Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Q&A

Post History

66%
+2 −0
Q&A What are the concrete security risks of forcibly terminating a process?

What security risks can be introduced this way, and how? Consider the following scenario: A legitimate server listens on some network port. Usually¹ no other process can listen on the por...

posted 9mo ago by Kamil Maciorowski‭

Answer
#1: Initial revision by user avatar Kamil Maciorowski‭ · 2024-04-11T09:33:14Z (9 months ago)
> What security risks can be introduced this way, and how?

Consider the following scenario:

1. A legitimate server listens on some network port. Usually¹ no other process can listen on the port.

2. The server exits. This makes the port available to other processes for listening.

3. Another process (possibly under control of another user) starts listening on the port.

4. New clients connect to the wrong process. This may result in:

   - clients leaking sensitive data;
   - clients accepting responses from the wrong process and thus
      - getting wrong (random or phony) data,
      - and/or doing something wrong (being manipulated).

We have several mechanisms to eliminate or to mitigate the risk:

- Privileged ports (usually up to and including 1023), only root can listen on them. But

  - in some cases you want your process to listen on a higher port even as root² (e.g. 8080/TCP is a common choice for a web proxy and caching server);
  - if you are a regular user and you want your legitimate process to listen on a port then you need to pick an unprivileged port anyway.

- Application layer protocols that allow clients to verify the identity of the server (e.g. SSH, HTTPS); but not every protocol is like this.

- Network namespaces. There are programs that use `localhost:port` for inter-process communication or for exposing their interfaces; running them in a separate network namespace would prevent other users from interfering. But as a regular user you cannot use network namespaces freely and the OS does not crate a private network namespace for you automatically (at least this is how it is in common distros).

- Not letting the legitimate server exit in the first place.

- Using unix domain sockets instead of network ports for local inter-process communication. A socket can be protected from being hijacked by another user; in particular a named socket can be created in a private directory other users cannot access at all (e.g. the tmux server uses `/tmp/tmux-$UID/default` by default and the mode of the `tmux-$UID` directory is 700).

The above scenario is equally risky no matter if you send `SIGKILL` or `SIGTERM`, or use some interface to tell the server to exit. From the perspective of the user there are many ways to make a process exit, but if you are a not-necessarily-tech-savvy user and if you want to terminate a process you shall never terminate at your wish (even if technically it belongs to you), like a server designed to run until you log out (when you cannot spawn new local clients) or until the OS starts shutting itself down (when nobody can spawn new local clients or local "impostor" servers), and if the server provides no GUI (because by design you should never interact with it directly), then I guess that Gnome System Monitor (or a similar tool) will be your first choice. In this context it's nice the Monitor tries to warn you.

A different but somewhat similar scenario is if the process you are about to kill announces its presence by creating a pidfile with its PID inside. Forcibly terminating the process will probably leave the pidfile behind, then the PID may be eventually reused, then processes reading the stale pidfile may try to interact with some unrelated program.

In general ending a process (forcibly or not) *may* introduce a security risk by opening a *possibility* that some other process (by chance or by a rogue action) takes its place in some context.

---

> If a process is indeed unresponsive, do I have options other than killing it or waiting?

As far as I know - no.

<sup>But it's a circular reasoning. If the process could respond to other options, it wouldn't be "indeed unresponsive". :D</sup>

---

¹ There is `SO_REUSEPORT`, see `man 7 socket`.  
² There is `/proc/sys/net/ipv4/ip_unprivileged_port_start`; root can use it to extend the range of privileged ports.