3

Is there a way to terminate a root process without entering an administrator's password?

You might be wondering why I'd want to do this 'cause it sounds fishy. Well, I just need to end a process started by a daemon from an agent, but daemons run as root and agents are user specific.

2 Answers

1

You should look into sudo.

You can configure it to let you enter any command without a password, or just some like kill, or to ask for your user password (not root's, yours) on every command, etc. It is very flexible.

It may already be installed and set up on your system. This is the case on Ubuntu and OS X, for example. If not, it is available for most Unixy systems.

Warren Young
  • I used sudo but it still asks for the password; I have to implement this in a program so I can't have the user enter the password – Samantha Catania Sep 22 '11 at 15:23
  • 1
    @Samantha "You can configure it to let you enter any command without a password". See this question – Michael Mrozek Sep 22 '11 at 15:45
  • I can't configure it that way – Samantha Catania Sep 22 '11 at 17:00
  • @SamanthaCatania: why can't you? You are not able to, or you do not have the privilege to modify /etc/sudoers? – enzotib Sep 22 '11 at 17:03
  • As I wrote in the question, this must be done from an agent program; there must be no input from the user & there is no terminal window – Samantha Catania Sep 22 '11 at 17:07
  • I think you're not reading what we're writing carefully. It is possible to configure sudo so that it does not ask for a password. You tell it that such-and-such a user can run thus-and-so program with root privileges without a password. That is what the NOPASSWD bit does in the question Michael pointed you to. Once you set it up correctly, your script can say sudo kill $somepid, and it will do what you're asking. – Warren Young Sep 22 '11 at 18:37
0

Users are only allowed to kill or otherwise signal their own processes.

You say that the process is started by a daemon running as root. Does that process need to run as root as well? If it doesn't, make it drop privileges and run as the desired user.

If the process must run as root, you'll have to provide a way for the agent to elevate its privileges to kill the process. This can take the form of a setuid root helper executable, or an entry in the sudoers file (with the NOPASSWD tag). The sudo entry has the advantage that its use will be logged.

Note that there is no atomic way to send a signal to a process. Sending a signal is asynchronous: it is possible that you obtain the PID of a process, then you send a signal to that process, but the process has died in the meantime and its process ID has already been reused by another process.

There's a way to avoid this involving the parent of the process you want to kill, but it's complicated. The process ID will not disappear until its parent acknowledges the child's death (a zombie process remains until then). To use this effectively, you need the parent to know that it must hold on until no agent is going to want to kill the child.

If you're not concerned with the race condition, you can give the agent the permission to run pkill name_of_process_to_kill, if you know that there will be a single process with that name. If you can identify the process by a file it has open, you can use fuser -k /path/to/file.

If you can, modify the process so that it listens to a termination request on a pipe or socket. Set up the permissions or authentication on the pipe or socket according to your needs.
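
The last suggestion above (a termination request over a socket), sketched as an added example that is not part of the original answer. The socket path, the `TERMINATE` token and all function names are assumptions, and the demo runs both sides in one process as the current user instead of a root daemon and a user agent.

```python
import os, socket, tempfile, threading

TERMINATE = b"TERMINATE\n"  # constructed request token (assumption)

def open_control_socket(path):
    """Root-started process: create the listening socket with mode 0600."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old = os.umask(0o177)          # restrict the mode at creation, not afterwards
    try:
        srv.bind(path)
    finally:
        os.umask(old)
    # A root daemon would chown the socket and its directory to the agent user;
    # socket modes are not honoured everywhere, directory modes are.
    srv.listen(1)
    return srv

def wait_for_termination(srv, stop):
    """Accept clients until one sends the exact token, then set `stop`."""
    while not stop.is_set():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(2)     # a silent client cannot stall the loop
            try:
                ok = conn.recv(64) == TERMINATE
                conn.sendall(b"OK\n" if ok else b"ERR\n")
            except OSError:        # timeout or reset: drop this client
                continue
            if ok:
                stop.set()         # the real process would clean up and exit
    srv.close()

def request_termination(path, payload=TERMINATE):  # unprivileged agent side
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.settimeout(2)
        c.connect(path)
        c.sendall(payload)
        return c.recv(16)

def demo():
    path = os.path.join(tempfile.mkdtemp(), "ctl.sock")  # mkdtemp dir is 0700
    srv, stop = open_control_socket(path), threading.Event()
    t = threading.Thread(target=wait_for_termination, args=(srv, stop), daemon=True)
    t.start()
    replies = request_termination(path, b"hello\n"), request_termination(path)
    t.join(5)
    return os.stat(path).st_mode & 0o777, replies, stop.is_set()

if __name__ == "__main__":
    print(demo())
```

Because the agent never handles a PID, the PID-reuse race described above does not arise, and nothing in the agent needs root.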