Immortal processes

Problem

On a shared workstation, several people may have root access. Some of them may be a little too eager with "kill -9", and the kernel can do little to restrain an administrator. SystemTap can help escalate the arms race.

Scripts

This script requires guru mode (stap -g), since it writes to a $target variable: the $sig argument of the kill system call.

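# immortal.stp: run with "stap -g" (guru mode), because it writes to $sig
probe syscall.kill {
   if ($sig == 9) {   # 9 is SIGKILL
      $sig = 0;       # signal 0: kill() only checks the target, nothing is delivered
      printf("Process %d immortalized from the puny process %s(%d)\n", $pid, execname(), pid());
   }
}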

Output

% ps awux | grep tuxracer
fche     14350  0.0  0.0  4697516 9483844 pts/9    S+   13:54   0:00 tuxracer
% stap -g immortal.stp &
.... now wait for the spoilsport BOFH to "kill -9 14350"
Process 14350 immortalized from the puny process zsh(13505)
Process 14350 immortalized from the puny process bash(425)    ... he must have tried again
^C
% ps awux | grep tuxracer
fche     14350  0.0  0.0  4697516 9483844 pts/9    S+   13:54   0:00 tuxracer
.... it's alive!!!

Lessons

The general technique of rewriting system call arguments can be used for many purposes, good or evil. Look deeply into your soul to lead you on the right path.
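From the administrator's side, the symptom in the Output section is a kill() that reports success while the target keeps running. The following check is an added example, not part of the original page: it sends a signal and then confirms from /proc that the target actually terminated. The function names process_state, kill_and_verify and demo are hypothetical, and a Linux /proc filesystem is assumed.

```python
import os
import signal
import subprocess
import sys
import time

def process_state(pid):
    """Return the one-letter state from /proc/<pid>/stat, or None if the pid is gone."""
    try:
        with open(f"/proc/{pid}/stat") as f:
            data = f.read()
    except (FileNotFoundError, ProcessLookupError):
        return None
    # comm sits in parentheses and may itself contain ')'; the state follows the last one
    return data.rsplit(")", 1)[1].split()[0]

def kill_and_verify(pid, sig=signal.SIGKILL, timeout=2.0):
    """Send sig, then poll until the target is gone or a zombie.
    Returns 'terminated', 'no-such-process' or 'survived'."""
    try:
        os.kill(pid, sig)
    except ProcessLookupError:
        return "no-such-process"
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if process_state(pid) in (None, "Z", "X"):
            return "terminated"
        time.sleep(0.05)
    return "survived"  # kill() reported success, yet the target is still running

def demo():
    """Constructed test target: a child that sleeps for 60 seconds."""
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(60)"])
    try:
        # Signal 0 is what the probe turns 9 into: kill() succeeds, nothing is delivered
        null_result = kill_and_verify(child.pid, sig=0, timeout=0.3)
        real_result = kill_and_verify(child.pid, sig=signal.SIGKILL)
        return null_result, real_result, child.wait()
    finally:
        if child.poll() is None:
            child.kill()
        child.wait()

if __name__ == "__main__":
    print(demo())
```

A "survived" result after SIGKILL is not proof of tampering, since a process in uninterruptible sleep (state D) also outlives the signal until its I/O completes; check process_state(pid) before drawing conclusions.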


None: WSimmortal (last edited 2008-01-10 19:47:34 by localhost)