AIX

Hello list,

Have a problem that's highlighting gaps in my knowledge; can you assist?

We have a script that's tacked onto our trading application which allows branch managers etc. to kill off the sessions of other users at their branch. A menu option in the application spawns a shell running this script. As far as I can tell it's spawned in the same context as the user that logged in (no sudo ing or any other type of security context switching - as far as I can see).

The script itself doesn't have any sudo reference in it, nor does it call any other scripts, as far as I can tell.

Some detail on an example run of the script:

The script running, and the effective UID:
$ ps -fp 16974070
UID PID PPID C STIME TTY TIME CMD
kccah 16974070 25407552 0 16:21:08 pts/97 0:00 /bin/ksh /usr/hxscripts/brkill
$ ps -fp 16974070 -o ruser=
kccah
$


Some detail on the user:

$ lsuser kccah
kccah id=2957 pgrp=users groups=users,users,mail home=/usr/home/branch/users/kcc shell=/usr/bin/ksh gecos=Alex_Hawdon roles=

The function in the script that runs the kill, bits that do the killing are highlighted bold:


kill_user()
{
# To kill a user we have to do the following :
# kill the user is partition (unix nice kill)
# if they are still there, do a nasty kill
# clear the partition table of illegal entries
# if they were logged in from a spider, then kill that spider port
# (( if they were logged in from an annex, then kill that annex port ))
#
log "Killed a user : User Details"
log "USERID : ${USERID[$1]}"
log "USER NAME : ${USERNAME[$1]}"
log "USER PID : ${USERPID[$1]}"
log "USER TERMINAL : ${USERTERM[$1]}"
#
/usr/bin/kill -15 ${USERPID[$1]} 2>>/dev/null
sleep 1
#
case $UNIXTYPE
in
AIX) COMMAND=`who -u | awk -v pid=${USERPID[$1]} '$7==pid' | wc -l`;;
OSF1) COMMAND=`who -uM | awk -v pid=${USERPID[$1]} '$7==pid' | wc -l`;;
*) echo "Fatal error - unknown UNIX version"
pressreturn
cleanup;;
esac

if [ $COMMAND -eq 1 ]
then
/usr/bin/kill -9 ${USERPID[$1]} 2>>/dev/null
fi
$KCMLADDR/bkstat -C
TERMIDFILE=`echo "$USERHOME" | sed "s/user/termid.csv/"`
# TERMIDFILE=`echo "$USERHOME" | sed "s/users/termid.csv/"`
REMOTE=`awk -v term=${USERTERM[$1]} -F, '$2==term' $TERMIDFILE`
if [ ! "$REMOTE" = "" ]
then
SPIDER=`echo "$REMOTE" | awk -F, '{print $1}' | cut -c 2-9`
PORT=`echo "$REMOTE" | awk -F, '{print $1}' | cut -c 11-12 | sed "s/^0//"`
log "SPIDER INFO : $SPIDER - $PORT"
rsh -l eod saturn "/usr/users/tech/stu/scripts/SPIDER/linekill.exp $SPIDER.harcros.co.uk $PORT" > /dev/null
fi
case $UNIXTYPE
in
AIX) COMMAND=`who -u | awk -v pid=${USERPID[$1]} '$7==pid' | wc -l`;;
OSF1) COMMAND=`who -uM | awk -v pid=${USERPID[$1]} '$7==pid' | wc -l`;;
*) echo "Fatal error - unknown UNIX version"
pressreturn
cleanup;;
esac
if [ $COMMAND -eq 1 ]
then
echo "Unable to clear user - Please contact Service Desk"
fi
#
# NEED TO ADD CHECK FOR AN ANNEX AT THIS POINT
#
pressreturn
}


A copy of the script is attached. A note - the /etc/dirlist script just sets up variables - it doesn't do *anything* fancy at all.

Thanks for your time on this, folks! Sorry if I've hastily overlooked something obvious!

Any further information required - give me a shout.

Thanks and regards,

Alex

I don't see a question in your post...?? Are you asking how one user running this script is able to kill other user's sessions? If so, do a "ls -l brkill.txt" and post that. It may have a root sticky bit on it.

kah00na - yes, sorry! You're right through; I'd like to know how the script allows users to kill other users.

Here's the output, I'm afraid it's not that:

-rwxrwxr-- 1 kcckr users 8090 09 Jul 15:40 /usr/hxscripts/brkill

Any other ideas?

Thanks and regards,

Alex

Do a ls -l on /usr/bin/kill and post the results of that. The permissions of the kill process are relevant, not the permissions on the shell that invokes it. Most shells have a kill built-in and this script is intentionally avoiding the kill built-in.

Perderabo,

Sorry, but I don't think that's it. I did notice it was avoiding the built-in and I had a look at /usr/bin/kill - I should have posted the information but I don't like to bore people with a massive post which no one can be bothered reading...

-r-xr-xr-x 1 bin bin 7222 13 May 2004 /usr/bin/kill

Also -
$ file /usr/bin/kill
/usr/bin/kill: executable (RISC System/6000) or object module

so it's not a wrapper script that's doing any sudoing or suchlike...

What OS? Do a uname -a.