10

Let's say we have a group (dev) which has many users and a shared development directory with g+rwx permissions on all contained files. Is this setup sufficient so that any dev user can kill a process launched by any other dev user (assuming the process was started with the default permissions)?

So for example, say we have file /opt/devfolder/bin/foo owned by user1 (in group dev) with group id dev and permissions 0770. If user2 (in group dev) starts an instance of "foo" from his shell, can user3 (in group dev) kill it?

[Edit]

If not, how can we achieve this using sudo or some other standard UNIX utility?

maerics

4 Answers

12

The easiest way to do what you want is to create an entry in /etc/sudoers like this:

%users localhost=(%users) NOPASSWD:/bin/kill

This will let anyone in the users group run /bin/kill as any other user in the users group, and will not prompt for a password. I'm pretty sure this is exactly what you were asking for.

In this example I'm assuming that there exists a group named users to which all of the members of your dev group belong. You will obviously need to modify this to match your local environment.

larsks
4

Depending on what your problem is, if you need the users of the dev group to be able to kill all of the processes of a specific type for some other user, then there might be a solution.

%users localhost=(%users) NOPASSWD:/bin/killall -u <username>

or

%users localhost=(%users) NOPASSWD:/bin/killall -u <username> perl

Or whatever; you get the idea. This would allow the developers to kill all of the 'perl' processes, for one specific user. Remember that you can use the command aliases to shorthand writing out long lists of apps, and you can also use regular expressions (be careful you don't allow too much).

Allan Jude
2

Group file permissions do not extend to running processes. Only the owner of a process can kill the process.

However, you might consider configuring sudo to allow users the kill command in a limited manner.

mdpc
  • +1 thanks for the clarification; I've updated my question to include advice on how to make it happen. – maerics Oct 26 '11 at 21:30
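
One way to grant kill "in a limited manner" through sudo, as an added example that is not part of any answer on this page: a wrapper that signals a process only when both the caller and the process owner are in the dev group. The name `devkill`, its install path and the sudoers line in the comment are hypothetical; it assumes `ps` and `id` behave as on a typical Linux system.

```shell
#!/bin/sh
# devkill: hypothetical wrapper (added example), meant to be the only command
# granted in sudoers, e.g. (path is an assumption):
#   %dev ALL=(root) NOPASSWD: /usr/local/sbin/devkill
GROUP=dev   # group name from the question

# in_list WORD "space separated list": exact-match membership test.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# valid_pid PID: digits only and greater than 1. Rejects 0 and negative
# values (kill treats those as process groups or "every process") and init.
valid_pid() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 1 ] 2>/dev/null
}

# may_kill CALLER_GROUPS OWNER_GROUPS: both sides must be members of $GROUP.
may_kill() {
    in_list "$GROUP" "$1" && in_list "$GROUP" "$2"
}

# devkill PID: send SIGTERM only if caller and process owner are in $GROUP.
devkill() {
    pid=$1
    valid_pid "$pid" || { echo "devkill: invalid pid" >&2; return 2; }
    caller=${SUDO_USER:-$(id -un)}   # sudo sets SUDO_USER to the invoking user
    owner=$(ps -o user= -p "$pid" | tr -d ' ')
    [ -n "$owner" ] || { echo "devkill: no such process" >&2; return 1; }
    may_kill "$(id -nG "$caller")" "$(id -nG "$owner")" ||
        { echo "devkill: $caller may not signal $owner's process" >&2; return 1; }
    # The pid can be reused between the check and the signal, so the check
    # narrows who can be signalled but does not remove that race.
    kill -TERM "$pid"
}

if [ "$#" -gt 0 ]; then devkill "$@"; fi
```

Because the wrapper runs as root, sudoers should list only the wrapper itself and the file should be writable by root alone.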
0

Granting users the ability to kill processes with sudo will allow them to kill any process. It cannot be restricted to only kill processes of a specific user.

mailq
  • So it sounds like the solution is to have a shared user account which will own all of the files and have the setuid bit on all executables, ya? – maerics Oct 26 '11 at 21:49
  • @maerics No. No. No. As mdpc correctly says (so I didn't duplicate this) file permissions are **not** related to process state permissions. – mailq Oct 26 '11 at 21:52
  • ok, thanks. So any ideas on how to achieve this "process state group" permission I'm looking for? – maerics Oct 26 '11 at 21:57
  • @maerics Funny. If there were a solution, I would have posted it. But there isn't. – mailq Oct 26 '11 at 22:00
  • @mailq, if the suid bit is set on the executables, then the process is owned by a specific user and this can be used to set up a kill command for that specific user in a sudo configuration. Thus that approach would work! – mdpc Oct 26 '11 at 22:04