOP will stop the process but will not destroy the process's memory image. This will allow you to examine the process using the tools we describe in the next section.