Immortal processes
Problem
Sometimes, on a shared workstation multiple people may have root access. Some of these may be a little too eager with "kill -9", but the kernel can do little to help restrain an administrator. Systemtap can help escalate the arms race.
Scripts
This script requires guru mode, since it alters a $target variable.
probe syscall.kill { if ($sig==9) { $sig=0; printf("Process %d immortalized from the puny process %s(%d)\n", $pid, execname(), pid()) } }
Output
% ps awux | grep tuxracer fche 14350 0.0 0.0 4697516 9483844 pts/9 S+ 13:54 0:00 tuxracer % stap -g immortal.stp & .... now wait for the spoilsport BOFH to "kill -9 14350" Process 14350 immortalized from the puny process zsh(13505) Process 14350 immortalized from the puny process bash(425) ... he must have tried again ^C % ps awux | grep tuxracer fche 14350 0.0 0.0 4697516 9483844 pts/9 S+ 13:54 0:00 tuxracer .... it's alive!!!
Lessons
The general technique of rewriting system call arguments can be used for many purposes good or evil. Look deeply into your soul to lead you on the right path.