-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

James Melin wrote:
| Is there any way to limit what processes someone could kill when using
| sudo?
|
| Our websphere administrator wants the authority to kill a hung java thread
| should the need arise, and he wants the root password. I do not want to and
| will not give it to him. I am being directed by my management to 'just give
| it to him' but I really think that is an astonishingly bad idea.
|
| Is there a way to set up sudo so that if you issue a kill -9 against a
| thread it only allows it if the thread is owned by websphere?
Hello, James.

You cannot achieve that using sudo(8), but it does not mean it is impossible. What you need is either a kernel module implementing RSBAC through the SELinux framework or a separate, independent kernel patch that provides this functionality (for example, grsecurity, http://grsecurity.net/).

RSBAC stands for RoleSet Based Access Control and provides you with means to define groups of processes, actions and events and authorize certain roles, which you can then delegate, to perform certain actions on some processes. Some frameworks, such as grsecurity, even come with a special "learning" mode to provide you with a least-privilege access control list without (much) manual configuration at all.

Hope to have helped.

Kind regards,
- --
Grega Bremec
gregab at p0f dot net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFC1SOFfu4IwuB3+XoRAq15AJ4vxt7jem6sYynfPHuZ9QMh4u/9cACbBGOg
vW7jHaoLfx9IvdZEdvTx9fg=
=5mSK
-----END PGP SIGNATURE-----

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
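As an added example that is not part of this thread or of either poster's reply: sudo on its own cannot express "only if the target process is owned by websphere", so the owner check has to live somewhere sudo can delegate to. Short of a kernel-level RBAC framework, one least-privilege option is a small wrapper script that sudo is permitted to run and that refuses to signal any process not owned by the application account. The script below reads the real UID of the target from /proc (Linux), validates the PID so nothing can be smuggled through as an extra argument, and allows only the stop/kill signals an operator needs. The install path, the account names and the sudoers line are assumptions for illustration.

```shell
#!/bin/sh
# safekill: a wrapper that sudo can allow instead of the root password. Only
# processes owned by one account may be signalled. This is an added example;
# the path /usr/local/sbin/safekill, the account "websphere", the admin
# account "wasadmin" and the sudoers line below are assumed, not from the post.
#
# Suggested sudoers entry (add with visudo; names assumed):
#   wasadmin ALL=(root) /usr/local/sbin/safekill
# Usage: sudo /usr/local/sbin/safekill PID [SIGNAL]   (SIGNAL defaults to TERM)

ALLOWED_OWNER="${SAFEKILL_OWNER:-websphere}"   # account whose processes may be signalled

# valid_pid PID: accept only a plain positive integer, so an argument that
# sudo passes through can never be read as an option or a second target.
valid_pid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# valid_signal SIG: allow only the signals needed to stop a hung JVM.
valid_signal() {
    case "$1" in
        TERM|KILL|HUP|15|9|1) return 0 ;;
        *) return 1 ;;
    esac
}

# process_uid PID: print the real UID of PID, read from /proc/PID/status
# (the "Uid:" line lists real, effective, saved and fs UIDs in that order).
# Falls back to ps(1) where /proc is not available.
process_uid() {
    if [ -r "/proc/$1/status" ]; then
        while read -r key val _rest; do
            if [ "$key" = "Uid:" ]; then
                echo "$val"
                return 0
            fi
        done < "/proc/$1/status"
        return 1
    fi
    ps -o uid= -p "$1" 2>/dev/null | tr -d ' ' | grep -q . || return 1
    ps -o uid= -p "$1" 2>/dev/null | tr -d ' '
}

# owner_allowed PID USER: succeed only if PID is currently owned by USER.
owner_allowed() {
    pid_uid=$(process_uid "$1") || return 1
    user_uid=$(id -u "$2" 2>/dev/null) || return 1
    [ "$pid_uid" = "$user_uid" ]
}

# safekill PID [SIGNAL]: validate, check ownership, log, then signal.
safekill() {
    pid=$1
    sig=${2:-TERM}
    valid_pid "$pid" || { echo "safekill: bad pid '$pid'" >&2; return 2; }
    valid_signal "$sig" || { echo "safekill: signal '$sig' not permitted" >&2; return 2; }
    owner_allowed "$pid" "$ALLOWED_OWNER" || {
        echo "safekill: pid $pid is not owned by $ALLOWED_OWNER" >&2; return 3; }
    # Record who (per sudo) signalled what; harmless if logger is absent.
    if command -v logger >/dev/null 2>&1; then
        logger -t safekill "${SUDO_USER:-$(id -un)} sent $sig to pid $pid"
    fi
    kill "-$sig" "$pid"
}

# Dispatch only when invoked with arguments; sourcing the file just defines
# the functions.
if [ "$#" -gt 0 ]; then
    safekill "$@"
fi
```

Two points worth noting for anyone adopting this pattern: the ownership check and the kill are not atomic, so a PID could in principle be reused between the two, which is why the wrapper never accepts anything but a single numeric PID and a fixed signal set; and the script must be root-owned and not writable by the delegated user, since sudo will run whatever is at that path as root.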