Safely killing all processes by UID on macOS

Posted: Thu Oct 12, 2017 1:56 pm
by copumpkin
Hi all,

I'm looking for less obvious ways to kill all processes running as a UID in macOS, because the obvious ways are failing me right now.

The obvious thing we tried before was to launch a new process, set(e)uid to the user in question, then kill(-1, SIGKILL). That will kill all running processes under that user (including the killer!), but unfortunately in High Sierra (and possibly earlier), it also crashes the entire system and Apple doesn't seem very interested in fixing it quickly:

To get better exit codes, we've also tried kill(-1, SIGKILL, 0). That's right, the kill syscall in XNU actually takes a secret third argument (not available via C API) that indicates whether you want POSIX behavior or not. Non-POSIX behavior in this case just means not killing the caller process but killing everyone else. This worked up until 10.13 but was also thwarted by the bug I linked above.

So given that the obvious things don't work, what's a good approach here? I'm operating under the assumption that processes can misbehave, so listing processes and then killing them, being non-atomic, has issues: I can list processes while a process is forking and miss stuff. I could run that in a loop but there's no guarantee the loop will ever terminate (e.g., during fork-bomb-like behavior).

I just asked in an adjacent thread in this forum whether it was possible to amend a macOS sandbox during execution to help with this problem: if we could overlay a "deny fork/exec" sandbox over a running process, we could avoid the race conditions I mention above by simply disabling fork, listing processes, and killing them.

Does anyone have other ideas, possibly informed by obscure macOS internal behavior, for how to effectively kill all processes owned by a user?

Re: Safely killing all processes by UID on macOS

Posted: Thu Oct 12, 2017 9:46 pm
by morpheus
May I suggest kill -STOPping, then killing individual ones? This can also detect fork bombs if you see that, while you are kill(2)ing, more processes spawn (which, incidentally, you can prevent with ulimit(1) or setrlimit(2)). kill -1 9 would have been the way to go, but if it panics (which I think is a serious bug too), -1 19 should work and hopefully not crash anything.
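
The stop-then-kill idea above, applied per PID instead of through a broad kill(-1, ...), as an added example that is not part of the original posts: every listed process is SIGSTOPped until a listing shows nothing new, and only then is the frozen set killed. The function names, the use of `ps -U <uid> -o pid=` as the lister and the `max_rounds` limit are assumptions of this sketch; it must run as root or as the target user, and it does not cover processes that another UID creates under the target UID or resumes with SIGCONT.

```python
import os
import signal
import subprocess


def list_pids_for_uid(uid):
    """PIDs whose real UID is `uid`, read from ps(1); this process is excluded."""
    out = subprocess.run(["ps", "-U", str(uid), "-o", "pid="],
                         capture_output=True, text=True, check=False).stdout
    return {int(tok) for tok in out.split()} - {os.getpid()}


def send(pid, sig):
    """Signal one PID; False means it exited before the signal arrived."""
    try:
        os.kill(pid, sig)
        return True
    except ProcessLookupError:
        return False


def freeze_then_kill(uid, lister=list_pids_for_uid, max_rounds=50):
    """SIGSTOP every process of `uid` until a listing shows no new PID,
    then SIGKILL the frozen set. Returns (killed_pids, rounds_used).

    A stopped process cannot fork, so once a pass finds nothing new the
    set is stable. RuntimeError after `max_rounds` passes means processes
    are appearing faster than they are stopped (fork-bomb-like).
    """
    seen, stopped = set(), set()
    for rounds in range(1, max_rounds + 1):
        new = lister(uid) - seen
        if not new:
            break  # fixed point: everything listed is already frozen
        seen |= new
        # Symbolic name: the numeric value of SIGSTOP differs by platform.
        stopped |= {pid for pid in new if send(pid, signal.SIGSTOP)}
    else:
        raise RuntimeError(f"uid {uid}: still spawning after {max_rounds} rounds")
    killed = {pid for pid in stopped if send(pid, signal.SIGKILL)}
    return killed, rounds


if __name__ == "__main__":
    import sys
    print(freeze_then_kill(int(sys.argv[1])))
```

When `RuntimeError` is raised, the processes stopped so far stay frozen, so the caller can tighten limits with setrlimit(2) as suggested above and retry.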

Re: Safely killing all processes by UID on macOS

Posted: Thu Oct 12, 2017 10:34 pm
by copumpkin
I was experimenting a while back and was able to get 10.13 to crash even with a SIGWINCH (albeit had to leave it running for several minutes pounding constantly), which I'm pretty sure nobody even looks at. STOP might strike a good balance between insta-death on 10.13 and actually having desirable effects. Would still be nice to have an effective way to do this that doesn't involve a broad kill though :/