TransWikia.com

Sending kill signal using a setuid process results in Operation not permitted

Super User Asked by Ali Tou on February 10, 2021

I want to be able to send a SIGHUP signal to a Prometheus process from a CI tool that runs as a different user than Prometheus. Let’s say CI uses the gitlab-runner user and Prometheus uses the prometheus user. I thought that I could send a SIGHUP signal to the Prometheus process with the following steps:

  1. Creating a simple shell script that executes kill command:

     $ cat `which promhup`
     kill -HUP $(pgrep prometheus)

  2. Change the ownership of this script and set the setuid bit for this file:

     chown prometheus promhup
     chmod +x promhup
     chmod u+s promhup

Then, I expected that if I simply run promhup, it can send the desired signal to the Prometheus process. However, I get the following error:

/usr/bin/promhup: line 1: kill: (602) - Operation not permitted

The permissions now look like this:

$ ls -l `which promhup`
-rwsr-xr-x 1 prometheus root 51 Jan 27 19:36 /usr/bin/promhup

What have I done wrong? How can I accomplish this without giving sudo access to my CI user?

One Answer

Linux ignores the setuid bit on scripts/interpreted executables (the ones that start with #!) for security reasons.

As a kind of hacky solution you can try to compile a simple binary out of your script using https://github.com/neurobin/shc and setuid it:

sudo add-apt-repository ppa:neurobin/ppa
sudo apt-get install shc

shc -f my_promhup_script -o promhup
sudo mv promhup /usr/bin/

Although I'd rather go for the sudo option - that's what it was designed for.

Update:

For the sudo option, you can add something like this to your sudoers:

gitlab-runner ALL = (ALL) ALL
gitlab-runner ALL = (root) NOPASSWD: /usr/bin/promhup

This will make sudo not ask for a password only for your script, while still asking for it for the others.

source: https://unix.stackexchange.com/questions/18830/how-to-run-a-specific-program-as-root-without-a-password-prompt

Answered by O.W.Grant on February 10, 2021
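The kernel honours the setuid bit on compiled binaries but not on scripts, so a small purpose-built helper can take the script's place. The following is an added example, not code from the question, the answer, or shc: a minimal C helper meant to be installed setuid prometheus. The process name comes from the question's pgrep call; the file name promhup.c and the function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
/* promhup.c (added example). Build: cc -O2 -Wall -o promhup promhup.c
 * Install as root: chown prometheus promhup && chmod 4755 promhup */
#include <dirent.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define TARGET_COMM "prometheus" /* process name taken from the question's pgrep call */

/* Return 1 if process `pid` is owned by `uid` and /proc/<pid>/comm equals `name`. */
int pid_matches(pid_t pid, const char *name, uid_t uid) {
    char path[64], comm[64] = "";
    struct stat st;
    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    if (stat(path, &st) != 0 || st.st_uid != uid) return 0;
    snprintf(path, sizeof path, "/proc/%ld/comm", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    if (!fgets(comm, sizeof comm, f)) comm[0] = '\0';
    fclose(f);
    comm[strcspn(comm, "\n")] = '\0';
    return strcmp(comm, name) == 0;
}

/* Send `sig` to every process named `name` owned by `uid`; return the count, -1 on error. */
int signal_by_name(const char *name, uid_t uid, int sig) {
    DIR *d = opendir("/proc");
    struct dirent *e;
    int n = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (*end != '\0' || pid <= 1) continue; /* skip non-PID entries and init */
        if (pid_matches((pid_t)pid, name, uid) && kill((pid_t)pid, sig) == 0) n++;
    }
    closedir(d);
    return n;
}

int main(void) {
    /* No shell, no PATH lookup, no arguments: the signal and target name are fixed. */
    int n = signal_by_name(TARGET_COMM, geteuid(), SIGHUP);
    if (n <= 0) { fprintf(stderr, "promhup: no matching process signalled\n"); return 1; }
    return 0;
}
```

Because the helper takes no input and only signals processes owned by its effective UID, any user who can execute it can do no more than reload Prometheus. Note that /proc/<pid>/comm is truncated to 15 characters, which `prometheus` fits.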
