Path: sserve!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.uwa.edu.au!classic.iinet.com.au!news.uoknor.edu!news.ecn.uoknor.edu!paladin.american.edu!gatech!howland.reston.ans.net!spool.mu.edu!news.nd.edu!infoserv.illinois.net!news.cic.net!locust.cic.net!pauls
From: pauls@locust.cic.net (Paul Southworth)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Killing processes
Date: 28 May 1995 23:38:55 GMT
Organization: CICNet, Inc.
Lines: 38
Message-ID: <3qb1if$gfe@spruce.cic.net>
References: <3qarhc$f92@news.bu.edu>
NNTP-Posting-Host: locust.cic.net

In article <3qarhc$f92@news.bu.edu>, Mikhail Teterin <mi@cs.bu.edu> wrote:
>Is it possible (must be, then how?) to set permissions so that people from
>specified group will be able to kill process started by root (or another
>user)?

Yes, by making a setuid wrapper for the script doing the signalling.

>Example: file netdown, says:
>	kill `cat /var/run/ppp0.pid`
>(Just that one line)
>When non-root executes it, the result is :
>kill: <pid> : Operation not permitted
>I tried permissions [0-7]755 on it with no success. I must be missing
>something really stupid )-:

Exactly.  Filesystem permissions have nothing to do with who owns the
process.  The process is owned by the invoking user, and Unix has no
conception of group ownership of processes.

So, for example, we have a group "dns" on our DNS server, and they can
edit all the zone files and the boot file.  But when they need to send
a signal to named (using the "ndc" script, part of the bind 4.9.3
distribution) they call a setuid C program which is a wrapper for "ndc".

Look at the execl(3) man page for syntax.  Here's the code:

#include <sys/types.h>
#include <stdio.h>
#include <unistd.h>

int
main(int argc, char **argv)
{
	/* Set the real uid to root as well; stop if that fails. */
	if (setuid(0) != 0) {
		perror("setuid");
		return 1;
	}
	execl("/usr/etc/in.ndc", "/usr/etc/in.ndc", "restart", (char *)0);
	perror("execl");	/* only reached if the exec failed */
	return 1;
}

--
Paul Southworth
CICNet Systems Support
pauls@cic.net