UNIX permissions to allow group users to kill each others' processes
Solution 1
The easiest way to do what you want is to create an entry in /etc/sudoers like this:
%users localhost=(%users) NOPASSWD:/bin/kill
This will let anyone in the users group run /bin/kill as any other user in the users group, and will not prompt for a password. I'm pretty sure this is exactly what you were asking for.
In this example I'm assuming that there exists a group named users to which all of the members of your dev group belong. You will obviously need to modify this to match your local environment.
Solution 2
Depending on what your problem is, if you need the users of the dev group to be able to kill all of the processes of a specific type for some other user, then there might be a solution.
%users localhost=(%users) NOPASSWD:/bin/killall -u <username>
or
%users localhost=(%users) NOPASSWD:/bin/killall -u <username> perl
or whatever. You get the idea. This would allow the developers to kill all of the 'perl' processes for one specific user. Remember that you can use the command aliases to shorthand writing out long lists of apps, and you can also use regular expressions (be careful you don't allow too much).
Solution 3
Group file permissions do not extend to running processes. Only the owner of a process can kill the process.
However, you might consider configuring sudo to allow users the kill command in a limited manner.
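One way to keep the sudo grant described in the answers above limited, as an added example that is not part of the original answers: a wrapper script that the sudoers rule would allow instead of /bin/kill itself. The path /usr/local/sbin/devkill, the ALLOWED_GROUP variable and the function names are assumptions; dev is the group from the question.

```sh
#!/bin/sh
# devkill: added example, not code from the original answers.
# Intended sudoers entry (path and group name are assumptions):
#   %dev ALL = (root) NOPASSWD: /usr/local/sbin/devkill
ALLOWED_GROUP="${ALLOWED_GROUP:-dev}"

# valid_pid PID: accept only a plain decimal PID greater than 1.
# kill(1) treats 0, -1 and other negative values as process groups or
# "every process the caller may signal", so those must never reach it.
valid_pid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 10 ] && [ "$1" -gt 1 ]
}

# list_has "space separated list" WORD: exact word match, no substrings.
list_has() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# may_signal PID GROUP: succeed only if PID is well formed and its owner
# is a non-root member of GROUP. Any lookup failure means "deny".
may_signal() {
    valid_pid "$1" || return 1
    owner=$(ps -o user= -p "$1" 2>/dev/null | tr -d ' ')
    [ -n "$owner" ] && [ "$owner" != "root" ] || return 1
    groups=$(id -Gn "$owner" 2>/dev/null) || return 1
    list_has "$groups" "$2"
}

main() {
    if [ "$#" -ne 1 ] || ! may_signal "$1" "$ALLOWED_GROUP"; then
        echo "devkill: refusing to signal '$*'" >&2
        return 1
    fi
    kill -TERM "$1"    # fixed signal; the caller cannot choose another
}

# Run only when called with arguments, so the functions can be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The owner check and the kill are two separate steps, so a PID that exits and is reused in between would be signalled under its new owner.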
maerics
Updated on September 18, 2022
Comments
-
maerics over 1 year
Let's say we have a group (dev) which has many users and a shared development directory with g+rwx permissions on all contained files. Is this setup sufficient so that any dev user can kill a process launched by any other dev user (assuming the process was started with the default permissions)?
So for example, say we have file /opt/devfolder/bin/foo owned by user1 (in group dev) with group id dev and permissions 0770. If user2 (in group dev) starts an instance of "foo" from his shell, can user3 (in group dev) kill it?
[Edit]
If not, how can we achieve this using sudo or some other standard UNIX utility?
-
maerics over 12 years
+1 thanks for the clarification; I've updated my question to include advice on how to make it happen.
-
maerics over 12 years
So it sounds like the solution is to have a shared user account which will own all of the files and have the setuid bit on all executables, ya?
-
mailq over 12 years
@maerics No. No. No. As mdpc correctly says (so I didn't duplicate this) file permissions are not related to process state permissions.
-
maerics over 12 years
OK, thanks. So any ideas on how to achieve this "process state group" permission I'm looking for?
-
mailq over 12 years
@maerics Funny. If there were a solution I would have posted it. But there isn't.
-
mdpc over 12 years
@mailq, if the suid bit is set on the executables, then the process is owned by a specific user and this can be used to set up a kill command for that specific user in a sudo configuration. Thus that approach would work!