I tend to agree that sudo is a much better way of accomplishing this;
you can embed sudo in scripts as long as the script is called
interactively.  Thus it would be very simple to get some info about
the process in question (specifically uid) from either the ps command
or the /proc directory (every process is represented by a directory
immediately below /proc bearing a name which is a decimal string
equivalent to the pid).

The proper ps incantation is:  ps p [pid] o euid=""

The null string ensures that only one line with the required uid is
specified (i.e. takes out the column header).  Alternatively the o
option may take a key-value along the lines of ruser="" to return the
human-readable username.  Sudo will happily accept either uid or
username as the user argument.

So if you do:
# find the pid, look up its effective uid, then signal it as that user
# (UID itself is read-only in bash, so the owner goes in another variable)
PID=$(pgrep [progname])
OWNER=$(ps p "$PID" o euid="")
sudo -u "$OWNER" kill -15 "$PID"

and sudoers is properly configured you should be good,
unless pgrep returns more than one pid, in which case you need a way
to specify which instance you want to kill; perhaps you can simply omit
that step and supply the pid directly as the first positional
parameter.

The more complex thing will be to ensure that all the users in
question have proper sudo permissions.  It is VERY possible to specify
exactly which commands a user may execute as another user.

I.e. for the group of users { bill, fred, ted, joe } and the group of
applications { appA, appB, appC } it is possible to specify that bill
may execute all three apps as each of the other three users, fred can
execute only appB as bill, ted can execute apps A and C as fred and
joe, and joe has no permission to execute any of A, B, or C as anybody
but himself.

The syntax for doing this is described in the visudo man page.
WARNING!!!  Do NOT attempt to edit the /etc/sudoers file by any other
means than executing visudo.  This is required in order to ensure the
sudoers database is consistent with the flat config file.

As a supplement to the visudo and sudo man pages, you may also want to
read one of the many many sudo tutorials out there.  Iirc the gentoo
forums sudo how-to is very straight-forward and applies to pretty much
any sudo installation anywhere.  If your local installation differs in
any way it will most likely be in the pathname to the sudoers config
file (typically /etc/sudoers) and it will be clearly noted in the man
page.

Hope that helps,
Erik Johnson
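The pgrep / ps / sudo sequence from the reply above, written out as a complete script. This is an added example, not code from the thread or from anyone in it; it assumes a Linux /proc (falling back to a procps-style ps elsewhere) and a sudoers rule that allows the caller to run kill as the target user. It also handles the case the reply flags, pgrep matching more than one process, by refusing to guess.

```shell
#!/bin/sh
# Added example, not code from the thread: stop a process as the user that
# owns it, along the lines of the pgrep / ps / sudo sequence in the reply.
# Assumptions: Linux /proc (with a procps-style ps as fallback), and a
# sudoers rule that lets the caller run kill as the target user.

# Effective uid of a pid, or empty output when the pid does not exist.
# /proc/PID/status carries "Uid: real effective saved fs"; "ps -o euid="
# is the portable equivalent the reply quotes (the = suppresses the header).
owner_of_pid() {
    if [ -r "/proc/$1/status" ]; then
        while read -r key real eff rest; do
            if [ "$key" = "Uid:" ]; then
                echo "$eff"
                break
            fi
        done < "/proc/$1/status"
    else
        ps -p "$1" -o euid= 2>/dev/null | tr -d ' '
    fi
}

# Resolve a program name to exactly one pid. Zero or several matches are
# errors: the reply notes pgrep may return more than one pid, and guessing
# which instance to signal is not acceptable.
single_pid() {
    pids=$(pgrep -x "$1" || true)
    count=$(printf '%s\n' "$pids" | sed '/^$/d' | wc -l | tr -d ' ')
    case "$count" in
        1) printf '%s\n' "$pids" ;;
        0) echo "no process named '$1'" >&2; return 1 ;;
        *) echo "$count processes named '$1'; pass the pid instead" >&2; return 2 ;;
    esac
}

# Send SIGTERM to pid $1 as its owner. sudo is invoked only when the owner
# differs from the caller, so the common case needs no privilege at all.
# sudo -u accepts a numeric uid when it is prefixed with '#'.
stop_as_owner() {
    pid=$1
    uid=$(owner_of_pid "$pid")
    if [ -z "$uid" ]; then
        echo "no such pid: $pid" >&2
        return 1
    fi
    if [ "$uid" = "$(id -u)" ]; then
        kill -15 "$pid"
    else
        sudo -u "#$uid" kill -15 "$pid"
    fi
}

# Usage: stop_as_owner.sh <pid | program-name>
if [ $# -eq 1 ]; then
    case "$1" in
        *[!0-9]*) pid=$(single_pid "$1") || exit $? ;;
        *)        pid=$1 ;;
    esac
    stop_as_owner "$pid"
fi
```

For the sudo branch to work, sudoers has to grant the group in question the right to run kill as each other; with an assumed group name of appops, a rule along the lines of `%appops ALL = (%appops) /bin/kill`, entered through visudo as the reply insists, does that and nothing more. The per-user, per-application matrix the reply sketches (bill, fred, ted, joe against appA, appB, appC) is the same mechanism with one line per grant, each naming exactly the Runas users and the command path it allows.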

On Tue, Mar 31, 2009 at 10:10 AM, CHAPLIN, JAMES (CTR)
<james.chap...@associates.dhs.gov> wrote:
> -r--rwsr--+ 1 user group  500 Jan 21 16:23 stopServer.sh
> The setuid is set on group level.
> Removed the user execute perms as shown above, and script failed to
> "kill -p pid", got permission denied message still.
>
> Did a chmod 2474 stopServer.sh to set the bits, is this correct in what
> you are suggesting?
>
> James Chaplin
> Systems Programmer, MVS, zVM & zLinux
> Base Technologies, Inc
>
> -----Original Message-----
> From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On Behalf Of
> Jack Woehr
> Sent: Tuesday, March 31, 2009 10:28 AM
> To: LINUX-390@VM.MARIST.EDU
> Subject: Re: Stopping java based applications
>
> CHAPLIN, JAMES (CTR) wrote:
>> We want anyone in the group level to be able to also issue
>> the kill command (in the script). Is there a way to allow users in a
>> group to kill each other's started processes.
>>
>>
> You can have a script or program
>
>    * with the setuid bit set
>    * with the write permissions off
>    * with group execute perms but no user execute perms
>
> --
> Jack J. Woehr            # I run for public office from time to time. It's like
> http://www.well.com/~jax # working out at the gym, you sweat a lot, don't get
> http://www.softwoehr.com # anywhere, and you fall asleep easily afterwards.
>
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or
> visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390
>
