SUMMARY: Kill command

From: Esther Muller (emr@wcomp.gov.za)
Date: Wed Feb 04 1998 - 09:03:44 CST


Thanks for all the great responses.

Original message:

>I want to know if there is some way to give a user (other than root)
> the rights to kill processes that don't belong to him.
>
>We have a client-server setup with Solaris 2.5.1, 2.5, 2.4 and 2.3.
> Whenever the client PCs (win95) hang or lose a network connection
> the related processes float around on the Unix servers.
>
>I've tried a script with the setuid and setgid : owner - root : group - bin
>script:
> #!/bin/sh -p
> ps -u $1 | cut -c1-7 | xargs kill -1
>
>I know of a command "asroot" in SCO unix, but haven't been able
>to find something similar on Solaris.

Here's a summary of all the suggested options

Available programs:

1. sudo (came out tops)
        Logs every time they use it and what they did.
        This program can be configured to allow some user (or
        group of users) to execute either all programs except some, or
        no programs except some.
        Source is available at
        1. ftp.courtesan.com, in /pub/sudo. (If you need a compiler for the
                Solaris system, sunsite.unc.edu has a bunch of Solaris "packages",
                in /pub/packages/solaris/sparc.)
        2. http://www.courtesan.com/courtesan/products/sudo/
        3. Linux mirror sites
        4. Sunsites - sunsite.unc.edu somewhere out in /pub
        5. ftp://ftp.rootgroup.com
        6. http://smc.vnet.net.
        7. ftp.cs.colorado.edu in /pub/sysadmin/sudo .

2. su1
        This program can be configured to allow some user (or
        group of users) to execute either all programs except some, or
        no programs except some.

3. Power broker..
        provides key-stroke login to
        monitor the logs of the root-privileged members.

4. "su" (not the one supplied with the OS)
        unfortunately this is very configurable and can cause a security hole

5. "op"
        lets you create a list of commands that certain users may execute.

6. Super

OR

1. a small C prog will do :
                #include <unistd.h>
                int main(void)
                {
                        if (setuid(0) != 0)
                                return 1;       /* not installed setuid root */
                        /* do whatever you want to do */
                        return 0;
                }
        Obviously you would name this executable something sensible & restrict
        access to it with permissions. Be careful though, if, for example, you
        run a shell script from the C prog, if that script allows the user to
        use "!ksh" or the like to get a command line, then your user has control
        of your system. If you are stuck, in ksh you can do this in a script to
        set up a safer environment :
                (SHELL=/dev/null; myscript)

2. Try using 'ksh' or 'csh -bf' as the command interpreter.

It is not advisable to setuid on a script. Definite security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Esther Muller
Unix System Administrator
Xcel Engineering & Management
Cel : 083 454 6117
Tel(w) : (012) 3199405
Fax : (012) 3219622
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
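
A narrower form of the "small C prog" option above, as an added example that is not code from the original post or from any respondent: instead of running an arbitrary command as root, the setuid binary does one thing, sending SIGHUP (the `kill -1` of the original script) to a single PID, and only if that process belongs to an allow-listed account. The UIDs 2001 and 2002, the function names, and reading the owner from `/proc/<pid>` are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>

/* Assumption: UIDs of the client-session accounts whose processes may be hung up. */
static const uid_t ALLOWED_UIDS[] = { 2001, 2002 };

/* Strict decimal parse. Rejects junk, 0, 1 (init) and negatives, because
 * kill() treats 0 and negative values as "process group" or "everything". */
long parse_pid(const char *s)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9') return -1;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v <= 1 || v > INT_MAX) return -1;
    return v;
}

int uid_allowed(uid_t uid)
{
    size_t i;
    for (i = 0; i < sizeof ALLOWED_UIDS / sizeof ALLOWED_UIDS[0]; i++)
        if (ALLOWED_UIDS[i] == uid) return 1;
    return 0;   /* root (UID 0) is never on the list, so root's processes are safe */
}

/* Assumption: the owner of /proc/<pid> is the owner of the process. */
int pid_owner(long pid, uid_t *uid)
{
    char path[32];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%ld", pid);
    if (stat(path, &st) != 0) return -1;   /* no such process */
    *uid = st.st_uid;
    return 0;
}

int main(int argc, char **argv)
{
    long pid;
    uid_t owner;
    if (argc != 2 || (pid = parse_pid(argv[1])) < 0) return 2;          /* bad argument */
    if (pid_owner(pid, &owner) != 0 || !uid_allowed(owner)) return 3;   /* refused */
    return kill((pid_t)pid, SIGHUP) == 0 ? 0 : 1;
}
```

The binary takes no environment, shell or command from the caller, which removes the shell-escape problem described above; install it root-owned and executable only by the operator group. A short window remains between the ownership check and the `kill()` in which the PID could be reused by another process.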



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:30 CDT