On Tuesday 31 March 2009 09:43, CHAPLIN, JAMES (CTR) wrote:
>Our programmers have been creating java based applications that they
>start and stop using simple scripts. The start script call java to start
>the program; however the stop script issues a simple kill command
>against the PID.
>
>Our problem if User A start the program, only User A can kill it (except
>for root). We want anyone in the group level to be able to also issue
>the kill command (in the script). Is there a way to allow users in a
>group to kill each other's started processes.
Not directly, because the kill(2) system call does not permit a signal to be
sent to processes unless the calling user is also the process owner (or the
superuser). But see below for a work-around.
>Being new to the zLinux and Java worlds, is it standard to issue a 'kill
>-9 pid" to terminate a java program? Is there a better way and how does
>issuing a kill de-allocate memory and other issues?
No. Using "kill -9" is the "kill of last resort" method. You should first do
a "kill -15" to send a SIGTERM signal, which is the polite way to ask the
program to terminate. This gives the program the opportunity to shut itself
down gracefully by catching the signal and handling it. The "kill -9" sends
a SIGKILL which cannot be caught or ignored. The process is immediately
halted by and destroyed by the kernel; the program never gets a chance to do
anything. Resources (open files, memory, etc.) is cleaned up by the kernel,
so you're OK there, but any program state information is lost.
The standard way to kill off a program is to send it a SIGTERM, wait several
seconds for it to shut itself down, then send it a SIGKILL. This is what the
system shutdown scripts do when halting or rebooting Linux.
Now for the work-around I mentioned. Scott has the right idea: the Java app
should provide a way for an external program to tell it to stop. If it does,
use that. Sometimes it is done by starting up another JVM to send the first
one a command via some IPC mechanism (eg. a socket). I think this is what
WebSphere does. Or it is done by sending some signal (usually SIGTERM) to
it, like I mentioned.
But how to get the group-level control you originally asked about? If you can
send a command via IPC to stop it, then you just make the program that sends
that command executable only by users in that group. If you have to send a
signal, it is trickier, because as the good book says:
"For a process to have permission to send a signal it must either be
privileged (under Linux: have the CAP_KILL capability), or the real or
effective user ID of the sending process must equal the real or saved
set-user-ID of the target process."
So the program that sends the signal must be run as either the same user that
started your java app, or the superuser. It sounds like any user in the
group can start the program, so you write a program that is SetUID to root:
it runs as the superuser regardless of who invoked it. You can't do that
with a shell script, but I think you can with PERL. Make it owned by root,
and your group, with permission mode 4750 (SetUID, read-write-execute by
user, execute by group, no access to anyone else). That script finds the
correct PID then does its "kill -15" as root, which will send the SIGTERM to
that process.
- MacK.
-----
Edmund R. MacKenty
Software Architect
Rocket Software
275 Grove Street · Newton, MA 02466-2272 · USA
Tel: +1.617.614.4321
Email: [email protected]
Web: www.rocketsoftware.com
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
