SUMMARY: Kill command

Esther Muller (emr@wcomp.gov.za)
Wed, 04 Feb 1998 13:03:44 -0200

Thanks for all the great response

Orriginal message:

>I want to know if there is some way to give a user (other than root)
> the rights to kill processes that doesn't belong to him.
>
>We have a client-server setup with Solaris 2.5.1, 2.5, 2.4 and 2.3.
> Whenever the client PC's (win95) hangs or loses a network connection
> the related processes floats around on the Unix servers.
>
>I've tried a script with the setuid and setgid : owner - root : group - bin
>script:
> #!/bin/sh -p
> ps -u $1 | cut -c1-7 | xargs kill -1
>
>I know of a command "asroot" in SCO unix, but haven't been able
>to find something similar on Solaris.

Here's a summary of all the suggested options

Available programs:

1. sudo (came out tops)
Logs every time they use it and what they did.
This program can be configured to allow some user (or
group of users) to execute either all programs except some, or
no programs except some.
Source is available at
1. ftp.courtesan.com, in /pub/sudo. (If you need a compiler for the
Solaris system, sunsite.unc.edu has a bunch of Solaris "packages",
in /pub/packages/solaris/sparc.)
2. http://www.courtesan.com/courtesan/products/sudo/
3. Linux mirror sites
4. Sunsites - sunsite.unc.edu somewhere out in /pub
5. ftp://ftp.rootgroup.com
6. http://smc.vnet.net.
7. ftp.cs.colorado.edu in /pub/sysadmin/sudo .

2. su1
This program can be configured to allow some user (or
group of users) to execute either all programs except some, or
no programs except some.

3. Power broker..
provides key-stroke login to
monitor the logs of the root-previliged members.

4. "su" (not the one supplied with the OS)
unfortunately this is very configurable and can cause a security hole

5, "op"
lets you create a list of commands that certain users may execute.

6. Super

OR

1. a small C prog will do :
main
{
setuid(0);
do whatever you want to do
}
Obviously you would name this executable something sensible & restrict
access to it with permissions. Be careful though, if, for example, you
run a shell script from the C prog, if that script allows the user to
use "!ksh" or the like to get a command line, then your user has control
of your system. If you are stuck, in ksh you can do this in a script to
set up a safer environment :
(SHELL=/dev/null; myscript)

2. Try using 'ksh' or 'csh -bf' as the command interpreter.

It is not advisable to setuid on a script. Definate security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Esther Muller
Unix System Administrator
Xcel Engineering & Management
Cel : 083 454 6117
Tel(w) : (012) 3199405
Fax : (012) 3219622
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~