Tuesday, March 28, 2017

Will killing a parent process kill the child processes?

When a parent process is sent the SIGTERM signal, it executes its own signal handlers, which terminate its child processes.

In the case below, sending SIGTERM to parent process ID 2086 kills all the child processes too.

# ps -eHf | grep http
root      2086     1  0 07:11 ?        00:00:00   /usr/sbin/httpd
apache    2088  2086  0 07:11 ?        00:00:00     /usr/sbin/httpd
apache    2089  2086  0 07:11 ?        00:00:00     /usr/sbin/httpd
apache    2090  2086  0 07:11 ?        00:00:00     /usr/sbin/httpd
apache    2091  2086  0 07:11 ?        00:00:00     /usr/sbin/httpd
apache    2092  2086  0 07:11 ?        00:00:00     /usr/sbin/httpd
apache    2093  2086  0 07:11 ?        00:00:00     /usr/sbin/httpd
apache    2094  2086  0 07:11 ?        00:00:00     /usr/sbin/httpd
apache    2095  2086  0 07:11 ?        00:00:00     /usr/sbin/httpd

# kill 2086

# ps -eHf | grep http
root      2128  1932  0 07:12 pts/0    00:00:00         grep http

However, sending the parent process signal 9 (SIGKILL) does not allow it to execute its signal handlers, so the parent process cannot send a termination signal to its child processes. Only the parent process is killed; the child processes live on and are re-parented to PID 1, as the PPID column in the last listing shows.

# ps -eHf | grep http
root      2157  1932  0 07:12 pts/0    00:00:00         grep http
root      2144     1  0 07:12 ?        00:00:00   /usr/sbin/httpd
apache    2146  2144  0 07:12 ?        00:00:00     /usr/sbin/httpd
apache    2147  2144  0 07:12 ?        00:00:00     /usr/sbin/httpd
apache    2148  2144  0 07:12 ?        00:00:00     /usr/sbin/httpd
apache    2149  2144  0 07:12 ?        00:00:00     /usr/sbin/httpd
apache    2150  2144  0 07:12 ?        00:00:00     /usr/sbin/httpd
apache    2151  2144  0 07:12 ?        00:00:00     /usr/sbin/httpd
apache    2152  2144  0 07:12 ?        00:00:00     /usr/sbin/httpd
apache    2153  2144  0 07:12 ?        00:00:00     /usr/sbin/httpd

# kill -9 2144

# ps -eHf | grep http
root      2190  1932  0 07:13 pts/0    00:00:00         grep http
apache    2146     1  0 07:12 ?        00:00:00   /usr/sbin/httpd
apache    2147     1  0 07:12 ?        00:00:00   /usr/sbin/httpd
apache    2148     1  0 07:12 ?        00:00:00   /usr/sbin/httpd
apache    2149     1  0 07:12 ?        00:00:00   /usr/sbin/httpd
apache    2150     1  0 07:12 ?        00:00:00   /usr/sbin/httpd
apache    2151     1  0 07:12 ?        00:00:00   /usr/sbin/httpd
apache    2152     1  0 07:12 ?        00:00:00   /usr/sbin/httpd
apache    2153     1  0 07:12 ?        00:00:00   /usr/sbin/httpd

Wednesday, March 8, 2017

Difference between fork() and exec() system calls

fork():

It creates a copy of the running process.
The running process is called the parent process and the newly created process is called the child process.

  • fork() returns the process identifier (pid) of the child process in the parent, and
  • fork() returns 0 in the child.

exec():

It starts a new program within the existing process: the new program is loaded into the current process, replacing the existing one.
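The behaviour from both posts (SIGTERM versus SIGKILL above, fork() and exec() here), as an added C example that is not from the original posts: a supervisor forks a worker that execs `sleep`, and `orphaned_after()` reports whether the worker outlives a supervisor killed with the given signal. The names `orphaned_after`, `on_term` and `worker` are hypothetical, and the code assumes Linux/POSIX with a `sleep` binary on PATH.

```c
/* Added illustration; orphaned_after(), on_term() and worker are hypothetical names. */
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
static volatile pid_t worker;            /* set in the supervisor only */
/* Supervisor's SIGTERM handler: pass the signal on, reap the worker, exit. */
static void on_term(int sig) {
    (void)sig;
    kill(worker, SIGTERM);               /* kill, waitpid, _exit are async-signal-safe */
    waitpid(worker, NULL, 0);
    _exit(0);
}
/* Returns 1 if the worker outlives a supervisor killed with `sig`, 0 if not, -1 on error. */
int orphaned_after(int sig) {
    int fd[2];
    if (pipe(fd) != 0) return -1;
    pid_t sup = fork();
    if (sup < 0) return -1;
    if (sup == 0) {                      /* fork() returned 0: we are the supervisor */
        close(fd[0]);
        pid_t w = fork();
        if (w < 0) _exit(1);
        if (w == 0) {                    /* fork() returned 0 again: the worker */
            close(fd[1]);
            execlp("sleep", "sleep", "60", (char *)NULL); /* same pid, new program */
            for (;;) pause();            /* only reached if exec failed */
        }
        worker = w;                      /* fork() returned the child's pid */
        signal(SIGTERM, on_term);        /* SIGKILL can never be caught like this */
        if (write(fd[1], &w, sizeof w) != (ssize_t)sizeof w) _exit(1);
        for (;;) pause();
    }
    close(fd[1]);
    pid_t w = 0;
    ssize_t n = read(fd[0], &w, sizeof w);   /* blocks until the handler is installed */
    close(fd[0]);
    if (n != (ssize_t)sizeof w) return -1;
    kill(sup, sig);
    waitpid(sup, NULL, 0);
    int alive = (kill(w, 0) == 0);       /* signal 0 only probes for existence */
    if (alive) kill(w, SIGKILL);         /* clean up the orphan */
    return alive;
}

int main(void) {
    printf("orphaned after SIGTERM: %d\n", orphaned_after(SIGTERM));
    printf("orphaned after SIGKILL: %d\n", orphaned_after(SIGKILL));
    return 0;
}
```

The SIGKILL case leaves the worker running under PID 1 (or the nearest subreaper), which is what the last ps listing in the post above shows. On Linux a child can ask the kernel to signal it when its parent dies with prctl(PR_SET_PDEATHSIG, ...).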

Enforce password policy in Linux

To enforce passwords

1) that expire after 90 days,
2) are at least 8 characters long and may not be a regular word

modify the files

1) /etc/login.defs - In this file we can specify expiry and length with the following entries
     PASS_MAX_DAYS 90
     PASS_MIN_LEN 8

2) /etc/pam.d/system-auth - In this file we can specify the complexity (e.g. not a regular word) and the retries for a password attempt with the following entry
   password   required   pam_cracklib.so

iptables examples

The iptables filter table has three built-in chains - INPUT, OUTPUT, FORWARD

Set default policy using -P flag

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Allow TCP traffic on port 80

iptables -A INPUT -p TCP --dport 80 -j ACCEPT

Allow TCP traffic on port 443

iptables -A INPUT -p TCP --dport 443 -j ACCEPT

Allow UDP traffic on port 53

iptables -A INPUT -p udp --dport 53 -j ACCEPT

Allow TCP traffic on port 3306 only from 192.168.0.2

iptables -A INPUT -p tcp --dport 3306 -s 192.168.0.2 -j ACCEPT

Allow outgoing TCP and UDP traffic on any port, but only as part of an established connection. DROP everything else. The ACCEPT rules are appended with -A; -P only sets a chain's default policy and takes no match options.

iptables -A OUTPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -P OUTPUT DROP

Configure iptables to
(1) ACCEPT all TCP traffic on port 80 in the FORWARD chain
(2) ACCEPT all UDP traffic on port 53 if it comes from the IP 192.168.0.1 in the FORWARD chain
(3) Set the default FORWARD policy to DROP.


iptables -A FORWARD -p TCP --dport 80 -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -s 192.168.0.1 -j ACCEPT
iptables -P FORWARD DROP