I tend to agree that sudo is a much better way of accomplishing this; you can embed sudo in scripts as long as the script is called interactively. Thus it would be very simple to get some info about the process in question (specifically uid) from either the ps command or the /proc directory (every process is represented by a directory immediately below /proc bearing a name which is a decimal string equivalent to the pid).

The proper ps incantation is:

    ps p [pid] o euid=""

The null string ensures that only one line with the required uid is specified (i.e. takes out the column header). Alternatively the o option may take a key-value along the lines of ruser="" to return the human-readable username. Sudo will happily accept either uid or username as the user argument. So if you do:

    # [progname] is a placeholder for the process name
    PID=$(pgrep [progname])
    # UID is read-only in bash, so use another name; tr strips the padding ps adds
    OWNER=$(ps p "$PID" o euid="" | tr -d ' ')
    # sudo takes a numeric uid only with a leading '#'
    sudo -u "#$OWNER" kill -15 "$PID"

and sudoers is properly configged you should be good unless pgrep returns more than one pid, in which case you need a way to specify which instance you want to kill; perhaps you can simply omit that step and supply the pid directly as the first positional parameter.

The more complex thing will be to ensure that all the users in question have proper sudo permissions. It is VERY possible to specify exactly which commands a user may execute as another user. I.e. for the group of users { bill, fred, ted, joe } and the group of applications { appA, appB, appC } it is possible to specify that bill may execute all three apps as each of the other three users, fred can execute only appB as bill, ted can execute apps A and C as fred and joe, and joe has no permission to execute any of A, B, or C as anybody but himself. The syntax for doing this is described in the visudo man page.

WARNING!!! Do NOT attempt to edit the /etc/sudoers file by any other means than executing visudo. This is required in order to ensure the sudoers database is consistent with the flat config file.

As a supplement to the visudo and sudo man pages, you may also want to read one of the many many sudo tutorials out there. IIRC the gentoo forums sudo how-to is very straight-forward and applies to pretty much any sudo installation anywhere. If your local installation differs in any way it will most likely be in the pathname to the sudoers config file (typically /etc/sudoers) and it will be clearly noted in the man page.

Hope that helps,
Erik Johnson

On Tue, Mar 31, 2009 at 10:10 AM, CHAPLIN, JAMES (CTR) <james.chap...@associates.dhs.gov> wrote:
> -r--rwsr--+ 1 user group 500 Jan 21 16:23 stopServer.sh
> The setuid is set on group level.
> Removed the user execute perms as shown above, and script failed to
> "kill -p pid", got permission denied message still.
>
> Did a chmod 2474 stopServer.sh to set the bits, is this correct in what
> you are suggesting?
>
> James Chaplin
> Systems Programmer, MVS, zVM & zLinux
> Base Technologies, Inc
>
> -----Original Message-----
> From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On Behalf Of
> Jack Woehr
> Sent: Tuesday, March 31, 2009 10:28 AM
> To: LINUX-390@VM.MARIST.EDU
> Subject: Re: Stopping java based applications
>
> CHAPLIN, JAMES (CTR) wrote:
>> We want anyone in the group level to be able to also issue
>> the kill command (in the script). Is there a way to allow users in a
>> group to kill each other's started processes.
>>
>>
> You can have a script or program
>
>    * with the setuid bit set
>    * with the write permissions off
>    * with group execute perms but no user execute perms
>
> --
> Jack J. Woehr            # I run for public office from time to time. It's like
> http://www.well.com/~jax # working out at the gym, you sweat a lot, don't get
> http://www.softwoehr.com # anywhere, and you fall asleep easily afterwards.
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or
> visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390
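
The lookup-and-kill sequence from the message above, as an added example that is not part of the original thread: it stops when more than one PID is supplied (the pgrep case the message mentions) and reads the effective uid from /proc, the alternative to ps that the message names. The function names `pick_one` and `euid_of` and the script name `stopas.sh` are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. pick_one and euid_of are hypothetical names.

# pick_one PID...: succeed only when exactly one numeric PID was supplied.
# This covers the case where pgrep matches several instances.
pick_one() {
    if [ "$#" -ne 1 ]; then
        echo "expected exactly one PID, got $#: $*" >&2
        return 2
    fi
    case $1 in
        ''|*[!0-9]*) echo "not a PID: $1" >&2; return 2 ;;
    esac
    echo "$1"
}

# euid_of PID: print the effective UID from the "Uid:" line of
# /proc/PID/status (fields: real, effective, saved, filesystem).
euid_of() {
    [ -r "/proc/$1/status" ] || return 1
    while read -r key real eff rest; do
        if [ "$key" = "Uid:" ]; then
            echo "$eff"
            return 0
        fi
    done < "/proc/$1/status"
    return 1
}

# Usage: ./stopas.sh $(pgrep progname)
# Does nothing when called without arguments, e.g. when sourced for its functions.
if [ "$#" -gt 0 ]; then
    pid=$(pick_one "$@") || exit 2
    uid=$(euid_of "$pid") || { echo "no such process: $pid" >&2; exit 1; }
    # A PID can be reused once its process exits, so kill right after the lookup.
    # sudo reads a bare number as a user name; '#' marks a numeric UID.
    exec sudo -u "#$uid" kill -15 "$pid"
fi
```

The sudo call still succeeds only if sudoers grants the caller `kill` as the target user.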