Re: kill -9 <pid of X>

Linus Torvalds (torvalds@transmeta.com)
Wed, 12 Aug 1998 22:00:36 -0700 (PDT)


On Wed, 12 Aug 1998, David S. Miller wrote:
>
> I tell you that X can block SIGKILL, but you don't seem to be happy
> with that either. What's your beef?
>
> Last time I checked kernel/signal.c nobody can block SIGKILL or did
> you propose allowing this in certain limited cases?

People seem to have a really hard time understanding.

Can you as "davem" send a SIGKILL to me as "torvalds"? No.

Blocking ALL signals is something that is done all the time in UNIX, and
it's called "security".

Now, some people have suggested that you shouldn't be able to kill your X
server, because that leaves the screen in an unusable state. In short,
killing your X server is a security problem. And yes, it makes sense to
use EXISTING security features of the kernel to block that killing.

No kernel changes.

What you do, is you ask an XFree86 person very nicely whether he could add
a line to the XF86Config file that adds a new configuration option, namely
the user as which you run the server once you've done all the initial
setup (maybe the option would default to "bin"). And then you ask the nice
XFree86 person to do something like this (pseudo-code, but I'm sure you
can figure this out):

#include <pwd.h>
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
	/* .. allocate resources .. */
	/* .. open(/dev/mem) .. */
	/* .. open(/dev/mouse) .. */
	/* .. iopl()/ioperm() .. */

	/*
	 * get rid of _all_ association with the user that
	 * started us - a random user must not have the right
	 * to kill us while we do important hardware stuff
	 */
	struct passwd *pw = getpwnam("xuser");	/* the new XF86Config option */
	if (!pw)
		exit(1);
	setuid(0);		/* as root: real, effective and saved uid all become 0 */
	setuid(pw->pw_uid);	/* .. and now all three become "xuser" */

	/* .. now we actually start running .. */
}

The point being that even the person who started X no longer has
privileges to kill X even with SIGKILL - because the X server isn't
running as that user.

Again: no kernel modifications required.

I'm sure the XFree86 people would be more than happy to consider something
like this: they've already given security-people flags in XF86Config to
disable Ctrl-Alt-Home etc, exactly because they wanted to not let people
break out of "xlock" by just killing the X server with the vulcan
nerve-pinch.

So yes, with the above root can still kill the X server with SIGKILL. Big
deal. If root wants to mess up the screen he can do so very easily without
even starting up X, so root being able to SIGKILL the server is a
non-issue.

I certainly agree that root should be able to send the X server some
signal that allows the server to shut down nicely, but I disagree with
Alan and others who seem to think that it has to be SIGKILL. There is no
reason why X couldn't just intercept all the normal signals and cause a
clean shutdown.

Linus
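The rule behind "can davem kill torvalds? No.", and why the post does setuid(0) before setuid(xuser), as an added example written for this page (not Linus's code or XFree86's): a userspace model of the signal-permission check plus the full privilege drop with the error checks the pseudo-code leaves out. The uids 1000 and 2 are constructed, and "xuser" is the hypothetical account from the post.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>

struct creds { uid_t ruid, euid, suid; };

/* Classic UNIX rule for kill(2): allowed if the sender is privileged
 * (modelled here as euid 0) or one of the sender's real/effective uids
 * equals one of the target's real/saved uids. Note that the target's
 * *effective* uid does not enter into it. */
int may_signal(struct creds sender, struct creds target)
{
    if (sender.euid == 0)
        return 1;
    return sender.ruid == target.ruid || sender.ruid == target.suid ||
           sender.euid == target.ruid || sender.euid == target.suid;
}

/* Credentials of a setuid-root X server started by `starter` under two
 * strategies. seteuid() alone leaves ruid == starter, so the starter
 * can still SIGKILL the server; setuid(0) then setuid(xuser) rewrites
 * all three uids, which is why the post does it in that order. */
struct creds after_seteuid_only(uid_t starter, uid_t xuser)
{
    struct creds c = { starter, 0, 0 };  /* after exec of a setuid-root binary */
    c.euid = xuser;                      /* seteuid(): ruid and suid unchanged */
    return c;
}

struct creds after_full_setuid(uid_t starter, uid_t xuser)
{
    struct creds c = { starter, 0, 0 };
    c.ruid = c.euid = c.suid = 0;        /* setuid(0) with euid 0: all three */
    c.ruid = c.euid = c.suid = xuser;    /* setuid(xuser) as root: all three */
    return c;
}

/* The real drop, with the checks the pseudo-code leaves out (needs root). */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);            /* e.g. the "xuser" option */
    if (!pw) return -1;
    if (setuid(0) != 0) return -1;                 /* ruid/suid become root too */
    if (setgroups(0, NULL) != 0) return -1;        /* shed the starter's groups */
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;        /* all three uids -> name */
    if (setuid(0) == 0) return -1;                 /* must fail: drop is permanent */
    return 0;
}
```

The last check in drop_to_user is the usual way to confirm the drop really is irreversible: if setuid(0) still succeeds, the saved uid was left as root and the drop is worthless.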

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.altern.org/andrebalsa/doc/lkml-faq.html