How to kill a process started with a different user without being root or sudoer?
in a Linux environment, I need to kill a process which has been started by user2 if I am user1 without being sudoers or using root. Do you know if there is a way of setting that when launching the process? Such as a list of users allowed to kill the process?
The fact is that concurrent instances of the same process can be started from different users, that is why it is not convenient for me to set the group id to the process. Other users that are not in the group will not be able to start a second parallel process.
What I have is a list of users allowed to start the process, defined in the database, before starting the process I check that the current user in the list and, if yes, I start the process with the current user. If a second user allowed to do that wants to kill the process I'd like it to be allowed to do that but I don't want it to be sudoers.
Therefore, I was thinking to create a process running as root which receives the request to kill processes from a user, checks if the user is allowed to start/stop the process and kills the process.
Do you think it could be the best solution?
Solution 1:
I'm sorry, but this simply is not possible (that's by design). However, if members of a common group, user1 could write to a file that user2's process checks, indicating to the process that it should terminate.
Or, user2 could run something in the background that checks a file, then sends the appropriate signals. User1 then simply has to write to that file. This may be easier, as it would not require any modification of user2's programs.
Conventionally, no, user1 can not send POSIX signals to user2's process.
Solution 2:
Unless ACLs or SELinux or something else has a better way to do it, the way I've seen this done is with a SetUID script. As you can imagine, they're infamous for being security risks.
Regarding your case, say that procOwner is the username for the process owner, and userA (uid 1000), userB (uid 1201), and userC (uid 1450) are the folks allowed to kill the process.
killmyproc.bash:
#!/bin/bash
case ${UID} in
1000|1201|1450) ;;
*) echo "You are not allowed to kill the process."
exit 1;;
esac
kill ${PROCESS_ID}
# PROCESS_ID could also be stored somewhere in /var/run.
Then set the owner and permissions with:
chown procOwner:procGroup killmyproc.bash
chmod 6750 killmyproc.bash
And also put userA, userB, and userC in the group procGroup
.
Solution 3:
Not conventionally -- having any user come and kill of someone else's processes is the ultimate denial-of-service vulnerability.
It can be done if the target process cooperates. One way would be for it to monitor for an external event (like a file being created in /var/tmp, or a message on a socket), instructing it to kill itself. If you can't write it to do that, you could write a wrapper for it that starts it and then does the monitoring, killing the child process if the event occurs.